
What Is a Notice of Privacy Practices and Does Your Therapy Practice Need One?


The Notice of Privacy Practices (NPP) is one of HIPAA's most visible requirements — it's the document you hand to every new patient explaining how your practice uses and protects their health information. Yet many solo therapists either don't have one, have one that's severely outdated, or have one copied from a template that doesn't reflect their actual practice.

This guide covers what the NPP is, exactly what it must contain, how to provide it to patients, and the 2026 updates that affect therapy practices.

What Is the Notice of Privacy Practices?

The NPP is a written document that informs patients about:

  • How your practice uses and discloses their Protected Health Information (PHI)
  • Their rights regarding their health information
  • Your legal obligations to protect their information
  • How to file a complaint if they believe their privacy has been violated

It's required by the HIPAA Privacy Rule (45 CFR § 164.520). Every covered entity — including every solo therapy practice — must have one and must provide it to patients.

What Must Be Included

The Privacy Rule specifies required content. Your NPP must include:

Uses and disclosures

Treatment, payment, and healthcare operations. Explain that you use PHI for providing treatment, processing payments, and running your practice. These are the three main permitted uses that don't require separate patient authorisation.

Other permitted uses. Explain that you may disclose PHI without authorisation in certain situations: as required by law, for public health activities, to report abuse or neglect, for health oversight activities, and for judicial proceedings.

Uses requiring authorisation. Explain that all other uses of PHI require the patient's written authorisation — including marketing, sale of PHI, and psychotherapy notes (which have special protections under HIPAA).

Patient rights

Your NPP must inform patients of their rights to:

  • Access their health records
  • Request amendments to their records
  • Receive an accounting of disclosures (a list of who you've shared their information with, outside of treatment/payment/operations)
  • Request restrictions on how you use or disclose their information
  • Request confidential communications (e.g., "only call me at this number")
  • Receive a paper copy of the NPP
  • File a complaint with you or with HHS if they believe their privacy has been violated

Your obligations

State that you are required by law to:

  • Maintain the privacy of PHI
  • Provide the NPP to patients
  • Follow the terms of the NPP currently in effect
  • Notify patients if a breach of their unsecured PHI occurs

Contact information

Provide the name (or title) and contact information for your Privacy Officer (that's you, for a solo practice). Include a phone number, address, and email where patients can direct privacy questions or complaints.

Effective date

The NPP must include the date it was first effective and the date of any revisions.

The 2026 Updates

If your NPP was written before February 2026, it likely needs updating. Key changes include:

42 CFR Part 2 alignment. Substance use disorder treatment records are now treated the same as other PHI under HIPAA. If you treat any patients with substance use issues — even as a secondary concern — your NPP must reflect this alignment.

Expanded individual rights. Patients now have clearer rights to access their records electronically, and timeframes for responding to access requests have been tightened.

Reproductive health protections. New provisions protect reproductive health information from certain disclosures.

If your NPP predates these changes, update it. An outdated NPP is a compliance gap.

How to Provide the NPP to Patients

First visit. You must make a good-faith effort to provide the NPP to every patient at their first appointment. Most practices include it in the intake paperwork packet.

Acknowledgment. You must make a good-faith effort to obtain a signed acknowledgment that the patient received the NPP. If they refuse to sign, document the refusal.

Availability. The NPP must be available at your office for anyone to pick up and read. If you have a website, it should also be posted there.

Updates. When you update your NPP, you must make the new version available to patients and post it prominently. You don't need to re-distribute it to every existing patient, but it must be available.

Common NPP Mistakes

Using a generic template without customisation. Your NPP should reference your specific practice name, address, and Privacy Officer contact information — not "[Practice Name]" placeholders.

Not including psychotherapy notes protections. As a therapist, the special protections for psychotherapy notes under HIPAA are particularly relevant to your practice. Your NPP should address this.

Missing the complaint process. Patients must know both how to complain to you AND how to complain to HHS. Include both.

No effective date. Every NPP needs a date. No date means it's not clear which version is current.

Not updating for 2026. The February 2026 changes are significant. An NPP that doesn't address them is non-compliant.

Getting Your NPP Right

Your Yundra Compliance Pack includes a complete Notice of Privacy Practices, updated for the 2026 requirements, with your practice name, address, and contact information pre-filled. It covers all required elements including psychotherapy notes protections and the 42 CFR Part 2 alignment.

If you're not sure whether your current NPP is up to date, take the free assessment — it checks your NPP status alongside 39 other compliance areas.

