2026 HIPAA Notice of Privacy Practices (NPP) – Required Updates

By February 16, 2026, all HIPAA-covered entities, including physician practices, clinics, and hospitals, must update their Notice of Privacy Practices (NPP) to reflect federal rule changes that went into effect last year but which were partially impacted by a subsequent court ruling.

Background

The HIPAA Privacy Rule to Support Reproductive Health Care Privacy (Final Rule) was published by the Department of Health and Human Services Office for Civil Rights (OCR) in April 2024, as a response to the Dobbs v. Jackson Women’s Health Organization decision in 2022 that allowed states to legally prohibit abortion. The Final Rule addressed public concern about protected health information (PHI) being shared with state agencies, law enforcement, and other authorities for the investigation or prosecution of legally provided reproductive care; and it prohibited all HIPAA covered entities and business associates from using or disclosing PHI when requested to investigate or impose liability for such care.

Of particular note, the Final Rule also includes enhanced protections for substance use disorder (SUD) records. While provisions relating to reproductive healthcare and SUD records went into effect immediately in 2025, the Final Rule set an extended deadline of February 16, 2026 for updating the HIPAA Notice of Privacy Practices to reflect these new protections.

In June 2025, a federal court vacated the Final Rule as it applied to the reproductive health privacy provisions, but the court left the SUD protections in place. Thus, HHS has confirmed that the required protections relating to SUD records remain undisturbed, and related NPP modifications must be implemented by the deadline.

Key Required Changes to the NPP

  • Enhanced notice of rights and protections for SUD records: The NPP must explain that certain SUD-related PHI may be subject to additional federal confidentiality protections and must describe the permitted uses/disclosures, individual rights, and the practice’s duties for those records.
  • Limits on use/disclosure in legal proceedings: The NPP must state that SUD records (and testimony about them) generally may not be used or disclosed in proceedings against the individual unless the individual consents in writing, or upon receipt of a valid court order.
  • Fundraising opt-out (if applicable): If the practice uses PHI for fundraising, the NPP must describe the right to opt out, and the opt-out must clearly describe when SUD records are used for fundraising purposes.
  • Redisclosure statement: The NPP must advise patients that information disclosed may be redisclosed by the recipient and may no longer be protected under the HIPAA Privacy Rule (subject to other applicable laws).

Bottom Line

All HIPAA covered entities are required to provide patients with a HIPAA Notice of Privacy Practices upon establishment of care. Even if your practice does not specialize in SUD treatment, you should review and update your HIPAA NPP if you create, receive, or maintain PHI that includes or may include SUD-related information.

Prior to or as soon as possible after February 16, 2026, practices should:

  1. Review and update privacy policies and staff training to ensure appropriate handling of SUD-related patient information under the new requirements.
  2. Update the NPP in plain language to incorporate the new Part 2-related disclosures and patient rights, consistent with actual policies and procedures.
  3. Post and make available the updated NPP: make it available at your practice, post it on your website (if applicable), provide it to new patients, and furnish it upon request.
  4. Assess business associate relationships (e.g., EHR, billing, analytics) to confirm responsibilities align with updated requirements when vendors create, receive, maintain, or transmit SUD-related information.

Sample Language for Notice of Privacy Practices:

Note: This is sample language for general compliance support and should be reviewed by legal counsel before final implementation. This language is designed for inclusion in an existing HIPAA NPP and should be customized to reflect your practice’s actual operations.

Special Protections for Substance Use Disorder Records:

Some of the health information we maintain may relate to substance use disorder (SUD) diagnosis, treatment, or referral for treatment. This information may be subject to additional federal confidentiality protections under a law known as 42 C.F.R. Part 2, which provides greater privacy protections than HIPAA for certain records.

When these additional protections apply, we may be more limited in how we use or disclose this information, even for treatment, payment, or health care operations, unless you provide written consent or another legal exception applies. [hipaaguide.net], [bhfs.com]

Uses and Disclosures of SUD Records:

When permitted by law, we may use or disclose SUD‑related records for purposes such as treatment coordination, billing, and health care operations. However, certain uses and disclosures require your specific written consent, and you have the right to limit or revoke that consent as allowed by law. [koleyjessen.com], [hipaajournal.com]

We will not use or disclose SUD records in ways that are prohibited by federal law.

Use of SUD Records in Legal Proceedings:

SUD treatment records and testimony about those records may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against you unless:

  • You provide written consent, or
  • A court issues an order authorizing the use or disclosure after you have received notice and an opportunity to be heard.

A subpoena or other legal demand alone is not sufficient to permit disclosure of these records. [bhfs.com], [koleyjessen.com]

Fundraising Communications (If Applicable):

If we engage in fundraising activities, you have the right to opt out of receiving fundraising communications at any time. We will not condition treatment or payment on your decision. If SUD‑related information is used for fundraising purposes, you will be given a clear and conspicuous opportunity to opt out before such use occurs. [hipaaguide.net], [natlawreview.com]

Your Rights Regarding SUD Information:

In addition to your rights under HIPAA, you may have the right to:

  • Request restrictions on certain disclosures of SUD records
  • Receive an accounting of disclosures of your SUD records
  • File a complaint with the U.S. Department of Health and Human Services if you believe your privacy rights have been violated

We will not retaliate against you for filing a complaint. [hipaajournal.com]

Notice of Potential Redisclosure:

Information disclosed by us may be redisclosed by the recipient and may no longer be protected under HIPAA or other federal privacy laws, unless another law applies. This applies to both general health information and, where permitted by law, SUD‑related information. [koleyjessen.com]

Changes to This Notice:

We reserve the right to change the terms of this Notice at any time. Any changes will apply to all protected health information we maintain. The updated Notice will be available upon request, in our office, and on our website, if applicable.