
HIPAA Privacy Policy Template for Healthcare Providers and Health Apps

HIPAA Compliance Guide 2026

HIPAA compliance requires more than a standard privacy policy. Healthcare providers need a Notice of Privacy Practices. Health apps face a different set of rules. This guide clarifies exactly what you need and why these two documents are not the same thing.

Last updated: March 2026 · 15 min read

  • Reviewed by healthcare attorneys
  • Covers HIPAA, CMIA, and state laws
  • Providers, plans, and health apps
  • Updated for 2026 HHS guidance

Quick Answer: What Does HIPAA Require for Privacy Policies?

HIPAA does not require a standard "website privacy policy." Instead, it requires covered healthcare entities to provide patients with a Notice of Privacy Practices (NPP), which is a specific federally mandated document explaining how Protected Health Information (PHI) will be used.

Healthcare providers and health organizations also need a separate website privacy policy for their website data (cookies, contact forms, appointment scheduling). These are two distinct documents with different legal purposes. Health apps that operate independently of a covered entity are often not subject to HIPAA at all, but may be subject to FTC enforcement and state health privacy laws like California's CMIA.

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the US Congress in 1996. Its privacy provisions, contained in the HIPAA Privacy Rule, set national standards for the protection of Protected Health Information (PHI). The HIPAA Security Rule sets standards for electronic PHI (ePHI). The HIPAA Breach Notification Rule requires covered entities to notify patients and HHS in the event of a PHI breach.

HIPAA is enforced by the Office for Civil Rights (OCR) within the US Department of Health and Human Services (HHS). Penalties for HIPAA violations range from $100 to $50,000 per violation, with an annual maximum of $1.9 million per violation category. Criminal violations can result in fines of up to $250,000 and imprisonment for up to 10 years.

Did you know?

In 2022, HHS issued guidance clarifying that tracking technologies (like Google Analytics and Meta Pixel) on healthcare provider websites may violate HIPAA if they transmit PHI to third parties without patient authorization. Several major hospital systems faced enforcement actions for using standard website analytics tools. Healthcare websites must carefully evaluate any third-party tracking technology.

Notice of Privacy Practices vs. Website Privacy Policy: These Are Different Documents

This is the most common source of confusion for healthcare providers. Many organizations believe their HIPAA Notice of Privacy Practices satisfies their website privacy policy obligation. It does not. These are two completely different documents with different purposes, different legal bases, and different content.

Legal requirement
  • Notice of Privacy Practices (NPP): Mandated by HIPAA Privacy Rule 45 CFR 164.520
  • Website privacy policy: Required by CalOPPA, GDPR, FTC Act, and others

Data covered
  • NPP: Protected Health Information (PHI) in clinical records
  • Website privacy policy: Website visitor data, cookies, online forms, analytics

Who receives it
  • NPP: Patients at first point of service
  • Website privacy policy: Website visitors

Required content
  • NPP: Uses of PHI, patient rights, complaint procedures, effective date
  • Website privacy policy: Data collected, cookies, third-party sharing, user rights

Acknowledgment required
  • NPP: Yes, patients must acknowledge receipt
  • Website privacy policy: Generally no (except EU cookie consent)

Healthcare providers need both documents. The NPP is provided to patients and governs clinical data. The website privacy policy is published on the website and governs online visitor data. They should be clearly labeled and kept separate to avoid confusion.

Who Must Comply with HIPAA?

HIPAA compliance obligations fall on two categories: covered entities and business associates. Understanding which category applies to you determines your specific obligations.

Covered Entities

  • Healthcare providers (doctors, hospitals, dentists, therapists, chiropractors)
  • Pharmacies and pharmacy benefit managers
  • Health plans and insurance companies
  • HMOs and employer-sponsored health plans
  • Healthcare clearinghouses
  • Covered entity requirement: must transmit health information electronically

Business Associates

  • Medical billing and coding companies
  • Electronic Health Record (EHR) vendors
  • Cloud storage providers used for health records
  • Medical transcription services
  • Healthcare IT consultants with PHI access
  • Must sign a Business Associate Agreement (BAA)

Did you know?

Subcontractors of business associates are also subject to HIPAA. If your company is a business associate and you share PHI with a subcontractor (such as a cloud hosting provider or an analytics firm), that subcontractor becomes a downstream business associate and must also sign a BAA. The chain of accountability extends throughout the data processing ecosystem.

PHI: Definition and Examples

Protected Health Information (PHI) is health information that is created, received, maintained, or transmitted by a covered entity or business associate and that identifies or could be used to identify an individual. PHI includes information about the past, present, or future physical or mental health of an individual, the provision of healthcare to an individual, or payment for healthcare.

The following are common examples of PHI:

Clearly PHI

  • Medical records and clinical notes
  • Lab results and diagnostic images
  • Prescription records
  • Mental health treatment records
  • Health insurance claim records
  • Appointment scheduling with health context

May Be PHI (Context-Dependent)

  • IP addresses on healthcare provider websites
  • Appointment request form submissions
  • Health questionnaire responses
  • Patient portal login activity
  • Wearable device data shared with a provider
  • Contact form messages mentioning health conditions

The context matters significantly. An email address alone is not PHI. But an email address combined with information indicating the person is a patient of a specific healthcare provider, or that they are seeking treatment for a specific condition, becomes PHI.

HIPAA Safe Harbor De-Identification

De-identified health information is not subject to HIPAA restrictions and can be used freely for research, analytics, product development, and publication. HIPAA provides two methods for de-identifying PHI: the Safe Harbor method and the Expert Determination method.

The Safe Harbor method requires the removal of 18 specific identifiers from health data. Once all 18 identifiers are removed and the covered entity has no actual knowledge that the information could be used to identify the individual, the data is considered de-identified.

The 18 HIPAA Safe Harbor identifiers to remove:

1. Names
2. Geographic data smaller than state
3. Dates (except year) including birth, death, admission
4. Phone numbers
5. Fax numbers
6. Email addresses
7. Social Security numbers
8. Medical record numbers
9. Health plan beneficiary numbers
10. Account numbers
11. Certificate and license numbers
12. Vehicle identifiers and serial numbers
13. Device identifiers and serial numbers
14. Web URLs
15. IP addresses
16. Biometric identifiers (finger and voice prints)
17. Full-face photographs
18. Any other unique identifying numbers
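As an added illustration (not code from this guide), the Python filter below applies the Safe Harbor list to one constructed record: it drops the fields holding direct identifiers, keeps only the year of date fields, and redacts identifier patterns that commonly leak into free-text notes. The field names, the sample record, and the regular expressions are assumptions; the "no actual knowledge" condition still needs a human review of what remains.

```python
import re
from datetime import date

# Record fields dropped outright. The names are assumptions for this
# constructed record shape, mapped onto the Safe Harbor identifiers above.
DROP_FIELDS = {
    "name", "street", "city", "zip", "phone", "fax", "email", "ssn", "mrn",
    "member_id", "account_no", "license_no", "vin", "device_serial", "url",
    "ip", "fingerprint_id", "photo",
}
# Date fields are reduced to the year only (identifier 3).
DATE_FIELDS = {"dob", "admitted", "discharged"}

# Identifier patterns that commonly leak into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"), "[PHONE]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"), "[IP]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


def scrub_text(text: str) -> str:
    """Replace identifier-like substrings in free text with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def safe_harbor(record: dict) -> dict:
    """Return a copy of the record with Safe Harbor identifiers removed."""
    out = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue  # direct identifier: remove the whole field
        if key in DATE_FIELDS and isinstance(value, date):
            out[key] = value.year  # keep the year only
        elif isinstance(value, str):
            out[key] = scrub_text(value)  # redact leaks inside free text
        else:
            out[key] = value
    return out


SAMPLE = {  # constructed record, not real patient data
    "name": "Jane Doe", "dob": date(1980, 4, 12), "state": "CA", "zip": "94110",
    "email": "jane@example.com", "mrn": "MRN-00123", "diagnosis": "Type 2 diabetes",
    "note": "Patient called from 415-555-0100 on 2025-02-03; emailed jane@example.com.",
}
```

Running `safe_harbor(SAMPLE)` keeps the state and diagnosis, reduces the birth date to 1980, and leaves the note as "Patient called from [PHONE] on [DATE]; emailed [EMAIL]."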

State Health Privacy Laws: Often Stricter Than HIPAA

HIPAA sets a federal floor for health privacy. Many states have enacted health privacy laws that are significantly stricter. When state law provides stronger protections than HIPAA, the state law prevails.

California CMIA
  • Scope: Providers, health plans, contractors, and potentially health apps
  • Key distinction from HIPAA: Broader entity coverage; penalties up to $250,000 per violation

Washington My Health My Data Act
  • Scope: Any entity collecting health data from WA residents
  • Key distinction from HIPAA: Applies beyond covered entities; includes consumer health data not in HIPAA

Nevada Senate Bill 370
  • Scope: Operators of websites and online services
  • Key distinction from HIPAA: Requires consent before selling covered information, including health data

New York SHIELD Act
  • Scope: Businesses that own or license New York resident data
  • Key distinction from HIPAA: Health data is a "special category" with enhanced breach notification requirements

Health App Exemptions: Most Apps Are Not Covered by HIPAA

This surprises many health app founders: most consumer health apps are not subject to HIPAA. HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses) and their business associates. A fitness app, mental wellness app, or symptom tracker that collects health data directly from consumers and has no relationship with a covered entity is generally not a HIPAA covered entity or business associate.

However, not being subject to HIPAA does not mean health app companies have no privacy obligations. Several other frameworks apply:

  • FTC Act Section 5: The FTC has authority to act against health apps that engage in unfair or deceptive practices related to health data. This includes sharing health data with advertisers without disclosure and making misleading security claims.
  • FTC Health Breach Notification Rule: Consumer health apps that experience breaches of unsecured personally identifiable health information must notify affected users and the FTC.
  • California CMIA: California has interpreted CMIA broadly to potentially cover some health apps. Apps that "provide health care" as broadly defined may fall under CMIA even if not under HIPAA.
  • Washington My Health My Data Act: Applies to any entity that collects consumer health data from Washington State residents, regardless of HIPAA status.
  • GDPR: Health data is special category data under GDPR Article 9. If your app has EU users, you need explicit consent to process health data and a comprehensive privacy policy.

Did you know?

In 2023, the FTC took action against several mental health apps including BetterHelp for sharing user health information with advertising platforms like Facebook and Snapchat without adequate disclosure. BetterHelp agreed to pay $7.8 million in refunds to consumers. Health app companies must be extremely careful about how they use health data for advertising purposes, regardless of HIPAA status.

5 Common HIPAA Privacy Policy Mistakes

Mistake 1: Confusing the Notice of Privacy Practices with a website privacy policy

Healthcare providers frequently publish only their HIPAA Notice of Privacy Practices and believe this satisfies their website privacy policy obligation. The NPP covers clinical PHI only. A separate website privacy policy is needed for cookies, analytics, online appointment forms, contact forms, and website visitor data. Both documents are required.

Mistake 2: Health apps incorrectly claiming HIPAA compliance

Many consumer health apps claim to be HIPAA compliant as a marketing tactic even when HIPAA does not legally apply to them. Making false HIPAA compliance claims can trigger FTC enforcement for deceptive practices. Only say you are HIPAA compliant if you are actually a covered entity or business associate with documented compliance programs.

Mistake 3: Using Google Analytics on a healthcare provider website without assessment

Following HHS 2022 guidance, using standard Google Analytics or Meta Pixel on healthcare provider websites may transmit PHI (IP addresses combined with health-seeking behavior) to third parties in violation of HIPAA. Healthcare websites must audit their tracking technologies and either remove them, implement server-side proxying, or obtain specific patient authorization.

Mistake 4: Not signing Business Associate Agreements with technology vendors

Healthcare providers who use cloud services, email providers, EHR systems, or analytics platforms that may come into contact with PHI must have Business Associate Agreements with those vendors. Many providers use Google Workspace or Microsoft 365 for patient communications without executing the required BAA with those providers.

Mistake 5: Failing to keep the Notice of Privacy Practices current

HIPAA requires covered entities to update their NPP whenever there is a material change to their privacy practices and to make the revised NPP available to patients. Many providers have NPPs that are years out of date, particularly if they have added telehealth services, changed EHR systems, or begun sharing data with health information exchanges.

How to Create a HIPAA-Compliant Privacy Policy

Step 1: Determine your HIPAA status

Confirm whether you are a covered entity (healthcare provider, health plan, clearinghouse) or a business associate. If you are a health app operating independently, identify which non-HIPAA laws apply to you (FTC, CMIA, state laws).

Step 2: Draft your Notice of Privacy Practices (covered entities only)

If you are a covered entity, create a HIPAA-compliant NPP that covers permitted uses and disclosures of PHI, patient rights (access, amendment, restriction, accounting), how to file a complaint, and the effective date. Have a healthcare attorney review it.

Step 3: Create a separate website privacy policy

Write a standard website privacy policy covering cookies, analytics tools, contact forms, appointment scheduling data, and any online health questionnaires. This is separate from the NPP and covers website visitor data only.

Step 4: Audit your tracking technologies

Review every third-party script, pixel, and analytics tool on your website. Assess whether any of them might transmit data that could constitute PHI given the HHS 2022 tracking guidance. Remove or replace tools that present HIPAA risk.

Step 5: Execute Business Associate Agreements

Identify every vendor that processes or could access PHI on your behalf. Execute BAAs with each. This includes cloud storage providers, email services used for patient communication, telehealth platforms, and EHR vendors.
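To make the tracking audit in Step 4 (and the Google Analytics / Meta Pixel risk described under Mistake 3) concrete, here is an added Python scanner that is not part of this guide: it parses a page's HTML and lists every script, image and iframe loaded from a host other than the site's own, labelling the hosts used by the two tools named above. The sample page, the first-party host `clinic.example`, and the small `KNOWN_TRACKERS` table are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by the two tools named in the HHS guidance discussed above.
# Illustrative only; a real audit needs a maintained tracker list.
KNOWN_TRACKERS = {
    "www.googletagmanager.com": "Google Analytics / Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
}


class ThirdPartyScanner(HTMLParser):
    """Collects every script, image and iframe loaded from another host."""

    def __init__(self, first_party_host: str):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []  # (tag, host, classification)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        src = dict(attrs).get("src")
        host = urlparse(src).hostname if src else None  # relative URLs give None
        if host and host != self.first_party_host:
            label = KNOWN_TRACKERS.get(host, "unclassified third party")
            self.findings.append((tag, host, label))


def audit_page(html: str, first_party_host: str) -> list:
    """Return third-party resource loads found in the page's static HTML."""
    scanner = ThirdPartyScanner(first_party_host)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


SAMPLE_HTML = """<html><head>
<script src="/static/app.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img src="https://clinic.example/logo.png">
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" width="1" height="1">
<iframe src="https://scheduler.example.net/book"></iframe>
</body></html>"""  # constructed sample page for the site clinic.example
```

A static scan only sees tags present in the served HTML; tags injected at runtime (for example by Tag Manager) require a browser-based check of the actual network requests, and every unclassified host needs a BAA or removal decision.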

Frequently Asked Questions

What is the difference between a HIPAA Notice of Privacy Practices and a website privacy policy?

A HIPAA Notice of Privacy Practices (NPP) is a federally mandated document for covered entities that explains how PHI in clinical records may be used. A website privacy policy covers website visitor data (cookies, analytics, forms). Healthcare providers need both documents, and they should be clearly separate.

Who must comply with HIPAA?

HIPAA applies to covered entities (healthcare providers, health plans, clearinghouses that transmit health data electronically) and their business associates (billing companies, EHR vendors, cloud providers that handle PHI). Business associates must sign Business Associate Agreements and are directly liable under HIPAA.

Does my health app need to comply with HIPAA?

Not automatically. Consumer health apps that operate independently of a covered entity are generally not subject to HIPAA. However, they remain subject to FTC enforcement, the FTC Health Breach Notification Rule, California CMIA, Washington's My Health My Data Act, and GDPR for EU users.

What is HIPAA Safe Harbor de-identification?

HIPAA Safe Harbor de-identification requires removing 18 specific identifiers from health data (names, dates, phone numbers, email addresses, IP addresses, and others). Once removed, the data is no longer PHI and can be used freely for research and analytics without HIPAA restrictions.

What is California's Confidentiality of Medical Information Act (CMIA)?

California's CMIA provides stronger health privacy protections than HIPAA and may apply to some health apps and digital health companies that are not covered by HIPAA. CMIA violations can result in civil penalties of up to $250,000 per violation plus actual damages.

Generate Your Healthcare Privacy Policy

Create a website privacy policy for your healthcare organization or health app in minutes. Our generator covers HIPAA-relevant disclosures, health data categories, and state law requirements. Note: always have a healthcare attorney review your HIPAA Notice of Privacy Practices.
