As we move closer to the February 16 deadline, this is a reminder for HIPAA covered entities to confirm they are on track to update their Notice of Privacy Practices (“NPP”) to comply with the finalized federal requirements governing substance use disorder (“SUD”) records under 42 C.F.R. Part 2 (read the Fact Sheet here).

The underlying rules are not new. However, the compliance deadline is approaching, and for many organizations, the required updates will touch more than just the notice itself.

Why This Update Is Required

In February 2024, the U.S. Department of Health and Human Services (“HHS”) finalized revisions to 42 C.F.R. Part 2, aligning portions of the SUD confidentiality regulations with the HIPAA Privacy Rule pursuant to the CARES Act.

While the rule expanded certain permitted uses and disclosures of SUD records for treatment, payment, and health care operations, it retained heightened confidentiality protections and introduced additional notice obligations. As part of that framework, covered entities that handle Part 2 records must ensure their NPP accurately reflects these requirements.

The deadline to comply with the notice-related provisions is February 16, 2026.

Who This Applies To

The NPP update requirement applies to any HIPAA covered entity that creates, receives, maintains, or transmits SUD records protected by Part 2, even if the entity is not a SUD treatment program.

This can include:

  • Health care providers
  • Group health plans
  • Employer-sponsored health plans
  • Health plans and insurers
  • Care coordination and integrated care arrangements
  • Digital health platforms and vendors operating within covered entity workflows

Importantly, some organizations may be subject to Part 2 notice obligations simply because SUD records pass through their systems, even if SUD treatment is not their primary function.

That said, not all group health plans are required to issue their own NPP. Fully insured plans may generally rely on their insurer’s NPP if they do not receive PHI beyond enrollment data or summary health information. Plans that receive more extensive PHI remain responsible for maintaining and updating their own notice.

What the Updated NPP Must Address

An updated NPP must accurately describe how SUD records are used and disclosed under Part 2 and must reflect the more stringent protections that apply to those records.

At a high level, the revised NPP should address:

  • Uses and disclosures of SUD records, including when written patient consent is required
  • Patient rights specific to SUD information
  • The covered entity’s legal duties with respect to Part 2 records
  • A clear statement that SUD records and related testimony cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against the patient, absent a written consent or qualifying court order
  • Fundraising opt-out rights, if applicable

Part 2 patient notice requirements may be incorporated into a HIPAA NPP, provided all required disclosures are included.

Practical Compliance Considerations

For many covered entities, this update should be treated as more than a document refresh.

As the deadline approaches, organizations should consider:

  • Whether their current NPP accurately reflects Part 2 handling in practice
  • How SUD records move through internal systems and workflows
  • Whether vendors or business associates handle Part 2 records
  • Whether business associate agreements need to be updated to address Part 2 obligations
  • Whether workforce training or subpoena response procedures need adjustment

While updating the NPP alone does not automatically require changes to business associate agreements, BAAs should be reviewed if vendors create, receive, or maintain Part 2 records on the covered entity’s behalf.

Bottom Line

This is not a new requirement, but February 16 is a firm compliance date. Covered entities that handle SUD records should confirm now whether Part 2 applies to their operations and ensure their NPP updates are underway and that policies, vendor relationships, and operational practices are all aligned.

Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Adam Appleberry Adam Appleberry

Adam is a healthcare attorney focusing on compliance, credentialing, peer review, reimbursement, contracts, HIPAA, and telehealth issues for physicians.

As a former business executive and U.S. Army officer, Adam brings a unique, real-world perspective to the practice of law. He focuses his legal…

Adam is a healthcare attorney focusing on compliance, credentialing, peer review, reimbursement, contracts, HIPAA, and telehealth issues for physicians.

As a former business executive and U.S. Army officer, Adam brings a unique, real-world perspective to the practice of law. He focuses his legal practice on helping physicians, medical professionals, and healthcare organizations proactively address legal and regulatory challenges—whether forming a private practice, navigating employment and partnership agreements, or preparing for a sale or acquisition.

Read more about Adam AppleberryAdam's Linkedin Profile
Show more Show less

Med Law Blog Editor

About Our Practice Group

Tucker Arensberg’s Healthcare Practice Group includes some of the most experienced health law attorneys in the region. We handle the legal problems so our clients can handle the important work of caring for patients. We work with physicians, physical therapists, dentists, optometrists, and all other professional care givers to help them avoid the many legal traps of running a practice. Tucker Arensberg lawyers have experience in all major health law issues.