HIPAA 2026 Privacy Rule Update

HIPAA Privacy Rule Changes Require Action Before February 16, 2026

Recent updates to the HIPAA Privacy Rule require healthcare providers across the United States to revise their Notice of Privacy Practices before February 16, 2026.

As required under HIPAA, a Notice of Privacy Practices must be provided to patients before or on the date healthcare services are delivered. The updated regulations now include expanded language requirements and additional protections, particularly related to substance use disorder records under 42 CFR Part 2.

What Must Be Included in the Updated Notice of Privacy Practices

The revised Notice of Privacy Practices must now include:

  • A specific header stating: “This notice describes how medical information about you may be used and disclosed and how you can get access to this information. Please review it carefully.”
  • A description of permitted uses and disclosures with authorization under 45 CFR 164.502 to 164.512.
  • A statement confirming that protected health information will not be used or disclosed without authorization and that individuals have the right to revoke authorization, subject to regulatory limitations.
  • A summary of individual rights related to protected health information.
  • Contact information for the individual designated to respond to privacy questions.
  • The effective date of the Notice of Privacy Practices.
  • Notice of the potential for redisclosure of protected health information.
  • A clear and conspicuous opportunity to opt out of fundraising communications, if applicable.

New Requirements for Substance Use Disorder Records Under 42 CFR Part 2

Entities that create or maintain substance use disorder records under 42 CFR Part 2 are subject to additional restrictions and notice requirements.

Patients must receive adequate notice of permitted uses and disclosures of substance use disorder records and of their rights and the covered entity’s legal duties. Disclosure for treatment, payment, or healthcare operations remains limited under Part 2 legislation.

Key limits include:

  • Substance use disorder records, or testimony regarding their content, may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against an individual without written consent or a court order following notice and opportunity to be heard.
  • Any court order authorizing disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure.
  • If state laws are more restrictive than HIPAA regarding substance use disorder information, those requirements must be reflected in the Notice of Privacy Practices.
  • Covered entities receiving or maintaining substance use disorder records may not disclose such information for treatment, payment, or healthcare operations without the patient’s written consent.

Why This Matters for Provider Lifecycle Professionals

Even if Provider Lifecycle Professionals are not directly responsible for drafting or revising the Notice of Privacy Practices, these updates remain highly relevant.

Protected health information frequently intersects with credentialing, privileging, peer review, enrollment, and licensing responsibilities. Understanding the 2026 HIPAA changes strengthens a PLP’s ability to ensure that information reviewed, received, or relied upon was obtained legally and in compliance with federal and state regulations.

Compliance awareness is not limited to privacy officers. It is part of responsible governance across the provider lifecycle.

