4 blurry doctors walking down hall

Health Care Client Alert - Updated HIPAA Privacy Notices Required

Alert
Circle Arrow Get the Story

Updated HIPAA Privacy Notices Required by February 16

Healthcare providers subject to HIPAA must revise their Notice of Privacy Practices (NPP) by February 16, 2026, to comply with recent federal regulatory changes. The changes align substance use disorder (SUD) record confidentiality with HIPAA/HITECH rules to improve care coordination. Failure to update your NPP by the deadline could result in noncompliance with federal privacy regulations.

What Changed and Why

The Department of Health and Human Services published amendments to the HIPAA Privacy Rule in April 2024, taking effect February 16, 2026. The principal objective is aligning HIPAA with modifications to 42 CFR Part 2, the federal regulation protecting confidentiality of substance use disorder patient records. Part 2 imposes stricter limitations on disclosures than standard HIPAA rules, and healthcare organizations that handle these records must now reflect these heightened protections in their privacy notices.

Key Updates Required

Your revised NPP must incorporate the following elements:

  • Enhanced Notice for Substance Use Disorder Records: If your organization creates or maintains records protected under Part 2, you must provide patients with adequate notice explaining how these specific records may be used and disclosed, along with patient rights and your legal obligations regarding such records. While Part 2 programs traditionally provide a separate patient notice, HHS has confirmed this information may be consolidated into your HIPAA NPP if it contains all elements required by Part 2.
  • Restrictions on Use in Legal Proceedings: Your NPP must include a distinct statement clarifying that substance use disorder treatment records obtained from Part 2 programs—or testimony about such records—cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against a patient unless the patient provides written consent or a court issues an order following proper notice and a hearing. Any court order must be accompanied by a subpoena or other legal mandate before disclosure is permitted.
  • Fundraising Opt-Out for Part 2 Records: If your organization maintains Part 2 records and intends to use them for fundraising purposes, patients must receive a clear and prominent opportunity to opt out of fundraising communications before such use occurs.
  • More Restrictive Laws Take Precedence: When describing permissible uses and disclosures in your NPP, you must acknowledge that other laws may impose greater restrictions than HIPAA. For substance use disorder records protected by Part 2, your notice must explain that, unlike other health information, these records generally require written patient consent before being used or disclosed for treatment, payment, or healthcare operations.
  • Redisclosure Warning: Your NPP must now alert patients that once their information is disclosed pursuant to HIPAA, it may be subject to redisclosure by recipients and will no longer receive HIPAA protection. This warning has been required in patient authorizations but must now appear in the NPP as well.

What About the Reproductive Health Rule?

The NPP amendments were published alongside broader changes known as the Reproductive Health Rule. However, a federal court in Texas struck down most provisions of that rule in 2025, and the current administration declined to appeal. Therefore, no changes are required to NPPs at this time with respect to the Reproductive Health Rule.

Additional Considerations and Next Steps

  • Revise and Publish Updated NPP: Revise your NPP to include the new required language, and update your website, patient portals, and physical postings with the revised NPP by February 16.
  • Comprehensive NPP Review: While updating your NPP for the February 16 deadline, take the opportunity to review all other required elements to ensure full compliance with 45 CFR 164.520. Verify that your NPP accurately describes your actual privacy practices.
  • Consistency Across Documents: Confirm that your NPP aligns with other privacy-related documents, including website privacy policies and website terms of use, vendor management policies, Business Associate Agreement terms, and training programs. Inconsistencies between these documents could create confusion and often increase an organization’s exposure for legal and regulatory compliance.
  • Language Access: Federal nondiscrimination laws require covered entities to make privacy notices accessible to individuals with disabilities and those with limited English proficiency. Consider whether you need to translate your NPP or provide it in alternative formats.

K&C’s Health Care Practice Group attorneys are available to assist with reviewing and updating your Notice of Privacy Practices, conducting comprehensive assessments of data privacy, security and incident response compliance, and ensuring your organization meets the February 16, 2026, deadline. Please contact us if you have questions or need assistance with this important requirement.

The contents of this publication are intended for general information only and should not be construed as legal advice or a legal opinion on specific facts and circumstances. Copyright 2026.

Jump to Page

Kaufman & Canoles, P.C. Cookie Preference Center

Your Privacy

When you visit our website, we use cookies on your browser to collect information. The information collected might relate to you, your preferences, or your device, and is mostly used to make the site work as you expect it to and to provide a more personalized web experience. For more information about how we use Cookies, please see our Privacy Policy.

Strictly Necessary Cookies

Always Active

Necessary cookies enable core functionality such as security, network management, and accessibility. These cookies may only be disabled by changing your browser settings, but this may affect how the website functions.

Functional Cookies

Always Active

Some functions of the site require remembering user choices, for example your cookie preference, or keyword search highlighting. These do not store any personal information.

Form Submissions

Always Active

When submitting your data, for example on a contact form or event registration, a cookie might be used to monitor the state of your submission across pages.

Performance Cookies

Performance cookies help us improve our website by collecting and reporting information on its usage. We access and process information from these cookies at an aggregate level.

Powered by Firmseek