Healthcare privacy is not just about HIPAA
Most clinic owners know they need to comply with HIPAA. What many do not realize is that HIPAA's Notice of Privacy Practices is only one piece of the privacy puzzle. Modern clinics also need a website privacy policy that addresses non-HIPAA data collection — analytics, marketing, contact forms — and compliance with state privacy laws that may impose requirements beyond what HIPAA covers.
The distinction matters. HIPAA's Notice of Privacy Practices covers Protected Health Information (PHI). Your website privacy policy covers all personal information collected through your digital presence. These are separate documents with separate legal requirements, and most clinics need both.
HIPAA Notice of Privacy Practices
Every HIPAA-covered entity must provide patients with a Notice of Privacy Practices (NPP) that explains how their Protected Health Information may be used and disclosed. This is a HIPAA requirement, not a suggestion.
What the NPP must include
Your Notice of Privacy Practices must contain:
Uses and disclosures of PHI:
- Treatment: sharing information with other providers involved in patient care
- Payment: submitting claims to insurance companies, billing
- Healthcare operations: quality improvement, training, compliance activities
- Other uses and disclosures permitted without authorization (public health, law enforcement, workers' compensation)
- Uses requiring written patient authorization (marketing, sale of PHI, psychotherapy notes)
Patient rights:
- Right to access their medical records
- Right to request amendments to their records
- Right to an accounting of disclosures
- Right to request restrictions on uses and disclosures
- Right to request confidential communications (alternative address or phone number)
- Right to receive a copy of the Notice of Privacy Practices
- Right to file a complaint with the clinic or with HHS Office for Civil Rights
Clinic responsibilities:
- Legal obligation to maintain privacy of PHI
- Legal obligation to provide the Notice
- Obligation to notify patients of a breach of unsecured PHI
- How changes to the Notice will be communicated
Contact information:
- Name and contact information for your Privacy Officer
- How to file a complaint with the clinic
- How to file a complaint with the HHS Office for Civil Rights
NPP distribution requirements
- Provide the NPP to every new patient at their first visit
- Make a good faith effort to obtain written acknowledgment of receipt
- Post the current NPP in a clear and prominent location in your facility
- Make copies available for anyone who requests one
- Post the current NPP prominently on your website if the site provides information about your services
When to update your NPP
Update your Notice of Privacy Practices whenever you make material changes to your privacy practices. Distribute the updated notice to patients and post the new version prominently.
Website privacy policy (separate from NPP)
Your clinic's website likely collects personal information that is not Protected Health Information under HIPAA. This data requires a separate website privacy policy.
Data your clinic website collects
Website analytics:
- IP addresses and approximate location
- Browser type and device information
- Pages visited and time spent
- Referral sources (how visitors found your site)
Contact and appointment forms:
- Names, phone numbers, email addresses
- Reason for visit or medical concerns submitted through forms
- Preferred appointment times
Patient portal:
- Login credentials
- Portal usage patterns
- Secure message content (this may be PHI — handle accordingly)
Online bill pay:
- Payment card information (ideally tokenized by the payment gateway so card numbers never pass through your own systems)
- Billing account identifiers
Marketing and communications:
- Email newsletter subscriptions
- Blog engagement data
- Social media interactions
- Online review responses
Telehealth platforms:
- Video and audio recordings (if applicable)
- Technical connection data
- Session scheduling data
What your website privacy policy should address
Your website privacy policy should cover all non-PHI data collection:
- What personal information the website collects
- How cookies and tracking technologies are used
- Third-party analytics and advertising tools (Google Analytics, Facebook Pixel); keep such tags off authenticated portal pages and pages where patients submit health information unless the vendor has signed a Business Associate Agreement, since HHS OCR treats data sent to a tracking vendor from those pages as a disclosure of PHI
- How contact form submissions are handled
- Email marketing practices and opt-out options
- Social media integration and data sharing
- Data security measures for website data
- Consumer rights under applicable state privacy laws
Distinguishing website data from PHI
Some data submitted through your website may qualify as PHI if it relates to a patient's health condition and is collected by a covered entity. For example:
- A message through your contact form describing symptoms is potentially PHI
- An appointment request mentioning a medical condition is potentially PHI
- A newsletter signup with just an email address is generally not PHI
Your website privacy policy should note that health-related information submitted through the website may be treated as PHI and governed by your Notice of Privacy Practices.
State privacy law compliance
State health privacy laws
Several states have health privacy laws that go beyond HIPAA:
- California (CMIA): California's Confidentiality of Medical Information Act provides protections that in some cases exceed HIPAA, including a private right of action for patients
- Texas: the Texas Medical Records Privacy Act applies to a broader set of covered entities than HIPAA and sets specific requirements for electronic health record access and workforce privacy training
- New York: SHIELD Act imposes data security requirements on businesses holding private information of New York residents
General state privacy laws
Comprehensive state privacy laws (CCPA/CPRA, Virginia VCDPA, Colorado CPA, etc.) may apply to your clinic's non-PHI data collection. While most have exemptions for HIPAA-covered data, they may still apply to:
- Website visitor data not connected to patient care
- Marketing data
- Employee data (in some states)
- Data from non-patient website visitors
State breach notification laws
Every state has its own breach notification law. While HIPAA has its own breach notification rule for PHI, state laws may impose additional requirements for breaches of non-PHI personal information.
Telehealth privacy considerations
The expansion of telehealth has created new privacy obligations:
Platform selection
- Telehealth platforms must support HIPAA Security Rule controls (encryption, access controls, audit logs), and the vendor must sign a Business Associate Agreement before the platform is used with patients
- Consumer video platforms (regular Zoom, FaceTime, Skype) are not suitable for routine telehealth; the COVID-era enforcement discretion that tolerated them ended in 2023
- Document which platforms are approved for patient communication
Recording and consent
- State laws vary on whether patient consent is required to record telehealth sessions
- Some states require consent from all parties to a recorded conversation, not just the provider
- Document your recording policy in both your NPP and telehealth consent forms
Cross-state telehealth
- Providing telehealth services to patients in other states may trigger those states' privacy laws
- Licensing requirements may also apply when treating patients across state lines
Patient portal privacy
Patient portals raise specific privacy considerations:
- Strong authentication requirements (multi-factor authentication recommended)
- Session timeout policies
- Proxy access for parents, guardians, and authorized representatives
- Adolescent access and privacy rights (varies by state and age)
- Audit logging of all portal access
- Secure messaging encryption, in transit and at rest
- Mobile app security for portal access
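Three of the controls above (session timeouts, proxy access, audit logging) interact in a way that a list does not show: every access decision, including denials and expirations, should produce an audit entry that records who acted and whose record was touched. The following is an added example, not ComplyStack's code or any real portal's; the timeout values, event names and identifiers are assumptions chosen for illustration.

```python
"""Session timeout and access-audit skeleton for a patient portal.

Added example only; the policy values below (15 min idle, 8 h absolute)
and the event schema are assumptions, not requirements from any rule.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import json

IDLE_TIMEOUT = timedelta(minutes=15)    # assumed policy value
ABSOLUTE_TIMEOUT = timedelta(hours=8)   # assumed policy value


@dataclass
class Session:
    session_id: str
    actor_id: str        # the authenticated user (patient or proxy)
    subject_id: str      # whose record is being accessed
    mfa_verified: bool
    started_at: datetime
    last_seen: datetime
    ended: bool = False


@dataclass
class AuditLog:
    entries: list = field(default_factory=list)

    def record(self, event: str, session: Session, now: datetime, **extra) -> dict:
        # Actor and subject are logged separately so proxy access
        # (parent viewing a child's record) is visible in every entry.
        entry = {
            "ts": now.isoformat(),
            "event": event,
            "session_id": session.session_id,
            "actor_id": session.actor_id,
            "subject_id": session.subject_id,
            "proxy_access": session.actor_id != session.subject_id,
            **extra,
        }
        self.entries.append(entry)
        return entry

    def as_jsonl(self) -> str:
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.entries)


def check_session(session: Session, now: datetime, log: AuditLog, resource: str) -> bool:
    """Return True if the request may proceed. Every path writes an audit entry."""
    if session.ended:
        log.record("access_denied", session, now, resource=resource, reason="session_ended")
        return False
    if not session.mfa_verified:
        log.record("access_denied", session, now, resource=resource, reason="mfa_required")
        return False
    # Absolute timeout is checked before idle timeout so a steadily active
    # session still ends at the hard limit.
    if now - session.started_at > ABSOLUTE_TIMEOUT:
        session.ended = True
        log.record("session_expired", session, now, resource=resource, reason="absolute_timeout")
        return False
    if now - session.last_seen > IDLE_TIMEOUT:
        session.ended = True
        log.record("session_expired", session, now, resource=resource, reason="idle_timeout")
        return False
    session.last_seen = now
    log.record("access_granted", session, now, resource=resource)
    return True


def demo():
    """Constructed scenario: a parent (proxy) viewing a child's record."""
    log = AuditLog()
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = Session("s1", actor_id="parent-42", subject_id="child-99",
                mfa_verified=True, started_at=t0, last_seen=t0)
    results = [
        check_session(s, t0 + timedelta(minutes=5), log, "/records/labs"),
        check_session(s, t0 + timedelta(minutes=30), log, "/messages"),   # 25 min idle
        check_session(s, t0 + timedelta(minutes=31), log, "/messages"),   # already ended
    ]
    return results, log


if __name__ == "__main__":
    _, audit = demo()
    print(audit.as_jsonl())
```

The JSON-lines output is what you would ship to a log store for the audit trail; the `proxy_access` flag on every entry is what lets you later answer "which guardian accounts viewed this adolescent's record, and when".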
Common clinic privacy mistakes
Using one document for everything
Your Notice of Privacy Practices and your website privacy policy are separate documents with separate legal requirements. Do not try to combine them into a single document.
Not getting NPP acknowledgment
HIPAA requires a good faith effort to obtain written acknowledgment that the patient received the NPP. Failure to document this effort is a common audit finding.
Ignoring employee and vendor data
Your privacy obligations extend beyond patient data. Employee data, vendor data, and website visitor data all require appropriate privacy protections and disclosures.
Not updating for technology changes
Adding a new patient portal, switching EHR systems, implementing telehealth, or adding a new marketing platform all potentially require updates to your privacy policies.
Overlooking business associate agreements
Every vendor that handles PHI on your behalf must have a signed Business Associate Agreement. Common business associates include EHR vendors, billing services, cloud storage providers, IT support companies, and telehealth platforms.
How ComplyStack creates your clinic privacy policy
ComplyStack generates privacy policies tailored to healthcare practices — addressing both HIPAA Notice of Privacy Practices requirements and website privacy obligations. Every policy is customized for your clinic type, the services you offer, the technology platforms you use, and the state-specific privacy laws that apply to your practice.