December 29, 2025
Health Law Update

Update Your HIPAA Notice of Privacy Practices by February 16, 2026

Recent changes to the HIPAA Privacy Rule require that healthcare providers update their Notice of Privacy Practices (NPP) by February 16, 2026.1 Most of the changes are intended to align HIPAA with the revised regulations governing substance use disorder records (see 42 CFR part 2), but other changes will apply to all covered entities.2 A redlined version of 45 CFR 164.520 showing the changes to the rule is available here.

Background.  HIPAA requires covered entities to post and provide individuals with a copy of the provider’s NPP no later than the first day services are delivered.3 The NPP must contain the elements, information and statements specified in 45 CFR 164.520, including but not limited to:

  • The required header, i.e., “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”4
  • A description of the uses or disclosures that the entity may make without the patient’s written authorization,5 e.g., those uses or disclosures permitted under 45 CFR 164.502 to 164.512.
  • A statement that other uses or disclosures will only be made with the individual’s authorization, and that the individual has the right to revoke her/his authorization subject to certain limitations.6
  • A summary of certain specified rights the individual has concerning his/her information.7
  • The contact information for a person who may respond to questions.
  • The NPP’s effective date.8

For more information concerning these continuing requirements, see our article at https://www.hollandhart.com/checklist-for-hipaa-notice-of-privacy-practices.

Required Updates. By February 16, 2026, covered entities must update their NPP to also address the following:

a. Substance Use Disorder Records. If the covered entity “creates or maintains” substance use disorder (SUD) records9 covered by 42 CFR part 2 (Part 2), the covered entity must ensure that “an individual who is the subject of records protected under 42 CFR part 2 [receives] adequate notice of the uses and disclosures of such records, and of the individual's rights and the covered entity's legal duties with respect to such records.”10 Importantly, Part 2 limits the use or disclosure of SUD records that would otherwise be permissible under HIPAA without the patient’s authorization, including but not limited to uses or disclosures for purposes of treatment, payment or healthcare operations. Typically, notice of such restrictions on SUD records would be given by the SUD program through a separate Patient Notice required by 42 CFR 2.22, but HHS commentary accompanying the new rule confirms that the Part 2 Patient Notice may be combined with an NPP so long as the NPP contains all the information required by 42 CFR 2.22.11 

Also, under the new regulations, the NPP must contain a separate statement explaining that:

[SUD] treatment records received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed….12

b. Impact of Other Laws. If the permissible uses or disclosures of information described in the NPP are limited by other laws that are more restrictive than HIPAA (e.g., SUD records protected by Part 2), the description of such uses or disclosures “must reflect the more stringent law.”13 Similarly, if another law permits or (more importantly) requires disclosures of the information, then the description of uses and disclosures in the NPP “must include sufficient detail to place the individual on notice of the uses and disclosures that are permitted or required by [the HIPAA Privacy Rule] subpart and other applicable law, such as 42 CFR part 2.”14 For example, covered entities that “receive or maintain” SUD records protected by Part 2 will need to explain that, unlike other protected health information, use or disclosure of SUD records for treatment, payment and/or healthcare operations generally requires the patient’s written consent.15

c. Required Authorizations. As amended, the NPP must include “[a] description of the types of uses and disclosures that require an authorization under § 164.508(a)(2)-(a)(4) [i.e., psychotherapy notes, marketing, and sale of protected health information], a statement that other uses and disclosures not described in the notice will be made only with the individual's written authorization, and a statement that the individual may revoke an authorization as provided by § 164.508(b)(5).”16 Although these basic concepts were in the prior version of the rule, providers will need to tweak their NPPs to address the specific items identified by HHS.

d. Redisclosure. The NPP must now contain “[a] statement adequate to put the individual on notice of the potential for information disclosed pursuant to [the Privacy Rule] to be subject to redisclosure by the recipient and no longer protected by [the Privacy Rule].”17 This is already a requirement for effective authorizations,18 but must now be added to the NPP.

e. Fundraising. If the covered entity intends to engage in fundraising, the NPP must include a separate statement informing the individual that it may contact the individual for such activities and that “the individual has a right to opt out of receiving such communications.”19 The “opt out” language is new. In addition, “[i]f a covered entity that creates or maintains records subject to 42 CFR part 2 intends to use or disclose such records for fundraising for the benefit of the covered entity, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.”20

No Updates re Reproductive Health Rule. The updated NPP requirements were published as part of the Biden administration’s HIPAA Reproductive Health Rule. The current published version of 45 CFR 164.520 includes certain additional NPP requirements specific to the Reproductive Health Rule (see, e.g., 45 CFR 164.520(b)(1)(ii)(F)-(G)); nevertheless, that Rule was largely struck down by a Texas federal court and the Trump administration chose not to challenge the court’s decision. Accordingly, covered entities may ignore those changes to the NPP relevant to the Reproductive Health Rule.21

Compliance with Discrimination Laws. In its commentary accompanying the final NPP rule, HHS emphasized that “covered entities are required to comply with all Federal nondiscrimination laws, including laws that address language access requirements.”22 Thus, covered entities are likely required to translate the NPP into other languages or otherwise make the NPP accessible to persons with disabilities, although it does not appear that the Trump administration has been very active in enforcing such requirements.

Reconciling NPP with Policies and Practices. Although this article focuses on the new NPP requirements, this would be a good time to review your entire NPP to ensure compliance with all the requirements in 45 CFR 164.520. In addition, you may want to compare the NPP requirements to your actual practices to ensure that what you do is consistent with what you say you will do. Also, you may want to compare your NPP against the privacy policies associated with your website. Provider websites often contain terms of use or website privacy policies that may be drafted by vendors or others, and which may conflict with HIPAA requirements as summarized in the provider’s NPP. The February 16 deadline provides a good opportunity to evaluate all of your privacy practices and policies, not just the NPP.


1 45 CFR 164.520; 89 FR 32976, 33045-48 (4/26/24).

2 Additional rules apply to health plans covered by HIPAA; this article will focus on rules applicable to healthcare providers covered by HIPAA. 

3 45 CFR 164.520(c)(2)-(3).

4 45 CFR 164.520(b)(1)(i).

5 45 CFR 164.520(b)(1)(ii).

6 45 CFR 164.520(b)(1)(ii).

7 45 CFR 164.520(b)(1)(iv)-(vii).

8 45 CFR 164.520(b)(1)(viii).

9 It is not entirely clear from the regulations and commentary whether this particular notice requirement applies only to SUD programs covered by Part 2 or extends to other non-Part 2 entities that “create or maintain” Part 2 SUD records. The language in 45 CFR 164.520(a)(2) and accompanying HHS commentary suggests that it applies to any covered entity that “creates or maintains” SUD records protected by Part 2 (see, e.g., 89 FR 33046, in which HHS stated, “we are requiring in 45 CFR 164.520(a)(2) that covered entities that create or maintain Part 2 records provide notice to individuals of the ways in which those covered entities may use and disclose such records, and of the individual’s rights and the covered entities’ responsibilities with respect to such records.”); nevertheless, 45 CFR 164.520(a)(2) prefaces the notice requirement with “As provided in 42 CFR 2.22….” Section 2.22(a) only requires that a Part 2 program provide the required notice. Accordingly, covered entities that are not Part 2 programs likely do not need to provide the expanded Patient Notice otherwise required by 42 CFR 2.22, and likely satisfy the new NPP requirement so long as their NPPs describe the additional limits on uses or disclosures discussed in the next section.

10 45 CFR 164.520(a)(2).

11 89 FR 33047.

12 45 CFR 164.520(b)(1)(iii)(D). Technically, the regulation states that this separate statement concerning use of SUD records in government proceedings is only required “[i]f the covered entity intends to engage in [such] activities….” (45 CFR 164.520(b)(1)(iii)). However, the HHS commentary suggests a broader application: “the Department is requiring that covered entities provide notice to individuals that a Part 2 record, or testimony relaying the content of such record, may not be used or disclosed in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order, consistent with the requirements of 42 CFR part 2.” 89 FR 33046-47.

13 45 CFR 164.520(b)(1)(ii)(C).

14 45 CFR 164.520(b)(1)(ii)(D).

15 89 FR 33046.

16 45 CFR 164.520(b)(1)(ii)(E).

17 45 CFR 164.520(b)(1)(ii)(H).

18 45 CFR 164.508(c)(2)(iii).

19 45 CFR 164.520(b)(1)(iii).

20 45 CFR 164.520(b)(1)(iii)(E).

21 As of the date of this Article, the OCR’s webpage states, in relevant part:

On June 18, 2025, the U.S. District Court for the Northern District of Texas issued an order declaring unlawful and vacating most of the HIPAA Privacy Rule to Support Reproductive Health Care Privacy at 89 Federal Register 32976 (April 26, 2024). With regard to the modifications to the HIPAA Privacy Rule Notice of Privacy Practices (NPP) requirements at 45 CFR 164.520, the court vacated only the provisions that were deemed unlawful, namely 164.520(b)(1)(ii)(F), (G), and (H). The remaining modifications to the NPP requirements are undisturbed and remain in effect, see Carmen Purl, et al. v. U.S. Department of Health and Human Services, et al., No. 2:24-cv-00228-Z (N.D. Tex. June 18, 2025). Compliance with the remaining NPP modifications is required by February 16, 2026….

(https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html). 

22 89 FR 33047; see also 78 FR 5566, 5625 (1/25/13).


This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author(s). This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.