Deadline on HIPAA Policy Changes - Providers Subject to Part 2 Substance Use Disorder (SUD) Standards: Notice of Privacy Practices Changes went into effect Monday - February 16, 2026
February 18, 2026
By: Gabriel S. Oberfield, Esq., M.S.J., and Kaydeen M. Maitland
Feb. 16, 2026, was the regulatory deadline for compliance with Federal health care privacy law revisions (cf. holiday extension due to President’s Day)[1]. Now is the time for health care providers to act if you have not updated your Notice of Privacy Practices (NPP) documentation by today’s deadline, and to take related steps to protect Substance Use Disorder (SUD) records. As noted further in this memorandum, good faith matters in ensuring compliance before any violations actually occur, in order to avoid more than minimal fines if you have not completed the changes required to your NPP, as policy has changed going forward.
The 2020 Coronavirus Aid, Relief, and Economic Security (CARES) Act called for regulatory changes affecting the ongoing implementation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – calling for alignment of HIPAA regulations with the confidentiality of SUD patient records regulations in 42 CFR Part 2 (Part 2). Many of these changes were implemented through 2024 rulemaking, but a provision concerning changes to NPPs was delayed. That wait has ended.
All HIPAA Covered Entities (CEs) must update their NPPs. The changes are particularly significant for CEs also regulated under 42 CFR Part 2 due to their work in the SUD space, and for other healthcare providers that receive SUD data from such entities (45 CFR 164.520(a)(2), (b)(1)[2]). NPPs must be updated to:
- Reflect any more stringent legal requirements for the use and disclosure of information, including requirements under 42 CFR Part 2, concerning when it is permissible to use or disclose protected information (45 CFR 164.520(b)(1)(ii)(C)-(D))[3];
- Note that information received from Part 2 Programs will not be “used or disclosed in civil, criminal, administrative or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR Part 2” (45 CFR 164.520(b)(1)(iii)(D))[4];
- Indicate that if a CE intends to use or disclose such Part 2 Program records for fundraising for the CE’s benefit, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications (45 CFR 164.520(b)(1)(iii)(E)[5]);
- Provide notice of the potential that protected health information, if properly disclosed by the CE, may be “redisclosed” by the recipient, eliminating prior protections (45 CFR 164.520(b)(1)(ii)(H)[6]); and
- Notify individuals that CEs cannot use or disclose PHI for certain prohibited purposes and that, in some circumstances, an attestation must be obtained from a person requesting PHI affirming that the use or disclosure is not for such a prohibited purpose (45 CFR 164.520(b)(1)(ii)(F)-(G));
- Disclose heightened protections for SUD counseling notes, which Part 2-related providers are obligated to maintain separately from other records and which require separate patient consent for use or disclosure, paralleling HIPAA’s enhanced protections for psychotherapy notes.
Protections concerning the dissemination of certain reproductive health information[7] – originally part of the approved changes – have been stayed through a federal court challenge.
The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has published revised Model Notices of Privacy Practices (Feb. 2026) to assist with compliance. These models reflect the 2024 Part 2 Final Rule and HIPAA Privacy Rule changes, and are available here.
In addition to the NPP revisions, there are new obligations for the records disclosure process itself. When sharing SUD records protected by Part 2, providers are now required to accompany the disclosure with a specific notice informing the recipient of federal confidentiality rules. The Final Rule provides both a short and long form notice for this purpose, which must include either a copy of the patient’s written consent or a clear explanation of the scope of that consent.
The Final Rule also aligns Part 2 penalties with HIPAA’s civil and criminal enforcement, applies the HIPAA Breach Notification Rule to Part 2 records, and grants new rights to patients – among them to seek accountings of disclosures and to request disclosure restrictions. Streamlining through the Final Rule also permits patients to appeal to the Secretary of HHS for alleged Part 2 violations and to provide a single consent for all future HIPAA-recognized “Treatment, Payment and Operations” uses and disclosures of SUD data.
CEs also should consider updating their Business Associate Agreements (BAAs) to hold their BAs to the same rigor concerning SUD records to which the CEs themselves are now held.
With a regulatory compliance deadline of Feb. 16, 2026, healthcare providers who have not already acted must act promptly to update internal policies, procedures and NPPs – whether digitally or in print. While concerns were raised about underestimating mailing costs for updated NPPs, the Department’s analysis accounts for printing and postage, assuming half of NPPs will be mailed, often with regular mailings.
Good-Faith Efforts Matter: If you are actively working toward compliance, this can be a mitigating factor. OCR’s penalty framework explicitly distinguishes between violations caused by “reasonable cause” versus “willful neglect,” and whether the issue was corrected promptly. A provider that misses the deadline but can demonstrate diligent efforts (e.g. a nearly completed NPP revision and a plan to distribute it imminently) is more likely to be viewed as a Tier 2 (reasonable cause) situation rather than willful neglect. In such cases, OCR might offer technical guidance or require a quick fix without levying a large fine, provided the NPP is updated as soon as possible.
Providers are encouraged to contact Bond’s health care attorneys to ensure their policies align with the updates and to assess any potential risk areas. For questions about your specific needs, please contact attorneys Kaydeen Maitland (kmaitland@bsk.com) or Gabriel S. Oberfield (goberfield@bsk.com), or you may reach out to any other Bond attorney with whom you work regularly.
_____________________
The Story Line: Please see our Firm’s prior related articles on the developing regulatory agenda which started with Congressional mandates under the 21st Century Cures Act on Dec. 13, 2016:
Employee Benefits Update: Changes to HIPAA Notice of Privacy Practices Due By Feb. 16, 2026
New State Guidance Released on Health Care Privacy and Data Sharing
[1] 45 CFR § 16.19 – “In counting days, include Saturdays, Sundays, and holidays; but if a due date would fall on a Saturday, Sunday or Federal holiday, then the due date is the next Federal working day.”
[2] Notice requirements for covered entities creating or maintaining records subject to 42 U.S.C. 290dd-2. As provided in 42 CFR 2.22, an individual who is the subject of records protected under 42 CFR part 2 has a right to adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records. 45 CFR 164.520(a)(2)
[3] “(C) If a use or disclosure for any purpose described in paragraphs (b)(1)(ii)(A) or (B) of this section is prohibited or materially limited by other applicable law, such as 42 CFR part 2, the description of such use or disclosure must reflect the more stringent law as defined in § 160.202 of this subchapter.
(D) For each purpose described in paragraph (b)(1)(ii)(A) or (B) of this section, the description must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by this subpart and other applicable law, such as 42 CFR part 2.”
[4] “Substance use disorder treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
[5] “If a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.”
[6] “A statement adequate to put the individual on notice of the potential for information disclosed pursuant to this subpart to be subject to redisclosure by the recipient and no longer protected by this subpart.”
[7] HIPAA Privacy Rule to Support Reproductive Health Care Privacy, 89 Fed. Reg. 32994 (Apr. 26, 2024) (to be codified at 45 C.F.R. pts. 160, 164). Updates would have included: “Uses and disclosures for which an attestation is required. (a) Standard: Attestations for certain uses and disclosures of protected health information to persons other than covered entities or business associates. (1) A covered entity or business associate may not use or disclose protected health information potentially related to reproductive health care for purposes specified in § 164.512(d), (e), (f), or (g)(1), without obtaining an attestation that is valid under paragraph (b)(1) of this section from the person requesting the use or disclosure and complying with all applicable conditions of this part…”
