A key HIPAA deadline is coming up on February 16, 2026. By that date, covered entities and their business associates must update their Notice of Privacy Practices (NPP) to reflect recent federal changes tied largely to confidentiality rules for substance use disorder (SUD) patient records under 42 CFR Part 2.

If you have been hearing “HIPAA 2026 requirements,” this is what most people mean: an NPP update deadline, not an entirely new HIPAA program. The purpose is to make patient notices clearer and align certain SUD privacy requirements more closely with HIPAA.

What’s changing and why it matters

1) The Notice of Privacy Practices (NPP) must be refreshed

The NPP is the document that explains, in plain language, how your organization uses and shares protected health information (PHI) and what rights patients have. The federal rulemaking sets a delayed compliance date for the NPP updates, which is why February 16, 2026 matters.

2) SUD records and Part 2 alignment are a big driver of the update

Federal updates to 42 CFR Part 2 (the confidentiality rules for SUD treatment records) include changes that impact patient notice obligations and bring several requirements closer to the HIPAA framework. HHS specifically notes the Part 2 final rule aligns Part 2 patient notice requirements with HIPAA’s NPP approach.

A quick clarification on reproductive health “attestation” language

You may have seen guidance about an “attestation” requirement for certain requests involving PHI potentially related to reproductive health care. That requirement was part of a 2024 HIPAA reproductive health privacy rule, but a federal court vacated most of that rule in June 2025, including the attestation obligation, and later updates signaled that the reproductive health provisions effectively ended.

What this means for February 2026: the NPP update deadline still applies, but you should be careful about stating that your organization “must obtain an attestation” as a current HIPAA requirement, because that obligation was removed by the court decision.

Real-world example

Imagine a small clinic that offers primary care and occasionally coordinates care with outside programs that treat substance use disorder. Even if SUD treatment is not the clinic’s main service line, the clinic may still receive SUD-related information in referrals, medication histories, lab results, or care coordination notes.

By February 16, 2026, the clinic should have:

• An updated NPP posted and available to patients
• Staff trained on what changed and how to respond to questions
• Clear internal steps for handling sensitive records, especially when a request is unusual or high-risk

Do all providers need to update their NPP by February 2026?

Yes. The NPP update deadline applies to HIPAA covered entities broadly, not only to specialty clinics. The point is to make sure patients receive a consistent, compliant notice of their privacy rights and your disclosure practices.

Even practices like dental, podiatry, optometry, and others can encounter SUD-related information through medical histories, medications, care coordination, or referrals. Updating the NPP helps you stay compliant and helps patients understand their rights.

How to prepare now

Start simple and stay practical:

1. Review your current NPP and identify what needs to be updated for the February 16, 2026 requirements.
2. Check your workflows for intake, disclosures, and responding to requests for records, especially requests that feel “outside the norm.”
3. Train your team, including front desk staff, billing teams, and clinical staff, so everyone can follow the same process.
4. Confirm your vendors and business associates understand your updated expectations and can support compliant handling of sensitive records.

Using a structured compliance system can make this easier. Taino Consultants offers web-based programs that help organizations organize policies, update documentation, track action items, and deliver training in a repeatable way. EPICompliance supports HIPAA, OSHA, and Medicare compliance through automated workflows, recurring checklists, risk assessments, and live support so teams can stay audit-ready without living in spreadsheets.

Government resources and further reading

For official guidance, review:

• HHS resources on the reproductive health privacy rule (for background and context, noting the litigation outcome)
• HHS Fact Sheet on the 42 CFR Part 2 Final Rule
• The Federal Register entry describing compliance dates, including the February 16, 2026 NPP deadline

Bottom line

Even if your practice does not specialize in SUD treatment or reproductive health services, you still need to update your NPP by February 16, 2026. This is an important step to keep your organization compliant, reduce risk, and build patient trust through clear, accurate communication.

Take control now: review, refresh, and actively manage your program. For quick, practical guidance, you can also point teams to EPICompliance educational webcasts (Watch on YouTube).