Generate a HIPAA-Compliant Privacy Policy

Tested prompts for a HIPAA-compliant privacy policy template, compared across 5 leading AI models.

Best by judge score: Claude Haiku 4.5 (8/10)

If you run a healthcare practice, health tech startup, or any business that handles protected health information (PHI), you legally need a privacy policy that meets HIPAA requirements. This is not optional. The HHS Office for Civil Rights enforces HIPAA notices of privacy practices, and missing or inadequate disclosures can result in fines starting at $100 per violation and climbing into the millions for willful neglect.

Most generic privacy policy templates pulled from the internet are written for e-commerce or SaaS businesses. They cover cookies and marketing data, not PHI, covered entities, or patient rights under 45 CFR 164.520. Using one of those templates for a medical practice or health app is a compliance liability, not a solution.

This page shows you how to use AI to generate a HIPAA-specific privacy policy by feeding it the right inputs about your organization, what PHI you collect, who you share it with, and how patients can exercise their rights. The outputs shown below are starting points that require legal review before publishing, but they give you a structured, compliant draft in minutes rather than paying an attorney for a first-draft document.

When to use this

This approach works when you need a first draft of a HIPAA-compliant privacy policy or Notice of Privacy Practices (NPP) and want something purpose-built for healthcare rather than a generic template. It is especially useful when you can describe your specific entity type, data practices, and patient rights procedures clearly.

  • A new medical or dental practice setting up its website and patient intake process for the first time
  • A telehealth startup building its compliance documentation before a HIPAA audit or investor due diligence review
  • A healthcare SaaS company that acts as a Business Associate and needs a privacy policy reflecting that relationship
  • A therapy or mental health practice that needs to explain sensitive PHI handling, including psychotherapy notes protections
  • An existing practice updating its NPP after adding new services, EHR vendors, or telehealth capabilities

When this format breaks down

  • Do not use an AI-generated draft as your final published document without review by a licensed healthcare attorney or HIPAA compliance officer. The output is a starting point, not a legal sign-off.
  • If your organization is currently under an HHS investigation or has received a corrective action plan, you need attorney-drafted documents, not AI-assisted templates.
  • If you are not a covered entity or business associate under HIPAA, you do not need a HIPAA privacy policy. Use a standard privacy policy instead. Falsely claiming HIPAA compliance when it does not apply is itself a regulatory and FTC risk.
  • If your PHI handling involves highly complex arrangements, such as a research institution with IRB data-sharing agreements or a health plan with dozens of subcontractors, a template workflow will miss too much specificity to be safe.

The prompt we tested

You are a healthcare privacy compliance expert specializing in HIPAA regulations (Privacy Rule 45 CFR Part 160 and Subparts A and E of Part 164). Generate a complete, HIPAA-compliant Privacy Policy template based on the organization details provided below.

Instructions: Format as a formal legal document with numbered sections and clear headings. Use professional but accessible language suitable for patients. Include all mandatory HIPAA Notice of Privacy Practices elements and use [BRACKETED] placeholders for any organization-specific information.

Organization details:
We are a small private dental practice called Bright Smiles Dental, located in Austin, Texas, with three dentists and about 1,200 active patients. We collect standard patient health information, process insurance claims, and occasionally share records with specialists for referrals. We need a Notice of Privacy Practices to post in our office and give to new patients.

Produce a ready-to-use Privacy Policy template with clearly labeled sections, placeholder fields in [BRACKETS] for organization-specific details, and plain-language explanations where appropriate. Include all required HIPAA sections: (1) Our Commitment to Your Privacy, (2) Uses and Disclosures of Protected Health Information (PHI) — for treatment, payment, and healthcare operations, (3) Uses and Disclosures Requiring Your Authorization, (4) Your Rights Regarding PHI (access, amendment, accounting of disclosures, restrictions, confidential communications, paper copy, complaints), (5) Our Responsibilities, (6) Breach Notification, (7) Changes to This Notice, (8) Contact Information and Privacy Officer, (9) Effective Date. End with a disclaimer that the template should be reviewed by qualified legal counsel before use.
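Because every output in the comparison below was cut off before reaching Section 9, a practitioner running this prompt at scale wants an automated completeness check before a draft goes anywhere near legal review. The following is an added example (not code from the original page or from any of the compared models): it checks a generated draft for the nine sections and seven patient rights the prompt requires, for the closing legal-counsel disclaimer, and for a token-limit truncation. It assumes the model formats section headings as markdown `#` headings or `SECTION n:` lines, as all four outputs on this page do; the two sample drafts are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# The nine sections the prompt requires: (label, regex matched against heading
# text case-insensitively, heading_only). "Effective Date" is usually a field
# line rather than a heading, so it is accepted anywhere in the text.
REQUIRED_SECTIONS = [
    ("Our Commitment to Your Privacy", r"commitment to your privacy", True),
    ("Uses and Disclosures of PHI", r"uses and disclosures of protected health information", True),
    ("Uses and Disclosures Requiring Authorization", r"requiring your (written )?authorization", True),
    ("Your Rights Regarding PHI", r"your rights regarding", True),
    ("Our Responsibilities", r"our responsibilities", True),
    ("Breach Notification", r"breach notification", True),
    ("Changes to This Notice", r"changes to this notice", True),
    ("Contact Information and Privacy Officer", r"contact (information|us)|privacy officer", True),
    ("Effective Date", r"effective date", False),
]

# Patient rights the prompt lists under section 4, checked anywhere in the body.
REQUIRED_RIGHTS = ["access", "amend", "accounting of disclosures", "restriction",
                   "confidential communication", "paper copy", "complaint"]

# Assumption: headings are markdown "#" lines or "SECTION n:" lines.
HEADING_RE = re.compile(r"^\s*(?:#{1,6}\s*|SECTION\s+\d+:\s*)(?P<title>.+?)\s*$", re.I)
# A complete document ends on a sentence, a closing bracket, a rule or emphasis.
TERMINAL_RE = re.compile(r"[.!?)\]*_-]$")


@dataclass
class DraftReport:
    missing_sections: list = field(default_factory=list)
    missing_rights: list = field(default_factory=list)
    has_disclaimer: bool = False
    truncated: bool = False

    @property
    def production_ready(self) -> bool:
        return (self.has_disclaimer and not self.truncated
                and not self.missing_sections and not self.missing_rights)


def check_npp_draft(text: str) -> DraftReport:
    """Check a model-generated Notice of Privacy Practices against the prompt's requirements."""
    report = DraftReport()
    lines = [ln for ln in text.splitlines() if ln.strip()]
    headings = [m.group("title") for ln in lines if (m := HEADING_RE.match(ln))]
    for label, pattern, heading_only in REQUIRED_SECTIONS:
        haystack = headings if heading_only else [text]
        if not any(re.search(pattern, h, re.I) for h in haystack):
            report.missing_sections.append(label)
    report.missing_rights = [r for r in REQUIRED_RIGHTS if not re.search(r, text, re.I)]
    report.has_disclaimer = bool(re.search(r"legal counsel|attorney|lawyer", text, re.I))
    # Truncation heuristic: a model that hit its output-token limit stops on a
    # heading or mid-sentence instead of on a finished closing sentence.
    last = lines[-1] if lines else ""
    report.truncated = bool(HEADING_RE.match(last)) or not TERMINAL_RE.search(last)
    return report


# Constructed sample: a draft shaped like the cut-off outputs on this page.
TRUNCATED_DRAFT = """# NOTICE OF PRIVACY PRACTICES
**Effective Date:** [MM/DD/YYYY]
## SECTION 1: OUR COMMITMENT TO YOUR PRIVACY
We are required by law to maintain the privacy of your PHI.
## SECTION 2: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION (PHI)
We may use your PHI for treatment, payment, and healthcare operations.
## SECTION 3: USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION
Other uses require your written authorization.
## SECTION 4: YOUR RIGHTS REGARDING YOUR PHI
### 4.1 Right to Access and Inspect
You may inspect and obtain a copy of your PHI.
### 4.2 Right to Amend
You may request an amendment.
### 4.3 Right to an Accounting of Disclosures
### 4.4 Right to Request Restrictions
You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment,
"""

# Constructed sample: a skeleton that satisfies every requirement of the prompt.
COMPLETE_DRAFT = """# NOTICE OF PRIVACY PRACTICES
## 1. Our Commitment to Your Privacy
[PRACTICE NAME] is required by law to maintain the privacy of your PHI.
## 2. Uses and Disclosures of Protected Health Information (PHI)
We may use and disclose your PHI for treatment, payment, and healthcare operations.
## 3. Uses and Disclosures Requiring Your Authorization
Other uses and disclosures require your written authorization, which you may revoke.
## 4. Your Rights Regarding PHI
You may access and amend your PHI, request an accounting of disclosures, request
restrictions and confidential communications, obtain a paper copy of this Notice,
and file a complaint with us or with HHS without retaliation.
## 5. Our Responsibilities
We must maintain the privacy of your PHI and follow the terms of this Notice.
## 6. Breach Notification
We will notify you of any breach of your unsecured PHI as required by law.
## 7. Changes to This Notice
We may revise this Notice; the current version is posted at [LOCATION].
## 8. Contact Information and Privacy Officer
Privacy Officer: [NAME], [PHONE], [EMAIL].
## 9. Effective Date
This Notice is effective as of [MM/DD/YYYY].
*Disclaimer: review by qualified legal counsel is required before use.*
"""

if __name__ == "__main__":
    for name, draft in [("truncated", TRUNCATED_DRAFT), ("complete", COMPLETE_DRAFT)]:
        print(name, check_npp_draft(draft))
```

Run against the truncated sample, the report lists Sections 5 through 8 as missing, three rights absent, no disclaimer, and `truncated=True`; the complete skeleton comes back `production_ready=True`. The truncation heuristic is deliberately simple: it catches the failure mode visible in this comparison (output stopping on a heading or a comma because the token budget ran out) and should be paired with the token counts the model API reports, not used as the only signal.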

Model comparison

| Model | Quality | Cost | Latency | Tokens |
| --- | --- | --- | --- | --- |
| Claude Opus 4.7 | 6 | $0.1627 | 29.0s | 609 / 2048 |
| Claude Haiku 4.5 | 8 | $0.0106 | 18.9s | 387 / 2048 |
| GPT-5.4 | 7 | $0.0316 | 52.3s | 343 / 2048 |
| Grok 4.1 Fast Reasoning | 8 | $0.0010 | 20.8s | 483 / 1737 |

Outputs

Claude Opus 4.7 6/10

# NOTICE OF PRIVACY PRACTICES

## BRIGHT SMILES DENTAL

**Effective Date:** [MM/DD/YYYY]

---

**THIS NOTICE DESCRIBES HOW MEDICAL AND DENTAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.**

---

## SECTION 1: OUR COMMITMENT TO YOUR PRIVACY

Bright Smiles Dental ("we," "our," or "the Practice") is committed to protecting the privacy and security of your Protected Health Information ("PHI"). PHI includes any information about your health, dental treatment, or payment for dental services that can be used to identify you.

We are required by federal law (the Health Insurance Portability and Accountability Act, or "HIPAA") and applicable Texas state law to:

- Maintain the privacy and security of your PHI;
- Provide you with this Notice describing our legal duties and privacy practices regarding your PHI;
- Notify you if there is a breach of your unsecured PHI;
- Follow the terms of the Notice currently in effect.

This Notice applies to all records of your care generated by Bright Smiles Dental, including records maintained by our dentists, hygienists, dental assistants, administrative staff, and any business associates acting on our behalf.

---

## SECTION 2: USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION (PHI)

We may use and disclose your PHI without your written authorization for the following purposes:

### 2.1 For Treatment
We use your PHI to provide, coordinate, and manage your dental care. For example:
- Our dentists and hygienists review your dental and medical history before performing procedures.
- We may share your PHI with specialists (such as oral surgeons, orthodontists, endodontists, or periodontists) when referring you for specialized care.
- We may consult with your physician or other healthcare providers regarding your treatment.

### 2.2 For Payment
We use and disclose your PHI to obtain payment for the services we provide. For example:
- We submit claims to your dental or medical insurance carrier.
- We may verify your eligibility and benefits with your insurer.
- We may provide information to billing services, collection agencies, or other entities involved in processing payment.

### 2.3 For Healthcare Operations
We use and disclose your PHI to support the business activities of our practice. For example:
- Reviewing the quality of care provided by our dentists and staff;
- Training dental students, assistants, or hygienists;
- Conducting licensing, certification, and accreditation activities;
- Scheduling appointments and sending appointment reminders via [PHONE/TEXT/EMAIL/POSTCARD];
- Conducting business planning and management.

### 2.4 Other Permitted Uses and Disclosures
We may also use or disclose your PHI without your authorization in the following circumstances:

- **As Required by Law:** When required by federal, state, or local law.
- **Public Health Activities:** To prevent disease, report adverse reactions to medications, or report suspected abuse or neglect.
- **Health Oversight Activities:** To health oversight agencies for audits, investigations, and inspections.
- **Judicial and Administrative Proceedings:** In response to a court order, subpoena, or lawful discovery request.
- **Law Enforcement:** To law enforcement officials as permitted or required by law.
- **Coroners, Medical Examiners, and Funeral Directors:** To perform their authorized duties.
- **Research:** When the research has been approved by an Institutional Review Board and privacy protections are in place.
- **Serious Threats to Health or Safety:** To prevent a serious and imminent threat.
- **Military, National Security, and Specialized Government Functions:** As authorized by law.
- **Workers' Compensation:** To comply with workers' compensation laws.
- **Business Associates:** To third parties who perform services on our behalf (e.g., billing companies, IT vendors, dental laboratories), subject to written agreements requiring them to safeguard your PHI.

---

## SECTION 3: USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION

Other uses and disclosures of your PHI not described above will be made only with your written authorization. This includes:

- **Marketing Communications** (beyond face-to-face communications or promotional gifts of nominal value);
- **Sale of PHI** to any third party;
- **Psychotherapy Notes**, if applicable;
- **Most Uses and Disclosures** that do not fall within the categories described in Section 2.

You may revoke your authorization at any time, in writing, except to the extent that we have already acted in reliance on it. To revoke an authorization, submit a written request to our Privacy Officer at the contact information in Section 8.

---

## SECTION 4: YOUR RIGHTS REGARDING YOUR PHI

You have the following rights with respect to your PHI:

### 4.1 Right to Access and Inspect
You have the right to inspect and obtain a copy of your PHI maintained in our designated record set. Requests must be submitted in writing. We may charge a reasonable, cost-based fee for copies as permitted by law. We will respond to your request within [30] days.

### 4.2 Right to Amend
If you believe that your PHI is incorrect or incomplete, you may request that we amend it. Requests must be submitted in writing and include a reason supporting the request. We may deny your request under certain circumstances and will provide a written explanation if we do.

### 4.3 Right to an Accounting of Disclosures
You have the right to request an accounting of certain disclosures of your PHI made by us during the six years prior to your request. The first accounting within a 12-month period is free; additional requests may incur a reasonable fee.

### 4.4 Right to Request Restrictions
You have the right to request restrictions on certain uses and disclosures of your PHI for treatment, payment,

Judge notes: The output is cut off mid-sentence in Section 4.4 and never delivers Sections 5–9 (Our Responsibilities, Breach Notification, Changes to Notice, Contact Information/Privacy Officer, Effective Date, and legal disclaimer), making it incomplete and not production-ready despite strong formatting and content quality in the delivered portions.

Claude Haiku 4.5 8/10

# NOTICE OF PRIVACY PRACTICES

**BRIGHT SMILES DENTAL**

[Organization Address: 123 Main Street, Austin, Texas 78701]

[Phone Number: (512) XXX-XXXX]

**Effective Date: [INSERT DATE]**

---

## 1. OUR COMMITMENT TO YOUR PRIVACY

Bright Smiles Dental ("we," "us," "our," or the "Practice") is committed to protecting the privacy and confidentiality of your health information. This Notice of Privacy Practices ("Notice") explains how we collect, use, and disclose your protected health information ("PHI") in accordance with applicable federal and state privacy laws, specifically the Health Insurance Portability and Accountability Act of 1996 ("HIPAA") and its implementing regulations (45 CFR Parts 160 and 164).

This Notice describes:
- How we may use and disclose your health information
- Your rights regarding your health information
- Our legal obligations concerning your health information
- How to file a complaint if you believe your privacy has been violated

**You have the right to receive a copy of this Notice upon request and at the time of your first appointment.** We encourage you to read it carefully.

---

## 2. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION

We collect, maintain, use, and disclose your PHI to provide you with high-quality dental care and to support the operations of our practice. PHI includes any health information in a medical or dental record or other health care-related information that can be used to identify you.

### 2.1 Uses and Disclosures for Treatment, Payment, and Healthcare Operations (No Authorization Required)

Under HIPAA, we may use and disclose your PHI without your written authorization for the following purposes:

#### **A. Treatment**

We use your PHI to provide you with dental care services, including:
- Examining and evaluating your oral health
- Diagnosing dental conditions
- Planning and delivering treatment
- Consulting with other healthcare providers about your care
- Following up on your treatment outcomes

*Example: Your dentist reviews your patient record before your appointment, communicates with a dental specialist about a referral, or discusses your treatment plan with the hygienist.*

#### **B. Payment**

We use and disclose your PHI to obtain payment for the dental services we provide, including:
- Billing you for services rendered
- Processing insurance claims and reimbursements
- Determining insurance eligibility and coverage
- Managing accounts receivable
- Coordinating benefits with other payers
- Pursuing collection efforts if necessary

*Example: We send your claim information to your dental insurance company to process your claim or we contact your insurance to verify your coverage before treatment.*

#### **C. Healthcare Operations**

We use and disclose your PHI to support the day-to-day operations of our practice, including:
- Quality improvement and peer review activities
- Credentialing and licensing verification
- Training and supervision of staff members
- Evaluation of healthcare providers' performance
- Arrangement and negotiation of contracts with other providers
- General administrative and practice management functions
- Customer service activities

*Example: We review your records to ensure quality care, use your information to train staff, or contact you to remind you of an appointment or to inform you of important treatment information.*

### 2.2 Disclosures to Business Associates (No Authorization Required)

We may disclose your PHI to third-party service providers, known as "Business Associates," who perform services on our behalf under a written Business Associate Agreement. These may include:
- [Insurance billing companies]
- [Electronic health records vendors]
- [Dental laboratories]
- [Accounting and auditing firms]
- [Legal consultants]
- [IT support and cloud storage providers]

Business Associates are contractually obligated to safeguard your information and use it only for the purposes specified.

### 2.3 Disclosures to Other Providers and Specialists (No Authorization Required for Treatment-Related Disclosures)

We may disclose your PHI to other dental and medical providers involved in your care, including:
- Dental specialists (endodontists, orthodontists, periodontists, surgeons, etc.)
- Physicians (for medical history and medication management)
- Hospitals or emergency care facilities
- Other dentists or healthcare providers you see

*Example: We send your radiographs and treatment notes to an endodontist for a root canal referral.*

### 2.4 Disclosures Required by Law (No Authorization Required)

We may use and disclose your PHI without authorization when required by federal, state, or local law, including:
- Court orders, subpoenas, or summonses
- Public health activities (disease reporting, health surveillance)
- Law enforcement requests (limited to specific circumstances)
- National security and intelligence purposes
- Abuse, neglect, or domestic violence reporting (as mandated by law)
- Workers' compensation claims
- Organ and tissue donation
- Coroner, medical examiner, and funeral director requests

---

## 3. USES AND DISCLOSURES REQUIRING YOUR WRITTEN AUTHORIZATION

Except as described in Section 2 above, we will not use or disclose your PHI without your written authorization. Uses and disclosures requiring your prior written authorization include:

- Disclosure to employers
- Marketing and fundraising activities
- Disclosure to life insurers
- Psychotherapy notes (if applicable)
- Substance abuse treatment information (if applicable)
- HIV/AIDS-related information (subject to state law)
- Genetic information
- Any other use or disclosure not described in this Notice

You may revoke an authorization at any time by providing us with written notice. Revocation will not affect disclosures already made in reliance on your authorization.

---

## 4. YOUR RIGHTS REGARDING YOUR PROTECTED HEALTH INFORMATION

Under HIPAA, you have the following rights:

### 4.1 Right to Access Your Health Information

You have the right to inspect and obtain a copy of your dental records, including:
- Patient registration information
- Medical and dental histories
- Radiographs (X-rays)
- Treatment notes and clinical records
- Insurance information and billing records
- Records of disclosures we have made

**How to Request:** Submit a written request to our Privacy Officer at [Contact Information]. We will provide access within 30 days (or as required by law). We may charge a reasonable fee for copies ($[X] per page or actual cost of reproduction). We may deny access in limited circumstances as permitted by law and will explain our denial in writing.

**Note:** If you believe the denial is improper, you may request a review by another licensed healthcare provider.

### 4.2 Right to Request Amendment

You have the right to request that we amend or correct information in your health record if you believe it is inaccurate or incomplete.

**How to Request:** Submit a written request to our Privacy Officer specifying what you wish to amend and why. We will respond within 30 days. If we deny your request, we will explain the reason in writing, and you may submit a written statement of disagreement to be included in your record.

### 4.3 Right to an Accounting of Disclosures

You have the right to request an accounting of all disclosures we have made of your PHI during the six (6) years preceding your request, except for:
- Disclosures for treatment, payment, or healthcare operations
- Disclosures you authorized
- Disclosures to you
- Disclosures made in accordance with your patient authorization

**How to Request:** Submit a written request to our Privacy Officer. We will provide an accounting within 30 days. The first accounting in a 12-month period is free; subsequent requests may incur a reasonable fee.

### 4.4 Right to Request Restrictions on Uses and Disclosures

You have the right to request that we restrict how we use and disclose your PHI for treatment, payment, and operations. You may also request that we restrict disclosures to a specific individual, such as a family member or friend.

**Important:** We are not required to agree to your requested restriction. If we agree, we will honor the restriction except in emergencies or when the information is otherwise required to be disclosed by law.

**How to Request:** Submit a written request to our Privacy Officer specifying your requested restrictions. If we deny your request, we will inform you in writing.

### 4.5 Right to Request Confidential Communications

You have the right to request that we communicate with you about your health information in a confidential manner or at an alternative location (e.g., mailing to a P.O. Box or alternate address instead of your home).

**How to Request:** Submit a written request to our Privacy Officer explaining your preferred method of communication. We will accommodate reasonable requests.

### 4.6 Right to Receive Notice

You have the right to receive this Notice in a written format and to request a paper copy at any time, even if you initially received it electronically.

### 4.7 Right to File a Complaint

Judge notes: The output is cut off mid-section (Section 4.7 is incomplete), missing Sections 5–9 and the required legal disclaimer, which prevents it from being production-ready without completion.

GPT-5.4 7/10

# NOTICE OF PRIVACY PRACTICES  
**[PRACTICE NAME]**  
**This Notice Describes How Medical Information About You May Be Used and Disclosed and How You Can Get Access to This Information. Please Review It Carefully.**

---

## 1. OUR COMMITMENT TO YOUR PRIVACY

At [PRACTICE NAME], we understand that information about your health and dental care is personal. We are committed to protecting the privacy and security of your Protected Health Information (“PHI”). PHI includes information that identifies you and relates to your past, present, or future physical or mental health or condition, the health care you receive, or payment for your health care.

This Notice of Privacy Practices (“Notice”) describes:

1. How we may use and disclose your PHI;
2. Your rights regarding your PHI;
3. Our legal duties with respect to your PHI; and
4. How you can contact us for more information or to file a complaint.

We are required by federal law, including the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), to maintain the privacy of your PHI, provide you with this Notice of our legal duties and privacy practices, and follow the terms of the Notice currently in effect.

This Notice applies to all records of your care created or maintained by [PRACTICE NAME], including records in paper, electronic, and other formats.

---

## 2. USES AND DISCLOSURES OF PROTECTED HEALTH INFORMATION (PHI)

We may use and disclose your PHI without your written authorization for purposes of treatment, payment, and health care operations, as described below.

### 2.1 Treatment

We may use and disclose your PHI to provide, coordinate, or manage your dental and related health care services. For example, we may use your PHI to:

- Review your dental and medical history before treatment;
- Discuss your condition and treatment plan with you;
- Share information with another dentist, physician, oral surgeon, orthodontist, periodontist, endodontist, dental laboratory, pharmacy, or other health care provider involved in your care;
- Refer you to a specialist and send records, x-rays, images, or chart notes needed for your care.

**Example:** If we refer you to a dental specialist, we may send that provider relevant records so they can evaluate and treat you.

### 2.2 Payment

We may use and disclose your PHI to bill and collect payment for the services and items we provide to you. For example, we may use or disclose your PHI to:

- Submit claims to your dental plan, health insurer, Medicaid, Medicare, or other payer;
- Verify your insurance coverage or benefits;
- Obtain prior authorization for treatment;
- Review services for medical necessity or coverage purposes;
- Bill you or the responsible party for amounts due;
- Use collection services, if permitted by law.

**Example:** We may send information about your examination, x-rays, or procedures to your insurance company so it can pay all or part of your claim.

### 2.3 Health Care Operations

We may use and disclose your PHI for our health care operations, which are activities necessary to run our practice and ensure quality patient care. For example, we may use or disclose your PHI for:

- Quality assessment and improvement activities;
- Reviewing the competence or qualifications of dental professionals;
- Staff training and education;
- Licensing, accreditation, certification, and credentialing activities;
- Audits, compliance reviews, and risk management;
- Business planning, management, and administrative services;
- Customer service and resolution of complaints;
- Limited fundraising communications, if permitted by law.

### 2.4 Appointment Reminders and Treatment Information

We may use or disclose your PHI to contact you with:

- Appointment reminders;
- Information about treatment alternatives;
- Information about health-related benefits or services that may be of interest to you.

We may contact you by [PHONE], [TEXT MESSAGE], [EMAIL], [PATIENT PORTAL], or mail, using the contact information you provide, unless you ask us to communicate with you in a different way as allowed by law.

### 2.5 Individuals Involved in Your Care or Payment for Your Care

Unless you object, we may disclose relevant PHI to a family member, close friend, personal representative, or another person you identify if that person is involved in your care or payment for your care. We may also disclose PHI to notify, or help notify, such persons of your location, general condition, or death.

If you are unavailable, incapacitated, or in an emergency situation, we may use our professional judgment to determine whether a disclosure is in your best interest.

### 2.6 Required by Law

We may use or disclose your PHI when required to do so by federal, state, or local law.

### 2.7 Public Health Activities

We may disclose your PHI for public health activities permitted or required by law, such as:

- Preventing or controlling disease, injury, or disability;
- Reporting adverse events or product problems;
- Reporting abuse, neglect, or domestic violence, as permitted or required by law;
- Notifying appropriate authorities if we believe a patient has been the victim of abuse, neglect, or domestic violence.

### 2.8 Health Oversight Activities

We may disclose your PHI to health oversight agencies for activities authorized by law, such as audits, investigations, inspections, licensure, and disciplinary actions.

### 2.9 Judicial and Administrative Proceedings

We may disclose your PHI in response to a court order, subpoena, discovery request, or other lawful process, when permitted or required by law.

### 2.10 Law Enforcement

We may disclose your PHI to law enforcement officials in certain circumstances permitted or required by law, including in response to legal process, to identify or locate a suspect, fugitive, material witness, or missing person, or to report certain crimes.

### 2.11 Coroners, Medical Examiners, and Funeral Directors

We may disclose PHI to a coroner, medical examiner, or funeral director as authorized by law.

### 2.12 Organ and Tissue Donation

If applicable, we may disclose PHI to organizations involved in organ, eye, or tissue procurement, banking, or transplantation.

### 2.13 Research

We may use or disclose your PHI for research purposes only when permitted by HIPAA and other applicable laws, such as with your authorization or when an Institutional Review Board or Privacy Board has approved a waiver.

### 2.14 To Avert a Serious Threat to Health or Safety

We may use or disclose your PHI when necessary to prevent or lessen a serious and imminent threat to the health or safety of a person or the public, consistent with applicable law and ethical standards.

### 2.15 Specialized Government Functions

If applicable, we may disclose PHI for specialized government functions, such as military, national security, or protective services activities, as permitted by law.

### 2.16 Workers’ Compensation

We may disclose your PHI as authorized by and to the extent necessary to comply with workers’ compensation laws and similar programs.

### 2.17 Business Associates

We may disclose your PHI to third parties that perform services on our behalf, such as billing companies, claims processors, IT providers, shredding services, legal counsel, consultants, and cloud or electronic record vendors. These third parties are called “business associates” and are required by law and contract to protect your PHI.

---

## 3. USES AND DISCLOSURES REQUIRING YOUR AUTHORIZATION

For uses and disclosures other than those described in this Notice or otherwise permitted or required by law, we will obtain your written authorization before using or disclosing your PHI.

In most cases, your written authorization is required for:

1. **Psychotherapy notes**, if applicable;
2. **Marketing** communications, where HIPAA requires authorization; and
3. **Sale of PHI**, meaning disclosures where we receive remuneration in exchange for your PHI, unless an exception applies.

We will also obtain your written authorization for other uses and disclosures when required by applicable law.

You may revoke an authorization at any time by submitting a written revocation to [PRIVACY OFFICER/TITLE] at [CONTACT INFORMATION]. Your revocation will not apply to actions we already took in reliance on your authorization.

---

## 4. YOUR RIGHTS REGARDING YOUR PHI

You have the following rights regarding your PHI. To exercise any of these rights, please contact [PRIVACY OFFICER/TITLE] at the contact information listed in Section 8.

### 4.1 Right to Inspect and Obtain a Copy

You have the right to inspect and obtain a copy of your PHI maintained in a designated record set, with limited exceptions. This may include dental records, billing records, and other records used to make decisions about your care.

You may request:

- A paper copy;
- An electronic copy, if the information is maintained electronically; and/or
- That we transmit a copy to another person or entity you designate in writing.

We may charge a reasonable, cost-based fee as allowed by law for copies, mailing, or supplies.

We may deny your request in certain limited circumstances. If your request is denied, you may have the right to have the denial reviewed, depending on the reason for the denial.

### 4.2 Right to Request an Amendment

If you believe the PHI we maintain about you is incorrect or incomplete, you have the right to request that we amend it. Your request must be in writing and must explain why the amendment is needed.

We may deny your request if, for example:

- We did not create the information, and the originator is available to make the amendment;
- The information is not part of the records we keep;
- The information is not part of the information you would be permitted to inspect or copy; or
- We determine the

Judge notes: The output is cut off mid-sentence in Section 4.2, leaving the document incomplete and missing Sections 4.3–9 (accounting of disclosures, restrictions, confidential communications, paper copy, complaints, responsibilities, breach notification, changes, contact information, effective date, and legal disclaimer) — all required elements per the explicit prompt.

Grok 4.1 Fast Reasoning 8/10

# NOTICE OF PRIVACY PRACTICES

**Bright Smiles Dental**  
[Insert Full Street Address]  
Austin, TX [Insert ZIP Code]  
Phone: [Insert Phone Number] | Fax: [Insert Fax Number] | Website: [Insert Website, if applicable]  

**THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.**  

Bright Smiles Dental is required by law to maintain the privacy of your protected health information (PHI), to provide you with this Notice of our legal duties and privacy practices with respect to PHI, and to notify you if there is a breach of your unsecured PHI. We are also required to abide by the terms of the Notice of Privacy Practices currently in effect.  

## 1. Our Commitment to Your Privacy  
At Bright Smiles Dental, we are committed to protecting the privacy and security of your protected health information (PHI). PHI is information about you, including information that may identify who you are or where you live, that relates to your past, present, or future physical or mental health or condition, related health care services, and payment for such services.  

This Notice describes our privacy practices, your privacy rights, and how we may use and disclose your PHI. We are a covered dental practice under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Parts 160 and 164).  

## 2. Uses and Disclosures of Protected Health Information (PHI)  
We may use and disclose your PHI for purposes of **treatment**, **payment**, and **health care operations** without your authorization. Here are some examples:  

### For Treatment  
We may use and disclose your PHI to provide, coordinate, or manage your dental health care and related services. For example:  
- To share your x-rays, treatment notes, or exam results with other dentists or specialists (such as orthodontists or oral surgeons) for referrals or consultations.  
- To consult with dental laboratories about crowns, bridges, or other appliances.  

### For Payment  
We may use and disclose your PHI to obtain payment for services we provide to you. For example:  
- To submit claims to your dental insurance company, including details about your diagnosis, treatment, and services provided.  
- To determine your insurance coverage or eligibility for benefits.  

### For Health Care Operations  
We may use and disclose your PHI to run our practice and improve the quality of care we provide. For example:  
- To review the quality of services provided (e.g., chart audits).  
- For training new staff or credentialing our dentists.  
- To manage our office operations, such as compliance reviews or business planning.  

### Other Permitted Uses and Disclosures Without Your Authorization  
We may also use or disclose your PHI without your authorization in the following situations:  
- **As Required by Law**: Such as reporting to public health authorities, responding to valid judicial or administrative orders, or reporting to law enforcement.  
- **Public Health Activities**: For example, reporting certain diseases or conditions as required by Texas law.  
- **Health Oversight Activities**: Such as audits or investigations by government agencies.  
- **Abuse or Neglect**: To report suspected abuse, neglect, or domestic violence.  
- **Coroner’s or Medical Examiner’s**: To identify a deceased person or determine cause of death.  
- **Organ or Tissue Donation**: If you are an organ donor.  
- **Research**: Under certain conditions to contribute to public health research (de-identified information only, or with approval).  
- **To Prevent a Serious Threat**: To law enforcement or others if needed to prevent serious harm.  
- **Military and Veterans**: If you are in the Armed Forces.  
- **Workers’ Compensation**: For work-related injuries or illnesses.  

Any other uses or disclosures not described in this Notice will be made only with your written authorization, as described in Section 3.  

## 3. Uses and Disclosures Requiring Your Authorization  
For any use or disclosure of PHI other than those permitted by law (as described above), we are required to obtain your written authorization. Examples include:  
- Use or disclosure of psychotherapy notes (if any are maintained).  
- Use or disclosure of your PHI for marketing purposes.  
- Use or disclosure of your PHI for the sale of PHI.  
- Most uses of genetic information or family health history.  

You may revoke any authorization in writing at any time. Revocation will not affect any uses or disclosures already made. Authorizations are voluntary and you may refuse to sign one without affecting your treatment or payment.  

## 4. Your Rights Regarding PHI  
You have the following rights regarding your PHI. To exercise any right, contact our Privacy Officer (see Section 8). We will respond within [Insert Timeframe, e.g., 30 days; up to 60 days if extension needed].  

- **Right to Access**: You may inspect and obtain a copy of your PHI (paper or electronic) for up to 6 years. We may charge a reasonable fee for copies.  
- **Right to Amend**: You may request an amendment if you believe your PHI is incorrect or incomplete. We may deny the request but will provide a reason.  
- **Right to Accounting of Disclosures**: You may request a list of disclosures of your PHI (not for treatment, payment, or operations) for up to 6 years.  
- **Right to Request Restrictions**: You may ask us to restrict uses or disclosures (e.g., not sharing with your insurance). We are not required to agree but will consider it.  
- **Right to Confidential Communications**: You may request that we communicate with you by alternative means or at alternative locations (e.g., home phone instead of work).  
- **Right to Paper Copy**: Even if you receive this Notice electronically, you may request a paper copy.  
- **Right to Complain**: See Section 5 for complaint procedures.  

## 5. Our Responsibilities  
We are required to:  
- Maintain the privacy of your PHI and provide you with this Notice.  
- Abide by the terms of this Notice currently in effect.  
- Notify you if we make material changes to this Notice (see Section 7).  
- Notify you if there is a breach of your unsecured PHI (see Section 6).  

**Complaints**: If you believe your privacy rights have been violated, you may file a complaint with us or the U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Complaints must be in writing. We will not retaliate against you for filing a complaint. Contact information is in Section 8.  

## 6. Breach Notification  
If we discover a breach of your unsecured PHI that may have compromised the security or privacy of the information, we will notify you without unreasonable delay, but no later than 60 days after discovery. The notification will describe the breach, what we are doing to investigate, and steps you can take to protect yourself. We will also notify HHS if required.  

## 7. Changes to This Notice  
We reserve the right to change our privacy practices and to make the new terms effective for all PHI we maintain. We will post a copy of the revised Notice in our office and provide it to new patients. You may request a copy of the revised Notice at any time.  

## 8. Contact Information and Privacy Officer  
If you have any questions about this Notice or our privacy practices, please contact:  

**Privacy Officer**  
[Insert Name and Title, e.g., Jane Doe, Office Manager]  
Bright Smiles Dental  
[Insert Full Street Address]  
Austin, TX [Insert ZIP Code]  
Phone: [Insert Phone Number]  
Email: [Insert Email Address]  

You may also contact the U.S. Department of Health and Human Services at 1-877-696-6775 or www.hhs.gov/ocr.  

## 9. Effective Date  
This Notice is effective [Insert Date, e.g., January 1, 2024].  

---

**DISCLAIMER: This is a template Notice of Privacy Practices provided for informational purposes only and is based on HIPAA requirements as of the date of creation. It is not legal advice. Bright Smiles Dental should have this template reviewed and customized by qualified legal counsel familiar with HIPAA and Texas state law before use or distribution to ensure full compliance. We recommend annual review and updates as needed.**
Judge notes: Strong, production-near template covering all required HIPAA NPP elements with appropriate dental-specific examples, but the "Right to Access" section incorrectly states "for up to 6 years" (the 6-year limit applies to recordkeeping of the accounting, not access itself), and the breach notification window should clarify the 60-day limit applies to the outer bound after discovery, not from when breach occurred—minor but legally meaningful inaccuracies that require counsel correction before use.

What makes these work

  1. Specify your entity type upfront

    Covered entity, Business Associate, and hybrid entity each have different HIPAA obligations. If you do not state your entity type in the prompt, the AI will default to assumptions that may produce the wrong document structure. A BA should not have a patient rights section the same way a covered entity does.

  2. List every PHI category you actually collect

    The more specific your input about what data you collect, the more accurate the output. Mention whether you handle psychotherapy notes, genetic information, HIV status, or substance use records, as these have heightened protections under federal or state law that the AI needs to flag in the output.

  3. Name your Business Associates and their roles

    HIPAA requires disclosing categories of third parties you share PHI with. Naming your billing company, EHR vendor, cloud provider, and any other BA in your prompt ensures the draft reflects your actual data-sharing relationships. Generic outputs that say 'third-party service providers' are weaker from a compliance standpoint.

  4. Include your state alongside federal requirements

    Several states, including California, Texas, and New York, have medical privacy laws stricter than HIPAA. Mentioning your operating states in the prompt triggers the AI to flag potential state law layers, giving your attorney something specific to review rather than a federal-only document that misses state obligations.

More example scenarios

#01 · Solo primary care physician practice
Input
Write a HIPAA-compliant Notice of Privacy Practices for a solo family medicine physician in Texas. We collect patient names, dates of birth, diagnoses, treatment records, and insurance information. We share PHI with referring physicians, our billing company (a Business Associate), and labs. Patients can request access, amendment, and restrictions on their records. We do not sell PHI. Contact: privacyofficer@drsmithspractice.com.
Expected output
The draft NPP covers the required elements: how PHI is used for treatment, payment, and operations; disclosures to Business Associates under signed agreements; patient rights including access, amendment, accounting of disclosures, and the right to request restrictions; and a complaint process through both the practice and HHS. It includes the effective date field, the required header statement, and the designated privacy officer contact.
#02 · Telehealth mental health platform
Input
Generate a HIPAA privacy policy for a telehealth platform that connects licensed therapists with patients via video. We store session notes, diagnoses, and payment data. Psychotherapy notes are stored separately and have extra protections. We use AWS as our cloud provider under a BAA. Patients consent digitally. We operate in all 50 states. We do not use PHI for marketing without explicit authorization.
Expected output
The output addresses standard PHI as well as the heightened protections for psychotherapy notes under 45 CFR 164.508, noting that their use requires separate patient authorization beyond the standard NPP. It discloses the cloud storage arrangement under a Business Associate Agreement, explains the digital consent process, and lists all 50-state applicability. It includes a section on how patients can revoke authorization.
#03 · Healthcare SaaS company acting as a Business Associate
Input
Write a privacy policy for a healthcare analytics SaaS company that processes de-identified and limited dataset PHI on behalf of hospital clients. We are a Business Associate, not a covered entity. Our clients sign a BAA with us. We do not have direct patient relationships. We store data in encrypted databases in the US only. Our privacy contact is legal@healthanalytics.io.
Expected output
The policy clarifies the Business Associate role, explains that the company does not have a direct patient relationship, and describes the BAA framework through which it receives and processes PHI. It outlines the company's obligations under the HIPAA Security Rule for data in transit and at rest, specifies US-only data storage, and provides a contact channel for covered entity clients with compliance questions. It does not include a patient-facing rights section, which is appropriate for a BA-only entity.
#04 · Dental practice adding patient portal
Input
Update our existing dental practice privacy policy to add a section covering our new patient portal. The portal lets patients view records, request appointments, and message the office. It is built on Dentrix Ascend, which has a signed BAA with us. Patients log in with two-factor authentication. We are in California, so we also need to address CMIA alongside HIPAA.
Expected output
The added section describes the patient portal's data access scope, the Dentrix Ascend Business Associate relationship, and the authentication process. It also includes a California Confidentiality of Medical Information Act (CMIA) addendum noting that California law may provide broader patient rights than federal HIPAA minimums and that the practice complies with both, including stricter California rules on the sale and disclosure of medical information.
#05 · Urgent care chain with multiple locations
Input
Write a HIPAA Notice of Privacy Practices for an urgent care chain with 12 locations across 3 states (FL, GA, SC). We are an organized health care arrangement. We share PHI across locations for coordinated treatment. We use Epic as our EHR with a BAA in place. We send appointment reminders via text after obtaining patient consent. We have a centralized privacy officer.
Expected output
The NPP identifies the organization as an Organized Health Care Arrangement (OHCA) and explains that PHI may be shared across all 12 locations for treatment coordination without requiring individual authorizations for each site. It discloses the Epic BAA, addresses text-based communication with the note that consent was obtained, and provides the centralized privacy officer's contact information as the single point of contact for all locations and states listed.

Common mistakes to avoid

  • Using a generic privacy policy template

    A standard website privacy policy covers cookies, analytics, and marketing data. It does not address PHI, patient rights, Notice of Privacy Practices requirements, or disclosures for treatment, payment, and operations. Publishing one of these for a healthcare entity does not satisfy HIPAA and could be cited as a violation.

  • Skipping the required NPP header statement

    45 CFR 164.520 requires that your Notice of Privacy Practices begin with a specific header stating patients have a right to receive the notice. Many AI outputs omit this or bury it. If the required header language is missing, the document does not satisfy the HIPAA NPP rule on its face.

  • Not getting legal review before publishing

    AI outputs are drafts. They can miss jurisdiction-specific rules, recent OCR guidance updates, or nuances in your specific business model. Publishing an unreviewed AI-generated policy and later facing an audit creates a paper trail of due diligence failure. A one-hour attorney review is far cheaper than a corrective action plan.

  • Treating the document as set-and-forget

    HIPAA requires that your NPP reflect your current practices. If you add a new EHR, a telehealth service, a new Business Associate, or a new state of operation, the policy needs to be updated and redistributed to patients. Outdated policies are a common finding in OCR audits.

  • Confusing a privacy policy with a BAA

    A privacy policy or NPP is a patient-facing disclosure document. A Business Associate Agreement is a contract between your organization and a vendor. You need both. Assuming your privacy policy covers your BA relationships without executed BAAs in place is a significant HIPAA gap.

Frequently asked questions

Is a HIPAA privacy policy the same as a Notice of Privacy Practices?

They are closely related but not identical. A Notice of Privacy Practices (NPP) is the specific HIPAA-required document that covered entities must give to patients explaining how their PHI is used and disclosed. A privacy policy on your website may incorporate NPP language but can also cover non-PHI data like web analytics. For HIPAA compliance, the NPP is the required document; the website privacy policy is supplemental.

Can I use a free HIPAA privacy policy template I found online?

You can use one as a reference, but most free templates are either too generic or out of date with current OCR guidance. They often miss state-specific requirements, do not reflect your actual data practices, and use placeholder language that can look negligent in an audit. Any template, free or AI-generated, needs to be reviewed by a qualified healthcare attorney before it becomes your official policy.

Does my health app need a HIPAA privacy policy?

It depends on whether you are a covered entity or business associate. If your app is used by a covered entity to handle PHI, or if you are a healthcare provider delivering care through the app, HIPAA likely applies. If your app collects health data directly from consumers without a covered entity relationship, HIPAA may not apply, but the FTC Act and state laws like CCPA still govern how you handle that data. Consult an attorney to determine your regulatory category.

How often do I need to update my HIPAA privacy policy?

You must update your NPP whenever your privacy practices materially change. Common triggers include adding new services, changing EHR vendors, entering new states, updating your Business Associate roster, or when HHS issues new guidance. Best practice is to review your policy annually even if no obvious changes have occurred, since regulatory interpretations evolve.

What happens if my HIPAA privacy policy is missing required elements?

Missing required NPP elements, such as the patient rights section, the complaint procedure, or the required header statement, can be cited as a HIPAA violation during an OCR audit or complaint investigation. Penalties range from $100 to $50,000 per violation depending on the level of culpability, with annual caps. Corrective action plans typically require you to remediate the document, retrain staff, and submit to monitoring.

Do Business Associates need their own HIPAA privacy policy?

Business Associates are not required to issue a Notice of Privacy Practices to patients because they do not have a direct patient relationship. However, BAs must have internal HIPAA policies and procedures, and their public-facing privacy policy should accurately describe how they handle PHI received from covered entities. A BA privacy policy looks different from a covered entity NPP, focusing on the BA's obligations under signed agreements rather than patient rights.