Feb 16, 2026: HIPAA & 42 CFR Part 2 Update Deadline

February 16, 2026

The February 16, 2026 HIPAA Update: Navigating the 42 CFR Part 2 Alignment

The landscape of healthcare privacy is shifting. By February 16, 2026, all HIPAA-covered entities must comply with a major new federal rule that aligns 42 CFR Part 2 (the regulations governing Substance Use Disorder records) with the HIPAA Privacy Rule.

Who Must Become Compliant?

A common misconception is that these rules only apply to specialized substance abuse clinics. In reality, the "alignment" means that if these records touch your organization, you are likely in scope. This includes:

• Healthcare & Mental Health Providers: Any provider—from primary care to specialized mental health practices—that receives, maintains, or transmits Substance Use Disorder (SUD) treatment records for care coordination or billing.
• Employer Group Health Plans: Plans that receive SUD information for claims processing or wellness programs must ensure their privacy policies and plan documents reflect the new protections.
• Business Associates: Third-party vendors (billing companies, IT providers, EHR platforms) that handle Part 2 records on behalf of a covered entity are now directly subject to these confidentiality standards.

The Long-Term Goal: A Unified Privacy Standard

For decades, healthcare providers have struggled to manage two separate, often conflicting sets of privacy laws. The long-term goal of this federal update is to eventually fold 42 CFR Part 2 entirely under the HIPAA umbrella. By aligning these rules now, the Department of Health and Human Services (HHS) is moving toward a single, streamlined standard for all health information. This transition is designed to improve care coordination and ensure that sensitive Substance Use Disorder (SUD) data can flow securely between providers for treatment, payment, and operations—just like any other medical record.

Do I need to update my Notice of Privacy Practices (NPP)?

Yes. Most covered entities must update their NPP by the February 16, 2026 deadline. Because the new rule changes how SUD records are handled, your existing notice is likely out of date. The updated NPP must include specific language regarding how SUD records are used, new patient rights to request restrictions, and the strict new rules regarding the use of records in legal proceedings.

Don't Forget Your Business Associates

One of the most critical—and often overlooked—requirements of this update is the impact on your vendors. If your Business Associates (such as billing companies, IT providers, or cloud storage vendors) handle Part 2 records on your behalf, your Business Associate Agreements (BAAs) must be updated. These contracts must now explicitly bind the vendor to the new Part 2 confidentiality and redisclosure standards. Failing to update these agreements leaves a significant gap in your compliance framework.

New Breach Notification Standards

Under the new alignment, the HIPAA Breach Notification Rule now officially applies to Part 2 records. This means that if SUD data is compromised, you must follow the same rigorous reporting timelines and notification procedures required for any other HIPAA breach. Your internal incident response plans should be updated to ensure your team knows how to handle a breach involving these sensitive records.

The Risk of "Double Compliance"

Many organizations make the mistake of trying to maintain two separate compliance programs—one for HIPAA and one for Part 2. This is a high-risk strategy. If you attempt to manage these as independent silos, you will almost certainly end up with conflicting policies and duplicate information. This not only creates administrative headaches and "compliance fatigue" for your staff, but it also opens the door to regulatory gaps. When your Notice of Privacy Practices (NPP) says one thing and your SUD consent forms say another, you increase your risk of a breach or an unfavorable audit by the Office for Civil Rights (OCR).

What is Changing?

The new Final Rule, mandated by the CARES Act, simplifies your requirements by:

• Aligning Consent: Allowing a single patient consent for all future uses and disclosures for treatment, payment, and healthcare operations (TPO).
• Updating patient rights: New rights include an accounting of disclosures and the ability to request certain restrictions.
• Enforcement & penalties: The Office for Civil Rights (OCR) now enforces Part 2 with penalties aligned to HIPAA levels.

How We Help You Achieve Unified Compliance

We’ve designed our solutions to help you move away from fragmented "double compliance" and toward a single, cohesive privacy program:

1) All-in-One Privacy Documentation Kit

Don't waste time trying to patch together old templates. Our newly rewritten Privacy Documentation Kit supports both HIPAA Privacy and 42 CFR Part 2 compliance in a single, unified package. It eliminates duplicates and ensures your policies are consistent across the board. The kit includes:

• Updated Notice of Privacy Practices (NPP) templates
• New TPO consent forms that reflect Part 2 rules
• Policies for SUD Counseling Notes handling
• Business Associate Agreement (BAA) language updated for Part 2 redisclosure rules

2) Quick & Painless Staff Training (Part 2 add-on)

Your team doesn’t need to start from scratch. Once they’ve completed their base HIPAA Awareness training, our supplemental module gets them up to speed on the 42 CFR Part 2 updates in minutes. It’s a practical, role-based, and focused on everyday workflows so your team can apply the rules without the headache of "double standards."

3) Master Compliance Checklist for Compliance Officers

Stop wondering if you’ve missed a step. We provide a simple but comprehensive Master Checklist that outlines the high-level components you need to address for Part 2 compliance. This gives you a clear roadmap to ensure all required policies, notices, and staff training are complete and documented.

Don't Wait

Updating notices, policies, and training takes time. Start now to avoid last-minute scrambling and reduce enforcement risk. If you try to maintain separate HIPAA and Part 2 silos, you’ll likely create duplication and inconsistencies that are hard to fix later.

If you’d like help: our Privacy Documentation Kit is designed to simplify the transition and get your organization compliant with minimal disruption.

Source: