As we previously reported here, the deadline for HIPAA[1] covered entities, including employer-sponsored group health plans, to update their Notice of Privacy Practices (NPP) was February 16, 2026, to reflect changes in accordance with a 2024 Final Rule ("2024 Final Rule") regarding protections for substance use disorder (SUD) information in Part 2 program patient records.
On February 13, 2026 (and just in the nick of time for the February 16, 2026 deadline), the U.S. Department of Health and Human Services (HHS) released updated HIPAA model NPP templates (accessed here) for HIPAA covered entities (including health plans and health care providers). These updated model NPP templates include provisions related to changes made under the 2024 Final Rule and may be used by employer-sponsored group health plans that are required to update their plans' NPPs by February 16, 2026.
Read on for more information and employer group health plan sponsor next steps.
HIPAA Privacy Notice Background
The HIPAA Privacy Rule generally requires HIPAA covered entities to develop and distribute an NPP that provides a clear, detailed, and reader-friendly description of individuals’ rights regarding their protected health information (PHI)[2] and the entity’s privacy practices, including ways in which the covered entity may use and disclose protected health information.
Generally, employers sponsoring self-funded group health plans (including level-funded plans) are required to maintain and distribute their own NPPs to plan participants during the following periods:
- at plan enrollment time,
- within 60 days of a material change to the NPP (including these specific Part 2 updates), and
- upon a plan participant’s request.
For employers sponsoring fully insured group health plans that do not have access to PHI (other than enrollment and summary health information), the health insurance issuer, rather than the group health plan itself, is generally responsible for maintaining and distributing the NPP to plan participants. In contrast, employers sponsoring fully insured group health plans that do have access to PHI for plan administrative purposes must maintain and distribute an NPP during the periods outlined above.
2024 Final Rule
The 2024 Final Rule requires covered entities, including employer-sponsored group health plans, to update their HIPAA privacy practices to meet certain standards related to substance use disorder (SUD) disclosures, and to update their NPPs by February 16, 2026. This update aligns the HIPAA Privacy Rule with rules on disclosures of SUD information applicable to Part 2 programs.
Part 2 Background
Part 2 is a federal law that protects the confidentiality of patient records for people receiving services for SUDs. Part 2 confidentiality rules describe when and how SUD patient records may be used and disclosed. Part 2 rules apply to any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment. These programs are referred to as "Part 2 programs."
On a practical level, the 2024 Final Rule generally requires employer-sponsored group health plans (or their third-party delegates) to obtain individual consent (including obtaining separate individual consent or a court order to use or disclose SUD records for civil, criminal, or administrative proceedings), and provide specific protections for using and disclosing SUD-related PHI.
Individual consent must be obtained before covered entities (including group health plans) or HIPAA business associates can disclose PHI relating to SUD treatment, payment, or health care operations, in an effort to encourage individuals to seek SUD treatment without fear of potential discrimination or legal trouble.
Next Steps for Employer Group Health Plans Sponsors
Employers sponsoring group health plans who have access to PHI were required to update their NPPs by February 16, 2026, and can now rely on the model NPP templates recently released by HHS (accessed here) as a "safe harbor" for this compliance purpose.
As referenced above, employers sponsoring self-funded group health plans (including level-funded plans) and certain fully insured plans are required to maintain and distribute this updated NPP by February 16, 2026.
Since these Part 2 updates are considered a material change to the NPP, impacted employer group health plan sponsors can distribute the updated NPP to plan participants, either by[3]:
- Mailing the updated NPP out within 60 days of making the change (this means mailing out this revised NPP by April 17, 2026),
- Emailing the updated NPP by April 17, 2026, if the plan has obtained consent from employees to receive the NPP electronically, or
- If the plan maintains a benefits website, prominently posting this revised NPP by February 16, 2026 on the plan’s website, as long as a hard copy of the revised NPP (or a summary of what has changed) is distributed at the plan’s next annual mailing (which is typically during the plan open enrollment period).
Failing to comply with HIPAA requirements, including NPP failures, can result in significant HHS penalties for HIPAA covered entities. Click here for a Risk Strategies article detailing recently updated HHS penalties for HIPAA violations. Additionally, HHS expanded its online portal (accessed here) for filing privacy complaints to include complaints that SUD records were shared in violation of Part 2’s requirements.
Two Final Notes
HHS Model NPP Templates: Before the February 13, 2026 release of updated model NPP templates, HHS previously maintained model NPP templates in several formats, including booklet, full-page, layered, and text-only versions, and also included Spanish translations for each format. In connection with updating its model NPP templates to incorporate these Part 2 records requirements, HHS streamlined its model notices to single, consolidated text-only versions for health plans and health care providers.
Covered Dependents: A group health plan is not required to provide a separate NPP document to dependents (for example: a spouse or child) covered through the employee as long as the plan provides the NPP document to a covered employee.
Risk Strategies is here to help. Reach out to your Risk Strategies account team with any questions, or contact us directly here.
[1] HIPAA stands for the Health Insurance Portability and Accountability Act of 1996.
[2] PHI, as defined under HIPAA.
[3] In accordance with 45 CFR 164.520(b)&(c).
