Required HIPAA notice deadline approaches for healthcare providers

Healthcare providers and health plans have until February 16, 2026 to update their HIPAA Notice of Privacy Practices to address the handling of substance use disorder (SUD) records. This mandatory compliance deadline comes from recent changes to the HIPAA Privacy Rule that align HIPAA with stricter federal confidentiality protections under 42 USC § 290dd-2 and 42 CFR Part 2. The updated Notices must include; enhanced privacy protections for SUD records, limits on use in legal proceedings, clarification of interactions with other laws, and fundraising restrictions. These changes don't only affect specialized SUD treatment programs but any HIPAA covered entity that creates or maintains SUD records.

Learn more: Understanding HIPAA's notice of privacy practices and authorization

The scope

The updated regulations apply to all HIPAA covered entities that create or maintain SUD records, including hospitals, primary care providers, emergency departments, behavioral health providers, and other facilities that may receive Part 2 protected records as "lawful holders."

Healthcare providers don't need to operate a dedicated SUD program to fall under these requirements. Any covered entity that has received Part 2 records, whether from other covered entities or business associates, must update their Notice of Privacy Practices to reflect the special handling requirements for this information. Given that Part 2 contains no requirement to keep these records separate from other health information, many providers may possess Part 2 protected data without knowing.

Understanding the regulatory changes

The Department of Health and Human Services published these revisions in response to Section 3221 of the CARES Act, which Congress enacted in March 2020 to harmonize Part 2 confidentiality requirements with the HIPAA Privacy Rule.

As noted in Updates Needed to HIPAA Notice of Privacy Practices by Warner Norcross + Judd on JD Supra, HIPAA has historically required covered entities to provide individuals with a Notice of Privacy Practices no later than when services are first delivered. The Notice must use plain language to describe how protected health information may be used or disclosed without authorization for purposes such as treatment, payment, and health care operations, when individual authorization is required, the individual's privacy rights, how to exercise those rights, and how to contact the covered entity with questions or complaints.

What must change in your notice

Covered entities that create or maintain SUD records must incorporate these elements into their updated Notices of Privacy Practices:

Enhanced privacy protections

The Notice must clearly explain that SUD records face stricter federal confidentiality rules than other health information. This is a change in how HIPAA-covered entities communicate about protected health information. In many cases, SUD records may not be used or disclosed, even for treatment, payment, or health care operations, without the individual's written authorization.

Limits on use in legal proceedings

Warner Norcross + Judd note that the Notice must include a separate statement explaining that SUD treatment records generally may not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual. The only exceptions are when the individual provides written authorization or when a court issues a qualifying order after providing notice and an opportunity to be heard. This protection ensures that individuals seeking SUD treatment can do so without fear that their health information will be used against them in legal matters.

Interaction with other laws

The Notice must acknowledge that when another law, such as 42 CFR Part 2, imposes more restrictive standards than HIPAA, the stricter standard applies. Covered entities must indicate that certain uses and disclosures otherwise permitted under HIPAA do not apply to SUD records. This requires providers to distinguish between standard protected health information and the more stringently protected SUD records.

Fundraising restrictions

If a covered entity intends to use or disclose SUD records for fundraising purposes, the Notice must explain that individuals will be given a clear and conspicuous opportunity to opt out of fundraising communications. This provision recognizes the sensitive nature of SUD information and ensures individuals maintain control over how this data is used, even for things like institutional fundraising.

Why this matters now

The updated Notice requirements serve multiple purposes. First, as Warner Norcross + Judd notes, they promote transparency, ensuring that individuals clearly understand the heightened protections afforded to their SUD records. This transparency can reduce barriers to treatment by alleviating concerns about privacy and potential misuse of sensitive information.

Second, the February 16 deadline provides covered entities with an opportunity to conduct a review of their privacy practices. Warner Norcross + Judd recommends that organizations examine not only their Notice language but also their internal privacy practices and public-facing privacy statements to confirm consistency with actual operations and applicable laws and regulations.

Third, these changes show an understanding of how stigma affects healthcare access. By creating enhanced protections for SUD information, the regulations acknowledge that individuals may avoid seeking necessary treatment if they fear their health information could be disclosed without their consent or used against them in legal proceedings.

Steps to take before February 16

According to Warner Norcross + Judd, covered entities should take the following actions immediately:

• Determine your status: Assess whether your organization creates or maintains SUD records subject to 42 USC § 290dd-2 and 42 CFR Part 2. Remember that receipt of Part 2 records from other providers may trigger these requirements even if you don't operate an SUD program.
• Update your notice: Revise your Notice of Privacy Practices to include all required disclosures addressing SUD records. Ensure the language clearly explains the enhanced protections, legal proceeding limitations, interaction with other laws, and fundraising restrictions.
• Verify accuracy: Confirm that your Notice language accurately reflects your current privacy practices and restrictions. Inconsistencies between your Notice and actual practices can create compliance vulnerabilities.
• Review distribution methods: Ensure your electronic delivery methods comply with federal consent and disclosure requirements. Most covered entities are required to provide the Notice to patients, obtain acknowledgement of receipt, display it at service locations, and prominently post it on their websites.
• Assess related documents: Beyond the Notice itself, evaluate consent forms and related policies to ensure compliance with both Part 2 and HIPAA Privacy Rule requirements.

FAQs

Does this HIPAA notice update require approval from HHS or OCR before publication?

No prior government approval is required, but covered entities are responsible for ensuring the Notice language complies with HIPAA and Part 2 requirements.

Do business associates need to update their own privacy notices?

Business associates are not required to issue Notices of Privacy Practices but must ensure their agreements and handling of SUD records align with Part 2 restrictions.

Can providers use different Notices for different service lines or departments?

HIPAA allows flexibility in formatting, but all required Part 2 disclosures must be communicated wherever SUD records are created or maintained.

Does this deadline apply to small practices and solo providers?

Yes, the Notice update requirement applies regardless of organization size if the provider creates or maintains SUD records.