HIPAA compliance requirements continue to evolve, and recent court decisions have understandably drawn significant attention.

Last summer, we examined these developments in our Workplace Privacy Report article, analyzing how a Texas federal district court decision affected the HIPAA Reproductive Health Privacy Rule and why a subsequent Supreme Court decision may change that outcome.  The analysis remains an important resource for understanding the current state of reproductive health privacy under HIPAA.  While the litigation has curtailed significant portions of the Reproductive Health Privacy Rule, the related requirement to update Notices of Privacy Practices (NPPs) was not affected by the Texas court decision and appears to remain enforceable. As a result, covered entities should confirm their NPPs comply by the February 16, 2026, deadline. 

At the same time, covered entities and employer-sponsored health plans should not lose sight of a separate — and firmly in place — HIPAA compliance obligation: updating their NPPs to address substance use disorder (SUD) records, also by February 16, 2026.

The U.S. Department of Health and Human Services (HHS) finalized a 2024 rule revising the Confidentiality of Substance Use Disorder Patient Records to more closely align certain parts of the HIPAA Privacy Rule with rules relating to certain federally funded substance abuse treatment programs. That rule also introduced specific notice obligations for covered entities that create, receive, maintain, or transmit SUD information. All HIPAA-covered entities that handle such SUD records must update their NPPs.

Importantly, this obligation is not limited to traditional substance use treatment programs. Health plans, employers, and other covered entities may be subject to the updated notice requirements if they receive or maintain these records as part of care coordination, payment, or other health care operations.

HHS has not issued an updated model NPP reflecting either of these changes; covered entities and plan sponsors should therefore work with counsel to draft appropriate NPP language and confirm their distribution/posting procedures before the February 16, 2026, deadline.

Members of the Jackson Lewis Employee Benefits and Privacy Practice Groups can help if you have questions or need assistance. Please contact a Jackson Lewis employee benefits team member or the Jackson Lewis attorney with whom you regularly work.  Subscribe to the Benefits Law Advisor Blog here

Tags: HIPAA, Notice of Privacy Practices, NPP, substance use disorder
Print:
Email this postTweet this postLike this postShare this post on LinkedIn
Photo of Kellie M. Thomas Kellie M. Thomas

Kellie M. Thomas is co-leader of the firm’s Employee Benefits practice group. Her goal with every client is to provide practical and straightforward advice that breaks down and makes accessible the myriad issues and considerations arising under ERISA, the Internal Revenue Code (including…

Kellie M. Thomas is co-leader of the firm’s Employee Benefits practice group. Her goal with every client is to provide practical and straightforward advice that breaks down and makes accessible the myriad issues and considerations arising under ERISA, the Internal Revenue Code (including Sections 280G, 401(k), 403(b), 409A and 457(b) and (f)), the Affordable Care Act, COBRA, HIPAA, and the various other federal and state laws and regulations affecting benefit plans.

As part of her day to day advice and counsel work, Kellie regularly reviews, drafts and amends self- and fully-insured health and welfare plans; cafeteria plans; qualified and non-qualified retirement plans; employment, consulting, severance and change in control agreements; and stock option and other equity-based compensation plans. She drafts and prepares submissions under the Internal Revenue Service’s Employee Plans Compliance Resolution System and the Department of Labor’s Voluntary Fiduciary Correction Program, and reviews and qualifies proposed Qualified Domestic Relations Orders and Qualified Medical Child Support Orders. Kellie also counsels on corporate governance and fiduciary matters, including the structure and duties of retirement and benefit plan committees.

Kellie also has extensive experience advising on all benefits-related aspects of corporate transactions, from due diligence and transaction document negotiations to benefits integration following a closing. She particularly enjoys building relationships during the transaction process that continue after the deal is done.

Read more about Kellie M. Thomas
Show more Show less
Photo of Joseph J. Lazzarotti Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the…

Joseph J. Lazzarotti is a principal in the Tampa, Florida, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Read more about Joseph J. Lazzarotti
Show more Show less
Related Posts
Not So Fast: DOL Releases Annual Funding Notice Guidance Just Before the Distribution Due Date
April 21, 2025
What the End of the COVID-19 Pandemic Means for Employee Benefit Plan Deadlines and Coverage
March 10, 2023
SECURE 2.0 Series Part 6: Changes to Retirement Plan Notice Requirements
January 26, 2023