28 January 2026

Employee Benefits Update: Changes To HIPAA Notice Of Privacy Practices Due By February 16, 2026

Bond, Schoeneck & King PLLC

Contributor

Bond is a full-service law firm counseling individuals, companies, not-for-profits and public sector entities in a wide spectrum of practice areas.

With over 300 lawyers, we represent clients in agribusiness and natural resources; commercial lending and transactions; real estate development and construction; defense and high-tech; energy and chemicals; health care and long-term care; manufacturing and electronics; hospitality, sports, entertainment and tourism; municipalities and school districts; higher education; and other exempt and nonprofit organizations. We maintain ten offices in New York State as well as locations in Florida, Kansas, Massachusetts and New Jersey.

Hailey S. Trippany’s articles from Bond, Schoeneck & King PLLC are most popular:
  • within Food, Drugs, Healthcare and Life Sciences topic(s)
  • with Senior Company Executives, HR and Inhouse Counsel

Note: This memorandum is focused on required changes to the HIPAA Notice of Privacy Practices that apply to group health plans, including employer-sponsored group health plans. Bond will be sending a forthcoming communication tailored to implications for other clients, including healthcare providers.

In 2024, the Department of Health and Human Services (HHS) amended the Health Insurance Portability and Accountability Act (HIPAA) Notice of Privacy Practices regulations under 45 CFR § 164.520, in large part, to better align with the Confidentiality of Substance Use Disorder Patient Records regulations in 42 CFR Part 2, which provide additional restrictions on the use and disclosure of Substance Use Disorder (SUD) related records.

Changes in the notice requirements under 42 CFR Part 2 primarily apply to federally assisted SUD programs, referred to in the regulations as “Part 2 Programs”. However, the 42 CFR Part 2 regulations apply, in part, to Covered Entities that “receive or maintain” records from Part 2 Programs. Accordingly, the HIPAA notice rules have been amended to include SUD-related rules for Covered Entities. In light of these changes, Covered Entities under HIPAA, including health plans, must update their Notice of Privacy Practices (NPP or Notice) by Feb. 16, 2026.

Background

A Notice of Privacy Practices describes how a Covered Entity may use and share an individual's protected health information and the individual's privacy rights under HIPAA. “Covered Entities” under HIPAA generally include health plans (including employer health plans), healthcare clearinghouses and healthcare providers. Covered Entities are required to provide the Notice of Privacy Practices to individuals whose protected health information is created or received by the Covered Entity. HHS has provided NPP templates and guidance for the various types of Covered Entities on its website. However, as of the date of this article, these resources have not been updated to include the required changes.

Fully Insured Plan Exception

45 CFR § 164.520(a)(2) provides for an exception for fully insured group health plans that do not create or receive protected health information other than enrollment status or “summary health information” (partially deidentified claims information). This exception allows the plan's insurer to provide the Notice directly to participants. Any fully insured plans that create or receive protected health information (other than the exempted information above) must maintain their own Notice.

Health Plan Notice Requirements

Health plans are required to provide the Notice to protected individuals upon initial enrollment or at any time upon request. In addition, plans must remind individuals of the Notice and how they may obtain a copy of the Notice every three years. The regulations clarify that providing the required information to the policy owner (typically the employee) satisfies the notification requirements for any individuals covered under the policy.

Plans must post any updated Notice to the plan's website by the effective date of the change and include the Notice or information on how to access the Notice in the plan's next annual mailing. If the Notice is not posted on the website, the updated Notice or information on how to access the Notice must be provided to participants within 60 days of the revision to the Notice.

Required Updates to the Notice

By Feb. 16, 2026, Covered Entities must update their Notice to include:

  • A revision to any existing description of a permissible use or disclosure of protected information to reflect any more stringent legal requirements for the use and disclosure of information, including requirements under 42 CFR Part 2.
  • A disclosure that records received from Part 2 Programs will not be “used or disclosed in civil, criminal, administrative or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2.”
  • A disclosure that if a Covered Entity intends to use or disclose such Part 2 Program records for fundraising for the Covered Entity's benefit, the individual must first be provided with a clear and conspicuous opportunity to elect not to receive any fundraising communications.
  • A statement putting the individual on notice that protected health information that is properly disclosed by the Covered Entity may be “redisclosed” by the recipient following the individual's authorization for disclosure, thus making the information no longer protected.

The amended HIPAA NPP regulations also include additional notice requirements pertaining to reproductive health disclosures released under the Biden Administration. In 2025, these requirements were struck down in federal court and have not been further challenged by the Trump Administration. Accordingly, these requirements do not have to be incorporated into the updated Notice.

Next Steps For Employers

  • If your plan is fully insured, confirm (or re-confirm) whether the data you maintain requires you to have a Notice of Privacy Practices. If your insurer maintains the Notice of Privacy Practices for plan participants, inquire with your insurer whether the Notice has been updated and where the updated Notice can be found.
  • If your plan is not fully insured, or you are otherwise required to maintain a Notice of Privacy Practices:
    • Ensure your privacy policy and any related documents and authorization forms are updated to comply with the 42 CFR Part 2 Rules and any other practices/requirements described on the Notice;
    • Update the Notice with any applicable requirements by the deadline;
    • Post the Notice online (or mail the Notice to participants within 60 days of the update);
    • Ensure the updated Notice is being distributed to participants upon initial enrollment; and
    • If you choose to post the Notice online (rather than mail it), make note that you must include information on how to access the updated Notice in the next annual mailing for the plan.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
