Legal Update

Jan 29, 2026

HIPAA’s February 16 Deadline: A Strategic Moment for Privacy Governance


As most health care entities are already aware, a February 16, 2026, deadline from the U.S. Department of Health and Human Services’ (“HHS”) Office for Civil Rights (“OCR”) and the Substance Abuse and Mental Health Services Administration (“SAMHSA”) requires health plans and most health care providers to update their Notices of Privacy Practices (“NPPs”). This update must reflect the new federal rules for handling substance use disorder (“SUD”) information protected under 42 C.F.R. Part 2. Although the task may appear administrative, the revisions present a strategic opportunity to evaluate privacy practices, modernize internal systems, and reinforce protections for sensitive health information.

A Quick Primer

NPPs explain to patients how a HIPAA‑covered entity uses and discloses protected health information and outline individuals’ privacy rights. Covered entities include health plans (including employer plans), health care clearinghouses, and health care providers—all of which must provide an NPP to individuals whose information they create or receive. Although HHS offers model NPP templates, they have not yet been updated to reflect the new requirements. It is also unclear when they will be revised, as HHS has not published any statement or timeline regarding such updates.

However, not all plans must issue their own NPP. Fully insured group health plans may rely on their insurer if they do not create or receive Protected Health Information (“PHI”) beyond enrollment data or “summary health information.”[1] Plans that handle more extensive PHI must update and distribute their own NPP.[2]

The following sections outline the key regulatory updates prompting the revisions and the broader operational considerations they raise.

1. Heightened Requirements for SUD Information

Updated NPPs must now address how entities use and disclose SUD records originating from federally assisted treatment programs, as required by the 2024 Final Rule aligning 42 C.F.R. Part 2 with the HIPAA Privacy Rule.[3] Because these records carry stricter, consent‑driven protections than standard PHI, organizations may need to reassess data‑handling workflows, vendor arrangements, and internal policies to ensure alignment with these enhanced requirements.

2. Reproductive‑Health Provisions on Hold—But Still Relevant

Although federal reproductive‑health privacy requirements have been vacated by a district court, the regulatory environment remains fluid. HIPAA‑covered entities are not currently required to update their NPPs for this category of information, but continued monitoring—especially of state‑level developments—remains important.

3. Implications Beyond the Notice: Policies, Vendors, and Infrastructure

The required NPP update should prompt a broader review of how sensitive data moves through systems and partners. In addition to updating the document itself, entities should evaluate:

  • Vendor and partner arrangements: Downstream partners must understand and honor SUD‑specific consent limitations to ensure compliant handling of sensitive data. Covered entities are responsible for taking reasonable steps to ensure such compliance.
  • Data‑segregation practices: Many entities may need to better track and segment SUD‑originating information to prevent unauthorized or impermissible use or disclosure.
  • Member and patient communications: Organizations should plan for timely posting of updated notices, updates in annual mailings, and accommodations for multilingual or accessible formats.

Bottom Line

By treating the update as a moment for thoughtful reassessment rather than a technical exercise, health plans and providers can position themselves for more resilient, compliant, and future‑ready privacy governance.


[1] See 45 C.F.R. § 164.520(a)(3)(iii).

[2] See 45 C.F.R. § 164.520(a)(3)(ii).

[3] See Confidentiality of Substance Use Disorder Patient Records, 42 C.F.R. pt. 2 (providing federal restrictions on the use and disclosure of SUD records maintained by federally assisted treatment programs); Fact Sheet: 42 CFR Part 2 Final Rule, U.S. Dep’t of Health & Hum. Servs. (Feb. 8, 2024), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html (announcing the 2024 Final Rule aligning Part 2 with the HIPAA Privacy Rule and describing modifications requiring updated patient notices).

Seyfarth Shaw LLP provides this information as a service to clients and other friends for educational purposes only. It should not be construed or relied on as legal advice or to create a lawyer-client relationship. Readers should not act upon this information without seeking advice from their professional advisers.