
HIPAA Privacy Policy Requirements: Healthcare Compliance Guide for 2026

If your business handles protected health information, you need more than a standard website privacy policy. Here’s what HIPAA actually requires, who it applies to, and how to avoid penalties that can reach £1.5 million per violation category per year.

The Health Insurance Portability and Accountability Act (HIPAA) is the primary US federal law governing the privacy and security of health information. If you run a healthcare practice, a health tech startup, a telehealth platform, or any business that touches patient data — HIPAA applies to you. And the privacy requirements go far beyond what a typical website privacy policy covers.

Many healthcare businesses make the mistake of thinking a generic privacy policy template is enough. It is not. HIPAA requires a specific document called a Notice of Privacy Practices (NPP), and the rules around what it must contain, how it must be distributed, and what happens if you get it wrong are strict. This guide breaks it all down.

What Is HIPAA and Who Does It Apply To?

HIPAA was enacted in 1996 and has been updated several times since, most significantly by the HITECH Act in 2009 and the Omnibus Rule in 2013. The law establishes national standards for protecting Protected Health Information (PHI) — any individually identifiable health information held or transmitted by a covered entity or its business associates.

PHI includes obvious things like medical records, diagnoses, and treatment plans. But it also includes names, addresses, dates of birth, Social Security numbers, and any other data that could identify a patient when linked to health information. When PHI exists in digital form, it is called ePHI (electronic Protected Health Information).

Covered Entities

HIPAA directly applies to three types of covered entities:

  • Healthcare providers — doctors, dentists, clinics, hospitals, pharmacies, psychologists, chiropractors, and any provider who transmits health information electronically
  • Health plans — health insurance companies, HMOs, employer-sponsored health plans, and government programmes like Medicare and Medicaid
  • Healthcare clearinghouses — entities that process nonstandard health information into standard formats

Business Associates

HIPAA also applies to business associates — any person or organisation that performs functions or activities on behalf of a covered entity that involve access to PHI. Common examples include:

  • IT companies that host or manage health records systems
  • Billing and coding companies
  • Cloud storage providers that store ePHI
  • Email service providers used for patient communication
  • Telehealth platform vendors
  • Accountants and lawyers who receive PHI in the course of their work

If you are a business associate, you must sign a Business Associate Agreement (BAA) with the covered entity. You are also directly liable for HIPAA violations under the HITECH Act.

Website Privacy Policy vs. HIPAA Notice of Privacy Practices

This is where most healthcare businesses get confused. A website privacy policy and a HIPAA Notice of Privacy Practices (NPP) are two different documents that serve two different purposes.

A website privacy policy is a general document that tells visitors how your website collects and uses their personal data — things like cookies, IP addresses, form submissions, and analytics. It exists to comply with laws like GDPR, the CCPA, and general consumer protection regulations.

A Notice of Privacy Practices is a HIPAA-specific document that tells patients how their protected health information is used and disclosed. It covers medical records, treatment information, billing data, and any other PHI the covered entity handles. It is required under the HIPAA Privacy Rule (45 CFR 164.520).

The key difference: your website privacy policy covers website visitor data. Your NPP covers patient health data. They overlap in some areas, but they are not interchangeable.

Do You Need Both a Privacy Policy and an NPP?

In almost every case, yes. If you are a covered entity or business associate with a website, you need:

  • A website privacy policy that covers how your website collects data from all visitors (including non-patients), how you use cookies and analytics, and how you comply with applicable privacy laws like GDPR and the CCPA
  • A HIPAA Notice of Privacy Practices that covers how you handle PHI for your patients, including their rights under HIPAA and how they can file complaints

Some organisations combine these into a single document, but this is not recommended. The audiences are different, the legal requirements are different, and combining them often results in a document that fails to adequately satisfy either set of requirements. Keep them separate for clarity and compliance.

What a HIPAA Notice of Privacy Practices Must Include

The HIPAA Privacy Rule at 45 CFR 164.520 specifies exactly what your NPP must contain. Here is every required element:

1. Header

Your NPP must include the following header or a substantially similar statement: “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”

2. Uses and Disclosures of PHI

Your NPP must describe, with sufficient detail and at least one example, how you may use and disclose PHI for:

  • Treatment — sharing records with other providers involved in your care
  • Payment — sending billing information to your insurance company
  • Healthcare operations — quality assessment, staff training, business planning

You must also describe any other purposes for which you use or disclose PHI, such as appointment reminders, treatment alternatives, or health-related benefits and services.

3. Uses and Disclosures That Require Authorisation

Your NPP must state that other uses and disclosures of PHI not described in the notice will be made only with the patient’s written authorisation. It must also explain that the patient may revoke that authorisation at any time.

4. Patient Rights

Your NPP must describe each of the following patient rights and explain how to exercise them:

  • Right to access — patients can inspect and obtain a copy of their PHI
  • Right to amend — patients can request corrections to their records
  • Right to an accounting of disclosures — patients can request a list of certain disclosures made of their PHI
  • Right to request restrictions — patients can ask you to limit how their PHI is used or disclosed
  • Right to request confidential communications — patients can ask to receive communications by alternative means or at alternative locations
  • Right to a paper copy — patients can request a paper copy of the NPP even if they agreed to receive it electronically

5. Duties of the Covered Entity

Your NPP must include a statement that the covered entity is:

  • Required by law to maintain the privacy of PHI
  • Required to provide patients with notice of its duties and privacy practices
  • Required to abide by the terms of the notice currently in effect
  • Required to notify affected individuals following a breach of unsecured PHI

6. Complaint Process

Your NPP must explain how patients can file a complaint if they believe their privacy rights have been violated. This must include both an internal contact (such as a privacy officer) and a statement that patients can file a complaint with the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. You must state that patients will not be retaliated against for filing a complaint.

7. Contact Information

Your NPP must include the name, title, and phone number of a contact person or office to whom patients can direct questions or complaints about your privacy practices.

8. Effective Date

Your NPP must include the date on which the notice is effective. This must be updated whenever the notice is materially revised.

HIPAA Requirements for Website Tracking and Analytics

This is an area that has received significant enforcement attention in recent years. In 2022, the HHS Office for Civil Rights issued guidance clarifying that tracking technologies on healthcare websites can create HIPAA violations if they transmit PHI to third parties.

Here is what you need to know for 2026:

Google Analytics and Similar Tools

If your website allows patients to log in to a patient portal, book appointments, or access health information, and you are running Google Analytics on those pages, you may be transmitting ePHI (such as IP addresses combined with the health-related context of the page visited) to Google. This is a HIPAA violation unless you have a BAA with Google — and Google does not sign BAAs for Google Analytics.

The safest approach: do not run Google Analytics on any authenticated or health-related pages. Use a HIPAA-compliant analytics alternative, or limit analytics to purely marketing pages that contain no PHI.

Meta Pixel and Advertising Trackers

The Meta Pixel (formerly Facebook Pixel) is particularly problematic. Several major healthcare organisations have faced enforcement actions and class-action lawsuits for running the Meta Pixel on pages where patients schedule appointments or access health information. The pixel can transmit health condition information (inferred from the pages visited) along with identifiers to Meta.

The recommendation is clear: do not use Meta Pixel, Google Ads remarketing tags, or similar advertising trackers on any pages that contain or collect PHI.

Cookies and Session Tracking

Cookies that are strictly necessary for website functionality (such as session management for a patient portal) are generally acceptable. However, third-party cookies that share data with external services must be evaluated for HIPAA compliance. Your website privacy policy should clearly disclose all cookies in use, and your HIPAA compliance programme should ensure that no cookies are transmitting PHI to non-compliant third parties.

Telehealth and HIPAA Privacy Requirements in 2026

Telehealth has become a permanent fixture in healthcare delivery. In 2026, the privacy requirements for telehealth are well established:

  • Platform requirements — you must use a telehealth platform that is HIPAA-compliant and willing to sign a BAA. Consumer video apps like FaceTime, Skype, and standard Zoom are not compliant. You need Zoom for Healthcare, Doxy.me, or a similar purpose-built platform
  • Encryption — all telehealth communications must be encrypted in transit and at rest. This applies to video calls, chat messages, and any shared documents
  • Patient consent — patients must be informed about the privacy risks of telehealth and provide consent. Many states have their own telehealth consent requirements in addition to HIPAA
  • Recording and storage — if you record telehealth sessions, those recordings are PHI and must be stored and protected accordingly
  • Remote access — if clinicians are accessing patient records from home or mobile devices, those devices must meet HIPAA security standards, including encryption, password protection, and remote wipe capability

Your NPP should specifically address telehealth if you offer it, explaining how PHI is used and protected during virtual visits.

Common HIPAA Privacy Policy Mistakes

These are the errors that most frequently lead to enforcement actions and complaints:

  • Not having an NPP at all — some healthcare businesses rely solely on a generic website privacy policy and assume it covers HIPAA. It does not
  • Using an outdated NPP — if your NPP has not been updated since the 2013 Omnibus Rule, it is missing required elements such as breach notification requirements and updated patient rights language
  • Failing to distribute the NPP — covered entities must make a good faith effort to obtain a written acknowledgement from patients that they received the NPP. The NPP must also be posted prominently in your physical location and on your website
  • Not addressing website tracking technologies — failing to disclose third-party trackers or running analytics tools on patient-facing pages without a BAA
  • Ignoring business associate obligations — if you are a business associate, you need your own HIPAA compliance programme. Having a signed BAA is not enough by itself
  • Vague descriptions of PHI uses — your NPP must include specific examples of how PHI is used for treatment, payment, and operations. Generic statements do not satisfy the regulation
  • No complaint procedure — failing to include information about how patients can file complaints with both your organisation and HHS

HIPAA Penalties and Enforcement in 2026

HIPAA violations carry significant financial penalties. The HHS Office for Civil Rights (OCR) enforces HIPAA and has been increasingly active in recent years. The penalty structure is tiered based on the level of culpability:

  • Tier 1 — Did not know: $137 to $68,928 per violation, with an annual maximum of $2,067,813
  • Tier 2 — Reasonable cause: $1,379 to $68,928 per violation, with an annual maximum of $2,067,813
  • Tier 3 — Wilful neglect (corrected): $13,785 to $68,928 per violation, with an annual maximum of $2,067,813
  • Tier 4 — Wilful neglect (not corrected): $68,928 per violation, with an annual maximum of $2,067,813

These amounts are adjusted annually for inflation. Beyond financial penalties, criminal violations can result in fines up to $250,000 and imprisonment up to 10 years.

In recent years, OCR has also pursued enforcement actions related to website tracking technologies specifically. Multiple healthcare systems have settled with OCR for millions of dollars over improperly configured analytics and advertising pixels. State attorneys general can also enforce HIPAA, and class-action lawsuits from affected patients add another layer of financial risk.

The message is clear: HIPAA compliance is not optional, and the cost of getting it wrong far exceeds the cost of doing it right.

How to Create a HIPAA-Compliant Privacy Policy

Building HIPAA-compliant privacy documentation requires addressing two separate but related needs: a website privacy policy that covers your general data practices and meets laws like GDPR and the CCPA, and a Notice of Privacy Practices that satisfies HIPAA’s specific requirements.

Here are the steps to get both right:

  • Audit your data flows — identify every place you collect, store, transmit, or share PHI and general personal data. Include your website, patient portal, EHR system, email, telehealth platform, and any third-party tools
  • Inventory your business associates — list every vendor that has access to PHI and ensure you have a signed BAA with each one
  • Review your website tracking — audit all analytics, advertising, and tracking scripts. Remove any that transmit PHI to third parties without a BAA
  • Draft your NPP — include every element required by 45 CFR 164.520, using specific examples relevant to your practice
  • Draft your website privacy policy — cover cookies, analytics, contact forms, and any other non-PHI data collection on your website
  • Distribute and post — post your NPP in your physical location, on your website, and provide it to every new patient. Post your privacy policy in your website footer
  • Review annually — HIPAA does not require annual updates, but best practice is to review your NPP and privacy policy at least once a year and update them when your practices change
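
One way to carry out the "review your website tracking" step above, and the checks the website-tracking section describes, as an added example that is not part of the original article: a Node.js script that scans page HTML for the tracker signatures the article names (Google Analytics, Meta Pixel, Google Ads remarketing) and flags any found on PHI-bearing paths. The tracker signatures, the PHI path patterns and the sample pages are assumptions constructed for the example; a real audit would run it over a crawl of your own site and refine both lists.

```javascript
// Added example, not from the original article: a static audit that scans page HTML
// for the third-party trackers the article names and flags any found on PHI-bearing pages.
// Tracker signatures, PHI path patterns and sample pages are assumptions for illustration.
const TRACKER_SIGNATURES = [
  { name: "Google Analytics", pattern: /googletagmanager\.com\/gtag\/js|google-analytics\.com|\bgtag\(/i },
  { name: "Meta Pixel", pattern: /connect\.facebook\.net\/[^"']*fbevents\.js|\bfbq\(/i },
  { name: "Google Ads remarketing", pattern: /googleadservices\.com\/pagead|\/pagead\/conversion/i },
];
// Assumed URL paths where a visit implies PHI (authenticated portal, booking, condition pages).
const PHI_PATH_PATTERNS = [/^\/portal(\/|$)/, /^\/appointments(\/|$)/, /^\/conditions\//];
function isPhiPage(path) {
  return PHI_PATH_PATTERNS.some((re) => re.test(path));
}
// Return each <script> on the page as either its src URL or its inline body.
function extractScripts(html) {
  const scripts = [];
  const scriptRe = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
  let m;
  while ((m = scriptRe.exec(html)) !== null) {
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(m[1]);
    scripts.push(src ? src[1] : m[2]);
  }
  return scripts;
}
// One finding per (script, tracker) match; phiPage marks whether it lands on a PHI path.
function auditPage(path, html) {
  const findings = [];
  for (const script of extractScripts(html)) {
    for (const t of TRACKER_SIGNATURES) {
      if (t.pattern.test(script)) findings.push({ path, tracker: t.name, phiPage: isPhiPage(path) });
    }
  }
  return findings;
}

// Split findings into violations (tracker on a PHI page without a BAA) and marketing-only hits to review.
function auditSite(pages) {
  const all = pages.flatMap((p) => auditPage(p.path, p.html));
  return { violations: all.filter((f) => f.phiPage), marketingOnly: all.filter((f) => !f.phiPage) };
}

// Constructed sample pages standing in for a crawl of the site.
const SAMPLE_PAGES = [
  { path: "/", html: '<html><head><script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script></head></html>' },
  { path: "/appointments/book", html: "<html><head><script>!function(f){f.fbq=function(){}}(window);fbq('init','000000');</script></head></html>" },
  { path: "/portal/login", html: '<html><body><script src="/static/app.js"></script></body></html>' },
];

console.log(JSON.stringify(auditSite(SAMPLE_PAGES), null, 2));
```

Anything under `violations` needs either removal of the script or a BAA with the vendor; `marketingOnly` hits are the pages the article says analytics may be limited to, but should still be disclosed in the website privacy policy.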

LegalForge simplifies this process. Answer a series of questions about your healthcare business — what services you provide, what data you collect, which third-party tools you use, and whether you offer telehealth — and our AI generates a comprehensive website privacy policy tailored to healthcare businesses. Your policy will address HIPAA considerations, GDPR requirements if you serve international patients, and state-level privacy laws like the CCPA.
