Healthcare Employers: Don’t Miss the Feb. 16, 2026 HIPAA Privacy Notice Deadline

If your business is required to maintain a Notice of Privacy Practices under HIPAA, mark your calendar. You have until February 16 to update your NPP with new requirements related to substance use disorder treatment records.

Here’s what you need to know to stay compliant.

Quick Background on HIPAA Privacy Notices

The federal HIPAA Privacy Rule sets national standards for protecting individuals’ protected health information (PHI). If you’re a covered entity like a health plan or healthcare provider, you’re required to maintain and distribute a Notice of Privacy Practices (NPP). For employers, this typically applies if you sponsor a self-funded group health plan or a fully insured plan where your organization creates or receives PHI beyond summary information.

For employers with self-insured (self-funded) group health plans, the employer is responsible for ensuring the plan maintains and distributes a compliant Notice of Privacy Practices and for updating that notice when required by changes in HIPAA or other applicable federal law.

What Changed in 2024

In April 2024, the Department of Health and Human Services issued a final rule that strengthened HIPAA privacy protections around reproductive healthcare and modified NPP requirements to align with Part 2 regulations governing substance use disorder treatment records. While a federal judge later struck down the reproductive healthcare provisions, the SUD-related NPP modifications remain in effect.

Who Needs to Update Their NPP by February 16

These new requirements apply to any HIPAA covered entity that creates or maintains protected health information (PHI) that is also a record of substance use disorder (SUD) treatment provided by a Part 2 program. These obligations are particularly relevant for self-insured group health plans, which are HIPAA covered entities and must independently comply with the updated NPP requirements. If a self-insured plan creates or maintains SUD treatment records from a Part 2 program, the plan’s NPP must be updated accordingly, even if a third-party administrator handles day-to-day plan operations.

Covered entities subject to these rules must update their NPP to comply with the heightened confidentiality requirements for Part 2 records.

Required updates include modifying the NPP to address how Part 2 records may be used or disclosed, explaining individuals’ rights and the organization’s duties related to these records, referencing Part 2 as “other applicable law” that is more stringent than HIPAA, and clarifying that covered entities may not use or disclose Part 2 records in legal proceedings without written consent or a court order.

While self-insured employers often rely on third-party administrators or vendors, the legal responsibility for maintaining a compliant NPP remains with the group health plan sponsor, making it critical for employers to confirm that plan documents and privacy notices have been updated appropriately.

If an organization creates or maintains Part 2 records and intends to use those records for fundraising, the NPP must also clearly inform individuals of their right to opt out of fundraising communications.

Distribution Requirements Matter Too

Once you’ve updated your NPP, distribution timing depends on whether your plan posts the notice to a website. If you post online, you must prominently display the changes or revised NPP by the effective date and provide the revised notice or information about material changes in your next annual mailing. If you don’t post online, you need to provide the revised notice or change information within 60 days of the material changes.

For self-insured group health plans, these distribution requirements apply at the plan level, meaning employers must ensure the revised notice is distributed to plan participants in accordance with HIPAA’s timing and delivery rules.

Don’t Wait Until the Last Minute

Now is the time to review your NPP contents and privacy practices to ensure compliance with all applicable HHS rules. As of this writing, HHS hasn’t issued sample language for these updates, so you’ll need to work with counsel to revise your NPP appropriately and address any questions about the HIPAA Privacy Rule.

Need Help Navigating Healthcare Compliance?

Our healthcare team understands the complexity of staying compliant in an ever-changing regulatory environment. We partner with healthcare organizations across Florida to provide strategic guidance on everything from HIPAA requirements to operational best practices. Let’s talk about how we can help your organization meet its compliance obligations while focusing on what you do best: caring for patients.

All content provided in this article is for informational purposes only. Matters discussed in this article are subject to change. For up-to-date information on this subject, please contact a James Moore professional. James Moore will not be held responsible for any claim, loss, damage or inconvenience caused as a result of any information within these pages or any information accessed through this site.