February 16, 2026

The latest HIPAA change is an update to the Notice of Privacy Practices (NPP). As of February 16, 2026, the newest version of the NPP must include further information about how Substance Use Disorder (SUD) Protected Health Information (PHI) is handled and secured. While this was initially ruled under the Biden administration in 2024, the updated content has seen significant changes, including the removal of proposed legislation that would treat reproductive healthcare PHI differently. However, while some states still have additional requirements for handling reproductive care PHI, those requirements were struck down at the federal level by a court ruling in 2025. Now that the deadline is here, it’s essential to understand what these changes actually mean for your practice.

What’s Actually Changing in the Document?

The Final Rule requires practices to update this document for patients (posted on the website and provided in person) by February 16, 2026. Your practice must also review whether your state has additional legislation regarding reproductive healthcare PHI.

Expanded Scope for SUD Information: SUD records must now be included in the NPP for all Covered Entities, regardless of whether the practice focuses specifically on SUD treatment.

Standard Disclosure Language: The notice must explicitly state how the practice discloses SUD records for Treatment, Payment, and Healthcare Operations (TPO).

Legal Proceeding Protections: The NPP must state that SUD records cannot be disclosed in legal proceedings without specific written patient consent or a formal court order.

Single Consent for TPO: The rule does allow patients to sign one consent for all future uses and disclosures for TPO. Previously, SUD records were discussed in a separate document for patients to review.

Fundraising Opt-Outs: If your practice uses SUD records for fundraising communications, the NPP must clearly provide patients with the opportunity to opt out. For example, if a rehabilitation center is seeking to raise money for a new facility, it cannot reach out to former patients who have clearly opted out.

Redisclosure Warning: The notice must highlight that once PHI (including SUD records) is shared with an outside party, it may be subject to redisclosure by the recipient. In other words, once it’s shared, it’s tough to control how it is shared again by third parties.

Universal Accessibility: To remain compliant, practices must ensure the NPP is accessible to all patients, which includes providing translated copies.

State-Specific Requirements: Depending on your state, additional protections for reproductive health PHI may still be in place.

Where do I start?

First, ensure your Notice of Privacy Practices (NPP) is already specific to your practice. Your final notice must be specific, include your office address, and provide clear contact information for your Compliance or Privacy Officer. To remain compliant, this notice must also be prominently displayed on your website so patients can easily access and understand their rights.

Your NPP should now include a section that addresses these SUD records directly. The federal government provides model language similar to this:

When applicable, we may use or disclose 42 CFR Part 2 substance use disorder records for treatment, payment, and health care operations as permitted by law. Part 2 records will not be used or disclosed in legal or administrative proceedings against you without your specific written consent or a court order.

Your NPP should now include a section that mentions fundraising as well. The federal government provides model language similar to this:

If we were to use or disclose substance use disorder records protected by 42 CFR Part 2 in connection with fundraising, you have the right to opt out of receiving fundraising communications in advance, before any such communications are sent.

Simplify Compliance

Updating your NPP can feel like just another complicated task on an already full plate. For practices where you’re wearing many hats, finding the resources for a legal deep-dive is tough. The simplest way to handle the February 16, 2026, deadline is to lean on experts. Abyde has already done the heavy lifting, automating the necessary HIPAA and SUD record updates so you can focus on what you do best: take care of patients. Reach out to our team of experts to learn more about HIPAA updates affecting your practice.

Disclaimer: This post is for informational purposes only and does not constitute legal advice. Health care privacy laws are subject to frequent change and vary by state. Consult with a qualified health care attorney or compliance officer to ensure your Notice of Privacy Practices meets all current federal and state requirements.

What is a HIPAA Notice of Privacy Practices & Why Do You Need One?
June 10, 2021

Whether you’re a self-appointed 5-star chef or an Uber Eats connoisseur, you know that skipping one small ingredient (or forgetting the guacamole on your Chipotle burrito) can throw the whole meal off. And while there aren’t many similarities between cooking up your famous casserole dish and implementing a complete HIPAA program – both require various steps that are each essential to the final product. So amongst the exhaustive list of HIPAA essentials like the Security Risk Analysis (SRA), annual staff training, business associate agreements, and more – falls an important and often overlooked ingredient in achieving compliance, the Notice of Privacy Practices (NPP).

What is it?

Under the HIPAA Privacy Rule, covered entities are required to provide patients with a notice that states how their protected health information (PHI) will be used and shared. In a nutshell, the purpose of the document is to clearly outline the practices you have in place to protect the privacy of sensitive data (hence the name Notice of Privacy Practices) along with your organization’s legal responsibilities and patients’ rights to their own PHI.

What’s in it?

Creating a proper notice requires a little prep work, so in looking at the meat and potatoes of what goes into this important HIPAA document, the NPP should include a description of the following:

How do I provide it?

It’s one thing to have all of the ingredients needed for the NPP, but the part that often gets healthcare organizations in a pickle is determining how to properly and securely serve it to patients. Typically, the notice is given to a patient at their first appointment along with other important documents like the HIPAA authorization form. But simply getting a copy signed once isn’t all that’s needed. Most practices don’t understand it’s a HIPAA requirement to also post the notice in a clear and easily accessible location to the patient. Additionally, if your practice has a website, a copy of the NPP should be posted and readily available there as well.

Why is it so important?

Compared to the many other more complex pieces of a complete HIPAA program, putting together a Notice of Privacy Practices seems almost as easy as whipping up a box of Kraft Mac and Cheese. However, according to the most recent HIPAA Audit Results, only 2% of covered entities fully met the NPP requirements while two-thirds failed to comply or made minimal or negligible efforts to comply. So why is there such an overwhelming amount of noncompliance for a relatively easy standard to meet? Well, the report found that many entities audited were able to submit some type of document, but the majority could not provide a notice that was written in plain language, and most were missing required content often related to individual rights.

In addition to the widespread lack of proper content within the notice, the report also found that many entities failed to meet the prominently posted requirement. This meant that even if the entities had the notice and posted it on their website – if it wasn’t easily accessible from the website’s homepage it didn’t cut it in the OCR’s books.

Some food for thought?

Having a complete compliance program in place starts with following the recipe of HIPAA requirements. Ensuring that your practice has a properly written and accessible NPP might only be a small piece of the whole HIPAA pie – but just like forgetting to add yeast when baking the crust, missing one requirement – even if you have everything else in place – can cause all of your other compliance efforts to fall flat.

