On Feb. 13, 2026, the U.S. Department of Health and Human Services (HHS) released updated model Notices of Privacy Practices (Privacy Notices) under the Health Insurance Portability and Accountability Act (HIPAA) for health plans and health care providers to use. HIPAA-covered entities must update their Privacy Notices if they receive or maintain patient records regarding substance use disorder (SUD) treatment provided by a federally assisted treatment program (i.e., a “Part 2 program”). The deadline for making this update was Feb. 16, 2026.
As background, Part 2 is a federal law that protects the confidentiality of patient records for individuals receiving services for SUDs, which are called Part 2 records. A final rule issued by HHS in April 2024 requires covered entities to update their HIPAA Privacy Notices if they receive or maintain Part 2 records. The updated Privacy Notices must address how the covered entity may use and disclose Part 2 records, the entity’s responsibilities with respect to the records and individuals’ privacy rights. According to HHS, its updated model Privacy Notices reflect the changes for Part 2 records.
Employers with self-insured health plans should ensure their HIPAA Privacy Notices are updated for the new privacy requirements for Part 2 records. Employers with fully insured health plans that have access to protected health information should also ensure their HIPAA Privacy Notices are updated for the new requirements. Health plans that use HHS’ model Privacy Notice should customize it by entering their own information.
Contact us to see how you could minimize risk:
- |