HIPAA Privacy Notice Upcoming Deadline
Employers with group health plans need to confirm that their HIPAA Privacy Notices are updated no later than February 16, 2026, to reflect changes required by the 2024 Privacy Rule.
What Do Plan Sponsors Need to Do?
Generally, group health plan sponsors must update their HIPAA Privacy Notice to:
- Add language that aligns privacy practices with the federal confidentiality framework for substance use disorder (SUD) treatment records under 42 C.F.R. Part 2 (Part 2); and
- Remove any reproductive health care language previously added to comply with 2024 Privacy Rule amendments that have since been vacated.
If your group health plans use or disclose SUD treatment records or were updated for prior changes for reproductive health care, you should make sure your HIPAA Privacy Notice is up to date.
When Is the Deadline?
February 16, 2026. Group health plans generally comply with the HIPAA Privacy Notice requirement by posting on the plan's website. Once your Privacy Notice is updated, it can be posted on the plan's website. A hard copy notice (with instructions for how to obtain the revised notice) can be sent in the plan's next annual mailing.
Do These Changes Apply to Fully Insured Health Plans?
Yes, but for fully insured health plans, the carrier is responsible for the HIPAA Privacy Notice. Plan sponsors do not have to take any action.
What Is the History of These Changes?
Part 2 is a federal regulation governing the confidentiality of SUD patient records maintained by certain SUD treatment providers. Part 2 is more restrictive than HIPAA, reflecting a concern that individuals might forgo SUD treatment if their information could be widely disclosed. Group health plans are not Part 2 programs, but they can receive Part 2-protected records through appeals, utilization management, care coordination, behavioral health carve-outs, employee assistance programs (EAPs), or case management.
While the Part 2 final rule became effective in April 2024, HIPAA-covered entities and business associates have until February 16, 2026, to comply with its requirements. HHS revised HIPAA's Privacy Notice requirements to ensure that individuals receive clear notice of how their SUD information may be used, disclosed, and protected. Group health plan sponsors will want to review their Privacy Notice to ensure that it 1) does not suggest that Part 2-protected SUD treatment information is treated like other protected health information (PHI); 2) reflects that additional legal protections may apply to certain Part 2-protected SUD records; and 3) accurately describes the plan's legal duties with regard to Part 2-protected SUD records.
Separately, in 2024, HHS finalized HIPAA Privacy Rule amendments prohibiting certain uses and disclosures of reproductive health care information. However, a federal court vacated those provisions. This means that any reproductive health care language previously added to a Privacy Notice to comply with the 2024 amendments must now be removed to accurately reflect current law.
Please feel free to contact a member of DWT's employment services group if you have any questions about how this may impact your company.