HIPAA distinguishes between two documents, the Notice of Privacy Practices and Authorization. Knowing when each applies helps healthcare providers stay compliant while delivering quality care.
As Cohen and Mello observed in their 2018 JAMA article, despite initial criticism of HIPAA's complexity, the framework has largely achieved its main goal: enabling patients to feel secure sharing sensitive information with their healthcare providers while still allowing the information sharing needed for treatment, operations, research, and public health activities.
The Notice of Privacy Practices (NPP) is a document that healthcare providers must give to patients explaining how their protected health information (PHI) may be used for treatment, payment, and healthcare operations.
According to the HHS guidance document, "The HIPAA Privacy Rule gives individuals a fundamental new right to be informed of the privacy practices of their health plans and of most of their health care providers, as well as to be informed of their privacy rights with respect to their personal health information." The guidance further explains that "The notice is intended to focus individuals on privacy issues and concerns, and to prompt them to have discussions with their health plans and health care providers and exercise their rights."
According to 45 CFR § 164.520, the NPP must be "written in plain language" and must prominently display a specific header. The regulation requires that the notice contain the following statement as "a header or otherwise prominently displayed":
"THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
The HHS guidance document specifies that "Covered entities are required to provide a notice in plain language that describes: How the covered entity may use and disclose protected health information about an individual."
Healthcare providers must make a good-faith effort to get patients to sign an acknowledgment showing they received the NPP. The regulation specifically states that covered health care providers must "make a good faith effort to obtain the individual's written acknowledgment of receipt of the notice. If an acknowledgment cannot be obtained, the provider must document his or her efforts to obtain the acknowledgment and the reason why it was not obtained." However, treatment cannot be denied if a patient refuses to sign.
The NPP covers routine healthcare activities like coordinating care between providers, billing insurance companies, conducting quality reviews, and training staff. For example, when your primary care doctor refers you to a specialist and shares your medical records, that's covered under the NPP. No additional permission is needed because it falls under routine treatment activities.
The regulation also mandates that the notice must contain "a statement that the covered entity is required by law to maintain the privacy of protected health information, to provide individuals with notice of its legal duties and privacy practices," ensuring patients understand their provider's legal obligations.
Furthermore, the HHS guidance document provides flexibility for emergency situations, stating, "In an emergency treatment situation, provide the notice as soon as it is reasonably practicable to do so after the emergency situation has ended." This ensures that urgent medical care is not delayed by administrative requirements.
Authorization is different. It is a detailed, specific permission required when PHI will be used for purposes beyond routine healthcare. According to the Department of Health and Human Services, "An authorization is a more customized document that gives covered entities permission to use specified PHI for specified purposes, which are generally other than TPO" (treatment, payment, and healthcare operations).
As Cohen and Mello explained in their JAMA article, HIPAA's Privacy Rule establishes that written patient authorization is generally required when covered entities disclose identifiable health information, except when specific exceptions apply such as treatment or operations purposes.
A valid HIPAA authorization must include specific elements: what information will be shared, who can disclose it, who will receive it, the purpose of the disclosure, an expiration date or event, and the patient's signature. Importantly, healthcare providers generally cannot require patients to sign an authorization as a condition of receiving treatment.
For research purposes, Cohen and Mello noted that investigators may access protected health information without patient authorization when a privacy board or institutional review board confirms that obtaining authorization would be impractical and the research presents minimal risk. Researchers can also work with limited data sets that exclude direct identifiers like names and medical record numbers, provided they agree to maintain certain security and confidentiality measures.
The NPP covers predictable, routine healthcare activities and requires only acknowledgment of receipt. Authorization covers specific, non-routine uses and requires detailed, written permission.
Healthcare staff need to recognize which situations fall under each category. Routine care coordination, billing, and quality improvement activities described in the NPP don't require separate authorization. But using patient information for marketing, research, or sharing with employers always requires specific authorization.
As Cohen and Mello pointed out, HIPAA's protections are tied to traditional healthcare relationships and settings, meaning HIPAA-covered data now represent only a small portion of all health information being stored and shared online. Health-related information also comes from sources such as mobile health apps, social media platforms, wearable devices, and even retail purchases that can reveal health conditions. The availability of information created outside traditional healthcare settings, combined with advances in computing technology, challenges the longstanding assumption that health data can be permanently deidentified.
Patients have different rights under each framework. The Notice of Privacy Practices must inform patients of several rights, including:
While patients can request restrictions on how their PHI is used for routine purposes, providers aren't required to agree. With authorization, patients have clear control—they can refuse to sign, and providers cannot condition treatment on obtaining it.
Patients can also revoke authorizations in writing at any time, though the revocation doesn't undo information already shared. The HIPAA guidance states, "An individual may revoke consent in writing, except to the extent that the covered entity has taken action in reliance on the consent."
Providers must update their NPP whenever there are material changes to their privacy policies or legal duties under HIPAA.
Providers must document the refusal, but they cannot deny treatment because a patient declines to sign.
Yes, HIPAA requires authorizations to be in writing and signed by the individual whose information is being disclosed.
An authorization remains valid until its stated expiration date or event, unless revoked in writing earlier by the patient.
Yes, but only if the disclosure is directly relevant to the person’s involvement in the patient’s care or payment and the patient agrees or does not object.