Industry News

Did You Meet the February 16 Deadline? What Healthcare Organizations Need to Know About Updated HIPAA and Part 2 Privacy Notices

Alisa Negron | March 2026

Download PDF Download PDF

Healthcare organizations faced an important compliance deadline on February 16, 2026, when updates to the HIPAA Privacy Rule and 42 CFR Part 2 (“Part 2”) became fully enforceable. These changes require covered entities and federally assisted substance use disorder (SUD) treatment programs to revise their Notice of Privacy Practices (NPPs) and patient privacy notices.

The updates stem from a 2024 Part 2 Final Rule issued by the U.S. Department of Health and Human Services (HHS) that modernized the confidentiality protections for substance use disorder treatment records. The rule implemented provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and was designed to better align aspects of Part 2 with HIPAA while maintaining heightened protections for SUD patient information. Although the rule became effective on April 16, 2024, regulated entities were required to comply with the updated provision, including revised notice requirements by February 16, 2026.

Who Must Update Privacy Notices

Several types of organizations may be affected by the updated requirements:

• HIPAA-covered healthcare providers and health plans that create, receive, or maintain SUD patient records must update their Notice of Privacy Practices to reflect the protections and limitations that apply to Part 2 information.
• Federally assisted SUD treatment programs must provide patients with a revised Part 2 patient notice that aligns more closely with HIPAA’s notice framework.
• Organizations that operate as both HIPAA covered entities and Part 2 programs may issue a combined notice that satisfies both regulatory requirements.

Entities that receive or maintain Part 2 records indirectly should also assess how to apply the notice requirements.

Required Notice Updates

Organizations that maintain SUD records subject to Part 2 must include additional disclosures describing how those records may be used and shared. Updated notices should, at a minimum, address:

• Restrictions on Uses and Disclosures: Part 2 Records generally cannot be used in legal proceedings against a patient without written consent or a court order and subpoena.
• Patient Choices: Patients must receive advance notice and the opportunity to opt in or out of fundraising communications that involve their SUD information.
• Enhanced Confidentiality Protections: Notices must explain that Part 2 records cannot be used in civil, criminal, administrative, or legislative proceedings against a patient without appropriate authorization.

To support compliance, HHS released an updated model privacy notices in February 2026, including templates for HIPAA-covered healthcare providers, HIPAA-covered health plans, and Part 2 patient notices. Organizations may adapt these templates or issue a combined notice if subject to both HIPAA and Part 2.

Expanded Federal Enforcement

The February 2026 compliance deadline coincides with expanded federal enforcement authority.  On February 16, 2026, the HHS Office for Civil Rights (OCR) launched a civilian enforcement program for violations of the CARES Act’s increased confidentiality and disclosure safeguards for SUD patient records and the updated Part 2 regulations implementing those safeguards. For the first time, OCR may pursue civil enforcement actions for violations involving the confidentiality of substance use disorder records. Enforcement tools now include:

• Civil monetary penalties
• Corrective action plans
• Settlement agreements

OCR will also accept complaints and breach notifications involving SUD records and may conduct compliance reviews to evaluate adherence to Part 2 requirements.

What to Do If You Missed the Deadline

If your organization has not updated its notices yet, now is the time to act. Key steps include:

1. Review whether your organization creates or maintains Part 2 Records.
2. Update your Notice of Privacy Practices to include required SUD language.
3. Implement the Part 2 patient notice if you operate a federally assisted SUD program.
4. Post the updated notice online and make it available upon request.
5. Review internal privacy policies and training to ensure operational compliance with the rule.

With expanded enforcement authority now in place, timely compliance with the updated notice requirements is increasingly important to mitigate regulatory risk.

For more information on this topic, please contact [email protected].