HIPAA Privacy Policy Updates Required by February 16, 2026

In February 2024, the U.S. Department of Health and Human Services (HHS) finalized significant amendments to 42 CFR Part 2, the federal regulation governing the confidentiality of substance use disorder (SUD) treatment records. These amendments align Part 2 more closely with the HIPAA Privacy Rule and require covered entities and applicable business associates to achieve full compliance by February 16, 2026.

For organizations subject to HIPAA, including employer-sponsored health plans and certain vendors, this deadline requires timely updates to privacy policies, procedures and Notices of Privacy Practices (NPPs). While not every employer is directly regulated under HIPAA in its role as an employer, many organizations interact with protected health information (PHI) through their group health plans or third-party administrators. HR leaders and background screening providers should understand how these changes may affect their compliance responsibilities.

Table of Contents

• Understanding 42 CFR Part 2

• The February 16, 2026 Compliance Deadline

• Key Regulatory Changes

  • Alignment with HIPAA’s Treatment, Payment, and Healthcare Operations (TPO) Standards

  • Required Updates to Notices of Privacy Practices

  • Expanded Patient Rights and Enforcement Alignment

• A Strategic Reminder for HR and Compliance Leaders

  
  

Understanding 42 CFR Part 2

42 CFR Part 2 is a federal regulation designed to protect the confidentiality of individuals seeking or receiving treatment for substance use disorders. Originally implemented to reduce stigma and encourage treatment participation, Part 2 historically imposed stricter privacy standards than HIPAA.

The 2024 final rule modernizes these protections by aligning many Part 2 requirements with HIPAA’s framework for privacy, use, and disclosure, while still preserving enhanced safeguards for SUD treatment records.

The February 16, 2026 Compliance Deadline

Although the rule was finalized in 2024, covered entities and business associates must implement the required changes no later than February 16, 2026.

Compliance obligations include:

• Updating Notices of Privacy Practices to reflect Part 2 protections

• Revising internal privacy and disclosure policies

• Adjusting consent forms and authorization procedures

• Training workforce members on updated confidentiality standards

• Reviewing data-sharing and redisclosure protocols

  
  

The HHS Office for Civil Rights (OCR) will oversee enforcement, and Part 2 violations are now aligned more closely with HIPAA’s civil enforcement structure.

Key Regulatory Changes

The 2024 amendments to 42 CFR Part 2 introduce important updates that must be implemented by February 16, 2026. These changes align substance use disorder confidentiality requirements more closely with HIPAA while preserving enhanced protections for sensitive treatment records. Organizations subject to the rule should review and update their policies accordingly.

Alignment with HIPAA’s Treatment, Payment, and Healthcare Operations (TPO) Standards

Under the revised rule, a single patient consent may authorize future uses and disclosures for treatment, payment and healthcare operations, similar to HIPAA’s structure. This replaces the prior requirement for highly specific consent tied to individual disclosures.

However, redisclosure protections remain in place, and organizations must ensure that SUD treatment records are not used or disclosed beyond permitted parameters.

Required Updates to Notices of Privacy Practices

Entities that receive or maintain Part 2-protected records must update their HIPAA Notice of Privacy Practices to clearly describe:

• How SUD treatment records may be used and disclosed

• Limitations on redisclosure

• Individual rights regarding protected records

• Complaint and enforcement procedures

  
  

This is a mandatory regulatory update, not a discretionary enhancement.

Expanded Patient Rights and Enforcement Alignment

The final rule incorporates HIPAA-based patient rights into the Part 2 framework and aligns enforcement with HIPAA’s civil monetary penalty structure. OCR will have authority to investigate and enforce violations involving Part 2-protected records.

Organizations handling SUD treatment information should view this change as part of broader federal efforts to streamline and strengthen healthcare privacy oversight.

A Strategic Reminder for HR and Compliance Leaders

The 2024 amendments to 42 CFR Part 2 represent a significant regulatory shift in the handling of substance use disorder treatment records. Although alignment with HIPAA simplifies certain disclosure processes, the information remains highly sensitive and subject to strict safeguards.

With the February 16, 2026 compliance deadline approaching, organizations should prioritize review and policy updates now to ensure full regulatory alignment and responsible data governance. Proactive compliance not only mitigates legal exposure but also reinforces organizational commitment to privacy, confidentiality and ethical stewardship of protected health information.

For specific questions about how these changes may affect your organization, or to ensure full compliance with HIPAA, consult your legal counsel or compliance advisor.