HIPAA Notice of Privacy Practices for Therapists: What Should Be Included?

Most therapists have a Notice of Privacy Practices.

In many cases, the document came from an EHR platform, a practice startup resource, a consultant, or a template that was customized during the practice setup process. Some therapists have also used AI tools to help revise or personalize the language.

That approach is understandable. A Notice of Privacy Practices can be a lengthy document, and most therapists are focused on providing care, building systems, and managing the many responsibilities that come with running a practice.

What often surprises people is that a Notice of Privacy Practices is not simply an intake document or a practice policy. It is a federally required disclosure document governed by the HIPAA Privacy Rule requirements for Notices of Privacy Practices.

Because of that, the goal is not simply to have a Notice of Privacy Practices. The goal is to have one that accurately reflects how the practice actually uses and discloses protected health information and provides the disclosures required by law.

Is a Privacy Policy the Same Thing as a Notice of Privacy Practices?

One question that comes up regularly is whether a website Privacy Policy and a Notice of Privacy Practices serve the same purpose.

The confusion makes sense. Both documents address privacy, and both may be presented to clients at some point during their interaction with a practice.

They are not the same document.

A website Privacy Policy generally explains how information is collected, stored, and used through a website or online service. A Notice of Privacy Practices explains how a HIPAA-covered practice may use and disclose protected health information and outlines the rights individuals have under the HIPAA Privacy Rule Notice of Privacy Practices provisions.

A practice may need both documents, but they serve different purposes and are governed by different requirements.

If your Notice of Privacy Practices was:

• Downloaded years ago
• Adapted from a colleague’s document
• Generated from an EHR template
• Created or revised with AI assistance

It may be worth taking a fresh look at whether the document still reflects your current practice operations, technology, workflows, and applicable legal requirements.

What Is a Notice of Privacy Practices?

A Notice of Privacy Practices, often called an NPP, explains how a practice may use and disclose protected health information and describes the privacy rights available to clients.

The Notice must be provided no later than the first service encounter and must include an effective date, consistent with HHS Notice of Privacy Practices requirements. It should also reflect the version currently in effect within the practice.

While many templates provide a useful starting point, the document should ultimately reflect how the individual practice actually operates.

That is one reason a Notice of Privacy Practices often requires more review than therapists initially expect. The document is intended to describe the practice’s specific privacy practices, systems, and applicable legal obligations rather than functioning as a generic healthcare form.

Circular infographic titled "Does Your Notice of Privacy Practices Reflect Your Practice Today?" The graphic illustrates how a Notice of Privacy Practices should align with multiple areas of a therapy practice, including documentation, technology, telehealth, communication methods, workforce access, state law requirements, and client privacy rights. At the center, the graphic emphasizes that a Notice of Privacy Practices should accurately describe how the practice uses and discloses protected health information. Guardian Clinical Essentials™ branding appears at the bottom.

What Should Be Included in a Notice of Privacy Practices?

The HIPAA requirements for Notice of Privacy Practices content require several categories of information to be included.

How Protected Health Information May Be Used and Disclosed

The Notice should explain how protected health information may be used and disclosed for:

  • Treatment
  • Payment
  • Health care operations

These are categories of uses and disclosures that generally do not require a separate written authorization under HIPAA treatment, payment, and health care operations provisions.

The Notice should also explain that some uses and disclosures require authorization and distinguish those situations from disclosures that are permitted or required by law.

Disclosures Required or Permitted by Law

The Notice should explain circumstances in which information may be disclosed without authorization when permitted or required by law.

Depending on the situation, this may include matters such as:

  • Court orders
  • Mandated reporting obligations
  • Serious and imminent threats to health or safety
  • Public health activities
  • Health oversight activities
  • Other legally required disclosures

The specific language should accurately reflect applicable federal and state requirements.

Psychotherapy Notes

For mental health practices, psychotherapy notes deserve particular attention.

Psychotherapy notes receive additional protections under HIPAA, and most uses and disclosures of psychotherapy notes require written authorization, as described in HHS guidance on psychotherapy notes.

Because psychotherapy notes are unique to mental health practice, therapists may want to review this section carefully when evaluating a template Notice of Privacy Practices.

Marketing and Sale of Protected Health Information

The HIPAA Omnibus Rule added additional Notice requirements related to marketing and the sale of protected health information.

The Notice should explain circumstances in which information may be disclosed without authorization when permitted or required under HIPAA permitted uses and disclosures guidance.

It should also explain that the sale of protected health information requires written authorization.

The Notice should further describe that authorizations may generally be revoked in writing, except to the extent action has already been taken in reliance on the authorization.

What Client Rights Should Be Included?

A Notice of Privacy Practices must also explain the individual rights established under the HIPAA Privacy Rule regarding protected health information.

These rights may include:

  • Access to records
  • Requests for amendment
  • Accounting of disclosures
  • Requests for restrictions
  • Confidential communications
  • Paper copies of the Notice
  • Breach notification rights
  • Requests to restrict disclosure to a health plan when services have been paid in full out of pocket

The Notice should also explain how individuals can exercise those rights, where requests should be directed, and how privacy concerns may be communicated to the practice.

What Responsibilities Does the Practice Have?

The Notice should describe the HIPAA Privacy Rule responsibilities of covered entities.

This generally includes explaining that the practice is required to:

  • Maintain the privacy of protected health information
  • Provide a Notice of Privacy Practices
  • Follow the terms of the Notice currently in effect

The Notice should also explain that the practice may revise the Notice in the future and describe how individuals will be informed of material changes.

Can a Template Be Used for a Notice of Privacy Practices?

Templates can be helpful starting points.

The challenge is that a Notice of Privacy Practices is intended to describe how a specific practice operates. A document may contain the correct practice name, logo, and contact information while still reflecting generic language that does not fully align with the practice’s workflows, technology systems, policies, or state-specific requirements.

For that reason, customization often involves much more than updating basic identifying information.

Can AI Be Used to Create or Revise a Notice of Privacy Practices?

AI tools can sometimes help organize information or improve readability.

At the same time, a Notice of Privacy Practices is a regulated disclosure document. Whether the document is drafted by a therapist, generated from a template, or revised using AI, it still needs to accurately reflect the practice’s actual operations and applicable legal requirements.

A document can sound professional and still require substantial review.

When AI is used during drafting or revision, the final responsibility for accuracy remains with the practice.

Does State Law Matter?

HIPAA establishes a federal baseline for privacy protections, while HHS guidance on the interaction between HIPAA and state law explains how certain state requirements may also apply.

Many states also have laws that affect confidentiality, documentation, parental access, minors’ rights, substance use treatment information, HIV-related information, and other privacy-related topics.

A Notice of Privacy Practices should be reviewed with applicable state requirements in mind so that the document accurately reflects both federal and state obligations.

The Bigger Picture

A Notice of Privacy Practices is more than a required disclosure document. It is intended to explain how a practice actually handles protected health information and how individuals can exercise their privacy rights.

Because of that, the Notice should align with the way the practice operates. Documentation practices, communication methods, technology systems, workforce access, telehealth services, and applicable state laws can all influence what should be reflected in the document.

Templates can provide a useful starting point, but over time practices often adopt new technology, revise workflows, expand services, or make other operational changes. Reviewing the Notice periodically helps ensure it continues to accurately reflect current practice operations.

Most therapists were never taught how privacy requirements, technology, documentation, and practice operations work together.

Guardian Clinical Essentials™ exists to help bridge that gap with practical, therapist-focused education.

Subscribe to receive compliance updates, educational resources, training opportunities, and implementation guidance delivered directly to your inbox.

A Notice of Privacy Practices is not intended to sit untouched for years after a practice is opened. As the practice evolves, the document should evolve with it. Periodic review can help ensure it continues to accurately reflect how protected health information is used, disclosed, and safeguarded within the practice.

About the Author

Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3

Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™.

She helps therapists and group practices understand how compliance, documentation, privacy, technology, and practice operations work together in real-world clinical settings. Her work focuses on turning complex requirements into practical systems, policies, workflows, and implementation strategies that providers can actually use.

Drawing from experience in both clinical practice and compliance consulting, Samantha specializes in helping mental health professionals build defensible, sustainable systems that support both quality care and regulatory compliance.

Learn more about Samantha and Guardian Clinical Essentials™.

Samantha Schalk, LMSW-C, LMSW-M, founder of Guardian Clinical Essentials

Continue Exploring Guardian Clinical Essentials™

Looking for additional compliance, privacy, AI, documentation, and practice operations resources?

Explore the Guardian Clinical Essentials™ Resource Library for educational articles, implementation guidance, training opportunities, and practical resources designed specifically for mental health professionals.

This site uses cookies to enhance your experience and analyze site usage. By continuing, you consent to our use of cookies. For details, see our Cookie Policy.