HIPAA Notice of Privacy Practices: Updates Required by Feb. 16, 2026
Feb. 16, 2026, is the deadline for updating and distributing HIPAA Notices of Privacy Practices (“NPP”) that address the confidentiality of information about substance use disorder (“SUD”) treatment received at federally assisted care providers. As a result, covered entities, including health plan sponsors and health care providers, should consider what actions are appropriate to meet the updated notice requirements by this deadline. See 45 C.F.R. §164.520.
In addition to revising the Notice of Privacy Practices, group health plan sponsors and providers should consider whether any revisions are needed to (i) HIPAA privacy policies and practices, (ii) HIPAA training materials, and (iii) business associate agreements with vendors that use or create patient records related to substance use disorder treatment.
Notice Revisions regarding Substance Use Disorder Records
In February 2024, the U.S. Department of Health & Human Services (“HHS”) issued a final rule modifying the Confidentiality of Substance Use Disorder (“SUD”) Patient Records regulations at 42 CFR part 2 (“Part 2”). See 89 Federal Register 12472 (Feb. 16, 2024). The final rule implements section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which increases coordination among providers treating patients for SUDs, strengthens confidentiality protections through civil enforcement, aligns certain Part 2 requirements with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Privacy, Security, and Breach Notification Rules, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.
With respect to substance use disorder records, among other things:
- The NPP of a covered entity that creates or maintains SUD records must give “adequate notice of the uses and disclosures of [these] records, and of the individual’s rights and the covered entity’s legal duties with respect to [those] records.” 45 C.F.R. §164.520(a)(2).
- The NPP must state in plain language that SUD treatment records (and testimony regarding the content of those records) will not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual, unless (1) the individual consents in writing or (2) a court orders the use or disclosure of the records after the individual is provided with notice and an opportunity to be heard. The court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed. 45 CFR §164.520(b)(1)(iii)(D).
- If a covered entity that creates or maintains SUD records intends to use those records for fundraising for the covered entity, the NPP must say so, and the NPP must state that the individual “must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.” 45 CFR §164.520(b)(1)(iii)(A) and (E).
Remember, if there are other applicable laws that are more restrictive than HIPAA regarding the use or disclosure of SUD records, the NPP must describe the uses and disclosures of SUD records within the context of the more stringent law. 45 CFR §164.520(b)(1)(ii).
Notice Revisions regarding Reproductive Health Information Not Presently Needed
On April 26, 2024, the Office for Civil Rights, Office of the Secretary, Department of Health and Human Services (“OCR”) issued final regulations to limit the circumstances permitting the use or disclosure of an individual’s protected health information about reproductive health care for certain non-health care purposes, particularly where such use or disclosure could be detrimental to privacy of the individual or another person or the individual’s trust in their health care providers. See 89 Federal Register 32976 (April 26, 2024).
However, a federal district court in Texas issued an opinion and order that declared these regulations to be unlawful and vacated most of the regulations. See Carmen Purl, et al. v. U.S. Department of Health and Human Services, et al., Docket No. 2:24-cv-228-Z (N.D. Tex. June 18, 2025). The Trump administration has declined to challenge that order.
As a result, it appears revisions to the NPP for the final reproductive health rule may not be necessary at this time.
If a covered entity already modified its NPP for this rule, it should consult legal counsel regarding whether to retain the language but add a qualifier to indicate these provisions will apply only to the extent the reproductive health regulations are in effect, or to remove the provisions.
Inflation Adjustments to HIPAA Penalties
Effective Jan. 28, 2026, the civil monetary penalties for violations of HIPAA’s administrative simplification provisions have been adjusted for inflation as shown in the table below (see 91 Federal Register 3665, Jan. 28, 2026). HIPAA’s administrative simplification provisions include the privacy rule, the security rule, and the transactions and code sets and unique identifiers rule. These penalties would apply to violations of the Notice of Privacy Practices requirements.
| Type of Violation | Penalty Amount |
| --- | --- |
| Violations occurring before February 2009: | |
| Violation of the HIPAA administrative simplification provision | $198 (up from $193); calendar year cap of $49,848 (up from $48,586) |
| Violation of a HIPAA administrative simplification provision in which a covered entity or business associate did not know and, by exercising reasonable diligence, would not have known that violation occurred | $145 minimum (up from $141); $73,011 maximum (up from $71,162); calendar year cap of $2,190,294 |
| Violations occurring on or after February 2009: | |
| Violation of a HIPAA administrative simplification provision in which it is established that the violation was due to reasonable cause and not willful neglect | $1,461 minimum (up from $1,424); $73,011 maximum (up from $71,162); calendar year cap of $2,190,294 |
| Violation of a HIPAA administrative simplification provision in which the violation was due to willful neglect and timely corrected (generally within 30 days) | $14,602 minimum (up from $14,232); $73,011 maximum (up from $71,162); calendar year cap of $2,190,294 |
| Violation of a HIPAA administrative simplification provision in which the violation was due to willful neglect, but not timely corrected | $73,011 minimum (up from $71,162); $2,190,294 maximum (up from $2,134,831); calendar year cap of $2,190,294 |
THIS DOCUMENT IS INTENDED TO PROVIDE YOU WITH GENERAL INFORMATION REGARDING HIPAA notice of privacy practices. THE CONTENTS OF THIS DOCUMENT ARE NOT INTENDED TO PROVIDE SPECIFIC LEGAL ADVICE. IF YOU HAVE ANY QUESTIONS ABOUT THE CONTENTS OF THIS DOCUMENT OR IF YOU NEED LEGAL ADVICE AS TO AN ISSUE, PLEASE CONTACT THE ATTORNEYS LISTED OR YOUR REGULAR BROWNSTEIN HYATT FARBER SCHRECK, LLP ATTORNEY. THIS COMMUNICATION MAY BE CONSIDERED ADVERTISING IN SOME JURISDICTIONS.