Healthcare providers, health plans, and other HIPAA-covered entities should take note of an important compliance deadline. By February 16, 2026, covered entities must update their Notice of Privacy Practices (“NPP”) to reflect significant changes in federal privacy requirements, particularly regarding protections for substance use disorder (“SUD”) records and expanded disclosures of patient rights.
These updates stem from recent federal regulatory amendments aligning the confidentiality rules governing SUD treatment records under 42 C.F.R. Part 2 more closely with HIPAA’s general framework. Historically, Part 2 imposed stricter limits on the use and disclosure of SUD-related information, often requiring specialized consent procedures beyond HIPAA. The revised rules modernize these requirements while continuing to provide heightened protections for individuals receiving substance use disorder treatment.
Key Updates Required in the Notice of Privacy Practices
Covered entities must revise their NPPs to include new or modified disclosures addressing:
•Enhanced protections for SUD records, including limitations on re-disclosure and restrictions on the use of SUD-related information in certain legal or administrative proceedings.
•Patient rights regarding confidentiality, including clearer explanations of how sensitive health information may be used or shared.
•New rights related to complaints and enforcement, reflecting increased federal focus on privacy compliance and patient transparency.
•Expanded descriptions of permissible disclosures, particularly where information is used for treatment, payment, and healthcare operations under updated consent standards.
Who Is Impacted?
The February 2026 deadline applies broadly to HIPAA-covered entities, including:
•Hospitals and health systems
•Physician practices
•Behavioral health and addiction treatment providers
•Health plans and managed care organizations
•Any entity that maintains or transmits protected health information electronically
Even organizations that do not specialize in addiction treatment may still hold SUD-related information and should evaluate whether Part 2 considerations apply.
Next Steps for Compliance
Healthcare organizations should begin reviewing their existing NPPs now, coordinating with legal counsel, compliance leadership, and privacy officers to ensure updated language is implemented, distributed appropriately, and incorporated into patient-facing workflows. Failure to update the NPP by the compliance deadline may increase regulatory exposure and patient complaint risk.
