HIPAA_Privacy & Checklist

 


This update applies to all HIPAA-covered entities, including healthcare providers, employer group health plans, and business associates handling Substance Use Disorder (SUD) treatment records subject to 42 C.F.R. Part 2. The compliance deadline is February 16, 2026.

The Long-Term Goal: A Unified Privacy Standard

For decades, healthcare providers and organizations have struggled to manage two separate, often conflicting sets of healthcare privacy laws. The long-term goal of this federal update is to eventually fold 42 CFR Part 2 entirely under the HIPAA umbrella. By aligning these rules now, the Department of Health and Human Services (HHS) is moving toward a single, streamlined standard for all health information. This transition is designed to improve care coordination and ensure that sensitive Substance Use Disorder (SUD) data can flow securely between providers for treatment, payment, and operations—just like any other medical record.

What The New Compliance Update Requires

All HIPAA-covered entities must update their Notice of Privacy Practices (NPP) by February 16, 2026. For entities that receive or maintain SUD records protected by 42 C.F.R. Part 2, the NPP must now include specific language regarding these enhanced protections. Even if you do not currently handle Part 2 records, the government requires the NPP to be updated to reflect these new alignment standards to ensure you are compliant should you receive such records in the future.

While the official requirement focuses on the NPP, updating your notice creates a legal obligation to actually implement those protections. Although 42 C.F.R. Part 2 remains a separate federal regulation from HIPAA, this new requirement intertwines the two, requiring organizations to integrate these overlapping obligations into their existing privacy programs.

Note: These requirements apply to SUD treatment records originating from federally assisted SUD programs (“Part 2 programs”) that are protected under 42 C.F.R. Part 2 and may be held by your organization as a HIPAA covered entity or business associate.

Who Must Become Compliant?

A common misconception is that these rules only apply to specialized substance abuse clinics. In reality, the “alignment” means that if these records touch your organization, you are likely in scope.

This includes:

Healthcare & Mental Health Providers: Any provider—from primary care to specialized mental health practices—that receives, maintains, or transmits Substance Use Disorder (SUD) treatment records for care coordination or billing.

Employer Group Health Plans: Plans that receive SUD information for claims processing or wellness programs must ensure their privacy policies and plan documents reflect the new protections.

Business Associates: Third-party vendors (billing companies, IT providers, EHR platforms) that handle Part 2 records on behalf of a covered entity are now directly subject to these confidentiality standards.

Next Steps

We recommend you take the following actions as soon as possible due to the February 16, 2026 deadline:

  • Revise your NPP and post the update on your website and at service locations.
  • For employer group health plans, distribute the updated NPP to plan participants (optional, or wait for the next communication).
  • Update your documents and policies and procedures to comply with 42 C.F.R. Part 2.

The Risk of “Double Compliance”

Many organizations make the mistake of trying to maintain two separate compliance programs—one for HIPAA and one for Part 2. This is a high-risk strategy. If you attempt to manage these as independent silos, you will almost certainly end up with conflicting policies and duplicate information. This not only creates administrative headaches and “compliance fatigue” for your staff, but it also opens the door to regulatory gaps. When your Notice of Privacy Practices (NPP) says one thing and your SUD consent forms say another, you increase your risk of a breach or an unfavorable audit by the Office for Civil Rights (OCR).

How We Can Help

To simplify this for all our customers, we have completely revised our Privacy Documentation Kits to help you comply with both HIPAA and the 42 C.F.R. Part 2 standards as much as possible. After implementation, we encourage all organizations to perform their own due diligence to ensure full compliance with all applicable Part 2 requirements.

For our existing customers, we have made this process extremely simple by placing all the documents that have changed from our previous Privacy Documentation Kits into a separate zip file that you can download. The update for existing customers contains only the files that changed, and we have marked all the changes in green so that you can quickly identify and copy those specific updates into your existing documents rather than having to start from scratch. As part of updating your documents, you can also roll out the updated business associate contract addendums to your partners.

For our online training, the changes do not affect the core HIPAA training we currently provide. Our existing training already emphasizes that sensitive information, including substance abuse, should be treated with higher sensitivity.

For 42 C.F.R. Part 2, we have included a supplementary PDF in our Privacy Documentation Kits for the necessary supplemental staff training on 42 C.F.R. Part 2 (SUD).

How to Purchase the Privacy Documentation Kits

If you purchased the Privacy Documentation Kit within the last year:
We are providing this update to you at no charge. You can log in to your documentation kit account to start the process.

If you purchased the Privacy Documentation Kit prior to Feb 1, 2025:
You can repurchase the updated kit from our website at www.hipaatraining.com. This ensures you have the most current templates to meet the February 16, 2026 deadline. The price of the Privacy Documentation Kit has not changed and is still only $499.99.

Additional Information And References

https://www.hipaatraining.com/blog/feb-16-2026-hipaa-42-cfr-part-2-update-deadline
https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
https://www.hhs.gov/hipaa/part-2/index.html
https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records
https://www.youtube.com/watch?v=F3ZZgCXpT4k

 

HIPAA Regulations

HIPAA regulations state: “The final Security Rule made the use of encryption an addressable implementation specification. See 45 CFR § 164.312(a)(2)(iv) and (e)(2)(ii). The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose to not implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.” http://www.hhs.gov
