HIPAA Guidelines for Privacy Officers: Essential Duties, Policies, and Compliance Checklist (2026 Update)
Understanding HIPAA Privacy Rule Updates
What changed by 2026—and what didn’t
Two federal rulemakings drive 2026 priorities. First, HHS finalized extensive updates to 42 CFR Part 2 to align many protections for Substance Use Disorder (SUD) Records with HIPAA. Highlights include a single patient consent covering all future uses and disclosures for treatment, payment, and health care operations (TPO); permission for HIPAA covered entities and business associates to redisclose Part 2 records consistent with HIPAA; application of the HIPAA Breach Notification Rule to Part 2 records; and a new patient right to opt out of fundraising communications. Compliance was required by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Second, HHS issued the HIPAA Privacy Rule to Support Reproductive Health Care Privacy in April 2024. On June 18, 2025, a federal district court vacated most of that rule. The decision left certain Notice of Privacy Practices (NPP) modifications in effect, with compliance for those remaining NPP changes due by February 16, 2026. Treat those NPP elements as current obligations while HHS evaluates next steps. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Practical implications for privacy officers
- Update your NPP to clearly explain Part 2 protections, permitted uses/disclosures, the prohibition on use in legal proceedings against a patient absent consent or court order, and the patient’s rights under Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Adjust consent workflows to support a single TPO consent for SUD Records and processes to honor revocation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Incorporate HIPAA Breach Notification procedures for Part 2 records. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
Managing Substance Use Disorder Treatment Records
Consent, scope, and documentation
Use the new single TPO consent for ongoing care coordination. When disclosing SUD Records with consent, include either a copy of the consent or a clear explanation of its scope with each disclosure so downstream recipients understand the limits. Maintain revocation procedures and retain consent documentation per policy. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
SUD counseling notes, segmentation, and notices
Recognize SUD counseling notes as a distinct record category, protected similarly to psychotherapy notes and requiring a separate, specific consent. The rule clarifies that segregating or segmenting SUD Records is not required, but you must still apply Part 2 protections and supply the “Notice to Accompany Disclosure” under § 2.32 as applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Breach notification and vendor management
Extend HIPAA Breach Notification Rule processes to SUD Records and verify that business associates can meet these obligations. Update business associate agreements and incident playbooks to reflect Part 2 alignment. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
Addressing Redisclosure Risks
When redisclosure is allowed—and when it isn’t
After a valid TPO consent, HIPAA covered entities and business associates may redisclose SUD Records consistent with HIPAA. However, records still cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without specific consent or a court order—an important bright line you must preserve in policies, contracts, and training. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Operational controls to reduce exposure
- Attach the required Notice to Accompany Disclosure under § 2.32 and include the consent or a clear explanation of its scope with each disclosure; build these steps into release-of-information tools and templates. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
- Map recipients to determine when HIPAA redisclosure permissions apply versus when additional Part 2 consent or de-identification is needed (for example, disclosures to non-HIPAA recipients for non-TPO purposes). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Protecting Patient Rights and Fundraising Communications
Patient rights to know, restrict, and complain
Part 2 now expressly allows patients to file complaints directly with the HHS Secretary and request restrictions on certain disclosures—rights you must reflect in your NPP and internal workflows. Ensure front-line staff can explain these rights and route complaints appropriately. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Fundraising under HIPAA and Part 2
Under HIPAA, you may use limited PHI (for example, demographic information, dates of service, and department of service) for fundraising if your NPP states that you may do so and each communication offers a clear and conspicuous opt-out that imposes no more than a nominal cost on the patient. Part 2 adds a new patient right to opt out of fundraising communications, and a TPO consent alone does not authorize use of SUD Records for fundraising. Build unified opt-out tracking that honors both HIPAA and Part 2, so that a single opt-out suppresses every downstream channel. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol-edited/index.html))
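To make the recipient mapping under "Operational controls to reduce exposure" and the HIPAA/Part 2 fundraising opt-out above concrete, here is an added example (not code from the original page, from Accountable, or from HHS) of a release-of-information gate in Python that encodes those rules as one decision function, the kind of logic a ROI tool would run before a disclosure leaves the program. Everything in it is this example's own vocabulary: the `Purpose` values, the consent flags, the attachment labels, and in particular the `fundraising_consent` flag, which stands in for whatever authorization beyond the TPO consent your counsel determines is required. The branches are a simplified reading of the HHS fact sheet for illustration, not a legal determination.

```python
"""Simplified release-of-information (ROI) gate for 42 CFR Part 2 records.

Added example, not code from the original page or from any vendor or
regulator. Flag names, purposes and attachment labels are this example's own
vocabulary; the rules are a simplified reading of the Part 2 final rule fact
sheet, for illustration only (assumption: counsel confirms each branch).
"""
from dataclasses import dataclass, field
from enum import Enum, auto


class Purpose(Enum):
    TPO = auto()                         # treatment, payment, health care operations
    FUNDRAISING = auto()
    PROCEEDING_AGAINST_PATIENT = auto()  # civil, criminal, administrative, legislative
    OTHER = auto()                       # any other non-TPO purpose


@dataclass
class Consents:
    """What the patient has signed (or revoked) and whether they opted out."""
    tpo_consent: bool = False               # single Part 2 TPO consent on file
    tpo_revoked: bool = False
    counseling_notes_consent: bool = False  # separate, specific consent for SUD counseling notes
    fundraising_consent: bool = False       # assumption: an authorization that names fundraising
    proceeding_consent: bool = False        # specific consent for a proceeding against the patient
    other_purpose_consent: bool = False     # Part 2 consent naming a specific non-TPO purpose
    fundraising_opt_out: bool = False       # honored under both HIPAA and Part 2


@dataclass
class Request:
    purpose: Purpose
    recipient_hipaa_regulated: bool         # covered entity or business associate
    counseling_notes: bool = False          # True if the record is SUD counseling notes
    qualifying_court_order: bool = False
    de_identified: bool = False
    npp_describes_fundraising: bool = False


@dataclass
class Decision:
    allowed: bool
    reason: str
    attachments: list[str] = field(default_factory=list)  # what must travel with the disclosure


NOTICE_2_32 = "Notice to Accompany Disclosure (section 2.32)"
CONSENT_SCOPE = "copy of consent or clear explanation of its scope"


def evaluate(req: Request, c: Consents) -> Decision:
    """Decide whether the disclosure may proceed and what must accompany it."""
    # Bright line first: a proceeding against the patient needs specific consent
    # or a qualifying court order, regardless of any TPO consent on file.
    if req.purpose is Purpose.PROCEEDING_AGAINST_PATIENT:
        if c.proceeding_consent:
            return Decision(True, "specific consent for the proceeding", [NOTICE_2_32, CONSENT_SCOPE])
        if req.qualifying_court_order:
            return Decision(True, "qualifying court order", [NOTICE_2_32])
        return Decision(False, "proceeding against patient: no specific consent or court order")

    # SUD counseling notes are never covered by the TPO consent alone.
    if req.counseling_notes and not c.counseling_notes_consent:
        return Decision(False, "SUD counseling notes require a separate, specific consent")

    if req.purpose is Purpose.FUNDRAISING:
        if c.fundraising_opt_out:
            return Decision(False, "patient opted out of fundraising")
        if not req.npp_describes_fundraising:
            return Decision(False, "NPP does not describe fundraising")
        if not c.fundraising_consent:
            return Decision(False, "TPO consent alone does not authorize fundraising use of SUD records")
        # A use within the program carries no disclosure attachments; a disclosure
        # to a fundraising vendor would add NOTICE_2_32 and CONSENT_SCOPE as well.
        return Decision(True, "fundraising authorized; offer opt-out with each communication")

    if req.purpose is Purpose.TPO:
        if not (c.tpo_consent and not c.tpo_revoked):
            return Decision(False, "no valid (unrevoked) TPO consent")
        reason = ("TPO consent; HIPAA-regulated recipient may redisclose consistent with HIPAA"
                  if req.recipient_hipaa_regulated
                  else "TPO consent; recipient not HIPAA-regulated, no HIPAA redisclosure path")
        return Decision(True, reason, [NOTICE_2_32, CONSENT_SCOPE])

    # Any other non-TPO purpose: de-identified data or a purpose-specific consent.
    if req.de_identified:
        return Decision(True, "de-identified data")
    if c.other_purpose_consent:
        return Decision(True, "purpose-specific Part 2 consent", [NOTICE_2_32, CONSENT_SCOPE])
    return Decision(False, "non-TPO purpose needs purpose-specific consent or de-identification")


if __name__ == "__main__":
    # Constructed sample: a payer (covered entity) requests records for payment.
    d = evaluate(Request(Purpose.TPO, recipient_hipaa_regulated=True), Consents(tpo_consent=True))
    print(d.allowed, "|", d.reason, "|", d.attachments)
```

The order of the checks is the point: the proceedings bright line and the counseling-notes rule are evaluated before any permissive branch, so a valid TPO consent can never be read as authorizing either, and every allowed disclosure made under a consent returns the two attachments the ROI template must include.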
Revising Internal Policies and Training
Policy modernization
Refresh Internal Privacy Policies to reflect TPO consent, redisclosure limits, the § 2.32 notice, breach notification for Part 2, complaint handling, and fundraising opt-outs. Align records management, retention, and minimum necessary standards across HIPAA and Part 2 to avoid conflicting directives. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Role-based training and tracking technologies
Deliver targeted training for privacy, HIM, legal, revenue cycle, development, and marketing teams. Reinforce OCR's expectations on web and mobile tracking technologies (analytics scripts, pixels, and mobile SDKs) so that PHI is not impermissibly disclosed to vendors that are not business associates, and document each decision and configuration. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html))
Preparing for Compliance Deadlines
2026 compliance checklist
- Update NPPs to incorporate required Part 2 content and any remaining 2024 reproductive health NPP revisions still in effect; publish online and post on-site. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Adopt a single TPO consent for SUD Records; implement the “copy-of-consent or scope explanation” requirement for every disclosure. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
- Implement the § 2.32 Notice to Accompany Disclosure and related downstream redisclosure controls. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
- Extend HIPAA Breach Notification processes, BAAs, and incident response to cover Part 2. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
- Enable fundraising opt-outs under both HIPAA and Part 2 and reconcile with your donor systems. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Finalize workforce training and documentation, then verify go‑live readiness with audit trails and spot checks before February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Timeline and governance
By February 16, 2026, regulated entities had to comply with the Part 2 final rule. OCR’s Civil Enforcement Program for Part 2 began accepting complaints and breach notifications on that date, so your board or compliance committee should retain formal evidence (policies, training logs, NPP versions, ROI templates, vendor attestations) showing timely implementation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Navigating Enforcement and Security Rule Updates
OCR enforcement focus in 2026
OCR launched a Civil Enforcement Program for SUD confidentiality that aligns penalties with HIPAA and signals heightened scrutiny of how you handle SUD Records, complaint intake, and breach notifications. Maintain investigative readiness across privacy, security, and development functions. ([hhs.gov](https://www.hhs.gov/press-room/hhs-announce-civil-enforcement-program-sud-patient-records.html))
Security Rule trajectory and cybersecurity expectations
HHS proposed substantial HIPAA Security Rule updates (NPRM announced December 27, 2024 and published in the Federal Register on January 6, 2025) to strengthen cybersecurity for ePHI, informed by the Healthcare and Public Health Sector Cybersecurity Performance Goals. Among other changes, the proposal would remove the distinction between "required" and "addressable" implementation specifications, mandate encryption of ePHI at rest and in transit and multi-factor authentication, and require a technology asset inventory and network map. Even as HHS advances rulemaking, OCR continues to enforce the existing Security Rule, especially risk analysis, patch management, and vendor oversight, so align your safeguards now. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html))
Conclusion
For 2026, center your program on Part 2–HIPAA alignment: modernize NPPs and Internal Privacy Policies, operationalize consent and redisclosure rules, extend breach notification and BAAs, and harden cybersecurity controls. Treat fundraising and patient rights with particular care, and maintain robust documentation to demonstrate compliance during OCR reviews. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
FAQs
What are the key updates to the HIPAA Notice of Privacy Practices for 2026?
Covered entities must revise NPPs to address Part 2 protections and remaining reproductive‑health NPP changes that survived the June 18, 2025 court decision, with compliance due by February 16, 2026. HHS has also released model language to help incorporate SUD confidentiality into HIPAA NPPs. Confirm your posted and web versions match the final requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
How should privacy officers manage consent for substance use disorder treatment records?
Adopt the single TPO consent for SUD Records and ensure every disclosure made with consent includes either a copy of the consent or a clear explanation of its scope. Keep a separate, specific consent for SUD counseling notes. After a valid consent, HIPAA covered entities and business associates may redisclose consistent with HIPAA, but never for proceedings against the patient without consent or court order. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
What are the risks of redisclosure under the updated HIPAA guidelines?
The main risks arise when disclosures extend beyond HIPAA‑regulated recipients or permitted purposes. Even with a TPO consent, you must attach the § 2.32 notice and ensure recipients understand consent scope; redisclosure for legal proceedings against the patient remains prohibited without specific consent or a qualifying court order. Audit redisclosures and contracts to prevent violations. ([govinfo.gov](https://www.govinfo.gov/content/pkg/FR-2024-02-16/pdf/2024-02544.pdf))
How can organizations ensure compliance by the February 16, 2026 deadline?
Use a formal project plan: finalize NPP updates; deploy the single TPO consent and attach consent scope to each disclosure; implement the § 2.32 notice; extend HIPAA Breach Notification processes to Part 2; refresh BAAs; and complete workforce training. Retain evidence of completion and monitoring, as OCR’s Civil Enforcement Program began on February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))