News Archive: HIPAA
Constangy, Brooks, Smith & Prophete, LLP
[Guidance Overview]
Apr. 13, 2026

"If the provisions of the Final Rule are substantially similar to those in the Proposed Rule, it would raise the bar for demonstrating compliance with the HIPAA Security Rule. Under the proposed framework, incomplete documentation or informal practices will be harder to defend, particularly where an entity cannot show consistent, enterprise-wide governance. Organizations with mature, well-documented security programs will be better positioned to adapt, while others may need to reassess foundational compliance structures."

Tags: HIPAA

Miller Nash LLP
Mar. 20, 2026

"Employers should continue to exercise care to ensure that requests for medical records and similar information are justified by applicable law ... but can now be assured that, where necessary, HIPAA does not excuse the employee's obligation to provide it.... Employers should also continue to maintain medical records separately from personnel files, limit access to those with a need to know, and state in forms and notices how information will be used and protected, aligning with federal and state privacy obligations." [Trumper v. Women's Healthcare Assoc. LLC, No. 1010 (Ore. App. Nov. 26, 2025)]

Tags: HIPAA

Tags: HIPAA  •  Health Plan Administration  •  Reporting to Government Agencies

Haynes Boone
[Guidance Overview]
Mar. 12, 2026

"For plan sponsors, the potential lag between the date when mail is deposited at USPS and when it is actually processed and postmarked creates risk that time-sensitive materials (e.g., COBRA election notices, HIPAA certificates, decisions on benefit claims and appeals, summary plan descriptions, QDIA notices, fee disclosures and other required disclosures) may bear a postmark date later than intended, even if mailed before the deadline."

Tags: COBRA  •  HIPAA  •  Retirement Plan Administration

WTW
[Guidance Overview]
Mar. 6, 2026

"Group health plans can access a model notice as well as a Word version of a model notice on the HHS website. Under the HIPAA privacy rules, group health plans and other covered entities that receive, maintain or transmit certain SUD treatment records must update their NPPs to include specific content related to how they use or disclose the records. The deadline for updating the NPP was February 16, 2026."

Tags: HIPAA

Fisher Phillips
[Guidance Overview]
Mar. 3, 2026

"[1] Determine if your organization receives, maintains, or transmits PHI.... [2] Don't rely solely on TPA's policies.... [3] Designate a HIPAA Compliance Officer.... [4] Implement policies on uses and disclosures of PHI.... [5] Maintain a Notice of Privacy Practices (NPP) for your plan participants.... [6] Comply with the Security Rule and stay tuned for updates.... [7] Implement a business associate agreement (BAA) when required.... [8] Follow breach notification rules.... [9] Ensure ERISA fiduciary and cybersecurity oversight."

Tags: HIPAA

Holland & Hart LLP
[Guidance Overview]
Mar. 3, 2026

"As of February 16, 2026, the new rules governing the confidentiality of substance use disorder (SUD) records will be enforced. If they have not done so, federally assisted SUD programs (Part 2 Programs) who are covered entities under HIPAA will need to update their business associate agreements (BAAs) to ensure compliance with the new rules."

Tags: HIPAA

Fox Rothschild LLP
[Guidance Overview]
Feb. 27, 2026

"Health plans (including employer sponsors of self-insured group health plans) must update their published NPPs. Coming to the rescue of providers that waited to make the required changes to their Notices of Privacy Practices regarding SUD treatment records, the federal government itself waited until February 16 to update its model Notice of Privacy Practices to provide sample language that can be used to update or help draft NPPs for Part 2 compliance."

Tags: HIPAA

Thomson Reuters / EBIA
[Guidance Overview]
Feb. 26, 2026

"[T]he revised model notices can be a useful starting point, but plan sponsors should ensure that the final NPP language aligns with their actual practices and administration, and should coordinate updates with insurers, TPAs, and counsel. Given OCR's announcement of a civil enforcement program for confidentiality of SUD patient records, plan sponsors, group health plans, and business associates that receive and disclose information related to SUDs should act quickly to understand their obligations."

Tags: HIPAA

Sheppard
[Guidance Overview]
Feb. 24, 2026

"[1] Review and update consent forms facilitating release of SUD information to take advantage of the Final Rule's new flexibilities ... [2] Review and update Notices of Federal Confidentiality Requirements ... [3] Review and update Notices of Confidentiality Requirements ... [4] Revisit existing relationships with qualified service organizations (QPOs) to ensure appropriate agreements are in place. [5] Ensure that personnel handling SUD information receive training on the Final Rule's updates."

Tags: HIPAA

Quarles & Brady LLP
[Guidance Overview]
Feb. 20, 2026

"February 16, 2026 was not just another regulatory waypoint -- it marked the compliance deadline for significant changes affecting [HIPAA] Notices of Privacy Practices (NPP), driven by amendments aligning HIPAA more closely with ... the federal confidentiality regulations for substance use disorder (SUD) records. If your plan has not recalibrated yet, now is the time to check your settings."

Tags: HIPAA

Nixon Peabody LLP
[Guidance Overview]
Feb. 16, 2026

"[M]any HIPAA covered entities must implement updates to align certain Part 2 regulations with the HIPAA Privacy Rule. Guidance is now available for Notice of Privacy Practices (NPP) updates. OCR's Part 2 enforcement authority becomes active on February 16, 2026, and OCR has opened its portal for Part 2 complaints. To the extent separate from their HIPAA NPP, SUD providers now have a model Part 2 Patient Notice from OCR."

Tags: HIPAA

Winston & Strawn LLP
[Guidance Overview]
Feb. 4, 2026

"Plan sponsors should determine if and how the new Part 2 requirements apply to their group health plan and review their NPPs accordingly. Plan sponsors should also review whether and how PHI and SUD records travel through their systems and consult with any vendors that handle SUD records to ensure compliance. This may also require updates to business associate agreements for vendors that handle SUD on behalf of the group health plan."

Tags: HIPAA

Nixon Peabody LLP
[Guidance Overview]
Feb. 4, 2026

"In addition to the required NPP changes going into effect on February 16, 2026, OCR's authority to enforce Part 2 will take effect, which will allow the following: [1] Individuals will be able to file complaints with OCR for alleged Part 2 violations; [2] Part 2 providers will be required to report breaches of unsecured Part 2 records; and [3] OCR can begin investigation and enforcement activities, including the imposition of civil monetary penalties for violations."

Tags: HIPAA

Holland & Hart LLP
[Guidance Overview]
Feb. 4, 2026

"It is critical for covered entities to understand what state laws, if any, may impose additional obligations upon them, and that merely complying with HIPAA is not enough. This is made even more important by the raft of state-specific privacy protection laws that states across the country have implemented within the last decade. The examples [in this article] illustrate when and where state law may impose burdens more demanding than HIPAA and the Privacy Rule, but also note where HIPAA preempts other, conflicting state laws."

Tags: HIPAA  •  Local Regulation

Mercer
[Guidance Overview]
Feb. 2, 2026

"The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $145 (up from $141) for a covered entity or business associate that did not know -- and could not have known by exercising reasonable diligence -- about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,461 (up from $1,424).... The calendar-year penalty cap increases to $2,190,294 (up from $2,134,831) for all violations of an identical HIPAA provision."

Tags: HIPAA  •  Health Plan Costs

Seyfarth Shaw
[Guidance Overview]
Jan. 30, 2026

"[A] February 16, 2026, deadline ... requires health plans and most health care providers to update their Notices of Privacy Practices (NPPs).... Although the task may appear administrative, the revisions present a strategic opportunity to evaluate privacy practices, modernize internal systems, and reinforce protections for sensitive health information."

Tags: HIPAA

Fisher Phillips
[Guidance Overview]
Jan. 28, 2026

"If you sponsor a group health plan and are required to comply with the new NPP requirements, make sure your NPP is updated accordingly by February 16, 2026.... Although HHS typically provides sample language for the NPP, none has been issued as of this insight's publication. Once finalized, you should distribute the notice within the legal timeframes. For group health plans, the deadline to do so depends on whether the plan posts its notice on a website (as permitted if certain rules are met)."

Tags: HIPAA

Bond, Schoeneck & King
[Guidance Overview]
Jan. 27, 2026

"If your plan is fully insured, confirm (or re-confirm) whether the data you maintain requires you to have a Notice of Privacy Practices. If your insurer maintains the Notice of Privacy Practices for plan participants, inquire with your insurer whether the Notice has been updated and where the updated Notice can be found. If your plan is not fully insured ... ensure your privacy policy and any related documents and authorization forms are updated ... by the deadline; [and] post the Notice online (or mail the Notice to participants within 60 days of the update)."

Tags: HIPAA

Ice Miller LLP
[Guidance Overview]
Jan. 22, 2026

"Many plan administrators currently provide a NPP that is based on the HHS model template that first became available in 2013.... HHS may not release a revised version in time for the compliance deadline. In the absence of a revised model, plan administrators that use the model template may consider going off template or addressing the new requirements in one of the model's customizable text boxes."

Tags: HIPAA

Fenwick & West LLP
[Guidance Overview]
Jan. 21, 2026

"Updating an NPP is rarely a simple drafting exercise, often requiring coordination across legal, compliance, privacy, IT, and operational teams to ensure notice language aligns with real-world data use and disclosure practices. In some cases, updating the NPP may also necessitate changes to internal policies, consent workflows, training materials, or vendor arrangements."

Tags: HIPAA

Miller Johnson
[Guidance Overview]
Jan. 20, 2026

"Employer sponsors of self-funded group health plans that are subject to [HIPAA] should take immediate action to revise and redistribute their HIPAA Notice of Privacy Practices (NPP). For plan sponsors of fully insured group health plans, the NPP obligation is typically handled by the insurance carrier. But this NPP requirement does apply to plan sponsors of Medical Flexible Spending Accounts and Health Reimbursement Arrangements (because these are forms of self-funded group health plans).... The deadline to update and distribute the new NPP is February 16, 2026."

Tags: HIPAA


Thomson Reuters / EBIA
[Guidance Overview]
Jan. 15, 2026

"By eliminating unnecessary software and services, patching vulnerabilities, and implementing secure configurations, organizations can reduce their 'attack surface,' thereby reducing the weaknesses and vulnerabilities that an attacker can exploit. OCR emphasizes that hardening is not a single action but an ongoing discipline requiring regular review, documentation, and updates as threats evolve. The newsletter outlines how HIPAA covered entities, business associates, and their workforce can strengthen their defenses through system hardening."

Tags: HIPAA

Proskauer
[Guidance Overview]
Jan. 14, 2026

"[H]ealth plans must update their NPPs by February 16 to ... [1] Describe any use or disclosure that is prohibited or materially limited by Part 2. [2] Describe the limitations on use and disclosure of Part 2 records in legal proceedings without the individual's written consent or a court order. [3] Provide a clear and conspicuous opportunity to opt out of fundraising communications before the covered entity uses Part 2 records for fundraising purposes."

Tags: HIPAA