New Part 2 Compliance Deadline for NPP Updates: Healthcare Organizations Must Revise Privacy Notices by February 16, 2026

We are writing to alert you to a significant and time-sensitive compliance obligation affecting healthcare providers, health plans, and other HIPAA-covered entities. Recent federal regulatory changes aligning the confidentiality requirements for substance use disorder (“SUD”) records under 42 C.F.R. Part 2 with the HIPAA Privacy Rule now require covered entities to update their Notice of Privacy Practices (“NPP”) no later than February 16, 2026.

This requirement applies broadly and is not limited to organizations that regularly treat patients for substance use disorders. Even entities that do not believe they maintain Part 2 records may still receive such information through referrals, care coordination, health information exchanges, or integrated care models. As a result, we recommend treating this as a required update.

The updated NPP must explain that Part 2 records are subject to stricter limitations than other protected health information. In particular, it must describe that SUD records generally cannot be used or disclosed for treatment, payment, or healthcare operations without patient consent, that such information cannot be used against a patient in legal proceedings absent authorization or court order, and that recipients of Part 2 records may not be subject to the same confidentiality restrictions. If Part 2 records may be used for fundraising, the notice must clearly and conspicuously inform individuals of their right to opt out of receiving any fundraising communication.

Covered entities must also comply with HIPAA’s distribution rules when revising their NPP. If your organization maintains a website, the updated NPP must be posted online by February 16, 2026. If the NPP is not posted on your website, the revised notice or a summary of material changes must be distributed to patients within 60 days of the update’s effective date. The revised notice must also be made available to new patients and included in any routine NPP distribution going forward.

Because this rule applies even to entities that only incidentally receive SUD information, failure to update the NPP may create regulatory risk and potential enforcement exposure. We recommend that healthcare organizations begin reviewing and revising their NPP now to ensure timely compliance.

The new provisions required in NPPs are:

• A statement that an individual subject of SUD records has a right to adequate notice of the uses and disclosures of such records and the covered entity’s legal duties with respect to such records;
• A statement describing the special protections afforded to SUD records and that, except as permitted by law otherwise, unlike other protected health information, SUD records generally are not used or disclosed for treatment, payment, and health care operations, without the subject’s written consent;
• A statement that SUD treatment records received from SUD treatment programs, or testimony relaying such content, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual subject of such records or testimony unless the subject provides written consent or in response to a court order after the subject has had notice and an opportunity to be heard, and such court order authorizing the use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure prior to use or disclosure by the covered entity;
• A statement that puts the subject on notice about the potential for subsequent use and disclosure by a recipient who is not subject to the Privacy Rule and therefore no longer afforded the protections of the Privacy Rule; and
• A statement that, if the covered entity intends to use SUD records for fundraising for the covered entity’s benefit, the subject of such SUD records must be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.

At this time, the U.S. Department of Health and Human Services has not issued model or sample language for these required updates. As a result, organizations must draft compliant language on their own or with the assistance of counsel. If you would like assistance reviewing or updating your Notice of Privacy Practices or assessing how the Part 2 changes apply to your organization, please contact your Dykema attorney or a member of our Healthcare team.