If you've encountered the question "the blank describes how PHI may be used" in a HIPAA training module or certification exam, you're wrestling with one of the most fundamental concepts in healthcare privacy law. The answer is the Notice of Privacy Practices (NPP), and getting this wrong isn't just an academic mistake. The individual rights the notice spells out are enforceable: in 2011, OCR imposed a $4.3 million civil money penalty on Cignet Health for denying patients access to their medical records and then failing to cooperate with the investigation. Understanding this document isn't optional for your workforce.

The Blank Describes How PHI May Be Used: It's the Notice of Privacy Practices

Under the HIPAA Privacy Rule (45 CFR §164.520), a covered entity must develop and, with limited exceptions, distribute a Notice of Privacy Practices. This document is the definitive description of how protected health information may be used and disclosed by your organization. It tells patients, in plain language, what happens with their most sensitive data. The exam question is phrased the way it is because the rule prescribes the notice's header: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."

The NPP must explain, with examples, the uses and disclosures of PHI for treatment, payment, and healthcare operations, along with the other purposes for which PHI may be used or disclosed without the individual's authorization. It must also describe the individual's rights, including the right to request restrictions, to access and amend their records, to receive an accounting of disclosures, and to file complaints with the covered entity and with HHS. For providers with a direct treatment relationship, it must be provided to every patient no later than the first service delivery.

What the Privacy Rule Actually Requires in Your NPP

The requirements under 45 CFR §164.520(b) are specific. Your Notice of Privacy Practices must include:

  • The prescribed header statement that the notice describes how medical information about the individual may be used and disclosed and how they can get access to it
  • A description, with at least one example, of the types of uses and disclosures the covered entity may make for treatment, payment, and healthcare operations
  • A description of each other purpose for which the covered entity is permitted or required to use or disclose PHI without individual authorization
  • A statement that other uses and disclosures will be made only with the individual's written authorization, that the authorization may be revoked, and that most marketing uses and any sale of PHI require such authorization
  • A statement of the individual's rights with respect to their PHI: to request restrictions, to request confidential communications, to access and amend records, to an accounting of disclosures, and to obtain a paper copy of the notice
  • The covered entity's legal duties regarding PHI, including the duty to abide by the terms of the notice currently in effect and to notify affected individuals following a breach of unsecured PHI
  • How to complain to the covered entity and to the Secretary of HHS, with a statement that the individual will not be retaliated against for complaining
  • A point of contact for further information: the name or title and telephone number of a specific person or office
  • An effective date, which auditors check for and which must be present on every version of the notice

Healthcare organizations consistently struggle with the specificity requirement. A vague statement like "we may share your information for business purposes" doesn't satisfy the rule. Your NPP must be granular enough for a patient to understand what will actually happen with their data, and it must not promise less than the rule requires or more than you actually do.

Distribution Requirements That Trigger OCR Enforcement

Writing a compliant Notice of Privacy Practices is only half the battle. The Privacy Rule mandates specific distribution methods depending on your entity type.

Healthcare providers with direct treatment relationships must provide the notice no later than the first date of service delivery (in an emergency, as soon as reasonably practicable afterward; for electronic service delivery, electronically at the first encounter). They must make a good faith effort to obtain the patient's written acknowledgment of receipt. That acknowledgment must be retained for six years under 45 CFR §164.530(j), and if the patient declines to sign, you must document the good faith attempt and the reason it was not obtained. The notice must also be posted prominently at the service site and be available on request.

Health plans must distribute the NPP at enrollment and within 60 days of any material revision. They must also notify members at least once every three years that the notice is available and how to obtain it.

In my work with covered entities, I've seen organizations penalized not because their notice was poorly written, but because they couldn't prove they distributed it. OCR doesn't accept "we always hand it out" as evidence. You need documented processes and signed acknowledgments — or documented refusals.

How the NPP Connects to the Minimum Necessary Standard

The Notice of Privacy Practices doesn't exist in isolation. It works in tandem with the minimum necessary standard (45 CFR §164.502(b)), which requires your organization to limit PHI uses, disclosures, and requests to what is needed for a specific purpose. The standard has defined exceptions: it does not apply to disclosures to or requests by a provider for treatment, disclosures to the individual, or uses and disclosures made under a valid authorization.

Your NPP tells patients what you may do with their information. The minimum necessary standard governs how much information you actually use. Together, they form the backbone of HIPAA's privacy framework. When your workforce doesn't understand both, violations become almost inevitable.

Business Associates and the NPP Obligation

A common misconception is that business associates must issue their own Notice of Privacy Practices. They don't. The NPP obligation falls on the covered entity. However, a business associate may not use or disclose PHI in any way that would violate the Privacy Rule if the covered entity did it, and its Business Associate Agreement must limit it to the uses and disclosures the covered entity has authorized, which in turn cannot exceed what the covered entity's notice describes.

If your organization shares PHI with billing companies, cloud storage providers, or IT vendors, those business associates must handle data consistent with what your NPP promises patients. A disconnect between your notice and your vendor contracts is a HIPAA violation waiting to happen.

The Workforce Training Requirement Most Organizations Underestimate

The Privacy Rule (45 CFR §164.530(b)) requires you to train every member of your workforce, including volunteers, trainees, and part-time staff, on your privacy policies and procedures as necessary for their functions. Because the NPP is the public statement of those policies, that training must cover what the notice says and how it governs daily operations, and OCR audits look for evidence that it does.

This isn't a one-time checkbox. The Privacy Rule requires training within a reasonable period after a person joins the workforce and again, within a reasonable period, whenever a material change to policies or procedures affects their functions. If you update your NPP, your workforce must be retrained on the changes, and the training must be documented. A robust HIPAA training and certification program ensures every team member understands how PHI may be used and what the Notice of Privacy Practices promises your patients.

Conduct a Risk Analysis That Includes Your NPP Process

The Security Rule's risk analysis (45 CFR §164.308(a)(1)) addresses electronic PHI and must be reviewed periodically; the NPP process is a Privacy Rule administrative requirement, but the same periodic review discipline should cover it. Are signed acknowledgments stored securely and retained for six years? Is the current notice prominently posted on your website, as 45 CFR §164.520(c)(3) requires when your site describes your services or benefits? Are revisions tracked with effective dates, and is the superseded version kept?

These are the operational details that separate compliant organizations from those facing corrective action plans. OCR's audit protocol explicitly includes NPP compliance as a review area — and auditors look at both the content of the notice and the evidence of distribution.

Take Action Before OCR Comes Knocking

The Notice of Privacy Practices is the document that describes how PHI may be used by your covered entity. It's the answer to the training question, and it's the foundation of your relationship with every patient who trusts you with their data.

Review your current NPP against the requirements in 45 CFR §164.520. Verify your distribution and acknowledgment records, and that they cover the six-year retention period. Confirm your workforce understands what the notice promises. If any of these areas have gaps, invest in workforce HIPAA compliance through HIPAACertify to bring your entire organization up to standard, before a breach or complaint forces you to.