HIPAA Notice of Privacy Practices Update Required by February 16, 2026

Article Summary

Employer health plans that receive substance use disorder information must update their HIPAA Notice of Privacy Practices by February 16, 2026. Plans must explain heightened confidentiality protections and stricter use and disclosure limits, include the required redisclosure language, update fundraising opt-out language, and remove vacated reproductive health content. Review notices and related policies now.

HIPAA Notice of Privacy Practices update deadline: what employer health plans need to do by February 16, 2026

The deadline for covered entities to update their HIPAA Notice of Privacy Practices (Notice) to address substance use disorder (SUD) protections is February 16, 2026.

As a reminder, a HIPAA covered entity is any health care provider, health plan, or health care clearinghouse that handles health information in electronic form as part of standard transactions like billing or claims processing. This includes providers such as doctors, hospitals, pharmacies, and clinics that submit electronic claims; health plans such as insurers, HMOs, Medicare, Medicaid, and employer-sponsored group health plans; and clearinghouses that translate health data between formats.

Final regulations issued in 2024 require new protections for SUD/Part 2 records. An SUD record may contain information about a patient’s identity, diagnosis, treatment, billing, and other information relating to a patient. Part 2 refers to federal confidentiality rules that protect the privacy of SUD treatment records.

Important note: The reproductive-health portions of the 2024 Privacy Rule were vacated and are not required in the Notice. Only the SUD-related updates remain mandatory. If language was previously added to the Notice to reflect reproductive-health provisions, it should be removed.

What must be updated in your HIPAA Notice of Privacy Practices

Every HIPAA covered employer health plan that receives or transmits SUD/Part 2 information should revise its Notice to include the elements below.

1. Explain the extra protections for SUD information

The Notice must explain that certain SUD records are subject to heightened confidentiality protections under federal law and may follow different rules than standard HIPAA protected health information (PHI).

2. Describe stricter limits on use and disclosure

The Notice must describe that:

  • Using SUD/Part 2 records in civil, criminal, administrative, or legislative proceedings requires written consent or a court order.
  • Other disclosures that may be permitted under HIPAA may not be allowed for Part 2-protected information.

3. Include the required redisclosure statement

The Notice must also notify individuals that PHI disclosed by your plan may be redisclosed by the recipient and may no longer be protected by HIPAA, unless stronger federal confidentiality rules (like Part 2) apply.

4. Update fundraising opt-out language

If PHI is used for fundraising purposes, the Notice must offer a clear and conspicuous opportunity for individuals to opt out of future fundraising communications.

5. Remove reproductive health content previously added

If your Notice includes reproductive-health privacy language added in response to regulations that have since been vacated, that content should be removed.

Who must comply?

This requirement applies to:

  • All HIPAA covered employer health plans that create, receive, maintain, or transmit SUD/Part 2 information, regardless of size or funding arrangement.
  • Plans that receive SUD/Part 2 information even if they do not operate a Part 2 program.
  • Plans that previously updated reproductive health content in response to regulations that have since been vacated.

Next steps employers should take now

  • Confirm whether your plan receives or transmits SUD/Part 2 data to determine whether these updates apply.
  • Update your Notice so the revised version is available online by February 16, 2026.
  • If you mail Notices, note that a new mailing is generally not required until your next regular plan communication.
  • Review whether updates to the Notice also require updates to HIPAA policies and procedures, workforce training materials, and Business Associate Agreements (BAAs).
  • Coordinate with vendors and partners to confirm they are aware of the changes and, if needed, revise BAAs.

Need help reviewing your compliance obligations?

As federal policies evolve, OneDigital's Compliance Consulting team will help you stay on top of key actions, pending legislation, and regulatory changes that may impact your organization.

Visit OneDigital's resource page for real-time updates: Federal Policy Updates for Employers: What to Watch in 2025. Reach out to your OneDigital representative if you have any questions.

For additional guidance and best practices, review OneDigital's 2025 Guide to HR Compliance made for Employers.

 

Publish Date: Feb 6, 2026
