Issue Alerts

The February 16, 2026, Deadline is Quickly Approaching: Have You Updated Your HIPAA Notice of Privacy Practices?

February 9, 2026

By: Brooke Bennett Aziere

By February 16, 2026, covered entities must update their HIPAA Notice of Privacy Practices to align with HIPAA standards and regulations related to substance use disorder records. This update is required for all covered entities, even if the covered entity is not a substance use disorder program under the 42 C.F.R. Part 2 regulations.

Required Updates to HIPAA Notice of Privacy Practices

• Additional Privacy for Substance Use Disorder Records. Under the new requirement, covered entities must inform individuals that federal law protects the confidentiality of substance use disorder information, and these protections are now more consistent with HIPAA. Although the covered entity is not a substance use disorder program, the covered entity may receive information from a substance use disorder program regarding an individual’s treatment.  Covered entities must inform individuals that the covered entity may not disclose this information so that it can be used in a civil, criminal, administrative, or legislative proceeding against the individual unless (1) the covered entity receives the individual’s consent or (2) a court order accompanied by a subpoena or other legal requirement compelling disclosure was issued after the covered entity, and the individual were given notice and an opportunity to be heard.
  • Fundraising Utilizing Substance Use Disorder Information. If the covered entity elects to use or disclose such information for fundraising purposes to the covered entity’s benefit, the covered entity must first provide the individual with a clear and conspicuous opportunity to elect not to receive the fundraising communication. This requirement does not replace the general fundraising language that is already required to be in the Notice of Privacy Practices. With the new requirement, covered entities will have two statements regarding fundraising: (1) general statement for fundraising and (2) specific statement related to substance use disorder information. 
• Redisclosure Statement. Covered entities must add a statement informing individuals that once an individual’s information is disclosed in accordance with the HIPAA Privacy Rule, the disclosed health information may no longer be protected by HIPAA and may be re-disclosed by the recipient without the individual’s knowledge or authorization. This statement is already a requirement for a valid HIPAA authorization, but now it must be incorporated into the Notice of Privacy Practices.
• Impacts of Other Laws. Covered entities must inform individuals that other federal and state laws may provide privacy protections in addition to HIPAA for certain diagnoses, and the covered entity will follow the more stringent law, where it applies to the covered entity. Covered entities should explain the types of information that may have heightened protections, e.g., alcohol and substance use, genetics, mental health, HIV/AIDS, or minors’ information, and how their uses and disclosures will comply with the more stringent law.
• Nondiscrimination Laws. In its Final Rule, the Department of Health and Human Services (“HHS”) reminded covered entities of their obligation to “comply with all Federal nondiscrimination laws, including laws that address language access requirements.” 89 FR 33047. Therefore, in accordance with 42 C.F.R. 92.11, covered entities should consider including a statement regarding the availability of language assistance services and auxiliary aids in the Notice of Privacy Practices. Additionally, 42 C.F.R. 92.11 requires that such notice be provided in English and at least the 15 languages most commonly spoken by individuals with limited English proficiency in the state where the covered entity is located. Although the Trump administration has not been active in enforcing 42 C.F.R. 92.11, the regulation technically requires inclusion of these elements in the Notice of Privacy Practices. 

The HHS Final Rule was published in 89 Fed. Reg. 32976 and is available here.

Reminder: No Updates Regarding the Reproductive Health Rule

As reported in our June 24, 2025, issue alert, the United States District Court for the Northern District of Texas struck down the Final Rule regarding reproductive healthcare, including, without limitation, the obligation for covered entities to update the Notice of Privacy Practices to address reproductive healthcare information. Therefore, covered entities may ignore those changes reflected in the Final Rule.

Consider Updates to HIPAA Policies and Procedures

With updates to the Notice of Privacy Practices, this may be a good time for covered entities to review their HIPAA policies and procedures, and in particular, any policies and procedures addressing the elements of the Notice of Privacy Practices. 

Additionally, last fall, the Trump administration signaled its intentions to finalize proposed rulemaking for the HIPAA Privacy and Security Rules in May 2026. The HIPAA Privacy Rule Notice of Proposed Rulemaking was published in 86 Fed. Reg. 6446 and is available here. The HIPAA Security Rule Proposed Rulemaking was published in 90 Fed. Reg. 898 and is available here. Covered entities should stay tuned for developments, because once finalized, covered entities will need to make updates to their HIPAA privacy and security policies and procedures.

For More Information

If you have questions or want more information regarding your HIPAA policies and procedures, contact your legal counsel. If you do not have regular counsel for such matters, Foulston Siefkin LLP would welcome the opportunity to work with you to meet your specific needs. For more information, contact Brooke Bennett Aziere at 316.291.9768 or baziere@foulston.com. For more information on the firm, please visit our website at www.foulston.com.

Established in 1919, Foulston Siefkin is the largest Kansas-based law firm. With offices in Wichita, Kansas City, and Topeka, Foulston provides a full range of legal services to clients in the areas of administrative & regulatory; antitrust & trade regulation; appellate law; banking & financial services; business & corporate; construction; creditors’ rights & bankruptcy; e-commerce; education & public entity; elder law; employee benefits & ERISA; employment & labor; energy; environmental; ERISA litigation; estate planning & probate; family business enterprise; franchise & distribution; government investigations & white collar defense; governmental liability; government relations & public policy; healthcare; immigration; insurance regulatory; intellectual property; litigation & disputes; long-term care; mediation/dispute resolution; mergers & acquisitions; noncompete & trade secret litigation; oil, gas & minerals; OSHA; privacy & data security; private equity & venture capital; product liability; professional malpractice; real estate; renewable energy, storage, and transmission; securities & corporate finance; startup/entrepreneurship; supply chain management; tax-exempt/not-for-profit organizations; taxation; and water rights.