ARTICLE
28 January 2026

Action Required By February 16, 2026 - HIPAA Updated Notice Of Privacy Practices To Include Part 2 SUD Records Deadline Is Fast Approaching—Is Your Organization Ready?

Butzel Long

Contributor

Founded in 1854, Butzel Long has played a prominent role in the development and growth of several major industries. Business leaders have turned to us for innovative, highly-effective legal counsel for over 170 years. We have a long and successful history of developing new capabilities and deepening our experience for our clients’ benefit. We strive to be on the cutting edge of technology, manufacturing, e-commerce, biotechnology, intellectual property, and cross-border operations and transactions.


Covered Entities are aware of the requirement under the Health Insurance Portability and Accountability Act ("HIPAA") to provide their patients with a Notice of Privacy Practices ("NPP") detailing the manner in which Protected Health Information ("PHI") may be used or disclosed, as well as the individual's rights and the Covered Entity's legal obligations related to PHI. 42 CFR § 164.520. However, any Covered Entity that creates, maintains, receives, or transmits Substance Use Disorder Records ("SUD Records") must update its NPP by February 16, 2026, to address 2024 changes to the HIPAA Rules related to SUD Records.

On April 26, 2024, the HIPAA Rules were amended as required by the 2020 Coronavirus Aid, Relief, and Economic Security ("CARES") Act, which required the Department of Health & Human Services ("DHHS") to align the HIPAA regulations and the Confidentiality of Substance Use Disorder Patient Records regulations found at 42 CFR part 2 ("Part 2"). While most of the CARES Act's mandate for the harmonization of HIPAA and Part 2 was contained in a Final Rule issued on February 16, 2024, by DHHS' Substance Abuse and Mental Health Services Administration ("SAMHSA") and the Office for Civil Rights ("OCR"), finalization of the NPP proposed rules applicable to Part 2 SUD records was delayed.1

Under the April Final Rule, Covered Entities, including SUD Treatment Programs ("Part 2 Programs"), are required to issue or integrate Part 2 SUD record protections into their Notice of Privacy Practices no later than February 16, 2026.2 This integration ensures that patients receive comprehensive information about the enhanced confidentiality protections that apply specifically to SUD Records, beyond the standard HIPAA notice of privacy practices regulations set forth in 45 CFR 164.520. The enhanced notice requirements, set forth in 42 CFR 2.22, reflect the heightened sensitivity and legal protections afforded to SUD treatment information, ensuring patients understand both their rights and the limitations on disclosure of such records.

What Revisions are Required for NPPs of Part 2 Programs and Covered Entities?

With the issuance of the April Final Rule, Part 2 Programs and Covered Entities must revise their NPPs to address the following elements beyond what is required generally under Section 164.520:

  • How the SUD Records may be Used or Disclosed: The NPP must describe the purposes for which the Part 2 Program is permitted or required to use or disclose records without the patient's consent, with sufficient detail to advise the patient of the types of such uses and disclosures. The NPP must also advise the patient of circumstances when their written consent is required, with at least one example of such use or disclosure, as well as notice that a single consent is sufficient for all treatment, payment, and health care operations ("TPO") purposes. The NPP must include a statement that any use or disclosure not described in the NPP will be made only with the patient's consent. In addition, the NPP must advise the patient of the following:
    • Right to revoke a consent previously given;
    • The prohibition on disclosing SUD records—or testimony related to them—in any civil, administrative, criminal, or legislative proceeding against the patient without their explicit consent or court order, and the patient's right to challenge disclosure pursuant to a court order;
    • Records used or disclosed pursuant to the single consent for TPO purposes may be further disclosed by the Part 2 Program, Covered Entity, and/or Business Associate; and
    • If stricter state laws affect the use and disclosure of SUD Records, the description of disclosures must reflect these stricter laws.
  • The Patient's Rights: The NPP must provide a description of the rights the patient has regarding their SUD Records, including:
    • Right to request restriction on disclosures for TPO purposes;
    • Right to request restriction on disclosures to the patient's health plan when paid in full by the patient;
    • Right to an accounting of all disclosures of SUD Records in the prior three years, including the right to a list of disclosures made by an intermediary;
    • Right to obtain a paper or electronic copy of the NPP and right to discuss the NPP with the SUD Program contact; and
    • Right to opt out of fundraising communications.
  • Part 2 Program's Duties: The NPP must also describe the Part 2 Program's legal obligations regarding privacy of SUD Records, including the Part 2 Program's legal duties and privacy practices regarding SUD Records and its obligations regarding notice to a patient of any breach of unsecured records. Further, the NPP must include a statement that the SUD Program must abide by the terms of the NPP currently in effect, that the SUD Program has the right to revise the NPP, and how any changes will be provided to the patient.
  • Impact of Stricter State Laws: If the state laws have more stringent protections for use or disclosure of SUD Records, the NPP must be drafted to reflect those laws. As noted in Section 2.20, Part 2 "does not preempt the field of law which they cover to the exclusion of all state laws in that field."
  • Complaint Process: The NPP must include a statement about how the patient may complain about violations of their privacy rights to the SUD Program and the Secretary of DHHS, as well as how such a complaint can be filed and notice that the patient will not be retaliated against for filing a complaint.

While a group health plan that is a covered entity is not a Part 2 Program, the updated HIPAA Rules require such group health plans to update their NPPs primarily to advise participants and dependents of the material limitations on the use or disclosure of their PHI which includes a SUD Record, and that PHI which includes a SUD Record cannot be used in a legal proceeding absent written consent or a court order.

With the February 16 deadline fast approaching, Covered Entities that are not Part 2 Programs need to determine if they receive SUD records of their patients. If so, updated NPPs addressing SUD Records must be in place. If those same records are disclosed to Business Associates, Covered Entities should consider updating their Business Associate Agreements to address the enhanced protections afforded SUD Records.

Footnotes

1 The first set of regulations was contained in the February 16, 2024, Final Rules, issued jointly by the DHHS's Substance Abuse and Mental Health Services Administration ("SAMHSA") and the Office for Civil Rights ("OCR"), aligning the Confidentiality of Substance Use Disorder ("SUD") Patient Records regulations found at 42 CFR part 2 ("Part 2") with the HIPAA Rules. However, the updated NPP Rules were delayed pending a future HIPAA final rule. See 89 FR 12483.

2 As noted in the Final Rule, "We have stated both in HIPAA and part 2 guidance that notices for different purposes may be separate or joint/combined so long as the required elements are included. Thus, either using separate HIPAA, state law, or part 2 notices or combining these notices into one form would be acceptable so long as all required elements are included." 89 FR 12528.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
