The clock is ticking for businesses required to maintain a HIPAA-compliant Notice of Privacy Practices (NPP). By February 16, 2026, all covered entities must update their NPPs to align with new confidentiality rules for substance use disorder (SUD) treatment records, as mandated by the Department of Health and Human Services (HHS). These updates stem from changes introduced in a 2024 final rule, which strengthened privacy protections and modified existing requirements.
Understanding the NPP Updates
The HIPAA Privacy Rule, established under the Health Insurance Portability and Accountability Act of 1996, sets national standards to protect individuals' "protected health information" (PHI). Entities such as health plans, healthcare providers, and certain business associates are required to comply with these regulations. One key obligation under the rule is maintaining an NPP, which informs individuals how their PHI is used and disclosed, and outlines their rights.
In April 2024, HHS issued a final rule that enhanced HIPAA protections for reproductive healthcare and revised NPP requirements to safeguard SUD treatment records under the "Part 2" regulations. However, while the reproductive healthcare provisions were later struck down by a federal court, the changes to NPP requirements for SUD records remain in effect.
These updates specifically apply to any covered entity that creates or maintains PHI tied to SUD treatment provided by a Part 2 program. To comply, entities must modify their NPP to include critical information by the February 16 deadline.
sbb-itb-02f5876
Key Changes to the NPP
Covered entities must ensure their updated NPPs address the following elements:
- Inclusion of Part 2 records: The NPP must detail how these records can be used or disclosed, outline individual rights, and define the entity’s responsibilities regarding such records.
- Reference to Part 2 regulations: The NPP must specify that Part 2 is an "other applicable law" that imposes stricter requirements than the HIPAA Privacy Rule.
- Prohibition on unauthorized use or disclosure: The NPP must explicitly state that Part 2 records cannot be used in civil, criminal, administrative, or legislative proceedings without explicit written consent or a court order.
- Clarification for health arrangements: The NPP must explain how Part 2 applies to organized health care arrangements containing Part 2 records.
For entities that choose to use or disclose Part 2 records for fundraising purposes, the NPP must clearly inform individuals of their right to opt out of receiving fundraising communications. However, this provision is typically not relevant for health plans.
Distribution and Compliance Deadlines
Once the revised NPPs are finalized, covered entities must distribute them within legally specified timeframes. The method and timing depend on whether the entity posts its NPP on a website:
- For entities with a website: The updated NPP must be prominently posted by the effective date of the changes. Additionally, the revised notice (or information about the changes) must be included in the next annual mailing to covered individuals.
- For entities without a website: The revised NPP (or information about the changes) must be provided to covered individuals within 60 days of the updates.
Steps for Employers and Covered Entities
Employers sponsoring group health plans that fall under these requirements should act now to ensure compliance. Revising the NPP in accordance with these rules is essential, and employers should also take the opportunity to review their overall privacy practices for adherence to HHS regulations. Legal counsel is recommended to address any compliance questions and assist in drafting updates.
HHS has not yet issued sample NPP language for these changes, adding urgency for covered entities to independently review and modify their notices before the February 16 deadline. Timely compliance is critical to avoid potential penalties.
Covered entities must remain vigilant and proactive to meet these new standards while ensuring the confidentiality and privacy of individuals seeking SUD treatment. The upcoming deadline is a compelling reminder of the importance of keeping privacy practices current and compliant with evolving federal regulations.
