HIPAA Notice of Privacy Practices Template for Therapists

Practice Forms|11 min read|Updated 2026-03-20|Clinically reviewed

What Is a HIPAA Notice of Privacy Practices?

A Notice of Privacy Practices (NPP) is a document required by the HIPAA Privacy Rule (45 CFR 164.520) that informs clients about how their protected health information (PHI) may be used and disclosed by your practice. It also explains clients' rights regarding their own health information — including the right to access records, request amendments, request restrictions, and file complaints.

For mental health professionals, the NPP carries particular weight because the therapeutic relationship depends on trust, and clients need to understand exactly how their sensitive information will be handled. Unlike informed consent — which is governed by state law and professional ethics codes — the NPP is a federal requirement with specific mandatory elements that must be included verbatim or in substance.

The NPP is not simply a formality. The Office for Civil Rights (OCR) at HHS actively enforces HIPAA requirements, and failure to maintain and distribute a compliant NPP can result in corrective action plans and civil monetary penalties ranging from $141 to $2,134,831 per violation category per year, depending on the level of culpability.

When You Need It

  • At the start of treatment with every new client, before or at the first session
  • Posted in a clear and prominent location in your physical office (waiting room or reception area)
  • On your practice website if you maintain one (the NPP must be prominently posted, not buried)
  • Whenever you make a material change to your privacy practices (the revised NPP must then be distributed)
  • When a client requests a copy at any point during or after treatment
  • When opening a new practice location or expanding to telehealth services

Key Components / What to Include

1. Header Statement

The NPP must begin with a header that reads, in substance: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." This language is required by 45 CFR 164.520(b)(1)(i) and should appear prominently at the top of the document.

2. Uses and Disclosures for Treatment, Payment, and Health Care Operations (TPO)

Describe how PHI may be used for treatment (sharing information with other providers involved in care), payment (submitting claims to insurance), and health care operations (quality improvement, training, audits). Provide at least one example for each category.

3. Uses and Disclosures Requiring Authorization

Explain that most uses and disclosures of PHI beyond TPO require the client's written authorization. For mental health practices, emphasize that psychotherapy notes require a separate, specific authorization for disclosure — they cannot be released under a general authorization.

4. Uses and Disclosures Without Authorization

List situations where PHI may be disclosed without client authorization, including: as required by law, for public health activities, to report abuse or neglect, for health oversight activities, in response to court orders, for law enforcement purposes, to avert a serious threat to health or safety (duty to warn), for workers' compensation, and to coroners or funeral directors.

5. Client Rights

The following rights must be described:

  • Right to access — clients can inspect and obtain copies of their PHI
  • Right to request amendments — clients can request corrections to their records
  • Right to an accounting of disclosures — clients can request a list of non-TPO disclosures
  • Right to request restrictions — clients can request limits on certain uses and disclosures
  • Right to request confidential communications — clients can request to receive communications by alternative means or at alternative locations
  • Right to a paper copy — clients can request a paper copy of the NPP at any time

6. Practice Duties

State that your practice is required by law to maintain the privacy of PHI, to provide this notice, and to abide by its terms. State that the practice reserves the right to change its privacy practices and that a revised notice will be made available.

7. Contact Information and Complaints

Provide the name and contact information for your privacy officer (in solo practice, this is typically you), and inform clients of their right to file a complaint with you and with the Secretary of HHS. Include the HHS complaint contact information.

Notice of Privacy Practices — Private Practice Therapist

[PRACTICE NAME]
NOTICE OF PRIVACY PRACTICES
Effective Date: January 1, 2026

THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.

I. My Commitment to Your Privacy

I, [Clinician Name], [Credentials, e.g., LCSW, LPC, PhD], am committed to protecting the privacy of your health information. This Notice of Privacy Practices describes how I may use and disclose your protected health information (PHI) and your rights regarding that information. I am required by the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to provide you with this notice and to follow its terms.

II. How I May Use and Disclose Your Health Information

For Treatment: I may use or disclose your PHI to provide, coordinate, or manage your mental health treatment. For example, if I refer you to a psychiatrist for a medication evaluation, I may share relevant clinical information with that provider to facilitate your care.

For Payment: I may use or disclose your PHI to obtain reimbursement for services I provide. For example, I may submit your diagnosis and treatment dates to your insurance company for payment of session fees.

For Health Care Operations: I may use or disclose your PHI for practice operations such as quality improvement, professional consultation (with identifying information removed when possible), training, and compliance activities.

III. Uses and Disclosures Requiring Your Written Authorization

Most uses and disclosures of your PHI — other than for treatment, payment, and health care operations — require your written authorization. In particular:

  • Psychotherapy Notes: My personal session notes (psychotherapy notes), if I keep them, are maintained separately from your clinical record and receive heightened protection under HIPAA. I will not disclose psychotherapy notes without your specific written authorization, except in limited circumstances permitted by law (e.g., for my own use in treatment, to defend myself in legal proceedings, for HHS oversight, or as required by law).
  • Marketing and Sale of PHI: I will never use your information for marketing purposes or sell your PHI.

You may revoke any authorization in writing at any time, except to the extent that I have already acted in reliance on it.

IV. Uses and Disclosures Not Requiring Authorization

I may use or disclose your PHI without your authorization in the following circumstances:

  • As Required by Law: When federal, state, or local law mandates disclosure.
  • Abuse or Neglect Reporting: If I have reasonable cause to believe a child, elderly person, or dependent adult is being abused or neglected, I am required by law to report to the appropriate authorities.
  • Serious Threat to Health or Safety: If I believe you pose an imminent danger to yourself or others, I may disclose relevant information to appropriate persons to prevent harm (consistent with duty to warn/protect laws in [State]).
  • Judicial and Administrative Proceedings: In response to a valid court order. I will resist subpoenas that are not accompanied by a court order or your authorization, consistent with applicable law.
  • Law Enforcement: In limited circumstances required by law, such as reporting certain types of wounds or injuries.
  • Health Oversight: To a health oversight agency for activities authorized by law, such as audits, investigations, or licensure proceedings.
  • Coroners, Funeral Directors, Organ Donation: As required by law.
  • Workers' Compensation: To comply with workers' compensation laws.

V. Your Rights Regarding Your Health Information

  • Right to Access: You have the right to inspect and obtain a copy of your clinical record. I may charge a reasonable fee for copying. Requests must be made in writing. In limited circumstances, I may deny access (e.g., if I determine that access would be harmful to you), and you have the right to have that denial reviewed.
  • Right to Request Amendments: You have the right to request that I amend your clinical record. I may deny the request if I did not create the record, if the information is accurate and complete, or if the information is not part of the record you are permitted to inspect. Requests must be made in writing with a supporting reason.
  • Right to an Accounting of Disclosures: You may request a list of disclosures I have made of your PHI, other than for treatment, payment, health care operations, and certain other exceptions. Requests must be made in writing.
  • Right to Request Restrictions: You may request restrictions on certain uses and disclosures of your PHI. I am not required to agree to a restriction unless you pay for a service entirely out of pocket and request that I not disclose that information to your health plan.
  • Right to Confidential Communications: You may request that I communicate with you by alternative means or at alternative locations (for example, only at a specific phone number or by mail to a specific address).
  • Right to a Paper Copy: You may request a paper copy of this notice at any time.

VI. Changes to This Notice

I reserve the right to change the terms of this Notice and to make the new provisions effective for all PHI I maintain. If I make a material change, I will make the revised Notice available to you at your next session and post it in my office and on my website.

VII. Complaints

If you believe your privacy rights have been violated, you may file a complaint with me directly or with the Secretary of the U.S. Department of Health and Human Services. There will be no retaliation for filing a complaint.

Contact for complaints:
[Clinician Name], Privacy Officer
[Practice Address]
[Phone Number]
[Email Address]

U.S. Department of Health and Human Services
Office for Civil Rights
200 Independence Avenue, S.W.
Washington, D.C. 20201
1-877-696-6775
www.hhs.gov/ocr/privacy/hipaa/complaints

This is a sample for educational purposes only — not real patient data.

How to Implement It

Step 1: Customize the template. Replace all bracketed fields with your specific information. Review your state's laws for any additional disclosure requirements beyond the federal HIPAA baseline — several states (including California, Texas, and Connecticut) have stricter privacy laws that must be reflected in your NPP.

Step 2: Have the document reviewed. Before distributing, have your NPP reviewed by a healthcare attorney or your malpractice insurance carrier's risk management team. Many carriers offer free document review for policyholders.

Step 3: Create an acknowledgment form. Prepare a separate, brief acknowledgment form that states: "I acknowledge that I have received a copy of the Notice of Privacy Practices for [Practice Name]." Include a signature line, date line, and a space to document if the client declined to sign and why.

Step 4: Distribute at intake. Provide the NPP to every new client at or before the first appointment. Obtain the signed acknowledgment and file it in the client's record. If the client declines to sign, note the date, the method of delivery, and the reason for refusal.

Step 5: Post prominently. Display the NPP in your waiting room and on your website. The full text must be available — not just a summary or link.

Step 6: Maintain version control. Date every version of your NPP. When you issue a revised version, document the date of revision and make good faith efforts to distribute it to current clients. Keep copies of all prior versions for your records.

Common Mistakes

Copying a medical practice NPP without modification. Generic medical NPPs typically do not address psychotherapy notes, substance use disorder records (42 CFR Part 2), or the specific confidentiality concerns in mental health treatment. Your NPP must reflect the heightened protections that apply to behavioral health information.

Failing to include the required header language. The HIPAA Privacy Rule specifically requires the header statement about how medical information may be used and disclosed. Omitting it or using substantially different language creates a compliance deficiency.

Not updating the NPP when laws change. The 2013 Omnibus Rule made significant changes to HIPAA, and many practices still have pre-2013 notices in circulation. Your NPP should reflect all current requirements, including breach notification obligations and the patient's right to restrict disclosures to health plans for services paid out of pocket.

Confusing the NPP with informed consent. These are separate documents serving different legal frameworks. Providing one does not satisfy the requirement for the other. Clients should receive both, and the language in each should be consistent regarding confidentiality and its limits.

Failing to document acknowledgment of receipt. Many practices hand out the NPP but do not maintain a signed acknowledgment. HIPAA requires a good faith effort to obtain written acknowledgment. Without documentation, you cannot demonstrate compliance during an audit or investigation.

Omitting the complaint process. The NPP must include instructions for how to file a complaint both with your practice and with HHS. This is a mandatory element, not optional.
