February 16, 2026, is the deadline for health care providers, group health plans and health insurers to update and redistribute their Health Insurance Portability and Accountability (“HIPAA”) Notice of Privacy Practices (“Privacy Notice”) to comply with recent federal rule changes strengthening protections certain Part 2 substance use disorder (“SUD”) records (the “SUD Rules”). Timely update of Privacy Notices and compliance with these related requirements is particularly critical for the following organizations, who regularly receive and handle SUD records:
- Behavioral health providers;
- Integrated delivery systems;
- Health plans receiving SUD claims data; and
- Third party administrators, utilization management, and other health plan service providers involved in the administration of behavioral health or substance abuse benefits.
HIPAA Privacy Notice Generally
The HIPAA regulations require most health care providers, group health plans and health care clearinghouses (“Covered Entities”) to provide a Privacy Notice that meets the content and distribution requirements of the HIPAA rules. See 45 C.F.R. § 164.520. Health plans generally must deliver the Privacy Notice to their members at enrollment. Health care providers generally must present the Privacy Notice to patients at least once a year, try to obtain acknowledgement of receipt, display it at their service locations and “prominently post” it on their websites.
Noncompliance with these and other HIPAA requirements can trigger a wide range of adverse consequences, including:
- Complicate the administration and defense of HIPAA compliance;
- Fuel HIPAA complaints from PHI subjects or others;
- Trigger OCR enforcement and the potential civil monetary penalties and corrective action plans;
- Expose noncompliant health plan fiduciaries to fiduciary investigation and liability under the Employee Retirement Income Security Act;
- Expose health care providers to licensure, ethical or other professional investigations and sanctions;
- Expose health care providers and insurers to licensing or other state regulatory enforcement actions;
- Violate stop-loss, liability or other contracts;
- Expose health plans, their fiduciaries and other covered entities to added expense to respond to and defend complaints and investigations; and
- Create reputational risk.
Privacy Notice Updates Due February 16, 2026
The Privacy Notice updates currently due by February 16, 2026, arise from the 2024 Final Rule aligning 42 CFR Part 2 with HIPAA jointly published by the Substance Abuse and Mental Health Services Administration (“SAMHSA”) and OCR to align the substance abuse privacy rules in 42 CFR Part 2 more closely with HIPAA.
While most of the SUD rules operational provisions already are in effect, Covered Entities that maintain SUD records subject to Part to have until February 16, 2026, to update and timely distribute their Privacy Notices to:
- Explain how Part 2 records may be used and disclosed.
- Describe patients’ rights to obtain an accounting of disclosures, request restrictions, file complaints and describe potential penalties for misuse.
Along with updating their Privacy Notices content, health plans and other Covered Entities also need to update their Privacy Notice postings and distributions. Health plans generally are encouraged to follow best practices by treating the revisions as material revisions impacting their health plans and err in favor of broad distribution. Health plans generally should distribute the updated notice to plan participants within 60 days of a material revision or include notice of its availability in its next annual mailing and post an updated copy on the plan’s website. In contrast, health care providers must meet slightly broader distribution requirements, that generally require a health care provider:
- Ensure the updated notice is provided to new patients at check-in and request a signed acknowledgement of receipt from the patient at least once a year;
- Post the revised Privacy Notice in a clear and prominent locations in treatment areas as required by the Privacy Rule;
- Make copies available upon request; and
- Post electronically on websites
Beyond these specific actions in response to the 2024 Final Rule aligning 42 CFR Part 2, self-insured ERISA plans, their employer or other plan sponsors, fiduciaries, and service providers should take the following steps:
- Update the plan’s HIPAA Notice;
- Review and update as necessary plan documents and other policies to ensure language complies with the new rule;
- Plan fiduciaries and sponsors should coordinate with third party administrators and other service providers, behavioral health and other medical management vendors, stop loss carriers, prescription benefit management organizations, and other service providers to verify their process and practices are updated to comply with the new requirements;
- Conduct any necessary training and education for workforce members and business associates; and
- Take steps to monitor compliance on an ongoing basis.
Covered Entities Also Should Reconfirm Adequacy of Existing Other Privacy Notice Content Adequacy
Along with implementing the changes necessary to ensure their Privacy Notices comply with the SUD Rules of 42 CFR Part 2 alignment, group health plans and other Covered Entities also should review and update their Privacy Notices to confirm other content continues to meet OCR’s Privacy Notice requirements.
Since OCR has not substantively revised the content requirements for Privacy Notices or its model Notice of Privacy Practices for many years, many group health plans and other covered entities take for granted that the existing content of their Privacy Notices remains compliant. While OCR’s rules have not changed, group health plans and other Covered Entities often have experienced changes in staffing, addresses or other operational details that may make updates to their Privacy Notices required or advisable. Failing to update Privacy Notices to reflect these changes can both violate HIPAA and fuel a wide range of potentially costly miscommunications and disagreements. Consequently, group health plan sponsors, fiduciaries and service providers, as well as other Covered Entities also are encouraged to review their existing Privacy Notices for any updates required in response to these and other changes.
HIPAA Privacy Rule to Support Reproductive Health Care Privacy No Longer Required
Covered Entities currently do not have to change their Privacy Notices to add disclosures about new requirements for the disclosure of protected health information (“PHI”) relating to reproductive rights that OCR sought to require under its HIPAA Privacy Rule to Support Reproductive Health Care Privacy (“Reproductive Rights Rule”), as the U.S. District Court for the Northern District of Texas vacated those requirements in Purl v. United States Department of Health and Human Services, No. 2:24-CV-228-Z, (N.D. Tex. June 18, 2025).
Had the District Court not struck down the Reproductive Rights Rule last June, Covered Entities also would have been required by February 16, 2026, to revise their Privacy Notices to discuss OCR HIPAA rules restricting disclosures of protected health information (“PHI”) related to lawful reproductive health care.
OCR adopted the Reproductive Rights Rule as part of a broader series of actions by the Biden Administration intended to mitigate the effect of the Supreme Court’s ruling in Dobbs v. Jackson Women’s Health Organization, 597 U.S. 215 (2022). Dobbs restored state power to regulate abortion by reversing the Supreme Court’s decades-old decision in Roe v. Wade, which had recognized a woman’s right to abortion as part of a fundamental right to reproductive privacy.
In furtherance of these broader efforts to limit state efforts to regulate abortion and other reproductive rights, the Reproductive Rights Rule prohibited Covered Entities from using or disclosing PHI:
- For criminal, civil, or administrative investigations into lawful reproductive health care
- To identify a person for such investigations
- For proceedings related to lawful reproductive health care
It also required Covered Entities and their business associates to:
- Obtain a signed attestation before disclosing reproductive health information for certain law enforcement or oversight requests
- Revise their Privacy Notice to describe these new protections
The federal district court’s ruling makes these updates unnecessary at this time.
If you have questions about these health plan exposures or other health care, workforce employee benefits or other regulatory compliance or investigations concerns, contact the author.
For More Information
We hope this update is helpful. For more information about the or other health or other employee benefits, human resources, or health care developments, please contact the author Cynthia Marcotte Stamer via e-mail or via telephone at (214) 452 -8297.
Solutions Law Press, Inc. invites you receive future updates by registering on our Solutions Law Press, Inc. Website and participating and contributing to the discussions in our Solutions Law Press, Inc. LinkedIn SLP Health Care Risk Management & Operations Group, HR & Benefits Update Compliance Group, and/or Coalition for Responsible Health Care Policy.
About the Author
Cynthia Marcotte Stamer is a Martindale-Hubble AV-Preeminent (highest/top 1%) practicing attorney recognized as a “Top Woman Lawyer,” “Top Rated Lawyer,” and “LEGAL LEADER™” in Health Care Law and Labor and Employment Law; among the “Best Lawyers In Dallas” in “Labor & Employment,” “Tax: ERISA & Employee Benefits,” “Health Care” and “Business and Commercial Law recognized for her experience, scholarship, thought leadership and advocacy on health and other employee benefits, insurance, healthcare, workforce, HIPAA and other data and technology and other compliance in connection with her work with health care and life sciences, employee benefits, insurance, education, technology and other highly regulated and performance-dependent clients.
Board certified in labor and employment law by the Texas Board of Legal Specialization and a Fellow in the American College of Employee Benefits Counsel, Ms. Stamer has more than 35 years of experience advising and representing, employers, employee benefit plans and their fiduciaries and administrators, their administrative services, technology and other business associates and other vendors, managed care and insurance, health care and other clients about these and other workforce, employee benefits, internal controls and other operations and compliance concerns.
Ms. Stamer is nationally sought out for her decades of leading-edge experience in the design, sponsorship, administration, and defense of health and other employee benefit, workforce, insurance, healthcare, data and technology, and other operations to promote legal and operational compliance, reduce regulatory and other liability, and advance other operational goals. This experience includes decades of work on HIPAA and other medical and other data and technology privacy, security and other management, including years of service as the Scribe leading the American Bar Association Joint Committee on Employee Benefits Annual Agency Meeting with the Department of Health and Human Services Office of Civil Rights, extensive advice to health plans and insurers, their sponsors, fiduciaries and service providers; managed care organizations, health care organizations, health care clearinghouses and other health data and technology providers; and others about HIPAA and other Federal, state and international privacy and data security; and extensive speaking and publications on these and related concerns.
Along with her decades of legal and strategic consulting experience, Ms. Stamer also contributes her leadership and experience to many professional, civic and community organizations. She currently serves as Co-Chair of the ABA Real Property Trusts and Estates (“RPTE”) Section Welfare Plan Committee, Co-Chair of the ABA International Section International Employment Law Committee and its Annual Meeting Program Planning Committee, Chair Emeritus and Vice Chair of the ABA Tort Trial and Insurance (“TIPS”) Section Medicine and Law Committee, and Chair of the ABA Intellectual Property Section Law Practice Management Committee. She also has served as Scribe for the Joint Committee on Employee Benefits (“JCEB”) annual agency meetings with the Department of Health and Human Services and JCEB Council Representative, International Section Life Sciences Committee Chair, RPTE Section Employee Benefits Group Chair and a Substantive Groups Committee Member, Health Law Section Managed Care & Insurance Interest Group Chair, as TIPS Section Medicine and Law Committee Chair and Employee Benefits Committee and Workers Compensation Committee Vice Chair, Tax Section Fringe Benefit Committee Chair, and in various other ABA leadership capacities. Ms. Stamer also is a former Southwest Benefits Association Board Member and Continuing Education Chair, SHRM National Consultant Board Chair and Region IV Chair, Dallas Bar Association Employee Benefits Committee Chair, former Texas Association of Business State, Regional and Dallas Chapter Chair, a founding board member and Past President of the Alliance for Healthcare Excellence, as well as in the leadership of many other professional, civic and community organizations. She also is valued and celebrated for her decades of policy advocacy and charitable, pro bono, community and other service and leadership to promote understanding and strengthening health care, workforce, saving, disability, aging and retirement and other key policies and challenges through her PROJECT COPE Coalition For Patient Empowerment initiative and many other pro bono service involvements locally, nationally and internationally.
Ms. Stamer is the author of many highly regarded works published by leading professional and business publishers, the ABA, the American Health Lawyers Association, and others. Ms. Stamer also often speaks and serves on the faculty and steering committee for many ABA and other professional and industry conferences and conducts leadership and industry training for a wide range of organizations.
For more information about Ms. Stamer or her health industry, health and other benefits, workforce and other experience and involvements, see the Cynthia Marcotte Stamer P.C. website or contact Ms. Stamer via telephone at (214) 452-8297 or via e-mail here.
About Solutions Law Press™
Solutions Law Press™ provides health care, insurance, human resources and employee benefit, data and technology, regulatory and operational performance, and other business risk management, legal compliance, management effectiveness and other coaching, tools and other resources, training and education. These include extensive resources on leadership, governance, human resources, employee benefits, data security and privacy, insurance, health care and other key compliance, risk management, internal controls and operational concerns. If you find this of interest, you also be interested reviewing some of our other Solutions Law Press™ resources or training.
If you or someone else you know would like to receive future updates about developments on these and other concerns, please be sure that we have your current contact information including your preferred e-mail by creating your profile here.
NOTICE: These statements and materials are for general information and purposes only. They do not establish an attorney-client relationship, are not legal advice or an offer or commitment to provide legal advice, and do not serve as a substitute for legal advice. Readers are urged to engage competent legal counsel for consultation and representation considering the specific facts and circumstances presented in their unique circumstances at the particular time. No comment or statement in this publication is to be construed as legal advice or admission. Solutions Law Press and its authors reserve the right to qualify or retract any of these statements at any time. Likewise, the content is not tailored to any particular situation and does not necessarily address all relevant issues. Because the law constantly and often evolves, subsequent developments that could change the currency and completeness of this discussion are likely. Solutions Law Press and its authors disclaim and have no responsibility to provide any update or otherwise notify anyone of any fact or law-specific nuance, change, limitation, or other condition that might affect the suitability of reliance upon these materials or information otherwise conveyed in connection with this program. Readers may not rely upon, are solely responsible for, and assume the risk and all liabilities resulting from their use of this publication.
Circular 230 Compliance. The following disclaimer is included to ensure that we comply with U.S. Treasury Department Regulations. Any statements contained herein are not intended or written by the writer to be used, and nothing contained herein can be used by you or any other person, for the purpose of (1) avoiding penalties that may be imposed under federal tax law, or (2) promoting, marketing or recommending to another party any tax-related transaction or matter addressed herein.
©2026 Cynthia Marcotte Stamer. Non-exclusive right to republish granted to Solutions Law Press. ™ For information about licensing for republication, please contact the author directly. All other rights reserved.
slphrbenefitsupdate.com 