Skip to main content
U.S. flag

An official website of the United States government

Return to Search

Notice of Privacy Practices

This is information regarding the HIPPA Notice of Privacy Practices requirement. The target audience is everyone who access health care services.

Final

Issued by: Office for Civil Rights (OCR)

Notice of Privacy Practices

YouTube embedded video: HHS OCR - Explaining the Notice of Privacy Practices

What is the HIPAA notice I receive from my doctor and health plan?

Your health care provider and health plan must give you a notice that tells you how they may use and share your health information. It must also include your health privacy rights. In most cases, you should receive the notice on your first visit to a provider or in the mail from your health plan. You can also ask for a copy at any time.

Why do I have to sign a form?

The law requires your doctor, hospital, or other health care provider to ask you to state in writing that you received the notice.

  • The law does not require you to sign the “acknowledgement of receipt of the notice.” 
  • Signing does not mean that you have agreed to any special uses or disclosures (sharing) of your health records. 
  • Refusing to sign the acknowledgement does not prevent a provider or plan from using or disclosing health information as HIPAA permits. 
  • If you refuse to sign the acknowledgement, the provider must keep a record of this fact.

What is in the Notice?

Hospital WorkersThe notice must describe:

  • How the Privacy Rule allows provider to use and disclose protected health information. It must also explain that your permission (authorization) is necessary before your health records are shared for any other reason
  • The organization’s duties to protect health information privacy
  • Your privacy rights, including the right to complain to HHS and to the organization if you believe your privacy rights have been violated
  • How to contact the organization for more information and to make a complaint

When and how can I receive a Notice of Privacy Practices?

You’ll usually receive notice at your first appointment. In an emergency, you should receive notice as soon as possible after the emergency.

The notice must also be posted in a clear and easy to find location where patients are able to see it, and a copy must be provided to anyone who asks for one.

If an organization has a website, it must post the notice there.

A health plan must give its notice to you at enrollment. It must also send a reminder at least once every three years that you can ask for the notice at any time.

A health plan can give the notice to the “named insured” (subscriber for coverage). It does not also have to give separate notices to spouses and dependents.

 

HHS is committed to making its websites and documents accessible to the widest possible audience, including individuals with disabilities. We are in the process of retroactively making some documents accessible. If you need assistance accessing an accessible version of this document, please reach out to the guidance@hhs.gov.

DISCLAIMER: The contents of this database lack the force and effect of law, except as authorized by law (including Medicare Advantage Rate Announcements and Advance Notices) or as specifically incorporated into a contract. The Department may not cite, use, or rely on any guidance that is not posted on the guidance repository, except to establish historical facts.