HIPAA Notice of Privacy Practices


Summary

Group health plans can use this template to satisfy the Health Insurance Portability and Accountability Act (HIPAA) requirement for covered entities to provide individuals with a Notice of Privacy Practices (NPP) that complies with HIPAA Privacy Rule regulations. This template contains practical guidance, drafting notes, and an optional clause.

HIPAA generally provides that an individual has a right to adequate notice of the uses and disclosures that a HIPAA covered entity may make of the individual's protected health information (PHI) and of the individual's rights and the covered entity's legal duties regarding PHI. For covered entities that are group health plans, the responsibility for providing the notice is borne by:

• Self-funded or fully insured group health plans where the plan creates or receives PHI –and/or–
• Insurers issuing the coverage for an insured plan

See 45 C.F.R. § 164.520(a)(2)(ii). The insurer is solely responsible if a fully insured plan does not create or receive PHI other than summary health information (as defined in § 164.504(a)) or enrollment information. (Also, a small self-funded plan (sponsor has fewer than 50 eligible employees) may qualify for an exemption from HIPAA covered entity status if it does not use a third-party administrator, but this is fairly rare.)

The NPP must be furnished upon an individual's enrollment in the plan and as necessary to reflect material changes to the notice. In addition, a follow-up communication must be issued at least once every three years. The follow-up may consist of an up-to-date version of the NPP itself or a notice of availability that includes specific instructions on how to obtain a copy of the NPP. 45 C.F.R. § 164.520(c)(1)(ii). The NPP must contain the contents set forth in 45 C.F.R. § 164.520(b) (note that content requirements differ for health care provider notices).
For a detailed discussion of the content and delivery requirements for health plans, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules. The U.S. Department of Health and Human Services (DHHS) has developed Model Notices of Privacy Practices, which are available on its website in both Spanish and English.

Modifications to these requirements were finalized in 2024 that pertain to coordination with regulations governing substance use disorder (SUD) records under 42 C.F.R. Part 2 and new limitations on the use or disclosure of PHI for purposes of investigating or imposing liability on persons for lawfully seeking or providing reproductive health care. 89 Fed. Reg. 32,976 (April 26, 2024) (2024 Rules). However, on June 18, 2025, the District Court for the Northern District of Texas vacated the provisions of the 2024 Rules that dealt with PHI rules concerning reproductive health care. Purl v. United States HHS, 2025 U.S. Dist. LEXIS 116234 (N.D. Tex. 2025). Most of the NPP changes in the 2024 Rules remain intact, except for a few disclosures that were specific to the reproductive health care provisions that were vacated. The compliance date for the 2024 Rules pertaining to the NPP is February 16, 2026. HHS is considering furnishing model language that reflects these changes. The 2024 Rules changes are not yet reflected in this template, but they are described in the drafting notes.

For extensive coverage of important topics in the healthcare industry, see Healthcare Fundamentals Resource Kit. For a full listing of key content that can be used by in-house counsel to develop, revise, and implement a company's employee and third-party-related policies, see In-House Company Policies Resource Kit. For a full listing of key content covering HIPAA considerations, see HIPAA Resource Kit. For more on health information privacy and security, see Health Information Privacy and Security Resource Kit.
For a version of the notice that can be inserted in a summary plan description, see HIPAA Privacy Notice Clause (Summary Plan Description). For more information on the Privacy Rule notice requirement and HIPAA generally, see HIPAA Privacy, Security, Breach Notification, and Other Administrative Simplification Rules.