THERE ARE SEVERAL pending and proposed changes to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its implementing regulations that have not yet been finalized or taken legal effect, including proposed updates to the HIPAA Security Rule addressing protections for electronic protected health information.
At present, however, there is one area in which compliance with new federal standards is mandatory on or before February 16, 2026. Specifically, entities that qualify as federal Part 2 programs for the treatment of substance use disorders, as well as entities that create, maintain, or receive Part 2 records, must update their notices of privacy practices to reflect new regulatory requirements.
Background: Substance Use Disorder Records Final Rule
The final rule that revised protections for substance use disorder (SUD) records under 42 C.F.R. Part 2 also included provisions intended to strengthen privacy protections for reproductive health information. However, the reproductive health provisions were subsequently determined to exceed the Department of Health and Human Services’ statutory authority in Purl v. United States Dep’t of Health & Hum. Servs., 787 F. Supp. 3d 284, 331 (N.D. Tex. 2025).
Importantly for healthcare providers, this decision did not affect the remaining changes related to Part 2 substance use disorder records. The notice of privacy practices requirements applicable to Part 2 programs and lawful holders therefore remain in effect and are still scheduled to take legal effect.
Who Is Affected: Part 2 Programs and “Lawful Holders”
Part 2 programs are entities that:
- Hold themselves out as providing diagnosis, treatment, or referral for treatment of substance use disorders, and
- Receive federal assistance (directly or indirectly).
These programs are subject to the most comprehensive notice requirements under the revised regulations.
“Lawful Holders” of Part 2 Records are entities that may not themselves meet the definition of a Part 2 program but that create, receive, or acquire records from a Part 2 program. For example, a primary care physician may not advertise or present themselves as providing substance use disorder treatment and therefore may not qualify as a Part 2 program. However, if that physician receives SUD treatment records from a Part 2 program as part of care coordination, the physician becomes a lawful holder of Part 2 records and is subject to certain compliance obligations.
New Requirements for “Notice of Privacy Practices”
Part 2 programs were previously required to provide patients with a summary of federal confidentiality laws and regulations. Under the revised regulations, this summary must be replaced with a more detailed and structured Notice of Privacy Practices (NPP).
The regulations at 42 C.F.R. § 2.22 specify required headings and content elements for the Part 2 notice, including a variety of topics, restrictions, and obligations. Guidance and sample resources are also available through the Substance Abuse and Mental Health Services Administration (SAMHSA)–sponsored Center for Excellence for Protected Health Information.
While a detailed, regulation-by-regulation review is essential for compliance, at a minimum, the Part 2 notice must:
- Describe permitted and required uses and disclosures of Part 2 records under federal law
- Identify the types of uses and disclosures that require the patient’s written consent, including at least one example
- State clearly that Part 2 records may not be used or disclosed in civil, administrative, criminal, or legislative proceedings against the patient without:
- The patient’s written consent, or
- An appropriate court order issued after the patient has received notice and an opportunity to object to the proposed disclosure
The notice must also inform patients of their rights with respect to their Part 2 records, many of which parallel HIPAA rights, including:
- The right to an accounting of most disclosures
- The right to opt out of fundraising communications
If the Part 2 notice is provided electronically, it must be available and prominently posted on the entity’s website.
Notice Requirements for “Lawful Holders” Who Are Not Part 2 Programs
Entities that qualify as “lawful holders,” but are not themselves Part 2 programs, are not required to create a new Part 2 notice of privacy practices. However, “lawful holders” must update their existing HIPAA Notice of Privacy Practices to accurately reflect how they handle Part 2 records differently than other protected health information.
The full details are set out in federal laws, most particularly 45 C.F.R. § 164.520. Broadly-speaking, the updates should address and describe any Part 2 requirements that are more stringent than HIPAA. Updated notices should define how and under what circumstances Part 2 records are subject to different use and disclosure requirements from the patient’s other protected health information.
For example, Part 2 records have different standards for their use and disclosure in civil, criminal, and administrative matters. This may mean changes throughout existing notices or including a section specific to Part 2 records in the notice.
Operational Considerations and Next Steps
Of course, any changes to a notice of privacy practices should be consistent with how records are handled by the entity. Implementing these changes may impact not only the language of a commonly-used document but also internal policies and procedures for how entities handle the use and disclosure of patient records, particularly for “lawful holders” who are not themselves Part 2 programs but create, maintain, or transmit Part 2 records. Entities who have not already adjusted to these requirements will need to determine the best ways to identify and protect Part 2 records in their possession in a reasonable manner consistent with what is described in their updated notice of privacy practices.
Entities that have not yet implemented these changes should act promptly to ensure that their notices of privacy practices, internal procedures, and record-handling practices are aligned before the February 16, 2026, compliance deadline.
Jamie Wilhite Dittert is Member Attorney practicing in medical negligence and insurance liability defense at Sturgill Turner. She can be reached at jdittert@sturgillturner.com or (859) 255-8581. This article is intended as a summary of state and/or federal law and does not constitute legal advice.