

Notice of Privacy Practices (NPP): What Small Healthcare Practices Need to Know

Confused about Notice of Privacy Practices (NPPs) for your small practice? Our guide breaks it down and shows you how to get it right.

Protecting your clients' private information isn't just about HIPAA compliance and avoiding fines—it's about building the kind of trust your practice needs to thrive.

This is where the Notice of Privacy Practices (NPP) comes in.

Think of your NPP as a straightforward way to tell your clients, "I take your privacy seriously." It spells out exactly how you use and protect their sensitive health information.

It might sound intimidating, but we'll walk you through what your NPP needs to say, how to make it easily accessible to your clients, and what tool to use that will make the whole process a breeze.

What is a Notice of Privacy Practices (NPP)?

The NPP is like your practice's privacy rulebook. It's a clear, plain-language document that tells your clients:

  • How you'll use and share their Protected Health Information (PHI)
  • Their rights regarding their own data
  • Your commitment to protecting their privacy
  • Who to contact if they need more information about your privacy policies

What is Protected Health Information (PHI)?

Any information about a person's health that can identify them.

This includes details about their physical or mental health, their healthcare services, and payments for their healthcare.

This information is protected if it's handled by healthcare providers, health plans, or related businesses.

Examples of PHI include:

  • Name
  • Email address
  • Social Security number
  • Acknowledgment that a person is your client
  • Client notes from a telehealth session
  • Diagnoses
  • Recommendations to join a support group


Covered Entities (CE), with certain exceptions, are legally required to create and distribute a NPP under HIPAA's Privacy Rule.

Now, you’re probably wondering: is your practice a Covered Entity?

The short answer is if you’re a healthcare provider who engages in the electronic exchange of information to carry out financial or administrative activities related to healthcare, then you are a CE. This may include psychologists, dentists, chiropractors, doctors, and other practitioners.

If you exchange emails with clients, accept insurance, or bill online, you are most likely a CE. But if you are not, that doesn’t mean you should ignore HIPAA. Securing your clients’ PHI is still important from a professional and ethical standpoint, and following HIPAA is a good way to ensure you’re providing adequate protection.

💡 Hushmail tip: Use this easy-to-use question-and-answer decision tool to determine whether your practice is a Covered Entity.

HIPAA defines three types of Covered Entities:

A healthcare provider

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

...but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

A health plan

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

A healthcare clearinghouse

This includes:

  • Entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

Why is a NPP important for small healthcare practices like yours?

Whether you're a solo practitioner or a small healthcare practice, a NPP is important for the following reasons:

  • Trust is everything. Your clients share sensitive information with you. The NPP shows that you respect that privacy and gives them peace of mind.
  • HIPAA compliance is key. Not having a NPP can lead to hefty fines, even for small practices like yours. Learn more: What happens when a HIPAA complaint is filed against you?

👉 Important note: NPPs can differ depending on one's practice. Your small healthcare practice might need a slightly different NPP than someone else's. This can sometimes cause confusion, but here's why:

Your practice may handle different aspects of healthcare (e.g., treatment and care, while an insurer, for example, manages coverage and payments) and use patient health information in unique ways.

Keep reading to learn what you should include in your NPP as a small healthcare practice or solo practitioner.

Getting your NPP right as a small healthcare practice

The 2016-2017 HIPAA audit showcases the challenges of creating a fully compliant NPP. While the audit was done a few years ago, here are some of the key takeaways that remain crucial when crafting a NPP today:

  • Compliance is rare: The audit found that only 2% of organizations had fully compliant NPPs. You need to make sure that your NPP meets the requirements outlined by the Department of Health and Human Services.
  • Avoid jargon: Many NPPs were overly complex, and filled with confusing legal and technical terms. You need to focus on making yours clear and understandable. The audit even highlighted the need for the NPP to be written in plain language.
  • Don't miss the essentials: The audit found NPPs often lacked legally required information. You need to double-check that yours covers all the bases.

You definitely don't want to be one of those practices that don't get their NPPs right. For example, a mental health center failed to provide a privacy notice to a father and his minor daughter. The good news is they acknowledged their mistake and revised their policies to ensure patients receive the notice prior to their assessment. The center also assured the Office for Civil Rights (OCR) that all staff involved in the daughter's care were informed of the changes.

Now, if you're a small healthcare practice, what should you make sure your NPP includes?

Key elements of a NPP for small healthcare practices

Here's a breakdown of the key elements of a NPP for small healthcare practices. Click here for a complete list of statements that you must include in your NPP.


1. Must-have text

Start your NPP with a header that clearly states, "This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully."

💡 Hushmail tip: This is the wording required by HIPAA. Copy and paste it on your header.

2. Effective date

This is the date your NPP goes into effect. This is important in case you ever need to update it.

💡 Hushmail tip: Put this date under your header so it's easy to find.

3. Statement of your HIPAA duties

This is a clear statement that you must follow HIPAA's privacy rules.

💡 Hushmail tip: Don't overthink this, just use clear language like, "We are required by law to protect your health information and provide you with this Notice of our Privacy Practices."

4. Statement regarding breach notification

This is your commitment to notify clients if their protected health information is ever compromised in a data breach.

💡 Hushmail tip: HIPAA has very specific requirements for breach notifications. For example, the HIPAA Breach Notification Rule requires you to notify all affected clients by mail or email, without unreasonable delay and no later than 60 days following the discovery of a breach. However, be aware that state law may require you to notify them sooner so check with your local jurisdiction. Make sure your NPP language and procedures fully align with the law.

5. How you use and share your PHI

This is the meat of your NPP. Explain in plain language:

  • How you'll use PHI for treatment (e.g., coordinating care with other doctors)
  • How you'll use PHI for payment (e.g., submitting claims to insurance)
  • How you'll use PHI for healthcare operations (e.g., quality improvement, staff training)
  • Other reasons you might share PHI without specific permission (these are outlined by HIPAA, so make sure you list the correct ones)

💡 Hushmail tip: Think about ALL the ways you use client information, from appointment reminders to note-taking. Be as specific as possible.

6. Client rights regarding their PHI

HIPAA gives your clients specific rights, and you need to inform them of these rights. These include:

  • The right to access and receive a copy of their records
  • The right to request corrections if they think their records are wrong
  • The right to restrict some sharing of their information
  • The right to receive a list of disclosures (who their info has been shared with)

💡 Hushmail tip: It's helpful to offer instructions on how your clients can exercise these rights (e.g., Do they submit a form? Contact you directly?).

7. Your contact information

List the name and contact information of the person in your practice who is responsible for handling privacy questions or complaints.

💡 Hushmail tip: If you're a sole practitioner, this will likely be you!

8. Statement on potential use of PHI for marketing or sales

HIPAA has strict rules about using PHI for marketing or selling it. You need to clearly state if you will (or will not) be doing those things.

💡 Hushmail tip: Most small practices won't be doing this, so a simple statement like, "We will not sell your information or use it for marketing without your written permission" is sufficient.

9. Statement regarding complaints

This section explains the process for filing a complaint if a client believes their privacy rights have been violated. You should state that clients also have the right to file a complaint with the Department of Health and Human Services (HHS) and provide the Office for Civil Rights (OCR) contact information.

💡 Hushmail tip: Include the contact information of your designated privacy officer or the appropriate person.

Even after you've written your NPP, it's always important to keep an eye on the HHS' latest updates.

👉 Does your practice treat patients in the fields of reproductive healthcare or substance abuse?

If so, be aware that the HHS announced that it is making some amendments to HIPAA to set protections for PHI to safeguard individuals' ability to obtain lawful reproductive healthcare. Additionally, the HHS is looking to simplify and align the treatment of patient records related to the treatment of substance abuse disorder. These are examples of changes that may require specific statements in your NPP.

What not to include in a NPP?


Here's a rundown of things that should NOT be included in your NPP:

  • Promises you can't keep. Don't say your client's information will never be shared. There are times when you might have to.
  • Every instance when you will share their information. The NPP is about your general practices, not a detailed list of every possible disclosure.
  • Confusing legal jargon. Keep it simple so your clients understand their rights.
  • Your admin practices. The NPP is about privacy rules, not how you run your practice.
  • Information unrelated to privacy. For example, don't mix appointment policies or social media guidelines into your NPP. Keep those in separate documents.

NPP delivery to your clients: When, where, and how

Your next step is to understand when to provide your NPP, where to keep it visible, and how to give it to your clients. The HHS provides guidance on NPP delivery and here’s what you should be mindful of:

When to give your NPP to clients

  • Give new clients a copy of your NPP during their first visit or as part of their welcome packet.
  • If you have to treat someone during an emergency situation, give them the NPP as soon as possible afterward.

💡 Hushmail tip: If you make any changes in how you handle PHI, you need to update your NPP and let your clients know.

Make your NPP available

  • Keep copies of your NPP at your office and on your website – you can either create a page or make it downloadable.
  • If a client asks, you must give them a copy of your NPP. You can email it to clients upon request or hand out physical copies for clients to take.
  • Place a copy of your NPP somewhere noticeable in your waiting area or office.

👉 Recommended resource: NPP templates by the HHS

Design tips for your NPP

  • Keep it simple. Use plain language as highlighted in the HIPAA audit mentioned earlier. Avoid medical jargon or complicated legal terms.
  • Make it easy to read. Use a clear font and a larger text size, and break up information into smaller sections.
  • Translations. Consider providing translated versions of your NPP for clients who speak other languages.
  • Accessibility. If you post your NPP online, make sure that it's accessible to people with disabilities.

Do clients need to sign and acknowledge receipt of the NPP form?

Healthcare practices must obtain written acknowledgment that clients have received the NPP. However, anticipated HIPAA Privacy Rule updates (expected later in 2024) will likely remove this written acknowledgment requirement.

👉 Hushmail recommendations:

  • Continue documenting NPP distribution: While a signature on an acknowledgment form is not required, it's a great way to demonstrate you've provided the NPP to clients.
  • Note client refusals: If a client refuses to acknowledge NPP receipt, document the date and reason for refusal. It's worth noting that this does not affect their right to treatment or the use of their information.

The primary purpose of the written acknowledgment is to maintain records that clients have received the notice. This also helps protect your practice by demonstrating that you have made a good-faith effort to inform your clients of their privacy rights and the use of their health information.

Simplify NPP Delivery with Hushmail for Healthcare

Hushmail for Healthcare provides secure, HIPAA-compliant ways to deliver and collect NPP acknowledgments through the following:

1. With e-signatures

If your Hushmail plan includes electronic signatures you can use it for your NPP through the following:

  • Build an e-signable NPP as a secure online form with our easy drag-and-drop tool.
  • Clients can e-sign your NPP from anywhere, on any device.
  • Your NPP submissions use the same encryption as your Hushmail email which supports your HIPAA compliance.

2. Without e-signatures

If your Hushmail plan doesn't include e-signatures, you can still use our forms to deliver your NPPs and have clients acknowledge receipt through the following:

  • Create a simple NPP form that clients can access online. Include a required checkbox that states "I acknowledge that I have received the Notice of Privacy Practices." A confirmation page or email can reiterate the acknowledgment for added clarity.
  • Add clear text in your forms stating that submission equals acknowledgment of NPP receipt, like "By submitting this form, you acknowledge that you have received the Notice of Privacy Practices."

In the future, if a written acknowledgment is not required anymore because HIPAA's Privacy Rule updates are already in effect, Hushmail can still help you with:

Ready to simplify your NPP?

HIPAA compliance for your private practice isn't just about avoiding fines or bad press. It's about building the kind of trust that makes your practice thrive. A clear, concise NPP is a powerful way to start a relationship with your clients. It’s a testament to your commitment to quality care.

"We prioritize our clients’ safety and trust. Hushmail offers encrypted email services and web forms, ensuring the confidentiality and security of our client information. With Hushmail, our clients can rest assured that their journey with us is in a secure, protected space."

Dr. Josh Littleton CST, LMHC
Florida Division Vice-President
Excelsis Behavioural Health

This guide has hopefully demystified the NPP process — from creation to delivery. Now, your next step is to get Hushmail for Healthcare where you can:

  • Make easy-to-create NPP forms
  • Ask for e-signatures or convenient acknowledgments
  • Have peace of mind knowing your client's information and practice are protected

"Our practice is not just about offering clinical expertise. It's also about creating a safe space for our clients to explore their emotions. Hushmail has been invaluable in shaping the success and integrity of our practice," shares Dr. Josh Littleton CST, LMHC.

Get Hushmail for Healthcare today. All of our plans come with a 60-day money-back guarantee.

Learn more about Hushmail for Healthcare

