In 2022, OCR settled with a dental practice in New England for $50,000 — not because of a data breach, but because the practice failed to provide patients with an adequate notice of privacy practices as required under the HIPAA Privacy Rule. The document was outdated, missing required elements added by the Omnibus Rule, and had never been revised since the practice opened in 2009. It's the kind of enforcement action that catches healthcare organizations off guard because most assume their notice of privacy practices is a "set it and forget it" document.

It isn't. And OCR has made that abundantly clear.

What the Notice of Privacy Practices Must Include Under HIPAA

The notice of privacy practices (NPP) requirement lives in 45 CFR §164.520. Every covered entity — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically — must develop, maintain, and distribute this document to individuals.

At minimum, your NPP must describe:

  • How your organization may use and disclose protected health information (PHI) for treatment, payment, and healthcare operations
  • The individual's rights regarding their PHI, including the right to access, amend, and receive an accounting of disclosures
  • Your organization's duties to protect PHI and abide by the terms of the notice
  • How to file a complaint with your organization and with the Secretary of HHS
  • A point of contact — name or title, plus a phone number — for further information
  • The effective date of the notice

The 2013 Omnibus Rule added critical requirements, including language about breach notification, the right to restrict disclosures to health plans when a patient pays out of pocket in full, and restrictions on the sale of PHI. If your notice hasn't been updated since before January 2013, you're already out of compliance.

The Workforce Training Requirement Most Organizations Underestimate

Distributing the notice of privacy practices isn't just a front-desk responsibility. Under 45 CFR §164.530(b), your workforce must be trained on your organization's privacy policies and procedures — and that includes understanding the NPP well enough to answer patient questions about it.

In my work with covered entities, I consistently see organizations that hand a notice to patients but can't explain what it says. OCR investigators notice this too. During compliance reviews, they ask staff members about the organization's privacy practices to evaluate whether meaningful training has occurred.

Investing in structured HIPAA training and certification for your entire workforce ensures that every team member — from the intake coordinator to the billing department — understands the notice and the patient rights it describes.

Distribution Rules That Trip Up Covered Entities

Healthcare providers with a direct treatment relationship must provide the NPP no later than the first date of service delivery. For health plans, the notice must be sent at enrollment and again within 60 days of any material revision.

Here's where mistakes pile up:

  • Electronic distribution: You may email the notice if the individual agrees in advance. Posting it on your website alone does not satisfy the distribution requirement for providers — you must still make a good-faith effort to obtain a written acknowledgment.
  • Acknowledgment vs. consent: The Privacy Rule requires providers to make a good-faith effort to obtain a written acknowledgment of receipt. This is not the same as patient consent. Failing to document the attempt — even when the patient refuses to sign — is a common HIPAA violation.
  • Prominent posting: The notice must be posted in a clear and prominent location at your service delivery site. A laminated sheet behind the reception desk, partially obscured by a computer monitor, doesn't meet this standard.

When OCR Reviews Your Notice of Privacy Practices

OCR doesn't just look at your NPP during breach investigations. Compliance reviews — which OCR can initiate at any time — routinely examine the notice. They verify the content matches current regulatory requirements, confirm the effective date is accurate, and check that your organization can produce signed acknowledgment forms or documentation of good-faith attempts.

Between 2020 and 2023, OCR resolved multiple cases where deficient notices were cited as contributing factors in broader Privacy Rule violations. When your notice of privacy practices is incomplete or outdated, it signals systemic compliance failures that invite deeper scrutiny.

Material Revisions Trigger Redistribution Obligations

Any time you make a material change to your privacy practices — such as changing how you use PHI, adding a new use or disclosure category, or modifying individual rights — you must revise and redistribute the notice promptly. For health plans, the revised notice or information about the revision must go out within 60 days. Providers must make the revised notice available at the service delivery site and on their website if they maintain one.

This isn't optional. Failure to redistribute after a material revision is a standalone HIPAA violation under 45 CFR §164.520(c).

A Practical Compliance Checklist for Your Organization

Use this checklist to evaluate your current notice of privacy practices:

  • Does the notice include all elements required by 45 CFR §164.520(b), including Omnibus Rule additions?
  • Is the effective date accurate and reflective of your most recent material revision?
  • Are you obtaining and documenting written acknowledgment of receipt — or documenting your good-faith attempt?
  • Is the notice prominently posted at every service delivery site?
  • Has your workforce been trained on the content and purpose of the notice?
  • Do your business associate agreements reference your privacy practices consistently with the NPP?

If any of those answers is "no" or "I'm not sure," your organization has a compliance gap that needs immediate attention.

Build a Culture Where Privacy Practices Are Understood — Not Just Distributed

The notice of privacy practices is more than a regulatory checkbox. It's the document that defines your organization's commitment to protecting patient PHI. When it's accurate, current, and supported by a trained workforce, it becomes a defense in investigations rather than a liability.

Healthcare organizations that treat the NPP as a living document — reviewing it annually, training staff on its contents, and applying the minimum necessary standard in daily operations — consistently perform better in OCR compliance reviews.

Start by ensuring every member of your workforce understands HIPAA's privacy requirements through comprehensive HIPAA compliance training from HIPAA Certify. A well-trained team doesn't just hand patients a notice — they embody the practices it describes.