No Items in Cart 
Starting next week, on February 16th, 2026, the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) is requiring all health plans and most health care providers to update their Notices of Privacy Practices (NPPs). Additionally, the Substance Abuse and Mental Health Services Administration (SAMHSA) is also reminding employers of the upcoming deadline. Generally, under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must develop and distribute a Notice of Privacy Practices that provides a clear, user-friendly explanation of individuals' rights. Specifically, these rights are governed by the HIPAA Privacy Rule and pertain to personal health information and the privacy practices of health plans and health care providers. Earlier, in May 2025, the HHS joined other federal agencies in granting mental health parity relief within group health plans.
What Is the HIPAA Privacy Rule?
HIPAA is a federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement HIPAA requirements. Standards under the HIPAA Privacy Rule address the use and disclosure of protected health information (PHI) by covered entities. Additionally, it protects an individual’s rights to understand and control how covered entities use their health information.
What Are Notices of Privacy Practices?
Markedly, NPPs explain to patients how a HIPAA‑covered entity uses and discloses protected health information and outline individuals’ privacy rights. In detail, covered entities include:
- most healthcare providers,
- health plans,
- business associates, and
- healthcare clearinghouses.
These covered entities may disclose PHI only as expressly permitted or required by the HIPAA Privacy Rule.
Required Updates to Notices of Privacy Practices
As shown above, covered entities must update their NPPs by Monday, February 16th, 2026. Most of the required updates are intended to align HIPAA with recently revised regulations governing “substance use disorder” (SUD) records. A SUD record is a confidential document containing information about a patient's diagnosis, treatment, or referral for alcohol or drug abuse. In particular, these records are typically created by a federally assisted program. In any event, these records, including notes, billing records, and electronic records, are protected to prevent discrimination and ensure equitable treatment.
As of February 16, group health plans and health care providers must update their privacy practices notices to include the following:
- How SUD records can be used and disclosed, including any requirement for written consent; and
- A statement on how the use of SUD records is prohibited from being included as testimony in civil, criminal, administrative, and legislative proceedings against a patient, absent a specific patient consent or a court order.
Employer Takeaways
In conclusion, employers should also remember that the HIPAA Privacy Rule protects an employee’s PHI from unlawful disclosure related to employment. Possible instances may include when offering reasonable accommodations or when interviewing and hiring. However, in addition to complying with the Privacy Rule, employers must update their Notices of Privacy Practices by February 16. Previously, to assist employers in creating a compliant NPP, the HHS offered model templates to follow. It is important to note that, as of the date of this blog post, the agency has not updated its model to reflect the SUD requirements. Lastly, it is unclear whether these templates will be updated in the near future.
