The U.S. Department of Health and Human Services (HHS) has finalized updates to federal privacy regulations that impact all HIPAA-covered entities, with mandatory changes related to Substance Use Disorder (SUD) records and important developments affecting reproductive health privacy guidance. Organizations should take action now to ensure timely and accurate compliance with the February 16, 2026 deadline.
Substance Use Disorder (SUD) Confidentiality – Mandatory
HIPAA has been updated to align more closely with federal confidentiality regulations governing 42 CFR Part 2 records. These changes are mandatory and must be implemented by February 16, 2026.
Key requirements include:
- Enhanced patient consent standards for SUD-related disclosures
- Expanded patient rights related to access and restrictions
- Revised redisclosure limitations
- Operational impacts to Release of Information (ROI) workflows
- Required updates to privacy policies and workforce training
Reproductive Health Privacy – Regulatory Update
HHS previously finalized a HIPAA Privacy Rule intended to strengthen protections for reproductive health information, including restrictions on certain disclosures and attestation requirements.
However, in June 2025, a federal court vacated significant portions of this rule. As a result:
- Certain reproductive-health-specific disclosure restrictions and attestation requirements are not currently enforceable
- Covered entities should continue to follow existing HIPAA Privacy Rule requirements
- Organizations should monitor future federal guidance or rulemaking, as this area remains legally and politically dynamic.
Notice of Privacy Practices (NPP) – Action Required
Clients should review and update their Notice of Privacy Practices (NPP) to ensure it accurately reflects:
- Mandatory SUD / Part 2 confidentiality requirements
- Current HIPAA disclosure standards, without including vacated reproductive-health provisions as enforceable requirements
It is critical that required privacy updates—particularly those tied to SUD confidentiality alignment—are implemented by the compliance deadline, as they are mandatory federal requirements. Even minor omissions or outdated language in the NPP may carry substantial compliance risk.
Action & Awareness
While some changes may be supported by payer, clearinghouse, or system-level updates, covered entities are encouraged to:
- Review and update internal privacy policies and procedures
- Ensure workforce awareness and training on SUD confidentiality changes
- Evaluate disclosure, authorization, and ROI workflows
- Update the Notice of Privacy Practices as required
- Coordinate with compliance and legal counsel as needed
Reminder: Covered entities must be compliant with 42 CFR Part 2 / SUD-related HIPAA updates no later than February 16, 2026.