Resources
Health Care: Reminder to Providers and Health Plans: Upcoming Compliance Deadline for Updates to HIPAA Notices of Privacy Practice
Many providers and health plans are aware that recent regulatory changes to the HIPAA Privacy Rule from 2024 were invalidated in court on June 18, 2025. However, as a reminder, one Privacy Rule change that survived and remains in effect is the requirement that providers and health plans that create or receive substance use disorder (SUD) treatment-related records update their HIPAA Notices of Privacy Practices (NPP). The compliance date for this requirement is coming up on February 16, 2026.
While health care providers and health plans have long been required to provide patients or enrollees with their NPP explaining individual privacy rights under HIPAA (and in some cases, state law), NPPs must now align with the stricter confidentiality requirements for SUD treatment-related records under 42 USC § 290dd-2 and 42 CFR Part 2, if applicable. Most importantly, SUD treatment-related records, including those received from a SUD treatment provider covered by Part 2, will in many instances be subject to Part 2 protections, even if the health care provider or health plan recipient does not itself operate a SUD treatment program regulated under Part 2.
For the many providers and health plans to which the new requirement applies, several NPP updates are necessary. Specifically, your NPP must include a separate statement that all SUD treatment-related records received from SUD providers regulated under Part 2, or any testimony conveying the contents of such records, cannot be “used or disclosed in civil, criminal, administrative, or legislative proceedings against” the person who received such treatment without his or her consent, or upon a court order issued after notice and hearing, as provided in Part 2. Any court order authorizing the use or disclosure of SUD treatment-related records must be accompanied by a subpoena or other legal requirement compelling disclosure before any such disclosure is made.
Furthermore, if you intend to utilize or disclose SUD treatment-related records as part of fundraising efforts, your NPP must also be updated to notify the person who received SUD treatment “with a clear and conspicuous opportunity” to opt out of receiving any fundraising communications. Similarly, your NPP must comply with any other applicable privacy requirements that provide stricter protections than HIPAA, including state privacy laws, and your NPP’s description of permissible uses and disclosures must reflect those more stringent requirements.
Before February 16, 2026, you should determine whether your organization creates or receives SUD records subject to the requirements of Part 2 and, if so, you should update your NPP to include the now-required disclosures relating to SUD treatment-related records. We also recommend taking this opportunity to conduct a comprehensive review of your NPP to verify it reflects your current operations and complies with all other applicable HIPAA requirements. Please contact Cal Marshall, Mitch Barton, or a member of our Health Care section if you have any questions about these changes or need support in updating your NPP.
