The Deadline for Updating Notices of Privacy Practices Has Passed

The compliance deadline for updates to HIPAA Notices of Privacy Practices (NPPs), as mandated by a recent update to the HIPAA Privacy Rule, was February 16, 2026. OCR has already established an enforcement program for compliance with the Part 2 regulations, and as of February 16, 2026, OCR is accepting complaints about potential breach notification violations relating to substance use disorder (SUD) records, and complaints alleging violations of the regulations that protect the confidentiality of SUD patient records.

On February 16, 2024, a Final Rule was published in the Federal Register by the HHS Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA). The final rule implemented section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, modifying the 42 CFR Part 2 – Confidentiality of Substance Use Disorder (SUD) Patient Records regulations to align them more closely with the Health Insurance Portability and Accountability Act (HIPAA). The final rule took effect on April 16, 2024, and entities subject to the Part 2 regulations must ensure compliance by February 16, 2026.

The key changes to the Part 2 regulations include a single consent covering all future uses and disclosures of SUD records; permitted re-disclosure of SUD records by HIPAA-regulated entities; additional protections for SUD counseling session notes; the right to restrict disclosures of SUD records; the right to opt out of fundraising communications; prohibition of uses and disclosures of SUD records in legal proceedings; civil monetary penalties for violations of the Part 2 regulations; alignment of the Part 2 regulations with the HIPAA Breach Notification Rule; permitted disclosure of SUD records for public health purposes; and alignment of the Part 2 regulations with the patient notice requirements of HIPAA.

While the Part 2 regulations primarily apply to Part 2 programs, certain changes apply to HIPAA-covered entities, even if they do not provide SUD treatment services to patients and are therefore not covered by the Part 2 regulations.

The NPP is a document that HIPAA-covered entities must make available to patients and plan members in their place of business and in a prominent position on their website. It explains, in clear, user-friendly language, the rights of individuals with respect to their protected health information, as well as the privacy practices of the covered entity.

The required update to NPPs was published as part of a separate, unrelated HIPAA Privacy Rule update concerning reproductive healthcare privacy – The HIPAA Privacy Rule to Support Reproductive Health Care Privacy. While the bulk of that rule – the parts concerning reproductive healthcare information – was vacated by a Texas judge, the rule also contained a requirement to update NPPs, the compliance date for which was February 16, 2026.

Entities covered by the Part 2 regulations and HIPAA are required to have a HIPAA NPP and a Part 2 NPP, although the two notices may be combined. The NPP must be updated to clearly explain the new patient rights, including the right to request restrictions on disclosures for treatment, payment, and healthcare operations. Patients also have the right to file a complaint with HHS about potential privacy violations and must be advised of that right in the NPP.

Any HIPAA-covered entity that may receive Part 2-regulated data must state in the NPP that while certain uses and disclosures of protected health information may be permitted by HIPAA, the rules covering Part 2-regulated data are more limited. The NPP must be updated to state that Part 2-covered data may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against an individual, except with a Part 2 form of patient consent or a court order.

Patients have the right not to receive fundraising communications for the benefit of the covered entity, and must be provided with a clear and conspicuous opportunity to choose not to receive those communications. The NPP should also clearly state that any records disclosed pursuant to the HIPAA Privacy Rule may be redisclosed by the recipient and would no longer be protected by HIPAA.

In summary, for the majority of HIPAA-covered entities, the required NPP changes are:

  • Update the NPP to cover uses and disclosures of SUD records
  • Update the NPP to cover disclosure of SUD records in legal proceedings
  • Update the NPP to cover the right to restrict fundraising communications
  • Update the NPP to cover the redisclosure of records

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/