Approaching Deadline: Updates Required For HIPAA Privacy Notices Regarding Substance Use Disorder Records
- SiekmannCo
- Oct 30
- 3 min read
Updated: 15 hours ago
The U.S. Department of Health and Human Services (HHS) has mandated significant enhancements to privacy protections for substance use disorder (SUD) treatment records through recent regulatory changes. These updates, driven by the CARES Act of 2020 and finalized in 2024, aim to better align the confidentiality requirements of 42 CFR (Part 2) with the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule while maintaining strong safeguards for sensitive information.
Covered entities, including group health plans that create, receive, or maintain protected health information (PHI) related to SUD treatment from federally assisted Part 2 programs, must revise their HIPAA privacy notices, also known as Notices of Privacy Practices (NPPs), to reflect these heightened protections. The compliance deadline for these updates is Feb. 16, 2026.
Understanding The Regulatory Changes
In February 2024, HHS, through the Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA), issued a final rule modifying Part 2 regulations. This rule implements Section 3221 of the CARES Act, which sought to harmonize Part 2's stricter confidentiality standards with HIPAA to facilitate better care coordination while preserving patient privacy.
Key alignments include:
Permitting a single patient consent for future uses and disclosures of SUD records for treatment, payment, and health care operations (TPO).
Allowing redisclosure of Part 2 records by HIPAA-covered entities and business associates in accordance with HIPAA rules (when obtained via proper consent).
Applying HIPAA Breach Notification Rule requirements to breaches of Part 2 records.
Granting patients rights similar to those under HIPAA, such as requesting restrictions on disclosures and obtaining an accounting of disclosures.
A separate modification to the HIPAA Privacy Rule requires covered entities to include specific statements in their privacy notices about the handling of Part 2 records.
Required Content In Updated HIPAA Privacy Notices
Covered entities that receive or maintain SUD treatment records from Part 2 programs must update their HIPAA privacy notices to include:
A description of how Part 2 records are used and disclosed, emphasizing stricter consent requirements and restrictions on use in legal proceedings without patient consent or a court order.
Patient rights specific to these records, including the right to an accounting of disclosures and options for filing complaints with HHS.
The entity's legal duties regarding these highly protected records.
Part 2 programs themselves (including those that are also HIPAA-covered entities) must provide a separate patient notice detailing these protections.
As of late 2025, HHS has not released updated model privacy notices incorporating these requirements. Entities should monitor the HHS website for guidance or templates, such as those provided by the Center of Excellence for Protected Health Information.
Implications For Group Health Plans
HIPAA obligations for privacy notices vary based on the plan's funding structure:
Self-Insured Health Plans
Must maintain and distribute their own HIPAA privacy notices.
Required to update and redistribute revised notices by February 16, 2026, if the plan may receive SUD-related PHI (e.g., through claims processing or coordination with Part 2 providers).
Distribution requirements include providing notices at enrollment, upon material changes, at least every three years (or notifying participants of availability), and upon request.
Fully Insured Health Plans
If the plan receives only summary health information or enrollment/disenrollment data (no individual PHI), no privacy notice is required—the insurer handles this.
If the plan has access to PHI beyond these exceptions, it must maintain and provide a privacy notice upon request, and update it for Part 2 changes if applicable.
Plan sponsors should review their access to PHI and consult with administrators to determine if updates are needed.
Action Steps For Compliance
To prepare for the February 16, 2026, deadline:
Assess whether your plan or entity receives or maintains Part 2 SUD records.
Revise HIPAA privacy notices to include required statements on SUD record protections.
Update policies, procedures, consent forms, and business associate agreements as needed.
Train staff on the aligned requirements.
Plan for the redistribution of updated notices during open enrollment or via other communications.
Failure to comply could result in enforcement actions by OCR, which now oversees Part 2 violations with penalties aligned to HIPAA.
These changes reflect a balanced approach to improving care integration for individuals with SUD while safeguarding sensitive information.
For personalized assistance with updating HIPAA privacy notices, ensuring compliance with Part 2 alignments, or managing retirement and employee benefits programs, contact The Siekmann Company. Our experts provide tailored guidance to help organizations navigate complex regulatory requirements effectively.
