Your HIPAA Privacy Notice Needs an Update by Feb. 16, 2026. Here’s the Practical Path.
Let’s talk about the least exciting thing that can still cause very expensive problems: your HIPAA Notice of Privacy Practices (NPP).
Federal rules now require many practices to update their NPP by February 16, 2026, largely because of new confidentiality standards for certain records related to substance use disorder (SUD) under the Part 2 regulations. This is a real compliance deadline. At the same time, enforcement is usually complaint-driven, meaning it often shows up after something else goes wrong. That’s why this update is less about panic and more about positioning your practice well: fix it quickly, document progress, and make sure your notice actually matches how your practice handles records.
What changed, and why this affects more than “addiction treatment” providers.
In 2024, HHS finalized changes that align key Part 2 confidentiality concepts with HIPAA. Part 2 historically imposed stricter rules on SUD treatment records than HIPAA does for other protected health information. The updated rules keep that heightened sensitivity but integrate it into the HIPAA ecosystem, including the content that must appear in your NPP. The takeaway: this is not just for dedicated SUD treatment programs. Many general medical practices and mental health providers receive Part 2-protected information through referrals, discharge summaries, care coordination, or record requests. If your practice ever receives SUD treatment records from a Part 2 program, your NPP likely needs Part 2-related updates.
Deadline reality check: Yes, February 16th is the compliance date, but enforcement is usually reactive.
As of February 16, 2026, the updated NPP requirements are in effect. That means an outdated notice is a technical compliance problem starting that day. At the same time, the federal government is not realistically auditing every small practice on February 16. In practice, NPP issues most often surface when something else happens: a patient complaint, a breach, an inquiry from the HHS Office for Civil Rights (OCR), a payer/partner diligence request, or a lawsuit where privacy practices get scrutinized.
So if your practice is running a little behind but is actively working toward compliance and finalizes the update shortly after the deadline, the practical risk is typically lower than if the practice ignores the requirement. The safest posture is: (1) move fast, (2) document progress, and (3) implement as soon as the language is finalized.
What your updated NPP should cover.
An NPP update is not just “add a paragraph.” Start by confirming your notice contains all baseline HIPAA elements. Then layer in the new Part 2-related content where applicable.
Baseline HIPAA content (many older notices are missing these):
- The required opening statement that explains the notice is about how medical information may be used and disclosed, and how the individual can access it.
- A description of how the practice may use and disclose information without authorization (including treatment, payment, and health care operations, plus other uses permitted or required by law).
- A clear statement that other uses/disclosures generally require written authorization, and that an authorization can be revoked (with standard limitations).
- A plain-language summary of patient rights (access, amendments, accounting of disclosures, restrictions, confidential communications, and the right to a paper copy).
- Current contact information for questions and complaints, including how to contact OCR.
- The effective date of the notice and a statement describing the practice’s duties and the right to change the notice.
Part 2 / SUD-related content (when you create, receive, maintain, or transmit Part 2-protected records):
- A notice of the individual’s rights and your duties with respect to SUD treatment records covered by Part 2.
- A statement (with the required level of specificity) that Part 2 records have additional limits on how they may be used or disclosed, including in legal proceedings.
- Clarity that, unlike most HIPAA-protected information, Part 2-protected records generally require written consent even for routine activities that would otherwise fall under treatment, payment, or health care operations.
- A redisclosure warning explaining that recipients of information may redisclose it and, depending on the recipient, it may no longer be protected by HIPAA.
- If you fundraise using Part 2-protected information, a clear and conspicuous opt-out opportunity must be provided before fundraising communications are sent.
Important note: the Part 2 legal-proceedings protection has very specific regulatory language. Many templates get this wrong. Your NPP should track the rule and reflect your actual workflow (for example, how subpoenas are routed, who evaluates requests, and when a court order is required).
Who is most likely affected?
You should assume these updates matter to you if any of the following are true:
- You provide SUD diagnosis, treatment, or referral services (including medication-assisted treatment or integrated behavioral health).
- You receive records from a Part 2 program (rehab/IOP/PHP programs, MAT clinics, SUD counselors, certain hospital-based programs).
- You coordinate care with other providers where SUD treatment information may be exchanged (care coordination platforms, HIE participation, integrated systems).
- You are a health plan that may receive SUD treatment records regulated by Part 2.
If you are unsure whether you have Part 2-protected information, do not guess. A quick inventory of referral sources, record intake workflows, and EHR document types often answers the question.
What to do now: a “good-faith” action plan.
Here is the practical path that reduces risk and gets you across the finish line:
- Identify whether your practice is a Part 2 program or a “lawful holder” that receives Part 2-protected records.
- Review your existing NPP against the baseline HIPAA checklist and fix any gaps before layering in the new language.
- Update related workflows that the NPP assumes are true (consent forms, staff training, subpoena/legal request procedures, and business associate/vendor expectations).
- Finalize the revised NPP and set an effective date. Keep a simple internal record of your progress (draft dates, review notes, approval date, implementation date).
- Implement: post on your website (if you have one), make paper copies available at your location(s), and provide the notice to new patients at first service delivery.
If you miss the deadline by a short window, the “good-faith” record is your friend. It shows this was a compliance project in motion, not something the practice ignored until an incident forced the issue.
Distribution, acknowledgments, and the “do we have to mail this?” question.
Most practices do not need to mail updated notices to existing patients or collect new acknowledgments solely because the notice changed. The standard HIPAA approach is to make the revised notice available and provide it to new patients at first service delivery, along with posting it prominently if the practice maintains a website.
Language access and accessibility.
Remember that nondiscrimination and accessibility rules can affect how you deliver your NPP. Depending on your patient population and setting, you may need translated versions or accessible formats. This is especially important for multi-site practices and practices serving communities where languages other than English are common.
How Mayer Law can help.
If you want this handled quickly and correctly, Mayer Law can help you:
- Determine whether Part 2 applies to your practice (Part 2 program vs. lawful holder).
- Review your current NPP for baseline HIPAA compliance issues and update it for the Part 2 requirements.
- Align your NPP with your real-world workflows (consents, care coordination, legal requests, and vendor access).
- Identify related policy updates and provide staff-facing guidance so the NPP matches actual practice.
If your current NPP is vendor-generated, outdated, or doesn’t reflect how your practice actually uses and shares information, this is a good moment to fix it, not just patch it.
Bottom line: the February 16, 2026, deadline is real, but the smartest move is simple: update your notice, align your workflow, and keep a short record showing you took it seriously. That way, if a complaint, breach, or records dispute ever puts you on OCR’s radar, you’re not explaining why the basics were ignored.