- On February 10, 2026
Employers with self-insured medical plans (including health care FSAs, HRAs, and level-funded arrangements) must update their HIPAA Notice of Privacy Practices (NPP) by February 16, 2026, to include additional protections for certain substance use disorder (SUD) records. For employers sponsoring fully insured medical plans, the insurers are responsible for updating the NPP.
In 2024, federal regulators amended the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2 (Part 2) and HIPAA privacy regulations. The goal was to better align these rules to make it easier for providers and plans to coordinate care and manage benefits, while preserving heightened privacy protections for individuals receiving treatment from a Part 2 SUD program.
As part of this alignment, HIPAA covered entities (including group health plans) that create, receive, maintain, or transmit SUD treatment information that is protected by Part 2 must update their NPP to explain how they handle these records.
What Must the Updated NPP Include?
The NPP needs to explain, in plain language, that records the health plan receives from a Part 2 SUD program are subject to additional rules, including:
- The patient’s written consent is required to use or disclose the record for treatment, payment, and health care operations.
- Disclosures to business associates (e.g., TPA, PBM, care management vendors) must also comply with Part 2.
- Certain disclosures are allowed without consent (e.g., emergencies, some research/oversight, limited court orders), subject to strict conditions.
- These records, or testimony relaying the contents of these records, cannot be used or disclosed in any law enforcement or legal proceedings, including civil, administrative, criminal, or legislative proceedings against the patient, without the patient’s written consent or an authorizing court order along with a subpoena or similar legal mandate.
- Recipients of SUD records are prohibited from redisclosure unless the patient consents, Part 2 allows it, or the new recipient is itself bound by Part 2.
Other Client Recommendations
- Update business associate agreements and internal policies to explicitly require compliance with Part 2 for SUD records.
- Train internal staff who have access to PHI on how Part 2 SUD information must be handled and when it can or cannot be disclosed.
The NPP must be distributed to plan participants within 60 days of being updated, which means no later than April 17, 2026. For employees who access a computer as part of their normal workday, the NPP can be emailed to them or posted to the intranet (with a notice of availability sent). For participants who do not access a computer regularly for work (including retirees, COBRA participants, and employees on a leave of absence), the NPP should be mailed to their home address.
