HIPAA Notice of Privacy Practices

comments before final use
3. Have this document reviewed by qualified healthcare legal counsel
4. Verify compliance with all 45 CFR § 164.520 content requirements
5. Provide to patients no later than date of first service delivery
6. Post prominently in office and on website
7. Ensure 42 CFR Part 2 (SUD records) provisions are addressed per February 2026 compliance deadline
8. Customize state-specific sections for your jurisdiction

JURISDICTION: Federal (HIPAA Privacy Rule)
ENTITY TYPES: Covered Healthcare Providers, Health Plans, Healthcare Clearinghouses
-->

NOTICE OF PRIVACY PRACTICES

[________________________________]

(Name of Covered Entity / Practice / Organization)

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

SECTION 1: OUR COMMITMENT TO YOUR PRIVACY

[________________________________] ("we," "us," or "our") is committed to protecting the privacy of your health information. This Notice of Privacy Practices ("Notice") describes how we may use and disclose your protected health information ("PHI") to carry out treatment, payment, or healthcare operations ("TPO") and for other purposes that are permitted or required by law. It also describes your rights regarding your PHI and our legal duties with respect to your PHI.

"Protected health information" or "PHI" means individually identifiable health information that we create, receive, maintain, or transmit in any form or medium, including electronic, paper, and oral forms. PHI includes information that relates to your past, present, or future physical or mental health condition, the provision of healthcare to you, or the past, present, or future payment for your healthcare, and that identifies you or could reasonably be used to identify you.

We are required by law to:

• Maintain the privacy of your PHI as required by the HIPAA Privacy Rule
• Provide you with this Notice of our legal duties and privacy practices with respect to your PHI
• Notify you following a breach of your unsecured PHI
• Follow the terms of this Notice that is currently in effect
• Obtain your written acknowledgment of receipt of this Notice (or document our good faith efforts to obtain it)

We reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI we maintain. If we make a material change to this Notice, we will make the revised Notice available upon request, post it in our office, and publish it on our website.

SECTION 2: CONTACT INFORMATION

Privacy Officer / Contact Person

Filing a Complaint

If you believe your privacy rights have been violated, you may file a complaint with us or with the U.S. Department of Health and Human Services. You will not be penalized or retaliated against for filing a complaint.

To file a complaint with us: Contact our Privacy Officer at the address, telephone number, or email address listed above.

To file a complaint with HHS:

SECTION 3: HOW WE MAY USE AND DISCLOSE YOUR PHI

3.1 Uses and Disclosures for Treatment, Payment, and Healthcare Operations

We may use and disclose your PHI without your written authorization for the following core purposes:

A. Treatment

We may use and disclose your PHI to provide, coordinate, or manage your healthcare and any related services. This includes consultation among healthcare providers relating to your care and referral of your care from one provider to another.

Examples:

• Sharing your medical history with a specialist to whom we refer you
• Sending prescriptions electronically to your pharmacy
• Consulting with another healthcare provider about your diagnosis or treatment options
• Coordinating your care with a hospital, laboratory, or rehabilitation facility
• Providing your PHI to home health agencies, ambulance services, or other providers involved in your care

B. Payment

We may use and disclose your PHI to obtain reimbursement for the healthcare services we provide to you, including billing, claims management, and collection activities.

Examples:

• Submitting claims to your health insurance plan or Medicare/Medicaid
• Determining your eligibility or coverage for a particular treatment or service
• Obtaining prior authorization or precertification from your health plan
• Conducting utilization review and medical necessity determinations
• Providing your PHI to a billing service or claims clearinghouse

C. Healthcare Operations

We may use and disclose your PHI for our internal operations necessary to run our practice and ensure that our patients receive quality care.

Examples:

• Quality assessment and improvement activities, including outcomes evaluation
• Reviewing the competence, qualifications, and performance of healthcare professionals
• Conducting or arranging for training programs, including training of students and trainees
• Accreditation, licensing, credentialing, and certification activities
• Conducting audits, compliance programs, and legal services
• Business planning, development, and general administrative activities

3.2 Other Uses and Disclosures That Do Not Require Your Authorization

We may also use or disclose your PHI without your written authorization in the following circumstances, as permitted or required by law:

A. As Required by Law

We will use or disclose your PHI when required to do so by any federal, state, or local law. The use or disclosure will be made in compliance with the law and will be limited to the relevant requirements of the law.

B. Public Health Activities

We may disclose your PHI for public health activities as permitted by law, including:

• Reporting disease, injury, vital events (such as birth or death), and conducting public health surveillance, investigations, and interventions
• Reporting adverse events, product defects, or product tracking information to the U.S. Food and Drug Administration (FDA)
• Notifying individuals who may have been exposed to a communicable disease or who may be at risk of contracting or spreading a disease or condition
• Notifying the appropriate government authority about suspected abuse, neglect, or domestic violence (with your agreement or as required or authorized by law)
• Reporting to an employer about work-related illness or injury as required by law

C. Victims of Abuse, Neglect, or Domestic Violence

We may disclose your PHI to a government authority, including a social service or protective services agency, if we reasonably believe you are a victim of abuse, neglect, or domestic violence, as authorized or required by law.

D. Health Oversight Activities

We may disclose your PHI to a health oversight agency for activities authorized by law, including audits, civil or criminal investigations, inspections, licensure, and disciplinary actions.

E. Judicial and Administrative Proceedings

We may disclose your PHI in the course of any judicial or administrative proceeding in response to an order of a court or administrative tribunal, or in response to a subpoena, discovery request, or other lawful process, subject to required assurances that the individual has been notified or that a protective order has been obtained.

F. Law Enforcement Purposes

We may disclose your PHI to a law enforcement official for law enforcement purposes, including:

• As required by law (e.g., certain types of wounds, injuries, or other reporting obligations)
• In compliance with a court order, warrant, subpoena, or summons issued by a judicial officer
• To identify or locate a suspect, fugitive, material witness, or missing person (limited information only)
• About a victim of a crime, under certain limited circumstances
• To report a death that may have resulted from criminal conduct
• About criminal conduct that occurred on our premises
• In emergency circumstances, to report a crime, the location of the crime, or victims, or to describe the identity, description, or location of a perpetrator

G. Decedents

We may disclose PHI to a coroner, medical examiner, or funeral director, as authorized by law, to permit them to carry out their duties. We may also use or disclose PHI of deceased individuals for research purposes, subject to certain conditions.

H. Organ and Tissue Donation

We may use or disclose your PHI to organ procurement organizations or other entities engaged in the procurement, banking, or transplantation of cadaveric organs, eyes, or tissue for the purpose of facilitating donation and transplantation.

I. Research

We may use or disclose your PHI for research purposes, provided that the research has been approved by an Institutional Review Board ("IRB") or a Privacy Board that has reviewed the research proposal and determined that adequate protocols are in place to ensure the privacy of your PHI, or where the research involves only decedent information, or where data has been de-identified.

J. Serious Threat to Health or Safety

We may use or disclose your PHI when, in good faith, we believe the disclosure is necessary to prevent or lessen a serious and imminent threat to your health or safety or to the health or safety of the public or another person. Disclosure will be made only to a person or persons reasonably able to prevent or lessen the threat, including the target of the threat.

K. Specialized Government Functions

We may disclose your PHI for specialized government functions, including:

• Military and veterans' activities (for members of the armed forces)
• National security and intelligence activities
• Protective services for the President and others
• Medical suitability determinations for the Department of State
• Correctional institution or law enforcement custodial situations

L. Workers' Compensation

We may use or disclose your PHI as authorized by and to the extent necessary to comply with workers' compensation laws and other similar programs providing benefits for work-related injuries or illness.

M. Inmates and Individuals in Custody

If you are an inmate of a correctional institution or under the custody of a law enforcement official, we may disclose your PHI to the correctional institution or law enforcement official for certain purposes, including providing healthcare, protecting health and safety, and law enforcement on the premises.

N. Health-Related Benefits and Services

We may use your PHI to contact you to provide appointment reminders, treatment alternatives, or information about health-related benefits or services that may be of interest to you.

O. Fundraising Activities

We may use or disclose your PHI for fundraising activities, limited to your demographic information and dates of healthcare provided to you, as well as the department or treating physician. You have the right to opt out of receiving fundraising communications. Each fundraising communication will include instructions on how to opt out.

P. Limited Data Set Disclosures

We may use or disclose a limited data set (PHI from which certain identifying information has been removed) for purposes of research, public health, or healthcare operations, subject to a data use agreement.

Q. De-Identified Information and Facility Directory

We may use or disclose information that has been de-identified (i.e., information from which all personal identifiers have been removed) without restriction, as such information is not PHI. We may also use your name, location in the facility, general condition, and religious affiliation for our facility directory, unless you object.

3.3 Uses and Disclosures That Require an Opportunity for You to Agree or Object

A. Facility Directory

Unless you object, we may include certain limited information about you in our facility directory while you are a patient. This information may include your name, location in our facility, your general condition (e.g., good, fair, critical), and your religious affiliation. Directory information, except for your religious affiliation, may be disclosed to people who ask for you by name. Your religious affiliation may be given to a member of the clergy.

B. Individuals Involved in Your Care or Payment for Your Care

Unless you object, we may disclose your PHI to a family member, relative, close friend, or any other person you identify who is involved in your healthcare or payment for your healthcare. We may also disclose your PHI to a person responsible for your care to notify them of your location, general condition, or death. If you are unable to agree or object (e.g., if you are incapacitated or in an emergency), we may disclose PHI as we determine is in your best interest based on our professional judgment.

C. Disaster Relief

We may disclose your PHI to an authorized public or private entity to assist in disaster relief efforts.

3.4 Uses and Disclosures Requiring Your Written Authorization

We will obtain your written authorization before using or disclosing your PHI for the following purposes:

You may revoke your authorization at any time by submitting a written revocation to our Privacy Officer. Your revocation will not affect any uses or disclosures we made in reliance on your authorization while it was in effect. We are unable to take back any disclosures already made with your authorization.

3.5 Special Categories of Information

Certain categories of health information receive additional protections under federal or state law. These additional protections may limit how we use or disclose such information, even for treatment, payment, or healthcare operations.

A. Substance Use Disorder (SUD) Records (42 CFR Part 2)

If we maintain records of substance use disorder treatment, those records are protected by federal regulation 42 CFR Part 2. Effective February 16, 2026, the amended Part 2 regulations align more closely with HIPAA. Key provisions include:

• Single Consent: You may provide a single consent for all future uses and disclosures for treatment, payment, and healthcare operations
• Redisclosure: HIPAA-covered entities and business associates receiving SUD records under consent may redisclose in accordance with the HIPAA regulations, but redisclosure for civil, criminal, administrative, or legislative proceedings against the patient is generally prohibited without separate patient consent or a court order
• SUD Counseling Notes: SUD counseling notes maintained separately from the medical record receive heightened protection similar to psychotherapy notes under HIPAA
• Patient Rights: Part 2 patients have rights to an accounting of disclosures and to request restrictions on certain disclosures
• Breach Notification: HIPAA breach notification requirements apply to Part 2 records held by covered entities and business associates
• Anti-Discrimination: Part 2 records may not be used to discriminate against patients in employment, access to housing, or other contexts

B. HIV/AIDS Information

State-Specific Requirements Apply. [________________________________]
(Insert applicable state law requirements for HIV/AIDS information)

C. Mental Health Information

State-Specific Requirements Apply. [________________________________]
(Insert applicable state law requirements for mental health information)

D. Genetic Information

We will not use or disclose your genetic information for underwriting purposes, as prohibited by the Genetic Information Nondiscrimination Act ("GINA") and the HIPAA Privacy Rule. Genetic information includes information about an individual's genetic tests, the genetic tests of the individual's family members, and the manifestation of a disease or disorder in the individual's family members.

E. Reproductive Health Information

We will not use or disclose your PHI related to reproductive healthcare in a manner prohibited by applicable federal or state law. [________________________________]
(Insert applicable state law requirements for reproductive health information)

F. Minors' Health Information

State-Specific Requirements Apply. [________________________________]
(Insert applicable state law requirements regarding minors' health information)

SECTION 4: YOUR RIGHTS REGARDING YOUR PHI

You have the following rights with respect to your protected health information. To exercise any of these rights, please contact our Privacy Officer in writing at the address listed in Section 2.

4.1 Right to Inspect and Copy Your PHI (45 CFR § 164.524)

You have the right to inspect and obtain a copy of your PHI contained in a "Designated Record Set," which includes medical records, billing records, and other records used to make decisions about your care.

4.2 Right to Request Amendment of Your PHI (45 CFR § 164.526)

You have the right to request that we amend your PHI in a Designated Record Set if you believe the information is incorrect or incomplete.

4.3 Right to an Accounting of Disclosures (45 CFR § 164.528)

You have the right to receive a list (accounting) of certain disclosures of your PHI made by us during the six (6) years prior to your request (or a shorter period if you specify).

The accounting will NOT include disclosures:

• For treatment, payment, or healthcare operations
• Made to you or authorized by you
• Made incident to a use or disclosure otherwise permitted
• For our facility directory or to persons involved in your care
• For national security or intelligence purposes
• To correctional institutions or law enforcement officials in custodial situations
• As part of a limited data set
• That occurred before April 14, 2003

4.4 Right to Request Restrictions (45 CFR § 164.522(a))

You have the right to request that we place additional restrictions on our use or disclosure of your PHI.

• We are generally not required to agree to your request
• However, we MUST agree to your request to restrict disclosure to a health plan if:
• (i) The disclosure is for payment or healthcare operations purposes (not treatment) and is not otherwise required by law; AND
• (ii) The PHI pertains solely to a healthcare item or service for which you (or someone other than the health plan on your behalf) have paid us in full out of pocket
• If we agree to a restriction, we will comply with it except in emergency treatment situations where the restricted PHI is needed to provide treatment
• You or we may terminate a restriction, provided that we notify you; termination applies only to PHI created or received after the termination

4.5 Right to Request Confidential Communications (45 CFR § 164.522(b))

You have the right to request that we communicate with you about your health matters in a particular way or at a particular location.

• For example, you may request that we contact you only at your work address or by mail instead of by telephone
• We will accommodate all reasonable requests
• We will not ask you the reason for your request
• Your request must specify how or where you wish to be contacted

4.6 Right to a Paper Copy of This Notice

You have the right to obtain a paper copy of this Notice upon request at any time, even if you have previously agreed to receive the Notice electronically.

4.7 Right to Be Notified of a Breach (45 CFR §§ 164.404-164.408)

You have the right to be notified if we (or one of our business associates) discover a breach of your unsecured PHI.

4.8 Right to Complain

If you believe your privacy rights have been violated, you have the right to file a complaint with us and with the Secretary of the U.S. Department of Health and Human Services. See Section 2 above for complaint contact information. We will not retaliate against you for filing a complaint.

4.9 Personal Representatives

If you have a personal representative (such as a legal guardian, healthcare power of attorney, or a parent of a minor child), that individual has the right to exercise your rights and act on your behalf with respect to your PHI. We will verify the authority and identity of personal representatives before granting access. We may decline to treat a person as your personal representative if we reasonably believe the individual has subjected you to domestic violence, abuse, or neglect, or that treating such person as your personal representative could endanger you.

SECTION 5: OUR LEGAL DUTIES

We are required by law to:

☐ Maintain the privacy of your PHI as required by the HIPAA Privacy Rule and applicable state law

☐ Provide you with this Notice of our legal duties and privacy practices with respect to your PHI

☐ Notify you following a breach of your unsecured PHI in accordance with the HIPAA Breach Notification Rule

☐ Abide by the terms of this Notice that is currently in effect

☐ Obtain your written acknowledgment of receipt of this Notice, or document our good faith efforts to obtain it (for covered healthcare providers with a direct treatment relationship)

☐ Apply the minimum necessary standard when using or disclosing PHI, or when requesting PHI from another covered entity or business associate (except for disclosures to or requests by a healthcare provider for treatment, disclosures to the individual, uses or disclosures made pursuant to an authorization, disclosures to HHS, uses or disclosures required by law, and other exceptions specified in 45 CFR § 164.502(b))

☐ Enter into business associate agreements with entities that perform functions or activities on our behalf involving PHI

☐ Mitigate, to the extent practicable, any harmful effect we learn of from a use or disclosure of your PHI in violation of our policies and procedures or the HIPAA Privacy Rule

SECTION 6: CHANGES TO THIS NOTICE

We reserve the right to change this Notice at any time. We reserve the right to make the revised or changed Notice effective for PHI we already have about you as well as any PHI we receive in the future.

When we make a material change to this Notice, we will:

☐ Post the revised Notice in a clear and prominent location in our facility

☐ Post the revised Notice on our website at: [________________________________]

☐ Make copies of the revised Notice available upon request at our office

☐ Provide the revised Notice on or before the effective date of the change

☐ Promptly revise and distribute the Notice as required by 45 CFR § 164.520(b)(3)

For Health Plans Only (if applicable):

☐ Provide the revised Notice to enrollees within 60 days of the material revision

SECTION 7: COMPLIANCE WITH STATE LAW

Where state law provides greater privacy protections or grants individuals greater rights than the HIPAA Privacy Rule, we will comply with the more stringent state law requirements. The following categories of information may have additional protections under your state's law:

Applicable State: [________________________________]

State-Specific Provisions:

[________________________________]

SECTION 8: USES AND DISCLOSURES OF SUBSTANCE USE DISORDER RECORDS

Applicability: ☐ This section applies to our organization ☐ This section does not apply

If we maintain records relating to substance use disorder ("SUD") treatment that are protected under 42 CFR Part 2, the following additional provisions apply:

Consent: With your written consent, we may use and disclose your SUD treatment records for treatment, payment, and healthcare operations. A single consent may cover all future uses and disclosures for these purposes.

Redisclosure: Entities that receive your SUD records under a valid consent may further disclose them in accordance with HIPAA, except that:

• SUD records may not be used in civil, criminal, administrative, or legislative proceedings against you without your separate written consent or a court order under 42 CFR § 2.64
• Certain investigative agencies may receive SUD records only under court order for investigation of an extremely serious crime or for the purpose of auditing or evaluating a Part 2 program

SUD Counseling Notes: SUD counseling notes (notes by a SUD or mental health professional documenting the contents of private, group, joint, or family SUD counseling sessions, maintained separately from the medical record) may not be used or disclosed without your specific authorization, subject to limited exceptions.

Anti-Discrimination: Information from your SUD records may not be used to discriminate against you in connection with employment, access to housing, or other rights protected by law.

Your Rights Under Part 2:

☐ Right to receive a copy of the Part 2 Patient Notice

☐ Right to request an accounting of disclosures of your SUD records

☐ Right to request restrictions on the use and disclosure of your SUD records

☐ Right to revoke consent for disclosure of your SUD records (prospectively only)

☐ Right to file a complaint with the Secretary of HHS if you believe your Part 2 rights have been violated

SECTION 9: ORGANIZED HEALTHCARE ARRANGEMENT

Applicability: ☐ This section applies ☐ This section does not apply

[________________________________] participates in an organized healthcare arrangement ("OHCA") with the following entities:

[________________________________]

The participants in the OHCA will share PHI with each other as necessary for the joint healthcare operations of the OHCA, including quality assessment and improvement, credentialing, and training. This Notice applies to all participants in the OHCA.

SECTION 10: QUESTIONS ABOUT THIS NOTICE

If you have any questions about this Notice, our privacy practices, or your rights under HIPAA, please contact:

ACKNOWLEDGMENT OF RECEIPT OF NOTICE OF PRIVACY PRACTICES

Patient / Individual Acknowledgment

I acknowledge that I have received a copy of the Notice of Privacy Practices of [________________________________].

I understand that this Notice describes how my protected health information may be used and disclosed and that I have certain rights regarding my PHI as described in the Notice.

If signed by a Personal Representative:

Provider / Staff Documentation

I have provided the patient (or personal representative) with a copy of the Notice of Privacy Practices and made a good faith effort to obtain written acknowledgment of receipt:

☐ Written acknowledgment obtained (see above)

☐ Written acknowledgment not obtained; reason documented below

Staff Member Name (Printed): [________________________________]

Staff Member Signature: [________________________________]

Date: [__/__/____]

If Acknowledgment Was Not Obtained

Document the reason and the good faith effort made to obtain acknowledgment:

POSTING AND DISTRIBUTION REQUIREMENTS CHECKLIST

For Healthcare Providers with a Direct Treatment Relationship (45 CFR § 164.520(c)(2))

☐ Notice provided to each individual no later than the date of first service delivery (including electronic service delivery)

☐ Notice posted in a clear and prominent location where it is reasonable to expect individuals seeking service to be able to read the notice

☐ Notice posted prominently on our website (if we maintain a website)

☐ Copy of Notice available for individuals to take with them

☐ Good faith effort made to obtain written acknowledgment of receipt

☐ If Notice is revised, revised Notice made available upon request on or after the effective date of the revision

For Health Plans (45 CFR § 164.520(c)(1))

☐ Notice provided to each individual at enrollment

☐ Revised Notice provided within 60 days of material revision

☐ Notice provided to individuals upon request

☐ Notice posted prominently on website (if applicable)

☐ Notice provided to new enrollees at time of enrollment

For Healthcare Clearinghouses (45 CFR § 164.520(c)(2))

☐ Notice posted on website (if applicable)

☐ Notice provided to individuals upon request

For Electronic Notice (45 CFR § 164.520(c)(3))

☐ Individual has agreed to electronic notice

☐ Electronic notice provided in a manner that complies with applicable requirements

☐ Paper copy available upon request even if electronic notice has been agreed to

Additional Compliance Items

☐ Notice reviewed and updated at least annually

☐ All staff trained on Notice content and patient privacy rights

☐ Privacy Officer designated and identified in the Notice

☐ Business associate agreements in place for all applicable business associates

☐ 42 CFR Part 2 provisions incorporated (if applicable) per February 16, 2026 compliance deadline

☐ State-specific provisions reviewed and incorporated

☐ Complaint process established and documented

☐ Breach notification procedures in place

This Notice is effective as of [__/__/____] and will remain in effect until replaced by a revised Notice.

This Notice was last revised on [__/__/____].

Sources and References

• 45 CFR § 164.520 - Notice of Privacy Practices for Protected Health Information (eCFR)
• HHS.gov - Notice of Privacy Practices for Protected Health Information
• HHS.gov - Model Notices of Privacy Practices
• HHS.gov - Model Notice of Privacy Practices for HIPAA Covered Health Care Provider
• HHS.gov - Summary of the HIPAA Privacy Rule
• HHS.gov - Individuals' Right under HIPAA to Access their Health Information
• HHS.gov - Fact Sheet: 42 CFR Part 2 Final Rule
• HHS.gov - Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records
• HHS.gov - Your Rights Under HIPAA
• HHS.gov - Notice of Privacy Practice FAQs
• HHS.gov - Personal Representatives
• 45 CFR Part 164, Subpart E - Privacy of Individually Identifiable Health Information (eCFR)
• 42 CFR Part 2 - Confidentiality of Substance Use Disorder Patient Records (eCFR)
• Federal Register - Confidentiality of Substance Use Disorder (SUD) Patient Records Final Rule (2024)
• 45 CFR § 164.520 - LII / Legal Information Institute