//WebSights Header HTML Script
Speak to an Advisor: 800.727.4114
phone location_on
Blog

Deadline for Updating HIPAA Privacy Notices Is Approaching

Posted: in HIPAA , Deadlines, Requirements & Notices


The HIPAA Privacy Rule generally requires covered entities (health plans, health care providers and health care clearinghouses) to provide individuals with a Notice of Privacy Practices (or Privacy Notice) to ensure they understand how their protected health information (PHI) may be used and disclosed, as well as their rights with respect to PHI.

A final rule issued by the U.S. Department of Health and Human Services (HHS) in April 2024 requires covered entities to update their Privacy Notices if they receive or maintain patient records regarding substance use disorder (SUD) treatment provided by a federally assisted treatment program (i.e., a “Part 2 program”). Covered entities that receive or maintain Part 2 program records must update their Privacy Notices to include:

  • A statement that SUD treatment records received from Part 2 programs (or testimony related to the content of such records) cannot be used or disclosed in a civil, criminal, administrative or legislative proceeding against the individual without either the individual’s written consent or a court order after the individual is provided notice and an opportunity to be heard; and
  • If a covered entity intends to use or disclose Part 2 program records for fundraising purposes, a statement that the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.

The deadline for updating Privacy Notices for the additional privacy protections for Part 2 program records is Feb. 16, 2026.

Privacy Notice Requirements

  • Self-insured health plans must maintain and provide their own Privacy Notice at enrollment time, when there is a material change and upon request.
  • Fully insured health plans that do not have access to PHI (other than enrollment and summary health information) are not required to maintain or provide a Privacy Notice.
  • Fully insured health plans that have access to PHI must maintain a Privacy Notice and provide it upon request.

Model Notices

  • HHS maintains model privacy notices for health care providers and health plans to use.
  • Health plans that use the model notices should update them to incorporate the new requirements for SUD records.
  • It is uncertain if HHS will update its model notices to incorporate the new requirements before the compliance deadline.

Employer Action Steps

Employers that maintain Privacy Notices for their health plans should update them with the changes to SUD treatment records by Feb. 16, 2026. Employers with self-insured health plans should also distribute their updated Privacy Notices by this deadline.

For help understanding and strategically managing your benefit's plan, contact a SSG Advisor.

Previous Icon Prev
See All News See All News Icon
Next Next Icon
Employee Benefits
Health Benefits Consulting Market Management Plan Administration HR Advocacy Workplace Wellness
Explore
Company Blog Webinars Careers
Resources
Compliance Support Insurance Providers Privacy
Connect
Contact Us
We know you’re busy, but you still need to be informed.
No spam, just straight-forward, valuable benefits related content and important compliance updates.
Subscribe