Notice of Privacy Practices for Therapists: HIPAA Requirements & Template Guide

Learn what a Notice of Privacy Practices (NPP) must include for your therapy practice. Covers HIPAA requirements, client rights, and how to create a compliant NPP.

Last updated: January 2026

Every mental health practice that qualifies as a HIPAA covered entity must provide clients with a Notice of Privacy Practices (NPP). This document explains how you collect, use, store, and share protected health information (PHI)—and it must be provided before or at the first appointment.

Getting the NPP right matters. It establishes transparency with clients, protects your practice from compliance violations, and fulfills a core HIPAA Privacy Rule requirement. This guide covers what your NPP must include, when to provide it, and how to document client acknowledgment.


What Is a Notice of Privacy Practices?

The Notice of Privacy Practices is a written document required under the HIPAA Privacy Rule (45 CFR 164.520). It informs clients about how their health information may be used and disclosed, explains their privacy rights, and describes your practice's legal duties regarding PHI protection.

Unlike informed consent for treatment—which addresses the therapeutic process itself—the NPP focuses specifically on information handling. Both documents are required, but they serve different purposes.

The NPP requirement applies to covered entities, which include any therapist who transmits health information electronically in connection with HIPAA-covered transactions. If you submit electronic insurance claims, you're a covered entity and must provide an NPP to every client.


Required Elements of a Therapy Practice NPP

HIPAA specifies that your Notice of Privacy Practices must contain certain elements. Missing any of these can result in compliance violations.

Header Requirements

Your NPP must begin with a header that includes the phrase "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." This exact language (or substantially similar wording) is required by regulation.

Uses and Disclosures Without Authorization

Explain the categories where PHI may be used or disclosed without requiring separate client authorization. For therapy practices, these typically include treatment (sharing information with other providers involved in your client's care), payment (submitting claims to insurance companies), and healthcare operations (quality improvement, training, compliance activities).

Your NPP should also describe other situations where disclosure may occur without authorization, such as when required by law, for public health activities, to report abuse or neglect, for health oversight activities, for judicial proceedings, to avert serious threats to health or safety, and for specialized government functions.

Uses and Disclosures Requiring Authorization

Identify categories that require written client authorization before disclosure. For therapy practices, two categories deserve special attention: psychotherapy notes (which have heightened protections under HIPAA) and marketing communications.

Any use or disclosure not covered by treatment, payment, healthcare operations, or the specific exceptions listed above requires written authorization from the client.

Client Rights

Your NPP must explain each of the following rights. Clients have the right to access and obtain copies of their PHI, with some exceptions for psychotherapy notes. They can request restrictions on certain uses or disclosures, though you're not required to agree to all restriction requests. Clients may request amendments to their records if they believe information is incorrect. They can request confidential communications through alternative means or locations. They have the right to receive an accounting of disclosures made in the prior six years. Finally, clients may file complaints with your practice or with the Department of Health and Human Services if they believe their privacy rights were violated.

Practice Duties

State that your practice is required by law to maintain the privacy of PHI, provide the NPP to clients, notify affected individuals following a breach of unsecured PHI, and abide by the terms of the current NPP.

Changes to the Notice

Include a statement that you reserve the right to change the NPP and that revised notices will apply to PHI already maintained. Describe how clients will be notified of changes—typically by posting the new notice in your office and on your website, with copies available upon request.

Contact Information

Provide the name, title, and contact information for the person clients should contact with questions, complaints, or requests related to their privacy rights. In a solo practice, this is typically yourself as the designated Privacy Officer.

Effective Date

Include the date the NPP becomes effective.


When to Provide the NPP

HIPAA requires that you provide the NPP no later than the date of first service delivery. For therapy practices, this means providing it at or before the initial session.

Best practice is to include the NPP in your intake paperwork and obtain written acknowledgment before the first appointment. Many EHR systems and client portals can automate this process by requiring clients to review and acknowledge the NPP during online intake.

If a client refuses to sign the acknowledgment, you can still provide services. Document that you offered the NPP, that the client refused to sign, and the date and reason for refusal if known. Keep this documentation in the client's record.

You must also make the NPP available to anyone who requests it and post it prominently in your office. If you maintain a website with information about your practice's services or benefits, you must post the NPP there as well.


NPP Acknowledgment Documentation

While HIPAA doesn't require client signatures on the NPP itself, you must make a "good faith effort" to obtain written acknowledgment that the client received the notice. This acknowledgment should be a separate form from the NPP—not embedded within it.

The acknowledgment form should state that the client received a copy of your Notice of Privacy Practices, include the date, and provide a signature line. Keep signed acknowledgments in client records for at least six years from the date of creation or the date when the notice was last in effect, whichever is later.

If you use electronic acknowledgment through a client portal, ensure your system captures a timestamp and some form of electronic signature or confirmation. The electronic record must be retrievable and printable if needed for an audit.

Sample Acknowledgment Language

I acknowledge that I have received a copy of [Practice Name]'s Notice of Privacy Practices. I understand that this notice describes how my health information may be used and disclosed, and how I can access this information.

Client Signature: _______________ Date: ___________


State Law Considerations

HIPAA establishes a federal floor for privacy protections, but state laws may impose additional requirements. When state law is more protective of client privacy than HIPAA, the state law takes precedence.

For example, some states require specific language in privacy notices related to mental health records, substance use disorder treatment records, or records involving minors. Review your state's health privacy laws and licensing board requirements to ensure your NPP addresses all applicable regulations.

Many states also have their own breach notification requirements that may differ from HIPAA's federal rules. Your NPP should reflect the most protective standard applicable to your practice.


Common NPP Mistakes to Avoid

Several errors frequently appear in therapy practice NPPs. Using an outdated template that doesn't reflect current HIPAA regulations is common—the Privacy Rule has been amended multiple times since 2003, and your NPP should reference current requirements including breach notification obligations.

Some therapists copy NPPs designed for large healthcare organizations that include provisions irrelevant to private practice, such as references to hospital directories or organ donation. This creates confusion and suggests lack of attention to compliance.

Failing to update the NPP when practice operations change is another mistake. If you add telehealth services, bring on new business associates, or change how you handle certain types of disclosures, your NPP should reflect those changes.

Finally, forgetting to document acknowledgment—or failing to note when clients decline to sign—creates compliance gaps that can be problematic during audits.


Maintaining Your NPP Over Time

Review your NPP annually as part of your HIPAA compliance activities. Check for any regulatory changes that require updates, confirm that contact information and office locations remain accurate, verify that described practices match your actual operations, and ensure consistency with your other HIPAA policies and procedures.

When you update your NPP, post the new version in your office, update your website, and begin providing the revised notice to new clients. You're not required to re-obtain acknowledgments from existing clients when the NPP changes, but making the updated notice available demonstrates ongoing compliance.


How Practice Management Software Can Help

Modern practice management platforms can streamline NPP compliance by automating delivery during client intake, capturing electronic acknowledgments with timestamps, storing acknowledgment records within client files, tracking which clients have and haven't acknowledged the NPP, and alerting you when it's time for annual review.

This automation reduces administrative burden while creating clear documentation of your compliance efforts.


The Notice of Privacy Practices isn't just a regulatory requirement—it's a transparency tool that builds trust with clients. A well-crafted NPP demonstrates your commitment to protecting client information while ensuring your practice meets HIPAA obligations from the very first appointment.