January 2026
Natashia Wright, Associate Director Benefits Compliance
Employers that sponsor self-funded group health plans, considered “covered entities” under the Health Insurance Portability and Accountability Act (“HIPAA”), are required to update their Notice of Privacy Practices (“NOPP”). A final rule issued by the U.S. Department of Health and Human Services (HHS) in April 2024 requires covered entities to update their Privacy Notices if they receive or maintain patient records regarding substance use disorder (SUD) treatment provided by a federally assisted treatment program. While many organizations have not revised their NOPP since the HITECH Act in 2013, federal authorities have established February 16, 2026, as the deadline for mandatory revisions. This notice must be accessible to plan participants, as well as on applicable employer or plan websites.
The requirements outlined in 45 C.F.R. Section 164.520 of the HIPAA rule are now considered outdated. Notably, the existing regulations do not address recent legal developments, particularly those impacting reproductive health information. Although certain HIPAA modifications regarding reproductive health were vacated by courts in June, all covered entities must update their NOPP to comply with new regulatory directives related to SUD records. For organizations that create or maintain SUD records protected under 42 C.F.R. part 2, the revised NOPP must provide individuals with clear notice regarding the potential uses and disclosures of their records, as well as inform them of their rights and the entity’s legal obligations concerning such sensitive information.
Stricter limits on the use of SUD records
Under the new regulation, the NOPP is required to explicitly state that SUD treatment records from programs governed by 42 C.F.R. part 2 may not be used or disclosed in civil, criminal, administrative, or legislative proceedings without written consent or a court order following due process. Any judicial authorization for use or disclosure must also be accompanied by a subpoena or other valid legal requirement.
Impact of other laws and consent requirements
The revised rule emphasizes that if other laws impose stricter limitations than HIPAA—especially those governing SUD records—these requirements must be reflected in the NOPP. Additionally, where other legislation permits or requires disclosure, the revised NOPP must clearly communicate the circumstances under which individuals’ information may be shared. Covered entities maintaining SUD records should clarify that, unlike most protected health information, the use or disclosure of SUD records for treatment, payment, or healthcare operations typically requires explicit patient consent.
Redisclosure and fundraising provisions
A further significant amendment stipulates that the NOPP must notify individuals that information released pursuant to the Privacy Rule may be subject to redisclosure by the receiving party and, consequently, may no longer be safeguarded by the Privacy Rule. This redisclosure warning, previously limited to authorizations, now extends to the NOPP itself. Moreover, if an entity proposes to use or release SUD records for fundraising purposes, it must offer individuals a clear and prominent method to opt out of any related communications.
The Department of Health and Human Services’ Office for Civil Rights is anticipated to issue further guidance, and additional regulatory changes may be forthcoming if proposed rules designed to improve care delivery and reduce administrative complexities are finalized later this year.
Employer Action Items
- Review Process and Procedures and ensure that enhanced privacy protections for SUD records are included.
- Review and update NOPPs, to include the suggested SUD-related language, regardless of whether the plan handles SUD records, and have posted by February 16, 2026.
Additional Information and Resources
For more information
We’re ready when you are. Get in touch and a friendly, knowledgeable Baldwin advisor is prepared to discuss your business or individual needs, ask a few questions to get the full picture, and make a plan to follow up.
This document is intended for general information purposes only and should not be construed as advice or opinions on any specific facts or circumstances. The content of this document is made available on an “as is” basis, without warranty of any kind. The Baldwin Insurance Group Holdings, LLC (“The Baldwin Group”), its affiliates, and subsidiaries do not guarantee that this information is, or can be relied on for, compliance with any law or regulation, assurance against preventable losses, or freedom from legal liability. This publication is not intended to be legal, underwriting, or any other type of professional advice. The Baldwin Group does not guarantee any particular outcome and makes no commitment to update any information herein or remove any items that are no longer accurate or complete. Furthermore, The Baldwin Group does not assume any liability to any person or organization for loss or damage caused by or resulting from any reliance placed on that content. Persons requiring advice should always consult an independent adviser.
The Baldwin Group offers insurance services through one or more of its insurance licensed entities. Each of the entities may be known by one or more of the logos displayed; all insurance commerce is only conducted through The Baldwin Group insurance licensed entities. This material is not an offer to sell insurance.
