January 30, 2026 – Health Plan Sponsors should note that updates to the HIPAA Notice of Privacy Practices are required by February 16, 2026. Below is an overview of what changes are required and how health plan sponsors can comply.  

Background

The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) requires covered entities, including group health plans, to maintain and distribute a Notice of Privacy Practices (“NPP”) that outlines how a covered entity may use and disclose an individual’s protected health information (“PHI”), along with other required content and disclosures. 

In April 2024, the Department of Health and Human Services (“HHS”) issued a final rule that (1) strengthened HIPAA privacy protections related to reproductive healthcare; and (2) revised the NPP requirements for consistency with other HHS regulations concerning substance use disorder treatment records (“Part 2 Records”). 

In June 2025, the U.S. District Court for the Northern District of Texas vacated the reproductive healthcare privacy protections. However, the ruling did not affect the requirement that Health Plan Sponsors update NPP requirements for Part 2 Records. 

Impact on Plan Sponsors

Fully Insured Plans: Although insurance carriers typically manage the NPP, fully insured plan sponsors must make the required updates by February 16 if the employer creates or receives PHI beyond summary health information or information used for enrollment.

Self-Insured Plans: Employers sponsoring self-insured plans are responsible for updating their NPP by the February 16 deadline. 

Plans must distribute the updated NPP to participants within 60 days of making the changes. However, if a plan typically posts its NPP on a website where participants can access plan documents, the plan sponsor may post the updated NPP online and include the revised notice in its next annual mailing. Plans must also provide the updated NPP to all new participants and anytime an existing participant requests it. 

Required Changes

These are the new Privacy Protections for the Part 2 Records concerning substance use disorder treatment, which Health Plan Sponsors must implement and provide notice for:

• Notice of Rights. Reference Part 2 Records in the NPP including how the records may be used or disclosed, the individual’s rights, and the covered entity’s duties related to the records. 
• Higher Standard. Include an explanation that Part 2 Records are not treated like other PHI and generally cannot be disclosed for treatment, payment, and healthcare operations without specific patient consent. 
• Limitations on Use. State that covered entities may not use or disclosure Part 2 Records in a civil, criminal, administrative, or legislative proceeding against the individual without written consent from the individual or a court order; and
• Fundraising. Organizations that maintain Part 2 Records for use or disclosure related to its own fundraising must update the NPP to clearly and conspicuously inform individuals of their right to opt out of receiving and fundraising communications. 

Health plans that previously updated their NPP to comply with the now-vacated reproductive healthcare protections should consider revising or removing that language accordingly. 

Policies and procedures should also be updated as needed to ensure that consistent authorization forms and related practices align with the new disclosure requirements. 

For more information on the required changes, please contact Dwayne Littauer, Malerie Bulot, or Emily Tastet of the Kullman Firm to assist you.