Healthcare Providers Must Update Their Notice of Privacy Practices by February 16, 2026

Healthcare Providers Must Update Their Notice of Privacy Practices by February 16, 2026 - Healthcare Law Alert - February 2026 - Brach Eichler
BACK TO INSIGHTS     Alerts

2/11/2026

HIPAA covered entities must update their Notice of Privacy Practices by February 16, 2026 in order to comply with a final rule published by the U.S. Department of Health and Human Services (DHHS) on April 26, 2024.

While portions of the final rule were struck down by a federal court ruling in June 2025 (regarding reproductive healthcare data), other provisions of the final rule remain enforceable. This includes the requirement to update a covered entity’s Notice of Privacy Practices (NPP) to put individuals on notice of certain rights and protections concerning substance use disorder (SUD) treatment records originated from SUD programs under federal law at 42 CFR Part 2 (referred to below as “Part 2 Programs”). This federal law protects the confidentiality of SUD treatment records and, in some instances, provides greater privacy protections than HIPAA.

The compliance deadline is February 16, 2026.

Updates to NPP

If a healthcare provider creates or maintains records subject to 42 CFR Part 2, the Notice of Privacy Practices must put individuals on notice that:

  • SUD treatment records will not be used or disclosed in legal proceedings against the individual unless there is a written consent from the individual or the request is accompanied by a court order and subpoena that mees the requirements of 42 CFR Part 2.
  • If the healthcare provider intends to use or disclose SUD records for fundraising activities, the individual will be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.

Compliance with 42 CFR Part 2

Non SUD-treatment providers may become obligated to comply with both HIPAA and 42 CFR Part 2 under certain circumstances.

By way of example, if an internal medicine practice receives copies of a patient’s records that include records originally created by a Part 2 Program, then the internal medicine practice will be bound to protect such records as a “lawful holder” under 42 CFR Part 2. Therefore, while the final rule requires HIPAA covered entities to update their NPP with respect to the use and disclosure of SUD records, covered entities also must be cognizant of the fact that SUD treatment records from a Part 2 Program may have become incorporated into the records maintained by such covered entities, triggering compliance not only with HIPAA but also with 42 CFR Part 2.

Enforcement

Just prior to publication of the final rule discussed above, DHHS published another final rule amending the regulations at 42 CFR Part 2, in order to better align such regulations with HIPAA. That final rule became effective on April 16, 2024.

On February 2, 2026, DHHS sent an email to its listserv “in recognition of Substance Use Disorder Treatment Month,” in which DHHS announced that “[b]eginning on February 16, 2026, the public may file complaints alleging violations of Part 2, breaches of unsecured Part 2 records must be reported, and OCR may begin investigation and enforcement activities.”

HIPAA covered entities should consider reviewing their HIPAA compliance programs and policies, and update their training programs, to ensure they include protections under 42 CFR Part 2 in the event such covered entities receive and maintain SUD treatment records in their files.

Business Associate Arrangements

In light of the amendments to both HIPAA and 42 CFR Part 2, as well as the anticipated enforcement activities of DHHS, health care providers and other covered entities should consider reviewing their business associate relationships and the responsibilities undertaken by their business associates. In that review, consideration should be given to whether business associate agreements should be amended to add protections relating to Part 2 records and the business associate’s legal obligations with respect thereto.

We Can Assist

For additional information or assistance with your privacy and security program, including your business associate relationships and contracts, contact:

Lani M. Dornfeld, Esq., CHPC, Member, Healthcare Law, ldornfeld@bracheichler.com, 973.403.3136

*This is intended to provide general information, not legal advice. Please contact the authors if you need specific advice.

Related Practices:   Healthcare Law

Related Attorney:   Lani M. Dornfeld

Related Industry:   Healthcare