The HIPAA Notice of Privacy Practices (NPP) must be updated by February 16, 2026, to reflect stricter Substance Use Disorder (SUD) rights and protections. The government has yet to provide model language, so as the deadline draws near, it may be time for employers to ask benefits counsel for help amending their NPP.
Purpose: SUD health care providers are referred to in HIPAA as Part 2 providers. When they submit claims for payment to a health plan, that is considered Part 2 data subject to stricter requirements on uses and disclosures. When the employer is responsible for distributing the NPP for a health plan receiving Part 2 SUD data, they must ensure the NPP is updated by February 16, 2026, to reflect new rights and restrictions that apply to SUD data, including the following:
- Enhanced privacy for SUD records: Must explain the stricter rules that apply to uses and disclosures of SUD records received from a Part 2 program, and interactions with other laws
- Restricted access for legal proceedings: Must require specific consent or a court order to disclose SUD records for a civil, criminal, administrative, legislative, or other legal proceeding (SUD counseling notes are subject to the same legal restrictions that apply to psychotherapy notes)
- Redisclosure warning: Must warn that properly disclosed SUD PHI may not be protected from redisclosure
- Fundraising opt-out: Must provide a clear and conspicuous way to opt out of fundraising communications tied to SUD records
As stated, with the deadline just next month and no model language from the government, employers may want to explore having benefits counsel update their NPP to meet the deadline.
Applies To:
- Employers sponsoring a fully insured medical plan that includes claims analytics drill-down data feeds or other access to Protected Health Information (PHI).
- Employers sponsoring a self-insured medical plan, including a level-funded plan, FSA, HRA, or ICHRA. The requirement also includes any carve-out/bolt-on benefit that is not fully insured and must be “integrated” with the employer’s medical plan (telemedicine, fertility, Rx carve-out, etc.).
(Note: only a self-insured, self-administered health plan with fewer than 50 eligible employees is exempt from HIPAA Privacy & Security rules and NPP.)
Penalties for Non-Compliance:
Standard HIPAA penalties apply for failing to comply with the new requirements by the deadline, but given that HHS promised employers it would provide model language, it seems reasonable that potential enforcement actions would not go straight to penalty assessment.
Practical Impact to Employers:
Time is running out in awaiting model language from HHS. For cautious employers, it may be worth engaging benefits counsel to update the NPP and distribute the updated version by the February 16, 2026, deadline. This may also require updates to some policies and procedures and some training for those handling PHI to understand the extra rights and restrictions for SUD PHI.