HR Management & Compliance

Here’s What You Need to Know About HIPAA’s February 2026 Compliance Deadline

Updates to the Health Insurance Portability and Accountability Act (HIPAA) notice of privacy practices (NPP) are required by February 16, 2026. Below is an overview of what changes are required and how health plan sponsors can comply.

Background

HIPAA requires covered entities, including group health plans, to maintain and distribute NPPs that outline how a covered entity may use and disclose an individual’s protected health information (PHI), along with other required content and disclosures.

In April 2024, the Department of Health and Human Services (HHS) issued a final rule that (1) strengthened HIPAA privacy protections related to reproductive healthcare; and (2) revised the NPP requirements for consistency with other HHS regulations concerning substance use disorder treatment records (known as part 2 records).

In June 2025, the U.S. District Court for the Northern District of Texas vacated the reproductive healthcare privacy protections. However, the ruling didn’t affect the requirement that health plan sponsors update their NPPs for part 2 records.

Impact on Plan Sponsors

Fully insured plans. Although insurance carriers typically manage the NPP, fully insured plan sponsors must make the required updates by February 16, 2026, if the employer creates or receives PHI beyond summary health information or information used for enrollment.

Self-insured plans. Employers sponsoring self-insured plans are responsible for updating their NPPs by the February 16 deadline.

Plans must distribute the updated NPP to participants within 60 days of making the changes. However, if a plan typically posts its NPP on a website where participants can access plan documents, the plan sponsor may post the updated NPP online and include the revised notice in its next annual mailing. Plans must also provide the updated NPP to all new participants and anytime an existing participant requests it.

Required Changes

Here are the new privacy protections for the part 2 records concerning substance use disorder treatment, which health plan sponsors must implement and provide notice for:

  • Notice of rights. Your updated NPP must reference part 2 records, including how the records may be used or disclosed, the individual’s rights, and the covered entity’s duties related to the records.
  • Higher standard. It must include an explanation that part 2 records are not treated like other PHI and generally cannot be disclosed for treatment, payment, and healthcare operations without specific patient consent.
  • Limitations on use. It must state that covered entities may not use or disclose part 2 records in a civil, criminal, administrative, or legislative proceeding against the individual without written consent from the individual or a court order.
  • Fundraising. Organizations that maintain part 2 records for use or disclosure related to their own fundraising must update the NPP to clearly and conspicuously inform individuals of their right to opt out of receiving fundraising communications.

Takeaways

Health plans that previously updated their NPP to comply with the now-vacated reproductive healthcare protections should consider revising or removing that language accordingly. Also, policies and procedures should be updated as needed to ensure that authorization forms and related practices are consistent and align with the new disclosure requirements.

Malerie Bulot, a shareholder of The Kullman Firm, may be reached at mlb@kullmanlaw.com. Emily Tastet, an associate of The Kullman Firm, may be reached at eet@kullmanlaw.com. Dwayne Littauer, a shareholder of The Kullman Firm, may be reached at dl@kullmanlaw.com. Martin J. Regimbal, a shareholder of The Kullman Firm, may be reached at mjr@kullmanlaw.com.
