Updates Needed to HIPAA Notice of Privacy Practices

January 20, 2026

Health care providers and health plans (Covered Entities) required to maintain HIPAA Notices of Privacy Practices (NPPs) must update their NPPs by Feb. 16, 2026, to address the handling of substance use disorder (SUD) records. These updates reflect recent changes to the HIPAA Privacy Rule intended to align HIPAA with the stricter federal confidentiality protections that apply to SUD records under 42 USC § 290dd-2 and 42 CFR Part 2.

While HIPAA has long required covered entities to provide individuals with an NPP describing how protected health information is used and disclosed, the updated rule requires additional, specific disclosures for entities that create or maintain SUD records. These changes are intended to ensure that individuals clearly understand their enhanced privacy rights and the heightened restrictions on the use and disclosure of SUD information.

Background

HIPAA requires covered entities to provide individuals with an NPP no later than the first date services are delivered. The NPP must be written in plain language and describe, among other things, (1) how protected health information may be used or disclosed without an individual’s authorization (such as for treatment, payment, and health care operations); (2) when individual authorization is required; (3) the individual’s privacy rights; (4) how to exercise those rights; and (5) how to contact the covered entity with questions or complaints.

Required Updates for SUD Records

By Feb. 16, 2026, Covered Entities that create or maintain SUD records must update their NPPs to include additional information addressing the special treatment of those records. Specifically, the updated NPP must clearly explain the following:

  • Enhanced Privacy Protections. SUD records are subject to stricter federal confidentiality rules than other health information. In many cases, these records may not be used or disclosed, even for treatment, payment or health care operations, without the individual’s written authorization.
  • Limits on Use in Legal Proceedings. The NPP must include a separate statement explaining that SUD treatment records generally may not be used or disclosed in civil, criminal, administrative or legislative proceedings against the individual unless the individual provides written authorization or a court issues a qualifying order after notice and an opportunity to be heard.
  • Interaction with Other Laws. If another law (such as 42 CFR Part 2) is more restrictive than HIPAA, the NPP must reflect the stricter standard. Covered entities must clearly indicate that certain uses and disclosures permitted under HIPAA do not apply to SUD records.
  • Fundraising Restrictions. If a covered entity intends to use or disclose SUD records for fundraising purposes, the NPP must explain that individuals will be given a clear and conspicuous opportunity to opt out of fundraising communications.

What Did Not Change

Although these NPP updates were issued alongside changes related to reproductive health information, those provisions were largely invalidated by federal court action and are not currently being enforced. Covered Entities do not need to update their NPPs to reflect the reproductive health rules at this time.

Practical Impact

The updated NPP requirements are intended to promote transparency and ensure that individuals clearly understand the heightened protections afforded to SUD records. The Feb. 16 deadline provides an important opportunity for Covered Entities to review not only NPP language, but also internal privacy practices and public-facing privacy statements to confirm consistency with actual operations and applicable laws and regulations.

Implementation Considerations

Before Feb. 16, 2026, Covered Entities should take the following actions:

  • Determine whether they create or maintain SUD records subject to 42 USC § 290dd-2 and 42 CFR Part 2.
  • Update their NPPs to include the required disclosures addressing SUD records.
  • Confirm that NPP language accurately reflects current privacy practices and restrictions.
  • Ensure electronic delivery methods comply with federal consent and disclosure requirements.

Article courtesy of Warner Norcross + Judd
