The February 2026 HIPAA Deadline: Is Your Notice of Privacy Practices Ready for the Part 2 Alignment?

by Bethany Page Ishii

The regulatory landscape for patient privacy is undergoing its most significant shift in a decade. While Privacy Officers are accustomed to the standard rhythm of HIPAA compliance, a major deadline is fast approaching that requires more than just a cursory review of policy.

By February 16, 2026, all HIPAA Covered Entities (CEs) must update their Notices of Privacy Practices (NPP) to reflect sweeping changes to 42 CFR Part 2, the federal regulations governing the confidentiality of Substance Use Disorder (SUD) treatment records.

Driven by the CARES Act, these changes aim to align Part 2 more closely with HIPAA to ease administrative burdens while maintaining heightened protections for vulnerable patients.

Here is everything your compliance team needs to know to meet the deadline.

Understanding 42 CFR Part 2: More Than Just HIPAA

For decades, 42 CFR Part 2 (often simply called “Part 2”) has operated as a stricter sibling to HIPAA. While HIPAA applies to all Protected Health Information (PHI), Part 2 specifically protects “records of the identity, diagnosis, prognosis, or treatment of any patient” maintained by a federally assisted SUD program.

The core intent of Part 2 is to ensure that a patient seeking treatment for a substance use disorder is not discouraged by the fear of prosecution or social stigma. Historically, this meant that sharing Part 2 records required a specific, highly detailed written consent for almost every disclosure, even for routine treatment or payment, which created significant silos in integrated care settings.

Does Part 2 Apply to Your Organization? A Checklist

Many general hospitals and group practices mistakenly believe Part 2 doesn’t apply to them. However, the definition of a “Program” is nuanced. Use this checklist to determine if your entity (or a department within it) must comply:

  • Are you “Federally Assisted”? This includes receiving any federal funding, being tax-exempt under the IRS, or being authorized to conduct business by the federal government, including Medicare/Medicaid provider status.
  • Do you have an “Individual or Entity” (other than a general medical facility) that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment?
  • Do you have a “Unit within a General Medical Facility” that holds itself out as providing SUD diagnosis, treatment, or referral for treatment?
  • Do you have “Medical Personnel or Other Staff” in a general medical facility whose primary function is the provision of SUD diagnosis, treatment, or referral for treatment and who are identified as such?

If you checked “Federally Assisted” and any of the subsequent three boxes, you are likely a “Part 2 Program” and must update your NPP accordingly.

The NPP Update Requirements: What’s Changing?

The Final Rule, published in February 2024, requires Covered Entities to update their NPPs to reflect the new “harmonized” rules. The goal is to inform patients that their SUD records now have similar (but not identical) protections to HIPAA PHI.

Key updates to the NPP must include:

  1. TPO Disclosures: Explicitly stating that once a single prior written consent is obtained, the entity may use and disclose Part 2 records for Treatment, Payment, and Health Care Operations (TPO) in a manner similar to HIPAA.
  2. Redisclosure Notice: Explaining that Part 2 records disclosed for TPO to a Covered Entity or Business Associate may be further redisclosed in accordance with HIPAA (with certain exceptions regarding legal proceedings).
  3. Right to Accounting of Disclosures: Informing patients of their right to an accounting of disclosures of Part 2 records made through an electronic health record (EHR) for TPO purposes (covering the previous three years).
  4. Right to Request Restrictions: Patients now have the right to request restrictions on disclosures of Part 2 records for TPO.
  5. Breach Notification: Clarifying that HIPAA Breach Notification Rule standards now apply to Part 2 records.

Combined NPP vs. Separate NPP: Which Is Right for You?

One of the most frequent questions from Compliance Officers is: “Do I need a separate notice for my SUD program and my general medical clinic?”

The Combined NPP (The “Joint Notice”)

The regulations allow a Covered Entity that also operates a Part 2 program to use a single, combined NPP.

  • Pros: Streamlines the patient intake process, reduces “paperwork fatigue,” and ensures a unified privacy message across the organization.
  • Requirements: A combined NPP must include all the standard HIPAA elements plus the specific Part 2 statements mentioned above. It must clearly delineate when the stricter Part 2 protections apply.

The Separate NPP

  • Pros: If your organization is a large health system where only a tiny fraction of the business (e.g., a specific detox unit) is a Part 2 program, a separate NPP for that unit may prevent confusing the general patient population.
  • Cons: Higher administrative burden to ensure the correct version is handed to the correct patient.

The Verdict: Most integrated systems are moving toward a Combined NPP. The new alignment rules make the two sets of regulations similar enough that a single, well-drafted document is usually the most efficient way to maintain compliance. Also, a simpler, unified approach gets our vote.

Compliance Checklist for February 16, 2026

  • Audit Your Units: Confirm which departments qualify as “Part 2 Programs.”
  • Draft the Revision: Update the NPP language to include the new TPO consent and redisclosure provisions.
  • Update Consent Forms: Ensure your SUD-specific consent forms align with the new broad TPO consent allowed by the CARES Act.
  • Train Staff: Front-desk and intake staff must understand the new notice and be able to explain the “Accounting of Disclosures” to patients.
  • Physical and Digital Distribution: Post the new NPP on your website and in physical locations. Have copies ready for distribution to new patients and upon request.

How Meditology Can Help

Navigating the intersection of HIPAA and 42 CFR Part 2 is notoriously complex. Small errors in NPP drafting can lead to significant regulatory scrutiny or loss of patient trust.

Meditology Services provides expert guidance to Privacy and Compliance Officers by:

  • Performing Part 2 Applicability Assessments: We help you determine exactly which parts of your organization fall under the Part 2 umbrella.
  • NPP Drafting and Review: Our legal and compliance experts will draft or audit your combined NPP to ensure every regulatory “i” is dotted and every “t” is crossed.
  • Privacy Program Alignment: We assist in updating your internal policies, procedures, and training modules to reflect the new 2026 standards.

Don’t wait until February 2026 to realize your notice is out of compliance. Contact Meditology today for a consultation on your NPP transition plan.

About the Author

Bethany Page Ishii is a seasoned cybersecurity and risk management executive with 15 years of experience. Her expertise spans security consulting, operational leadership, and customer success, making her uniquely equipped to deliver comprehensive solutions that align strategic vision with practical execution. With a decade of consulting under her belt, Bethany led the firm’s Validation Service Line, overseeing Security Risk Assessments, HITRUST® certifications, Privacy Assessments and SOC 2 attestation efforts. Bethany also served as a CISO for five years, where she directed data security and threat response activities. Her approach marries practitioner experience, consulting insight, and a focus on client relationships to drive success across a variety of security disciplines.
