Sample Notice of Privacy Practices: Free Template

Everything covered providers need to give patients a HIPAA-compliant NPP, including the 2026 substance use disorder update and a step-by-step distribution guide.

Written by the Commure Scribe Team

Published: June 19, 2026


What You Need to Know About a Sample Notice of Privacy Practices

  • A Notice of Privacy Practices is a HIPAA-required document telling patients how your practice handles their health information.
  • As of February 16, 2026, all covered providers must add substance use disorder language to their Notice of Privacy Practices.
  • Download the template, add your practice details, and have it reviewed before giving it to patients.

Download the Free Sample Notice of Privacy Practices Template

Note: This template is for informational purposes only and does not constitute legal or medical advice. Have your compliance officer review it before clinical use.


What Is a Notice of Privacy Practices?

A Notice of Privacy Practices is the HIPAA-mandated written disclosure that explains to patients how a practice uses and protects their health information and what privacy rights they hold over it. Every covered healthcare provider must give patients a Notice of Privacy Practices at the first visit.¹ Post it in your waiting room and on your website.

The Notice of Privacy Practices is not an informed consent form. Consent forms cover specific treatments. The Notice of Privacy Practices covers how your practice handles patient health information.¹ PHI (protected health information) is patient data that can identify a specific person.

HIPAA does not require a patient signature.¹ You need to show a good-faith effort to get an acknowledgment. Keep a record of that effort.

The template on this page is built around the HIPAA Privacy Rule.¹ It includes the 2026 substance use disorder update.

What Should a Notice of Privacy Practices Include?

Your Notice of Privacy Practices must include seven universal required elements plus one conditional element if your practice creates or maintains substance use disorder records subject to 42 CFR Part 2. All seven universal elements are required by the HIPAA Privacy Rule (45 CFR 164.520(b)(1)).¹

Required header. Open every Notice of Privacy Practices with this exact line: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY." This wording must appear verbatim (45 CFR 164.520(b)(1)(i)).¹

Uses and disclosures. Describe your uses of patient PHI. Cover treatment, payment, and healthcare operations. Include other permitted uses such as public health reports and required legal disclosures.¹

Patient rights. List every right patients have over their PHI:¹

  • The right to see and get a copy of their records
  • The right to ask for corrections
  • The right to ask for a log of who got their information
  • The right to ask for limits on how you share their information
  • The right to choose how you contact them
  • The right to get a copy of this notice

Covered entity's duties. State that your practice is required to maintain the privacy of PHI, abide by the terms of the current notice, and notify patients in the event of a breach of unsecured PHI (45 CFR 164.520(b)(1)(v)).¹

Complaints. State that patients may file a complaint with your practice or with HHS if they believe their privacy rights have been violated. Include a brief description of how to file a complaint and a statement that you will not retaliate (45 CFR 164.520(b)(1)(vi)).¹

Contact. Include the name, title, or telephone number of a person or office patients can contact for further information about your privacy practices (45 CFR 164.520(b)(1)(vii)).¹ In most practices this is the privacy officer.

Effective date. Show the Notice of Privacy Practices' effective date at the top of the form (45 CFR 164.520(b)(1)(viii)).¹

SUD section (conditional). If your practice creates, receives, or maintains substance use disorder records subject to 42 CFR Part 2, add a Part 2 section to your Notice of Privacy Practices.¹ The downloadable template above includes this language.

How Do You Fill Out and Distribute the Notice of Privacy Practices?

Fill out and distribute the Notice of Privacy Practices by adding your practice details to the template, reviewing each section, handing it to patients at the first visit, collecting an acknowledgment, and retaining your records. Start with the HHS model notice or the downloadable notice of privacy practices template above. Both are built around the HIPAA Privacy Rule requirements.¹

Step 1: Add your practice details. Fill in these fields:

  • Practice name and address
  • Phone number
  • Privacy officer name and contact information
  • Effective date

Step 2: Review each section. Read each use and disclosure in the template. Remove any items not relevant to your practice. Keep all uses and disclosures relevant to your practice.

Step 3: Give it to patients at the first visit. Hand the Notice of Privacy Practices to each new patient before their first appointment, alongside your other new patient forms.¹ For telehealth patients, send it by email or patient portal before the visit. Post a copy in your waiting room. Keep it on your website.

Step 4: Get an acknowledgment. Ask each patient to sign the acknowledgment line. Some patients will not sign. Note refusals in the patient chart. HIPAA does not require a signature.¹

Step 5: Keep your records. File signed acknowledgments for at least six years.¹ Record the date and patient name for each Notice of Privacy Practices you give. These records protect your practice during an audit.

What Are the 2026 HIPAA Compliance Requirements for Your Notice of Privacy Practices?

Two rule updates affect your Notice of Privacy Practices right now.

SUD enforcement started February 16, 2026. In 2024, HHS aligned 42 CFR Part 2 with HIPAA and updated the HIPAA Privacy Rule to require Notices of Privacy Practices to reflect the new Part 2 protections.¹ Part 2 protects substance use disorder (SUD) records. The update deadline was February 16, 2026. OCR now accepts complaints about missing Part 2 language.¹ Any covered provider without updated SUD language may face OCR complaints.

Your updated Notice of Privacy Practices must explain:¹

  • How SUD records under Part 2 may be used and shared
  • That SUD records cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without written consent or a court order issued after notice and an opportunity to be heard
  • That shared information may be re-shared by others
  • That using SUD records for treatment, payment, or operations requires written consent

Reproductive health language is not required. On June 18, 2025, a federal court vacated most of the April 2024 HIPAA reproductive health privacy rule (Carmen Purl et al. v. HHS, N.D. Tex.).¹ Do not add reproductive health language to your Notice of Privacy Practices. The Part 2 SUD provisions described above are from a separate June 2024 rulemaking and were not affected by that court order. They remain fully in effect.

Review your Notice of Privacy Practices whenever your privacy practices change. HIPAA requires covered providers to update their Notice of Privacy Practices any time they make a material change to their privacy practices (45 CFR 164.520(b)(3)).¹ Health plans face an additional obligation: they must notify individuals of the availability of the Notice of Privacy Practices and how to obtain it at least once every three years (45 CFR 164.520(c)(1)(ii)).¹ For individual providers, the practical trigger is any regulatory change, new service, or new data use, such as the 2026 SUD update. A HIPAA compliance checklist can help you track required reviews. After any update, post the revised Notice of Privacy Practices on your website and in your waiting room. State requirements vary. Check your state medical association for local guidance.

How Commure Scribe Works With Your Notice of Privacy Practices

Your Notice of Privacy Practices makes specific promises to patients: that your practice maintains the privacy of their PHI, abides by the terms of the notice, and handles their data only for the uses it describes. The clinical documentation those promises cover has to be created and stored somewhere. Commure Scribe, an AI medical scribe, is built to handle that PHI to the same standards your notice sets out.

Scribe listens to the encounter and, seconds after the clinician clicks End Recording, drafts a structured clinical note, whether you document in SOAP notes or another format, for the clinician to review and finalize before anything enters the chart. It is HIPAA compliant, SOC 2 certified, and stores all data onshore. Audio recordings are encrypted and never used for AI training, product improvement, or any purpose other than generating the clinical note, which is exactly the kind of handling the "uses and disclosures" and "covered entity's duties" sections of your notice describe.

For the clinical documentation your Notice of Privacy Practices governs, Commure Scribe gives you a defensible, auditable record, and 90%+ of providers report reduced clinical documentation time and digital fatigue. The AI Copilot can also help draft documentation tasks generated from the encounter, such as patient communications, with the clinician reviewing before anything goes out.

Frequently Asked Questions

Is a patient signature required on the Notice of Privacy Practices?

No. HIPAA requires a good-faith effort to get an acknowledgment of receipt, not a signed document (45 CFR 164.520).¹ If a patient will not sign, note the refusal in their chart. Your practice can still provide care. Written records of these attempts protect your practice during an audit.

When does the Notice of Privacy Practices have to be given to patients?

At the first service delivery, before or at the start of the first appointment (45 CFR 164.520).¹ For telehealth patients, send it before the visit by email or patient portal. Post it in your waiting room and on your website. You do not need to give a new Notice of Privacy Practices at every visit.

Does the 2026 SUD update apply to my practice if I don't treat addiction?

Yes, in most cases. Update your Notice of Privacy Practices if your practice ever creates, receives, or stores substance use disorder records subject to 42 CFR Part 2.¹ This applies to general practice settings, not just addiction specialists. If you document any SUD-related information, your Notice of Privacy Practices needs the Part 2 language. The enforcement deadline was February 16, 2026.

What happened to the HIPAA reproductive health privacy update?

On June 18, 2025, a federal court vacated most of the April 2024 HIPAA reproductive health privacy rule (Carmen Purl et al. v. HHS, N.D. Tex.).¹ You do not need to add reproductive health language to your Notice of Privacy Practices. The Part 2 substance use disorder requirements are not part of that rule. They come from a separate June 2024 rulemaking and were not challenged in that case. They remain in full effect and in OCR enforcement.

How often should a Notice of Privacy Practices be reviewed and updated?

Any time your privacy practices change (45 CFR 164.520(b)(3)).¹ HIPAA requires covered providers to update the Notice of Privacy Practices after any material change, including new services, new data uses, or regulatory changes like the 2026 SUD update. Health plans must also notify individuals of the Notice of Privacy Practices' availability and how to obtain it at least once every three years (45 CFR 164.520(c)(1)(ii)); that notification obligation does not apply to individual covered providers. After any update, post the revised Notice of Privacy Practices on your website and in your waiting room.

Can I customize this Notice of Privacy Practices template for my specialty or EHR system?

Yes. Fill in your practice information, privacy officer contact, and any specialty-specific uses of patient data. Remove any uses or disclosures that do not apply to your practice. Have your compliance officer review the final version before you give it to patients. State requirements vary. Your compliance officer can flag any local adjustments.

This article is for general informational and educational purposes only. It does not constitute legal, medical, or professional advice and does not guarantee compliance. Requirements vary by state, payer, and clinical setting and can change over time. Verify current details with your own compliance officer, legal counsel, or the relevant authority before relying on this information.


Sources

  1. U.S. Department of Health and Human Services. "Notice of Privacy Practices for Protected Health Information." HHS.gov. https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/privacy-practices-for-protected-health-information/index.html.
