February 16, 2026

The latest HIPAA change is an update to the Notice of Privacy Practices (NPP). As of February 16, 2026, the NPP must include additional information about how Substance Use Disorder (SUD) Protected Health Information (PHI) is used, disclosed and protected. The underlying rule was finalized under the Biden administration in 2024, but the required content has changed significantly since then: the separate 2024 rule that would have treated reproductive health care PHI differently was vacated by a federal court in 2025 and no longer applies at the federal level, although some states still impose their own requirements for handling reproductive care PHI. Now that the deadline is here, it is essential to understand what these changes actually mean for your practice.

What's Actually Changing in the Document?

The Final Rule requires practices to update this document for patients (posted on the website and provided in person) by February 16, 2026. Your practice must also check whether your state has additional legislation regarding reproductive health care PHI.

Expanded Scope for SUD Information: SUD records must now be addressed in the NPP of every Covered Entity, regardless of whether the practice focuses specifically on SUD treatment.
Standard Disclosure Language: The notice must explicitly state how the practice discloses SUD records for Treatment, Payment and Health Care Operations (TPO).
Legal Proceeding Protections: The NPP must state that SUD records cannot be used or disclosed in legal proceedings against the patient without the patient's specific written consent or a court order.
Single Consent for TPO: The rule allows patients to sign one consent covering all future uses and disclosures for TPO. Previously, consent for SUD records was handled in a separate document for patients to review.
Fundraising Opt-Outs: If your practice uses SUD records for fundraising communications, the NPP must clearly give patients the opportunity to opt out.
For example, if a rehabilitation center is raising money for a new facility, it cannot contact former patients who have opted out.
Redisclosure Warning: The notice must state that once PHI (including SUD records) is shared with an outside party, the recipient may redisclose it. In other words, once it is shared, the practice cannot control how a third party shares it again.
Universal Accessibility: To remain compliant, practices must ensure the NPP is accessible to all patients, which includes providing translated copies.
State-Specific Requirements: Depending on your state, additional protections for reproductive health PHI may still be in place.

Where do I start?

First, make sure your Notice of Privacy Practices (NPP) is specific to your practice. Your final notice must include your office address and clear contact information for your Compliance or Privacy Officer. To remain compliant, the notice must also be prominently displayed on your website so patients can easily access it and understand their rights.

Your NPP should now include a section that addresses SUD records directly. The federal government provides model language similar to this:

"When applicable, we may use or disclose 42 CFR Part 2 substance use disorder records for treatment, payment, and health care operations as permitted by law. Part 2 records will not be used or disclosed in legal or administrative proceedings against you without your specific written consent or a court order."

Your NPP should also include a section that addresses fundraising. The federal government provides model language similar to this:

"If we were to use or disclose substance use disorder records protected by 42 CFR Part 2 in connection with fundraising, you have the right to opt out of receiving fundraising communications in advance, before any such communications are sent."
Simplify Compliance

Updating your NPP can feel like just another complicated task on an already full plate. For practices where staff wear many hats, finding the resources for a legal deep dive is tough. The simplest way to meet the February 16, 2026 deadline is to lean on experts. Abyde has already done the heavy lifting, automating the necessary HIPAA and SUD record updates so you can focus on what you do best: taking care of patients. Reach out to our team of experts to learn more about the HIPAA updates affecting your practice.

Disclaimer: This post is for informational purposes only and does not constitute legal advice. Health care privacy laws are subject to frequent change and vary by state. Consult a qualified health care attorney or compliance officer to ensure your Notice of Privacy Practices meets all current federal and state requirements.
What You Need to Know: Major Changes to 42 CFR Part 2
February 28, 2024

For practices offering treatment for a substance use disorder (SUD), some major compliance changes have been rolled out. The Substance Abuse and Mental Health Services Administration (the much easier-to-remember SAMHSA) and the Office for Civil Rights (OCR) have announced changes to 42 CFR Part 2, the regulation that governs how substance use disorder patient records must be handled. Some major changes include:

One OK: A single consent is valid for all future uses and disclosures for treatment, payment and health care operations, forgoing repeated permissions and simplifying the process for your practice.
Sharing with Care: Patient information can be shared with public health authorities without specific consent. However, the records must be de-identified first so that the patient cannot be identified.
Enforcement Streamlined: Previously, 42 CFR Part 2 had its own separate penalties. It now adopts the same civil and criminal enforcement as HIPAA violations, ensuring consistency and clear expectations.
Breach Notification and Patient Notice: Part 2 records now follow the same Breach Notification Rule and Notice of Privacy Practices requirements as standard HIPAA.
Safe Harbor: The Safe Harbor provision in 42 CFR Part 2 limits the liability of investigative agencies that follow the proper procedures, such as exercising reasonable diligence to determine whether a provider is subject to Part 2 before obtaining or using its records. Simply put, if an investigative agency has accessed the protected health information of someone in substance use treatment by following the proper procedures, it will be protected.

What this means for your Practice

If you work for a practice that offers treatment for substance use disorder, knowing the changes to this regulation is imperative. With Abyde, we're here to simplify compliance, with our software keeping you up to date and accountable. Review your organization's risks and vulnerabilities with our variety of resources, including our Security Risk Analysis (SRA), which can be completed in minutes.
To learn more about how your practice can be compliant, email us at info@abyde.com and schedule a consultation today.
Understanding the New HHS Resources on Telehealth Privacy and Security: A Guide for Healthcare Providers and Patients
October 20, 2023

The surge in telehealth usage has transformed health care delivery, particularly during the COVID-19 pandemic. While the technology offers numerous benefits, it also raises questions about the privacy and security of Protected Health Information (PHI). To address this, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) recently released two resources to educate health care providers and patients. In this article, we cover the key takeaways from these resources and discuss their implications for HIPAA compliance.

What Has Been Released?

OCR has issued two resource documents:

For Healthcare Providers

Although HIPAA does not require health care providers to educate patients about the risks involved in telehealth, the new resource provides guidelines for those who choose to do so. Topics covered include:

For Patients

Patients are given recommendations to protect and secure their health information, such as:

Why Is This Important?

"Telehealth is a wonderful tool that can increase patients' access to health care and improve health care outcomes," says OCR Director Melanie Fontes Rainer. By educating patients and providers about privacy and security risks, OCR aims to build confidence and encourage the responsible use of telehealth technologies.

Practical Tips for Health Care Providers

Recommendations for Patients

Final Thoughts

The newly released OCR resources offer a practical guide to the privacy and security aspects of telehealth. Health care providers should take this opportunity to improve their practices and educate their patients, enhancing the telehealth experience. For more information on how to stay compliant with HIPAA and other regulations in the health care sector, contact Abyde, your trusted partner in HIPAA and OSHA compliance.
What is the New HIPAA Safe Harbor Law?
January 14, 2021

There are a lot of legislative changes coming in 2021 (including changes to the HIPAA Privacy Rule) that affect your practice's HIPAA program, but there is at least one change we think you should be pretty thrilled about. We're usually pretty happy about HIPAA (we know, we're weird, but we've accepted it), but what should make your practice just as happy? After an unprecedented year of cyber threats and HIPAA enforcement, recently enacted changes to the HITECH Act bring some really good news: reduced HIPAA fines and penalties for data breaches if practices have proper security measures in place.

What Changed

HR 7898, the HIPAA Safe Harbor Bill, was signed into law on January 5, 2021. It amends the HITECH Act to require the Department of Health and Human Services (HHS) to take into account whether a practice has had "recognized security practices" in place for the previous 12 months when investigating a data breach, and to be lenient with fines or other enforcement actions if the practice has met those requirements. Translation: if you have the HIPAA Security Rule basics down, and appropriate technical safeguards in place to mitigate your identified threats, you will be able to stress less when a breach occurs and see a lot fewer $$$ going to HHS. See why it's not just us who should be happy about this one?

What Else to Know

So smaller fines are a major plus, but what's the fine print? Like any law, there are a few caveats to make sure your practice gets to enjoy these incentives. The one that matters most: the law does not lower the Security Rule's requirements or excuse a breach. HHS considers only whether the recognized practices were in place for the 12 months before the incident, so a program stood up after a breach will not help.

The next question: what do "recognized security practices" mean? The law defines them as the standards and guidelines developed under section 2(c)(15) of the NIST Act (the NIST Cybersecurity Framework), the approaches developed under section 405(d) of the Cybersecurity Act of 2015, and other programs and processes that address cybersecurity and are explicitly recognized by statute or regulation.

What to do NOW

To put it frankly, if you don't have the required security standards in place already, it's time to get a move on. Implementing these recognized security practices could mean the difference between a hefty fine or enforcement action and a lighter one if your practice ever falls victim to a data breach or other HIPAA violation, which is often out of your control.

What is really important about this law change is that having some cyber security measures in place does not cut it. If you don't have the specific measures required under the HIPAA Security Rule (the Security Risk Analysis, documentation, and more), you will not meet the requirements outlined in HR 7898. This is another way compliance and security go hand in hand: to get the benefit of reduced fines, you need both.