Do HIPAA Notices of Privacy Practices Need to Be Updated to Address Part 2 Records?

EBIA Checkpoint News Staff  

· 5 minute read

QUESTION: Our company sponsors a group health plan with several vendors (a third-party administrator, care management vendor, and behavioral health vendor). We understand that HHS has updated one of the model notices of privacy practices (NPPs) and there are new Part 2-related NPP requirements. When did we need to update our HIPAA NPP, are HHS’s model notices required, and what does the new Part 2 enforcement program mean for plan sponsors and business associates?

ANSWER: If your plan (or any of its business associates) creates, receives, maintains, or transmits information that qualifies as Part 2-protected substance use disorder (SUD) patient records, then your plan should treat the Part 2-related NPP revisions as mandatory content requirements that are enforceable as of February 16, 2026. As background, the Part 2 rule refers to 42 CFR Part 2—i.e., the federal regulations governing the confidentiality of SUD patient records. Part 2 primarily applies to SUD treatment programs that are subject to the rule, as well as to “lawful holders” that receive SUD records from a Part 2 program. HIPAA requires certain NPP changes for many HIPAA covered entities—even if they are not Part 2 programs—since many receive SUD records from Part 2 programs for treatment, care coordination, and payment purposes. Key points for plan sponsors, group health plans, and business associates include—

  • Model notices are optional; required content is not. HHS has updated one of its model HIPAA NPPs to address how federal law protects the confidentiality of SUD patient records. While this template is a helpful starting point, the compliance obligation is to confirm that the NPP includes all applicable required elements, including Part 2/SUD record information where relevant. Entities that are not subject to Part 2 can choose from other NPPs on the HHS website.
  • Determine whether your organization is a Part 2 entity. Organizations that have not historically viewed themselves as “Part 2 entities” still may need to revise their NPPs. Part 2 information may reach the plan in various ways, such as through a behavioral health vendor, care coordinator, employee assistance program (EAP), or specialty provider network.
  • Required elements. If the covered entity processes or maintains Part 2 records, then the NPP must notify individuals of the records’ uses and disclosures, describe rights and legal duties specific to Part 2 records, reflect Part 2’s more stringent limits where they differ from HIPAA, and contain a statement explaining certain limitations on the use of SUD records in civil, criminal, administrative, or legislative proceedings. Some group health plans, even if they have not been processing Part 2 records, have added a single section generally describing the more stringent Part 2 requirements, taking a “just in case” approach.
  • OCR enforcement. OCR has announced that it will accept complaints alleging violations of the Part 2 rule and alleged breach notification related to SUD patient records beginning February 16, 2026. Those subject to the Part 2 rule must comply with all applicable requirements, with penalties aligned to those available under HIPAA. OCR investigations may result in resolution agreements, monetary settlements, corrective action commitments, or civil money penalties.
  • Coordinate NPP updates. Updating an NPP often requires coordination across legal, compliance, privacy, IT, and operational teams to ensure that the updated language reflects actual data use and disclosure practices. In some cases, other changes (e.g., to internal policies, consent workflows, training materials, or vendor arrangements) may also be needed. The HIPAA breach notification rule requirements apply to Part 2 records, which increases the urgency for regulated entities to determine whether they handle Part 2 records and whether their incident response and breach reporting processes can identify and address Part 2 records.

For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections II.M (“Core Privacy Requirements”), XXVII.G (“Right to Receive Notice of Privacy Practices”), and XXXIV.E (“Federal Substance Use Disorder Rule”).

Contributing Editors: Thanks to attorney Rebecca L. Williams for her contributions to this article, with final editing by EBIA staff. Ms. Williams is a partner at Davis Wright Tremaine LLP in Seattle, www.dwt.com, and is a contributing author of EBIA’s HIPAA Portability, Privacy & Security manual.
