February 16, 2026, is the deadline for each HIPAA covered entity to update its Notice of Privacy Practices (NPP) to incorporate new regulatory requirements enacted in 2024. Specifically, HIPAA-covered entities (including health care providers and health plans) are required to review and revise their NPPs as necessary to ensure compliance with a 2024 federal rulemaking related to records of treatment and referral for substance use disorder services under 42 C.F.R. Part 2 (Part 2 Records). 

We previously discussed the 2024 Part 2 Records regulatory changes here, and the HIPAA regulatory rule addressing NPP updates and reproductive health care here (note that the reproductive health care regulations were subsequently vacated, as discussed here, but the NPP changes were upheld).

Accordingly, by February 16, 2026, HIPAA-covered entities are obligated to update NPPs to address the protections afforded to Part 2 Records that may be created, received, or disclosed by HIPAA covered entities (including those who may have Part 2 programs as components of their organization). The required changes include, without limitation:

  • For uses or disclosures that are prohibited or materially limited by Part 2, the NPP description of such use or disclosure must reflect the more stringent legal requirement;
  • NPPs must include a statement to put individuals on notice of the potential that, once information is disclosed pursuant to the NPP, it may be subject to redisclosure by the recipient and no longer subject to HIPAA protection;
  • NPPs must explain that Part 2 Records may now be used or disclosed pursuant to a single consent for treatment, payment, and health care operations purposes consistent with HIPAA (but subject to limited exceptions);
  • NPPs must add a statement indicating that Part 2 Records (and testimony regarding such Records) cannot be used or disclosed in civil, criminal administrative or legislative proceedings without individual written consent, or pursuant to a court order after notice and an opportunity to be heard is given to the individual or the holder of the Records, and any such court order must be accompanied by a subpoena or other legal requirement compelling disclosure before the Records can be used or disclosed; and
  • NPPs must explain that, for covered entities that create or maintain Part 2 Records and intended to use such Records for fundraising purposes, each individual patient must be given the opportunity to opt out of fundraising communications in advance.

Now is the time for all HIPAA covered entities to review and confirm that their NPPs comply with federal law and, if not, to reach out to advisors to make the necessary changes. We are available to assist covered entities with all matters related to HIPAA, including NPP drafting and compliance.

Photo of Conor Duffy Conor Duffy

Conor Duffy is co-chair of Robinson+Cole’s Health Law Group and a member of the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters…

Conor Duffy is co-chair of Robinson+Cole’s Health Law Group and a member of the firm’s Data Privacy + Security Team. Mr. Duffy advises hospitals, physician groups, accountable care organizations, community providers, post-acute care providers, and other health care entities on general corporate matters and health care issues. He provides legal counsel on a full range of transactional and regulatory health law issues, including contracting, licensure, mergers and acquisitions, the False Claims Act, the Stark Law, Medicare and Medicaid fraud and abuse laws and regulations, HIPAA compliance, state breach notification requirements, and other health care regulatory matters. Read his full rc.com bio here.

Read more about Conor Duffy
Show more Show less