HIPAA Notice of Privacy Practices Update Deadline: February 16, 2026 — Requirements and Next Steps
Key Updates to Notice of Privacy Practices
The HHS 2024 Final Rule requires HIPAA-covered entities to revise the Notice of Privacy Practices (NPP) to address 42 CFR Part 2 compliance for substance use disorder (SUD) information. Your privacy policy revision must explain, in plain language, how SUD records are protected, used, and disclosed.
By February 16, 2026, ensure the NPP clearly communicates:
- What SUD information is protected under 42 CFR Part 2 and how it differs from general PHI.
- Patient consent requirements for using and disclosing SUD records, including a single consent that can cover treatment, payment, and health care operations.
- Redisclosure restrictions and the requirement to include a prohibition-on-redisclosure notice when sharing SUD information.
- Specific situations when SUD records may be disclosed without consent (for example, a bona fide medical emergency or as allowed by court order meeting Part 2 standards).
- Patient rights related to SUD confidentiality, including access, amendment, restrictions, confidential communications, breach notification, and how to revoke consent without retaliation.
- How to contact your privacy office and how to file a complaint with HHS.
State laws that are more protective of substance use disorder confidentiality still apply. Reflect any stricter state requirements in your NPP and supporting procedures.
Use and Disclosure of Substance Use Disorder Records
Under the updated framework, you may use or disclose SUD records if the patient has given a valid consent that specifies who may receive the information and for what purpose. With appropriate consent, HIPAA-covered entities and business associates may use SUD information for treatment, payment, and health care operations, subject to the minimum necessary standard where applicable.
Disclosures without consent remain limited. Commonly applicable allowances include:
- Medical emergencies when the patient’s prior informed consent cannot be obtained in time.
- Research, audit, or evaluation as permitted by Part 2, including documented oversight where required.
- Reporting suspected child abuse or neglect to appropriate authorities.
- Crimes on program premises or against program personnel, consistent with Part 2.
- Court orders that meet 42 CFR Part 2’s heightened criteria, which differ from standard HIPAA subpoenas.
Implement role-based access controls and data segmentation so SUD-designated records are shared only when a valid consent or specific Part 2 exception allows it.
Patient Rights Concerning SUD Records
Patients retain HIPAA rights and receive additional clarity for SUD information under the NPP. You should explain how patients can:
- Access, inspect, and obtain copies of their SUD records in a timely, reasonable manner.
- Request amendments to correct or complete their records.
- Request restrictions on certain uses or disclosures and ask for confidential communications (for example, alternate addresses or phone numbers).
- Grant, limit, or revoke consent for use and disclosure of SUD information, and understand the effect of revocation.
- Receive breach notifications when unsecured SUD information is compromised.
- File complaints with your organization and with HHS without fear of retaliation.
Make the process to exercise these rights simple, with clear instructions, forms, and contact details in your NPP and on intake materials.
Limitations on Redisclosure of Information
Redisclosure restrictions are a core feature of 42 CFR Part 2 compliance. When you disclose SUD information, include the required notice informing recipients that further disclosure is prohibited unless permitted by Part 2 or authorized by the patient.
When a HIPAA-covered entity or its business associate receives SUD records pursuant to a valid consent, it may generally use and disclose that information consistent with HIPAA for the consented purpose. However, disclosures for civil, criminal, administrative, or legislative proceedings against the patient remain tightly limited and typically require a Part 2–compliant court order.
Strengthen safeguards by:
- Embedding redisclosure warnings in headers or cover pages and within EHR transmission templates.
- Contracting for downstream protections with business associates and qualified service organizations.
- Auditing outbound transmissions to confirm required notices and consent scopes are applied.
Compliance Policy Review and Updates
Align your privacy policy revision with operational practices so your NPP reflects what you actually do. A practical approach includes:
- Inventory and classify SUD-designated data across EHR, patient portals, data warehouses, and third-party tools.
- Update consent forms to capture single, durable TPO consent for SUD information, explicit recipients, purpose, expiration, and revocation steps.
- Revise policies on minimum necessary, emergency disclosures, court order handling, research, and audit/evaluation access.
- Refresh incident response and breach notification procedures to address SUD content explicitly.
- Amend business associate and vendor agreements to reflect redisclosure restrictions and required Part 2 safeguards.
- Document version control for your NPP, approvals, go-live dates, and archival of prior versions.
Distribution of Updated Notice of Privacy Practices
Once finalized, distribute the revised NPP through all standard HIPAA channels and ensure prominent visibility:
- Post in a clear location at service sites and on your homepage; make printed copies available on request.
- Present the updated NPP during registration and electronically through patient portals and telehealth workflows.
- Provide the effective date on the first page and retain previous versions for your records.
- Offer language access consistent with your patient population and accessibility standards.
- Communicate material changes through patient messaging, appointment reminders, and front-desk scripts.
Workforce Training on Updated Privacy Requirements
Train your workforce so 42 CFR Part 2 compliance is routine, not exceptional. Prioritize scenarios where errors are most likely and tailor modules by role.
- Explain differences between HIPAA and Part 2, emphasizing patient consent requirements and redisclosure restrictions.
- Walk through real-world cases: emergency treatment, court documents, care coordination, and research requests.
- Demonstrate how to check for valid consent, apply minimum necessary, and attach prohibition-on-redisclosure notices.
- Assess comprehension with quizzes, document attendance, and refresh training when policies or systems change.
- Provide quick-reference guides and EHR prompts to reduce mistakes at the point of action.
Conclusion
The February 16, 2026 deadline cements new expectations for NPP content and daily handling of SUD information. By updating your notice, tightening consent-driven workflows, honoring patient rights, enforcing redisclosure limits, and training your teams, you meet the rule’s requirements and strengthen patient trust in substance use disorder confidentiality.
FAQs
What information must be added to the NPP by February 16, 2026?
Add a clear explanation of what SUD records are, how 42 CFR Part 2 protects them, when you may use or disclose them with patient consent, limited circumstances for disclosure without consent, redisclosure restrictions, how patients can exercise their rights (access, amendment, restrictions, confidential communications, breach notification, and consent revocation), and how to contact your privacy office or file a complaint.
How do the revisions impact disclosure of SUD records?
The revisions allow a single patient consent to authorize use and disclosure of SUD information for treatment, payment, and health care operations by HIPAA-covered entities and business associates. Disclosures without consent remain narrow—such as bona fide medical emergencies, specific research/audit scenarios, crimes on premises, mandated reports, or court orders that meet Part 2’s heightened standards—and redisclosure restrictions continue to apply.
What are the patient rights under the updated NPP?
Patients have rights to access and obtain copies of SUD records, request amendments and restrictions, receive communications through confidential channels, revoke consent, receive breach notifications, and file complaints with your organization and HHS without retaliation. Your NPP should explain how to exercise each right and where to submit requests.
What steps must covered entities take to comply with the February 2026 deadline?
Complete an inventory of SUD data, update the NPP and consent forms, revise policies for minimum necessary, emergencies, court orders, research, and breach response, amend vendor agreements, implement EHR safeguards and redisclosure notices, roll out workforce training, and distribute the updated NPP across all patient touchpoints with an effective date and archival of prior versions.