New HIPAA Requirement: Updated Notice of Privacy Practices

By Janice Suchyta

Healthcare providers, health plans, and other HIPAA-covered entities should take note of an important compliance deadline. By February 16, 2026, covered entities must update their Notice of Privacy Practices (“NPP”) to reflect significant changes in federal privacy requirements, particularly regarding protections for substance use disorder (“SUD”) records and expanded disclosures of patient rights.

These updates stem from recent federal regulatory amendments aligning the confidentiality rules governing SUD treatment records under 42 C.F.R. Part 2 more closely with HIPAA’s general framework. Historically, Part 2 imposed stricter limits on the use and disclosure of SUD-related information, often requiring specialized consent procedures beyond HIPAA. The revised rules modernize these requirements while continuing to provide heightened protections for individuals receiving substance use disorder treatment.

Key Updates Required in the Notice of Privacy Practices

Covered entities must revise their NPPs to include new or modified disclosures addressing:

• Enhanced protections for SUD records, including limitations on re-disclosure and restrictions on the use of SUD-related information in certain legal or administrative proceedings.
• Patient rights regarding confidentiality, including clearer explanations of how sensitive health information may be used or shared.
• New rights related to complaints and enforcement, reflecting increased federal focus on privacy compliance and patient transparency.
• Expanded descriptions of permissible disclosures, particularly where information is used for treatment, payment, and healthcare operations under updated consent standards.

Who Is Impacted?

The February 2026 deadline applies broadly to HIPAA-covered entities, including:

• Hospitals and health systems
• Physician practices
• Behavioral health and addiction treatment providers
• Health plans and managed care organizations
• Any entity that maintains or transmits protected health information electronically

Even organizations that do not specialize in addiction treatment may still hold SUD-related information and should evaluate whether Part 2 considerations apply.

Next Steps for Compliance

Healthcare organizations should begin reviewing their existing NPPs now, coordinating with legal counsel, compliance leadership, and privacy officers to ensure updated language is implemented, distributed appropriately, and incorporated into patient-facing workflows. Failure to update the NPP by the compliance deadline may increase regulatory exposure and patient complaint risk.

Buchalter’s Healthcare Regulatory team is available to assist covered entities in updating privacy notices, revising policies, and navigating the evolving intersection of HIPAA and Part 2 confidentiality requirements.

This communication is not intended to create or constitute, nor does it create or constitute, an attorney-client or any other legal relationship. No statement in this communication constitutes legal advice nor should any communication herein be construed, relied upon, or interpreted as legal advice. This communication is for general information purposes only regarding recent legal developments of interest, and is not a substitute for legal counsel on any subject matter. No reader should act or refrain from acting on the basis of any information included herein without seeking appropriate legal advice on the particular facts and circumstances affecting that reader. For more information, visit www.buchalter.com.