By: HUB’s EB Compliance Team
Under final rules issued in 2024, any HIPAA Notices of Privacy Practices need to be updated by February 16, 2026. HUB previously wrote about these rules here. Although these rules were first enacted two years ago, they are just now going into effect.
Notice of Privacy Practices
Under HIPAA, covered entities (including health plans and providers) generally must provide a Notice of Privacy Practices to each individual for whom the covered entity possesses Protected Health Information (“PHI”). The notice is required to include the uses and disclosures of PHI that may be made by the covered entity, the individual's rights related to the PHI, and the covered entity's legal duties with respect to the PHI. In addition, although this subject matter is complex, the notice must be written in plain language.
Updates
The final rule puts forth changes to the HIPAA Notice of Privacy Practices. These changes center on adjustments made to harmonize separate privacy rules regarding substance use disorder treatment (sometimes called the “Part 2 rules”) with HIPAA.
This harmonization is designed to align HIPAA and the Part 2 rules, which previously did not align. For example, HIPAA generally permits uses and disclosures for treatment, payment, and health care operations (“TPO”) without individual authorization. On the other hand, Part 2 required explicit written patient consent for virtually all disclosures, including for TPO purposes. Under the new rules, Part 2 data no longer requires explicit consent for TPO purposes.
The Part 2 rules overall impose additional protections on substance use disorder treatment or research, and when conducted or regulated by the federal government (more information is available here). As a practical matter, this should not be a concern for most plan sponsors as few Part 2-related claims should make their way to a private group health plan.
Even so, employers with self-funded health plans should review their privacy practices with experienced benefits counsel to determine what changes may be required. In addition, updates to training materials may also be required.
Conclusion
It should be noted that these HIPAA updates are separate from the other updates released in 2024 related to reproductive health care. As HUB previously wrote, the reproductive health care rules were vacated in 2025. Since those rules are no longer effective, employers can remove any internal HIPAA training and administrative processes related specifically to these rules.
Finally, the Department of Health and Human Services (“HHS”) maintains model notices of privacy practices. However, those model notices have not yet been updated to reflect the Part 2 changes, nor has HHS provided insight into when these may be updated in the future.
If you have any questions, please contact your HUB Advisor. View more compliance articles in our Compliance Directory.
NOTICE OF DISCLAIMER
Neither HUB International Limited nor any of its affiliated companies is a law or accounting firm, and therefore, they cannot provide legal or tax advice. The information herein is provided for general information only and is not intended to constitute legal or tax advice as to an organization’s or individual's specific circumstances. It is based on HUB International's understanding of the law as it exists on the date of this publication. Subsequent developments may result in this information becoming outdated or incorrect, and HUB International does not have an obligation to update this information. You should consult an attorney, accountant or other legal or tax professional regarding the application of the general information provided here to your organization’s specific situation in light of your or your organization’s particular needs.