Resources
Chevron rightEmployee compliance

HIPAA privacy notices require substance use disorder (SUD) language by February 16, 2026

February 3, 2026
Federal

The HIPAA Notice of Privacy Practices (NPP) must be updated by February 16, 2026 to reflect stricter Substance Use Disorder (SUD) rights and protections. The government has yet to provide model language, so as the deadline draws near, it may be time for employers to ask benefits counsel for help amending their NPP.

Who this applies to:

  • Employers sponsoring a fully insured medical plan that includes claims analytics drill-down data feeds or other access to Protected Health Information (PHI)
  • Employers sponsoring a self-insured medical plan to include a level-funded plan, FSA, HRA, or ICHRA. The requirement also includes any carve-out/bolt-on benefit which is not fully insured and must be “integrated” with the employer’s medical plan (telemedicine, fertility, Rx carve-out, etc.)

Note: Only a self-insured, self-administered health plan with fewer than 50 eligible employees is exempt from HIPAA Privacy & Security rules and NPP.

Key details:

SUD health care providers are referred to in HIPAA as Part 2 providers. When they submit claims for payment to a health plan, that is considered Part 2 data subject to stricter requirements on uses and disclosures. When the employer is responsible for distributing the NPP for a health plan receiving Part 2 SUD data, they must ensure the NPP is updated by February 16, 2026, to reflect new rights and restrictions that apply to SUD data, including the following:

  • Enhanced privacy for SUD records: Must explain the stricter rules that apply to uses and disclosures of SUD records received from a Part 2 program and interactions with other laws
  • Restricted access for legal proceedings: Must require specific consent or a court order to disclose SUD records for a civil, criminal, administrative, legislative, or other legal proceeding (SUD counseling notes are subject to the same legal restrictions that apply to psychotherapy notes)
  • Redisclosure warning: Must warn that properly disclosed SUD PHI may not be protected from redisclosure
  • Fundraising opt-out: Must provide a clear and conspicuous way to opt-out of fundraising communications tied to SUD records

With the deadline soon and no model language from the government, employers may want to explore having benefits counsel update their NPP to meet the deadline.

Penalties for non-compliance:

Standard HIPAA penalties apply for failing to comply with the new requirements by the deadline, but given HHS promised employers they would provide model language, it seems reasonable that potential enforcement actions would not go straight to penalty assessment.

Impact to employers:

Time is running out in awaiting model language from HHS. For cautious employers, it may be worth engaging benefits counsel to update the NPP and distribute the updated version by the February 16, 2026, deadline. This may also require updates to some policies and procedures and some training for those handling PHI to understand the extra rights and restrictions for SUD PHI.

Compliance update brought to you by Benefit Compliance Solutions (BCS) in partnership with Nava Benefits. The information contained in this update, including any attachments, is presented solely in the capacity of Nava as compliance consultants. Nothing contained herein should be construed as tax or legal advice or opinion or used as a substitute for consultation with professional legal counsel. Nava is not authorized to practice law, is not an attorney or law firm, and is not rendering legal advice. Communications with Nava are not subject to attorney-client privilege.

See the latest compliance resources
2026 federal poverty level (FPL) updated, increasing FPL affordability safe harbor
2026 silver rates lookup table published for ICHRAs to determine affordability
IRS guidance on HSAs changes under One Big Beautiful Bill Act (OBBB)
IRS initial thoughts on Trump Accounts in preparation for rulemaking
IRS indexes highly compensated and key employee thresholds
IRS finalizes instructions for ACA reporting (1094/1095-B & 1094/1095-C)
PCORI fee amount adjusted for 2025-2026