HIPAA Privacy Notices Must Include Substance Use Disorder (SUD) Language by February 16, 2026

The HIPAA Notice of Privacy Practices (NPP) must be updated by February 16, 2026, to reflect enhanced protections for Substance Use Disorder (SUD) records. While the government has not yet issued model language, employers should consider consulting benefits counsel to ensure their NPP is compliant before the deadline.


Applies to

  • Employers sponsoring fully insured medical plans that provide claims analytics or other access to Protected Health Information (PHI).
  • Employers sponsoring self-insured medical plans, including level-funded plans, FSAs, HRAs, or ICHRAs. This also applies to any carve-out or bolt-on benefit that is not fully insured but is “integrated” with the employer’s medical plan (e.g., telemedicine, fertility, or Rx carve-outs).

Note: Only self-insured, self-administered health plans with fewer than 50 eligible employees are exempt from HIPAA Privacy & Security rules and NPP requirements.


Compliance Requirements

SUD providers, referred to in HIPAA as Part 2 providers, are subject to stricter privacy rules. Claims submitted to health plans are considered Part 2 data and must be handled accordingly.

When an employer distributes an NPP for a plan receiving Part 2 SUD data, the updated NPP must include:

  1. Enhanced privacy for SUD records – Explain the stricter rules governing uses and disclosures of SUD records from Part 2 programs and how these interact with other laws.
  2. Restricted access for legal proceedings – Disclosure for civil, criminal, administrative, legislative, or other legal proceedings requires specific consent or a court order. (SUD counseling notes are treated like psychotherapy notes under HIPAA.)
  3. Redisclosure warning – Alert recipients that properly disclosed SUD PHI may not remain protected from redisclosure.
  4. Fundraising opt-out – Provide a clear, conspicuous way for individuals to opt out of fundraising communications linked to SUD records.

Penalties for Non-Compliance

Standard HIPAA penalties apply if the NPP is not updated by the deadline. Given that HHS promised to provide model language, enforcement would allow a grace period before imposing penalties.


Practical Impact on Employers

Time is running out for model language from HHS. For cautious employers, it may be worth engaging benefits counsel to update the NPP and distribute the updated version by the February 16, 2026, deadline. This may also require updates to some policies and procedures and some training for those handling PHI to understand the extra rights and restrictions for SUD PHI.