HIPAA Privacy Notices Must Be Updated by February 16: Key Points for Group Health Plan Sponsors and Covered Entities

1.27.26

If your business is required to maintain a notice of your HIPAA privacy practices, you must act quickly to make sure your notice is updated to comply with new requirements established in a 2024 final rule. Specifically, you have until February 16 to revise your Notice of Privacy Practices (NPP) to include specific content related to heightened confidentiality rules for substance use disorder treatment records. We’ll explain everything you need to know ahead of the impending deadline.

Quick Background

  • HIPAA Privacy Rule. Federal regulations (known as the “Privacy Rule”) under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) set national standards for safeguarding individuals’ “protected health information” (PHI), such as their medical records and other individually identifiable health information. These rules apply to “covered entities” – such as health plans or healthcare providers – and their “business associates.”
  • Privacy Notice Requirement. Unless an exception applies, the HIPAA Privacy Rule requires covered entities (but not business associates) to maintain and provide a Notice of Privacy Practices (NPP) that meets specific content (as well as distribution) requirements – for example, the NPP must explain how the covered entity may use and disclose the individual’s PHI. An employer must satisfy the NPP requirement if it sponsors:
    • a self-funded group health plan; or
    • a fully insured group health plan – but only if the employer creates or receives PHI beyond summary health information or information related to enrollment or disenrollment. 
  • 2024 Final Rule. The Department of Health and Human Services (HHS) issued a final rule in April 2024 that: (1) strengthened HIPAA privacy protections related to reproductive healthcare; and (2) modified the NPP requirements to align with other HHS regulations (implemented under the Public Health Service Act and known as the “Part 2” regulations) related to the confidentiality of substance use disorder (SUD) treatment records.

Last Year’s Nationwide Injunction. While a federal judge tossed out the reproductive healthcare privacy protections in the 2024 final rule, that decision did not impact the modifications to the NPP requirements related to SUD records.

What to Know About the New NPP Requirements

The new NPP requirements related to Part 2 apply to any HIPAA covered entity – assuming it has the NPP obligation (such as the sponsor of a self-funded health plan) – that creates or maintains PHI that is also a record of SUD treatment provided by a Part 2 program. In addition to ensuring compliance with the protections of Part 2, such entities must update their NPP no later than February 16, 2026, to comply with the updated rules.

Required updates include, for example, modifying the NPP to:

  • address Part 2 records, including how those records may be used or disclosed, and the individual’s rights, as well as the covered entity’s duties, related to such records;
  • reference Part 2 as “other applicable law” that is more stringent than the HIPAA Privacy Rule;
  • explain that covered entities may not use or disclose a Part 2 record in a civil, criminal, administrative, or legislative proceeding against the individual absent written consent from the individual or a court order; and
  • clarify the applicability of Part 2 for organized health care arrangements that hold Part 2 records.

In addition, a covered entity that creates or maintains Part 2 records and intends to use or disclose such records for its own fundraising must update the NPP to clearly and conspicuously inform individuals of their right to opt out of receiving any fundraising communications. However, this requirement would not, practically speaking, apply to health plans. And remember, other NPP content and notice timing requirements can vary depending on the type of covered entity and other factors.

What Employers Should Do Next

If you sponsor a group health plan and are required to comply with the new NPP requirements, make sure your NPP is updated accordingly by February 16, 2026. Now is also a good time to review your NPP contents and privacy practices to ensure compliance with all applicable HHS rules. Work with counsel to revise your NPP as needed and address any questions or concerns related to the HIPAA Privacy Rule. Although HHS typically provides sample language for the NPP, none has been issued as of this insight’s publication.

Once the notice is finalized, you should distribute it within the legal timeframes. For group health plans, the deadline to do so depends on whether the plan posts its notice on a website (as permitted if certain rules are met).

  • If the plan posts its NPP to a website, it must:
    • prominently post the changes or its revised NPP on its website by the effective date of the changes to the notice; and
    • provide the revised notice (or information about the material changes and how to obtain the revised notice) in its next annual mailing to individuals covered by the plan at that time.
  • If the plan does not post its notice to a website, it must provide the revised notice (or information about the material changes and how to obtain the revised notice) to individuals covered by the plan within 60 days of the material changes to the notice.

Conclusion

If you have questions, please contact your Fisher Phillips attorney, the authors of this Insight, or any attorney in our Employee Benefits and Tax Practice Group. Make sure you are subscribed to Fisher Phillips’ Insight System to get the most up-to-date information on this and other employment topics directly to your inbox.

Related People

  1. Lorie Maring
    Partner
    404.240.4225
  2. Katie Reynolds
    Associate
    617.532.6945

Service Focus

  • Employee Benefits and Tax
  • Privacy and Cyber

Industry Focus

  • Healthcare

©2026 Fisher & Phillips LLP. All Rights Reserved. Attorney Advertising.