HIPAA Notice of Privacy Practices for Therapists: What Must Be Included
Most therapists have a Notice of Privacy Practices.
That does not automatically mean it is complete.
Recently, I reviewed a Notice of Privacy Practices that had been generated using an EHR template and AI assistance. It looked polished. It sounded official. At first glance, it seemed fine.
It was missing required federal disclosures.
That is happening more often than people realize.
A HIPAA Notice of Privacy Practices for therapists is not just an intake form. It is a federally required disclosure document governed by the HIPAA Privacy Rule at 45 CFR §164.520. If required elements are missing, that creates a compliance gap, even if everything else feels organized.
Here is what must actually be included.
What Is a HIPAA Notice of Privacy Practices?
The Notice of Privacy Practices, often called an NPP, explains how your practice may use and disclose protected health information and outlines your clients’ rights.
It must be provided no later than the date of first service delivery (in an emergency, as soon as reasonably practicable afterward), the practice must make a good faith effort to obtain the client's written acknowledgment of receipt, and it must be posted prominently at any physical service site and on the practice website if one exists. It must also accurately reflect how your practice actually operates.
The Notice must also include an effective date and clearly reflect the version currently in effect.
This is where many templates fall short. They describe generic health care scenarios that do not match how a mental health practice functions.
If your Notice of Privacy Practices was:
Downloaded years ago
Pulled from a colleague
Automatically generated by your EHR
Created or refined using AI
It is worth reviewing whether it meets the requirements of 45 CFR §164.520.
Reviewing Your HIPAA Notice of Privacy Practices for Therapists
Many therapists assume their Notice is compliant because it came from an EHR or a template. Reviewing it element by element against 45 CFR §164.520 is the only way to find missing disclosures before they become a compliance issue.
Required Uses and Disclosures
Your Notice must describe, with at least one example of each, the types of uses and disclosures of protected health information the practice may make without written authorization for:
• Treatment
• Payment
• Health care operations
The Notice must distinguish between uses and disclosures that require authorization and those that do not.
It must also describe each other purpose for which the practice is permitted or required by law to use or disclose protected health information without authorization, including court orders, mandated reporting, serious and imminent threats, public health reporting, and certain health oversight activities.
Each of these descriptions has to be detailed enough to put the client on notice of what may actually happen with their information. If those categories are incomplete or overly simplified, that is a problem.
Psychotherapy Notes and HIPAA Requirements
If you are a therapist, this section matters.
Psychotherapy notes, as defined in 45 CFR §164.501, receive additional protection under federal law. Most uses and disclosures of psychotherapy notes require the client's written authorization (45 CFR §164.508(a)(2)), and a practice that keeps them must say so in its Notice.
Many generic templates either omit this entirely or mention it vaguely.
For a mental health practice, that is not a minor detail.
Omnibus Rule Updates: Marketing and Sale of PHI
The HIPAA Omnibus Rule added specific requirements to the Notice of Privacy Practices.
Your NPP must state that:
• Most uses and disclosures of protected health information for marketing require written authorization.
• The sale of protected health information requires written authorization.
Even if you do not sell information, the disclosure requirement still applies. The Notice must also state that any other use or disclosure not described in it will be made only with the client's written authorization, and that an authorization may be revoked in writing, except to the extent the practice has already acted in reliance on it.
This is one of the most common omissions I see.
Individual Rights That Must Be Explained
Your Notice must clearly describe client rights, including:
• Inspect and obtain a copy of their records
• Request amendments to their records
• Receive an accounting of disclosures
• Request restrictions on uses and disclosures (which the practice is not always required to agree to)
• Require that disclosures to a health plan be restricted when the client pays for the service in full out of pocket (which the practice must honor)
• Request confidential communications by alternative means or at alternative locations
• Obtain a paper copy of the Notice on request, even after agreeing to receive it electronically
• Be notified following a breach of unsecured protected health information
Listing these without explaining how to exercise them is not sufficient.
How to Exercise Rights
The Notice must also explain how individuals can exercise these rights, including how to submit written requests and where requests should be directed. It must state that a client may complain to the practice and to the Secretary of the U.S. Department of Health and Human Services, briefly describe how to file a complaint, and state that the client will not be retaliated against for filing one. It must also name a person or office, with a telephone number, that clients can contact for further information about the Notice.
Duties of the Practice
Your Notice must also describe the duties of the practice. This includes stating that the practice is required by law to maintain the privacy of protected health information, provide a Notice of Privacy Practices, and follow the terms of the Notice currently in effect. It must also explain that the practice reserves the right to revise the Notice and how individuals will be informed of material changes.
Business Associates and Electronic Systems
If you use an EHR, billing service, telehealth platform, or cloud storage provider, your Notice should reflect that protected health information may be shared with business associates who are contractually required to safeguard it. HIPAA does not require a separate business associate section; these disclosures belong within the treatment, payment, and health care operations descriptions, and the Notice is inaccurate if those descriptions do not match the systems you actually use.
This is often missing in simplified versions.
State Law May Require More
HIPAA sets the federal baseline.
However, if your state provides stronger privacy protections, those must be reflected in your Notice. HIPAA itself requires this: where state law prohibits or materially limits a use or disclosure, the Notice must describe the more stringent rule (45 CFR §164.520(b)(1)(ii)(C)).
This can include:
• Minor consent laws
• Parental access limitations
• Substance use disorder confidentiality (state rules layered on the federal 42 CFR Part 2)
• HIV or genetic privacy protections
• State privacy statutes such as California’s CMIA
Your Notice cannot describe a use or disclosure that stricter state law prohibits.
Your HIPAA Notice of Privacy Practices for therapists should accurately reflect your policies, your systems, and your state law obligations.
The Bigger Compliance Picture
Compliance is about accuracy and alignment.
Your Notice of Privacy Practices should reflect how your practice actually operates, including your documentation standards, workforce access, electronic systems, and state-specific confidentiality obligations.
The Notice is only one required component of a broader federal HIPAA compliance framework, and it should be consistent with your written policies and procedures for a mental health practice. When the Notice promises one thing and your internal policies do another, that is where compliance gaps occur.
Where to File a HIPAA Privacy Complaint
If you believe your HIPAA privacy rights have been violated, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights.
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.
