Hushmail Blog

Notice of Privacy Practices (NPP): What Small Healthcare Practices Need to Know

Written by Hushmail | Mar 16, 2026 2:48:43 PM

Estimated reading time: 18 minutes.

Summarize this article with ChatGPT

Protecting client privacy isn't just about HIPAA compliance. It's about building trust and showing your clients that you take their confidentiality seriously.

This is where the Notice of Privacy Practices (NPP) comes in.

Think of your NPP as a straightforward way to tell your clients, β€œI take your privacy seriously.” It spells out exactly how you use and protect their sensitive health information.

It might sound intimidating, but we'll walk you through what your NPP needs to say, what's changed recently (including a major update that took effect on February 16, 2026), how to make your NPP easily accessible to your clients, and what tool makes the whole process a breeze.

TL;DR: Your Notice of Privacy Practices (NPP) explains how you use and protect clients' health information. If you haven't updated yours recently, now is the time.

A new federal rule, effective February 16, 2026, changes how substance use disorder (SUD) records must be handled in your NPP. This update may apply even if you only receive SUD-related records from another provider. Your state may also have additional requirements that a generic NPP template doesn't cover.

The good news? You don't need to start from scratch. This guide shows what to include, what's changed, and how Hushmail makes it simple to keep your NPP current and compliant over time.

 

Protecting client privacy isn't just about HIPAA compliance. It's about building trust and showing your clients that you take their confidentiality seriously.

Table of Contents

What is a Notice of Privacy Practices (NPP)?

The NPP is like your practice's privacy rulebook. It's a clear, plain-language document that tells your clients:

  • How you'll use and share their Protected Health Information (PHI)
  • Their rights regarding their own data
  • Your commitment to protecting their privacy
  • Who they will contact if they need more information about your privacy policies

What is Protected Health Information (PHI)?

Any information about a person's health that can identify them. This includes details about their physical or mental health, healthcare services, and healthcare payments. This information is protected if it's handled by healthcare providers, health plans, or related businesses.

Examples of PHI include: name, email address, Social Security number, acknowledgment that a person is your client, client notes from a telehealth session, diagnoses, and recommendations to join a support group.


Covered Entities (CE), with certain exceptions, are legally required to create and distribute an NPP under HIPAA's Privacy Rule.

Now, you're probably wondering: is your practice a Covered Entity?

The short answer is if you're a healthcare provider who engages in the electronic exchange of information to carry out financial or administrative activities related to healthcare, then you are a CE. This may include psychologists, dentists, chiropractors, doctors, and other practitioners.

A healthcare provider A health plan A healthcare clearinghouse

This includes providers such as:

  • Doctors
  • Clinics
  • Psychologists
  • Dentists
  • Chiropractors
  • Nursing Homes
  • Pharmacies

…but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

This includes:

  • Health insurance companies
  • HMOs
  • Company health plans
  • Government programs that pay for health care, such as Medicare, Medicaid, and the military and veterans health care programs

This includes entities that process nonstandard health information they receive from another entity into a standard (i.e., standard electronic format or data content), or vice versa.

If you exchange emails with clients, accept insurance, or bill online, you are most likely a CE. But if you are not, that doesn't mean you should ignore HIPAA. Securing your clients' PHI remains important from a professional and ethical standpoint, and following HIPAA is a good way to ensure you provide adequate protection.

πŸ’‘ Hushmail tip: Use this easy-to-use question-and-answer decision tool from CMS to determine whether your practice is a Covered Entity.

Why your NPP matters

Whether you're a solo practitioner or a small healthcare practice, an NPP is important for the following reasons:

  • Trust is everything. Your clients share sensitive information with you. The NPP shows that you respect their privacy and gives them peace of mind.
  • HIPAA compliance is key. Not having an NPP can lead to hefty fines, even for small practices like yours.

Learn more: What happens when a HIPAA complaint is filed against you?

πŸ‘‰ Important note: NPPs can differ depending on one's practice. Your small healthcare practice might need a slightly different NPP than someone else's. This can sometimes cause confusion, but here's why: your practice may handle different aspects of healthcare (e.g., treatment and care) while an insurer manages coverage and payments, and uses patient health information in unique ways.

Keep reading to learn what you should include in your NPP as a small healthcare practice or solo practitioner.

How to avoid common compliance gaps in your NPP

The 2016–2017 HIPAA audit showcases the challenges of creating a fully compliant NPP. While the audit was done a few years ago, here are some of the key takeaways that remain crucial when crafting an NPP today:

  • Compliance is rare: The audit found that only 2% of organizations had fully compliant NPPs. You need to make sure that your NPP meets the requirements outlined by the Department of Health and Human Services.
  • Avoid jargon: Many NPPs were overly complex, filled with confusing legal and technical terms. Focus on making yours clear and understandable. The audit even highlighted the need for the NPP to be written in plain language.
  • Don't miss the essentials: The audit found NPPs often lacked legally required information. Double-check that yours covers all the bases.

You definitely don't want to be one of those practices that get their NPPs wrong. For example, a mental health center failed to provide a privacy notice to a father and his minor daughter. The good news is that they acknowledged their mistake and revised their policies to ensure patients receive the notice before their assessment. The center also assured the Office for Civil Rights (OCR) that all staff involved in the daughter's care were informed of the changes.

Now, if you're a small healthcare practice, what should you make sure your NPP includes?

Key elements of an NPP for small healthcare practices

Here's a breakdown of the key elements of an NPP for small healthcare practices. Click here for a complete list of statements that must be included in your NPP.

1. Must-have text

Start your NPP with a header that clearly states, β€œThis notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”

πŸ’‘ Hushmail tip: This is the wording required by HIPAA. Copy and paste it into your header.

2. Effective date

This is the date your NPP goes into effect. This is important in case you ever need to update it.

πŸ’‘ Hushmail tip: Put this date under your header so it's easy to find.

3. Statement of your HIPAA duties

This is a clear statement that you must follow HIPAA's privacy rules.

πŸ’‘ Hushmail tip: Don't overthink this. Just use clear language like, β€œWe are required by law to protect your health information and provide you with this Notice of our Privacy Practices.”

4. Statement regarding breach notification

This is your commitment to notify clients if their protected health information is ever compromised in a data breach.

πŸ’‘ Hushmail tip: HIPAA has very specific requirements for breach notifications. For example, the HIPAA Breach Notification Rule requires you to notify all affected clients by mail or email, without unreasonable delay and no later than 60 days following the discovery of a breach. However, be aware that state law may require you to notify them sooner, so check with your local jurisdiction.

5. How you use and share PHI

This is the meat of your NPP. Explain in plain language:

  • How you'll use PHI for treatment (e.g., coordinating care with other doctors)
  • How you'll use PHI for payment (e.g., submitting claims to insurance)
  • How you'll use PHI for healthcare operations (e.g., quality improvement, staff training)
  • Other reasons you might share PHI without specific permission (these are outlined by HIPAA, so make sure you list the correct ones)

πŸ’‘ Hushmail tip: Think about ALL the ways you use client information, from appointment reminders to note-taking. Be as specific as possible.

6. Client rights regarding their PHI

HIPAA gives your clients specific rights, and you need to inform them of these rights. These include:

  • The right to access and receive a copy of their records
  • The right to request corrections if they think their records are wrong
  • The right to restrict some sharing of their information
  • The right to receive a list of disclosures (who their info has been shared with)

πŸ‘‰ New for 2026: If your practice handles SUD-related records protected by 42 CFR Part 2 (see the section below), your NPP should also inform clients of these additional rights:

  • The right to an accounting of disclosures of Part 2 records
  • The right to request restrictions on certain disclosures
  • The right to revoke consent at any time
  • The right to file a complaint directly with the Secretary of HHS

πŸ’‘ Hushmail tip: It's helpful to offer instructions on how your clients can exercise these rights (e.g., do they submit a form? Contact you directly?).

7. Your contact information

List the name and contact information of the person in your practice who is responsible for handling privacy questions or complaints.

πŸ’‘ Hushmail tip: If you're a sole practitioner, this will likely be you!

8. Statement on potential use of PHI for marketing or sales

HIPAA has strict rules about using PHI for marketing or selling it. You need to clearly state if you will (or will not) be doing those things.

πŸ’‘ Hushmail tip: Most small practices won't be doing this, so a simple statement like, β€œWe will not sell your information or use it for marketing without your written permission” is sufficient.

9. Statement regarding complaints

This section explains the process for filing a complaint if a client believes their privacy rights have been violated. You should state that clients have the right to file a complaint with the Department of Health and Human Services (HHS) and provide the Office for Civil Rights (OCR) contact information.

πŸ‘‰ New for 2026: If your practice handles SUD-related Part 2 records (see section below), your NPP should now also include that patients can file complaints about Part 2 violations directly with the Secretary of HHS. You should also include a no-retaliation statement, letting clients know they will not face consequences for filing a complaint.

πŸ’‘ Hushmail tip: Include the contact information of your designated privacy officer or the appropriate person.

Does 42 CFR Part 2 apply to your practice?

In addition to HIPAA, some practices must comply with a federal law known as 42 CFR Part 2. This regulation provides extra protections for substance use disorder (SUD) treatment records.

The rule, effective February 16, 2026, requires certain providers to update their NPPs to reflect these protections.

⚠️ Important clarification: Even if your practice does not directly provide SUD treatment, Part 2 may still apply if you receive SUD records from another provider that is subject to 42 CFR Part 2. For example, a rehab discharge summary or medication-assisted treatment records.

Determine your category

Don't panic. You can figure this out by answering a few simple questions.

The regulation distinguishes three categories of providers. Here's a simplified breakdown:

Category Who it applies to What it means for your NPP
Part 2 Program You provide and advertise SUD diagnosis, treatment, or referral as a core service. You'll need to follow the full set of Part 2 rules.
NPP must include Part 2 language.
Lawful Holder You don't treat SUD, but you receive Part 2-protected records from another provider (e.g., rehab discharge summaries). You'll need to follow stricter rules around resharing and legal proceedings. NPP should reflect the stricter Part 2 limits.
Outside Part 2 You don't provide SUD services and don't receive Part 2 records. You don't need to add any Part 2 language.

What your NPP must now address

If you fall into the Part 2 Program or Lawful Holder category, your NPP needs to address several new areas. Here's the high-level picture (for specific sample language, see the HHS fact sheet on the Part 2 Final Rule and the HHS model NPP templates):

  • State that SUD records are treated differently from other PHI. Explain that these records have additional protections beyond standard HIPAA.
  • Describe consent requirements for Part 2 records. Unlike regular PHI, Part 2 records generally cannot be used for treatment, payment, or healthcare operations without the client's specific written consent.
  • Include the legal proceedings restriction. Part 2 records and related testimony cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without written consent.
    • The most common request is a subpoena. Suggested NPP language: "We will only respond to a court order or subpoena that legally requires us to share your health information.”
  • Explain client rights specific to Part 2 records. This includes the right to an accounting of disclosures, the right to revoke consent, and the right to restrict disclosures.
  • Include the complaint process. Clients can file complaints with the program and directly with the Secretary of HHS. Add a no-retaliation statement.
  • Note that Part 2 is a β€œmore restrictive law.” Ensure your NPP reflects the stricter standard where it applies.
  • If applicable, include a fundraising opt-out statement for Part 2-protected information.

πŸ’‘ Hushmail tip: You can combine your HIPAA NPP and Part 2 Patient Notice into one document. You do not need to create a separate document. HHS has clarified that as long as the combined document includes all required elements under both 45 CFR 164.520 and 42 CFR 2.22, it meets the legal requirements. This way, a single document covers everything.

Where to find help

If all of this feels overwhelming, you're not alone. The intersection of HIPAA and 42 CFR Part 2 can be complex, especially with the 2026 updates. Fortunately, there are reliable resources available to help you get it right.

The HHS fact sheet on the 42 CFR Part 2 Final Rule and the HHS model NPP templates are helpful starting points. Person Centered Tech also offers a free decision guide with a step-by-step decision flow and sample NPP language by category.

When in doubt, have your final NPP language reviewed by a qualified attorney who understands both HIPAA and Part 2.

πŸ’‘ Hushmail tip: When your NPP needs updating, whether for Part 2 or any other reason, Hushmail's secure, editable forms mean you update the language once. Every new client will automatically get the current version. This eliminates the need to chase down PDFs or worry about which version a client signed.

πŸ‘‰ A note on psychotherapy notes and SUD counseling notes: Psychotherapy notes are already subject to special protections under HIPAA and generally require separate authorization for most disclosures. SUD counseling notes that fall under 42 CFR Part 2 may have additional or overlapping protections. Make sure your NPP clearly explains how these types of records are handled in your practice.

State-specific requirements

HIPAA is the floor, not the ceiling. Your state may impose stricter requirements, and your NPP needs to reflect them.

The federal government's model NPP templates instruct covered entities to describe any state or other laws that provide for additional limits on disclosures. If your state has stricter rules, your NPP must say so.

Your local professional association chapter is the best starting point for understanding your state's specific requirements.

πŸ’‘ Hushmail tip: When state rules change, you update your form once in Hushmail. No resending PDFs or tracking which version a client received.

What not to include in an NPP

Here's a rundown of things that should NOT be included in your NPP:

  • ❌ Promises you can't keep. Don't say your client's information will never be shared. There are times when you might have to.
  • ❌ Every instance when you will share their information. The NPP is about your general practices, not a detailed list of every possible disclosure.
  • ❌ Confusing legal jargon. Keep it simple so your clients understand their rights.
  • ❌ Your admin practices. The NPP is about privacy rules, not how you run your practice.
  • ❌ Information unrelated to privacy. For example, don't mix appointment policies or social media guidelines into your NPP. Keep those in separate documents.

Do clients need to sign and acknowledge receipt of the NPP?

Starting on February 16, 2026, you are no longer required to obtain a signed acknowledgment from clients confirming receipt of your NPP. However, documenting that you provided the NPP remains a best practice.

πŸ’‘ Hushmail tip: Continue documenting NPP distribution: While a signature on an acknowledgment form is no longer required, it's still a great way to show your clients received the NPP. Hushmail helps you keep track with e-signatures or form submission activity.

Do I need to resend my updated NPP to existing clients?

When you update your NPP, you do not need to send the new version to every existing client. However, you should make the updated NPP accessible and provide it as needed. You should:

  • Prominently post the revised version on your website
  • If you maintain an office, it must be prominently posted there
  • Provide it to anyone who asks
  • Give it to new clients no later than their first visit, as usual

This applies whether you're updating for Part 2, a state law change, or any other reason.

NPP delivery to your clients: when, where, and how

Your next step is to understand when to provide your NPP, where to keep it visible, and how to give it to your clients.

When to give your NPP to clients

  • Give new clients a copy of your NPP during their first visit or as part of their welcome packet.

  • If you have to treat someone during an emergency situation, give them the NPP as soon as possible afterward.

πŸ’‘ Hushmail tip: If you make any changes in how you handle PHI, you need to update your NPP.

Make your NPP available

  • Keep copies of your NPP at your office and prominently posted on your website.

  • If a client asks, you must give them a copy of your NPP.

  • Place a copy of your NPP in a prominent place in your waiting area or office.

Design tips for your NPP

  • Keep it simple. Use plain language. Avoid medical jargon or complicated legal terms.
  • Make it easy to read. Use a clear font, larger text size, and break up information into smaller sections.
  • Translations. Consider providing translated versions of your NPP for clients who speak other languages.
  • Accessibility. If you post your NPP online, make sure it's accessible to people with disabilities.

Simplify NPP delivery with Hushmail for Healthcare

When regulations change, like the February 2026 Part 2 deadline, having editable, centralized forms means you update once and move on. That's exactly what Hushmail for Healthcare provides.

With e-signatures

If your Hushmail plan includes electronic signatures, you can:

  • Build an e-signable NPP as a secure online form with our easy drag-and-drop tool.
  • Let clients e-sign your NPP from anywhere, on any device.
  • Know that your NPP submissions use the same encryption as your Hushmail email, supporting your HIPAA compliance.

Without e-signatures

If your plan doesn't include e-signatures, you can still deliver your NPP and collect acknowledgments:

  • Create a simple NPP form that clients can access online. Include a required checkbox that states "I acknowledge that I have received the Notice of Privacy Practices."
  • Add clear text in your forms stating that submission constitutes acknowledgment of receipt of the NPP, such as "By submitting this form, you acknowledge that you have received the Notice of Privacy Practices."

Hushmail keeps you organized

  • Update the language in one place. When a requirement changes, you only update it once. You're not hunting through folders or rebuilding PDFs.
  • New clients automatically get the current version. No resending, no version confusion.
  • Old forms remain archived, time-stamped, and traceable. You can always show what a client signed and when.
  • Secure delivery built in. Clients complete and sign forms digitally through encrypted email. Every Hushmail for Healthcare plan includes a signed Business Associate Agreement, so your baseline compliance is covered before you start customizing.

Ready to update your NPP?

HIPAA compliance isn't just about avoiding fines. It's about building the kind of trust that makes your practice thrive. A clear, up-to-date NPP is a powerful way to show your clients that their privacy is in good hands.

β€œWe prioritize our clients' safety and trust. Hushmail offers encrypted email services and web forms, ensuring the confidentiality and security of our client information. With Hushmail, our clients can rest assured that their journey with us is in a secure, protected space.”

Dr. Josh Littleton CST, LMHC
Florida Division Vice-President
Excelsis Behavioural Health


Here's your next step:

  • Review your current NPP.
  • Determine whether Part 2 applies to you using the decision guide linked above.
  • Make your updates.

When you're ready, Hushmail makes it realistic to keep your forms current without rebuilding everything from scratch.

Reviewed by: Steven O. Youngman, VP of Legal and Compliance, Hushmail.
View full post