News Archive

"Plan sponsors should determine if and how the new Part 2 requirements apply to their group health plan and review their NPPs accordingly. Plan sponsors should also review whether and how PHI and SUD records travel through their systems and consult with any vendors that handle SUD records to ensure compliance. This may also require updates to business associate agreements for vendors that handle SUD on behalf of the group health plan."  MORE >>

"In addition to the required NPP changes going into effect on February 16, 2026, OCR's authority to enforce Part 2 will take effect, which will allow the following: [1] Individuals will be able to file complaints with OCR for alleged Part 2 violations; [2] Part 2 providers will be required to report breaches of unsecured Part 2 records; and [3] OCR can begin investigation and enforcement activities, including the imposition of civil monetary penalties for violations."  MORE >>

"It is critical for covered entities to understand what state laws, if any, may impose additional obligations upon them, and that merely complying with HIPAA is not enough. This is made even more important by the raft of state-specific privacy protection laws that states across the country have implemented within the last decade. The examples [in this article] illustrate when and where state law may impose burdens more demanding than HIPAA and the Privacy Rule, but also note where HIPAA preempts other, conflicting state laws."  MORE >>

"The minimum penalty for each violation of a particular HIPAA requirement or prohibition increases to $145 (up from $141) for a covered entity or business associate that did not know -- and could not have known by exercising reasonable diligence -- about the violation. For violations due to reasonable cause and not willful neglect, the minimum penalty increases to $1,461 (up from $1,424).... The calendar-year penalty cap increases to $2,190,294 (up from $2,134,831) for all violations of an identical HIPAA provision."  MORE >>

"[A] February 16, 2026, deadline ... requires health plans and most health care providers to update their Notices of Privacy Practices (NPPs).... Although the task may appear administrative, the revisions present a strategic opportunity to evaluate privacy practices, modernize internal systems, and reinforce protections for sensitive health information."  MORE >>

"If you sponsor a group health plan and are required to comply with the new NPP requirements, make sure your NPP is updated accordingly by February 16, 2026.... Although HHS typically provides sample language for the NPP, none has been issued as of this insight's publication. Once finalized, you should distribute the notice within the legal timeframes. For group health plans, the deadline to do so depends on whether the plan posts its notice on a website (as permitted if certain rules are met)."  MORE >>

"If your plan is fully insured, confirm (or re-confirm) whether the data you maintain requires you to have a Notice of Privacy Practices. If your insurer maintains the Notice of Privacy Practices for plan participants, inquire with your insurer whether the Notice has been updated and where the updated Notice can be found. If your plan is not fully insured ... ensure your privacy policy and any related documents and authorization forms are updated ... by the deadline; [and] post the Notice online (or mail the Notice to participants within 60 days of the update)."  MORE >>

"Many plan administrators currently provide a NPP that is based on the HHS model template that first became available in 2013.... HHS may not release a revised version in time for the compliance deadline. In the absence of a revised model, plan administrators that use the model template may consider going off template or addressing the new requirements in one of the model's customizable text boxes."  MORE >>

"Updating an NPP is rarely a simple drafting exercise, often requiring coordination across legal, compliance, privacy, IT, and operational teams to ensure notice language aligns with real-world data use and disclosure practices. In some cases, updating the NPP may also necessitate changes to internal policies, consent workflows, training materials, or vendor arrangements."  MORE >>

"Employer sponsors of self-funded group health plans that are subject to [HIPAA] should take immediate action to revise and redistribute their HIPAA Notice of Privacy Practices (NPP). For plan sponsors of fully insured group health plans, the NPP obligation is typically handled by the insurance carrier. But this NPP requirement does apply to plan sponsors of Medical Flexible Spending Accounts and Health Reimbursement Arrangements (because these are forms of self-funded group health plans).... The deadline to update and distribute the new NPP is February 16, 2026."  MORE >>

"Plan sponsors who previously made updates to the plan’s NPP, or other HIPAA compliance materials, to reflect the now vacated rules related to reproductive health information will also need to update those materials to remove those changes, if they have not already done so."  MORE >>

"By eliminating unnecessary software and services, patching vulnerabilities, and implementing secure configurations, organizations can reduce their 'attack surface,' thereby reducing the weaknesses and vulnerabilities that an attacker can exploit. OCR emphasizes that hardening is not a single action but an ongoing discipline requiring regular review, documentation, and updates as threats evolve. The newsletter outlines how HIPAA covered entities, business associates, and their workforce can strengthen their defenses through system hardening."  MORE >>

"[H]ealth plans must update their NPPs by February 16 to ... [1] Describe any use or disclosure that is prohibited or materially limited by Part 2. [2] Describe the limitations on use and disclosure of Part 2 records in legal proceedings without the individual's written consent or a court order. [3] Provide a clear and conspicuous opportunity to opt out of fundraising communications before the covered entity uses Part 2 records for fundraising purposes."  MORE >>

"[OCR's] January 2026 Cybersecurity Newsletter ... reinforces OCR's continued expectation that HIPAA covered entities and business associates proactively reduce cybersecurity risks to electronic protected health information (ePHI) through ongoing technical and operational safeguards.... Privacy and security officers should also consider these recommendations as a baseline for risk management responsibilities and consider integrating the safeguards into internal auditing programs."  MORE >>

"A significant question arises as to whether the revised Notice must be delivered on paper or whether it can be provided by email. The HIPAA regulations generally require an individual to agree to receive an emailed Notice, but health plans and health care providers may consider whether that requirement strictly applies to the revised Notice. Plan sponsors and providers may also consider whether changes to other HIPAA-related documents are appropriate[.]"  MORE >>

"Both [OMB] and the Spring DOL Regulatory Agenda have teased an upcoming requirement for [PBMs] to disclose fees and rebates to ERISA health plan fiduciaries.... The 2025 new trend extending into 2026 is making prescription drugs available directly to consumers at lower costs,.... New electronic disclosure rules for health plans ... This year should bring additional transparency rules."  MORE >>

"Many covered entities have not made significant changes to these Notices since the HITECH Act rules of 2013, but new revisions must be implemented by February 16, 2026.... Prior amendments to [HIPAA] regulations relating to reproductive health information were vacated in June 2025; however, the court decision vacating those rules left intact requirements for handling substance use disorder information protected under 42 C.F.R. Part 2."  MORE >>

"[C]overed entities must update their NPPs to reflect amendments to the HIPAA Privacy Rule that align HIPAA with the federal confidentiality framework for substance use disorder (SUD) treatment records ... [P]lan sponsors should confirm that their NPPs do not reference HIPAA Privacy Rule amendments addressing reproductive health care information that were finalized in 2024 but later vacated and are no longer in effect."  MORE >>

Seventeen 2026 compliance guides cover common employee health and welfare benefits issues and strategies for employers, including COBRA, HSAs, domestic partner issues, HIPAA, ICHRA, and more.   MORE >>

"HIPAA requires covered entities to post and provide individuals with a copy of the provider's NPP no later than the first day services are delivered. The NPP must contain the elements, information and statements specified in 45 CFR 164.520 ... By February 16, 2026, covered entities must update their NPP to also address the following: [1] Notice of Rights Concerning Substance Use Disorder Records.... [2] Limits on Use of SUD Records.... [3] Impact of Other Laws.... [4] Fundraising."  MORE >>

"The guidance that enrolling in a [Direct Primary Care Arrangement (DPCA)] will not cause individuals to lose HSA eligibility is helpful. However, questions remain regarding how DPCA offerings can be structured so that their services can be reimbursed from an HSA, and what services may be treated as primary care services. In addition, [Notice 2026-5] provides some flexibility with respect to individuals enrolling in bronze and catastrophic plans off-Exchange or through an ICHRA."  MORE >>

"Many federal laws create mandates that may apply to your group health plan. Here are some to be aware of: [1] [ACA] ... [2] [MHPAEA] ... [3] Women's Health and Cancer Rights Act (WHCRA) ... [4] Newborns' and Mothers' Health Protection Act (NMHPA) ... [5] [FMLA].... [6] [USERRA] ... [7] Medicare Secondary Payer (MSP) ... [8] Medicare Prescription Drug, Improvement, and Modernization Act (MMA) ... [9] Federal laws prohibiting employment discrimination."  MORE >>

"To comply with HIPAA Privacy Regulations, by February 16, 2026, all HIPAA covered entities are required to update their Notice of Privacy Practices (NPP) to address the use and disclosure of substance use disorder (SUD) treatment records that covered entities may receive from a SUD treatment program subject to 42 CFR Part 2 (Part 2 Program). The updates to the NPP are required even if the covered entity itself does not provide SUD services and is not itself considered a Part 2 Program."  MORE >>

"[1] Health legislation in congress ... [2] Transparency regulations ... [3] OBBB act guidance ... [4] NSA guidance ... [5] Mental Health Parity and Addiction Equity Act (MHPAEA) ... [6] Expansion of fertility benefits ... [7] Direct-to-consumer prescription drug programs ... [8] ERISA preemption of state PBM laws ... [9] Fiduciary breach litigation ... 10. HIPAA wellness/tobacco surcharge litigation."  MORE >>

"If passed, HIPRA would extend 'medical-grade' privacy, security, and breach obligations to a wide swath of consumer-focused digital health companies, such as smartwatches, wearables, health and wellness apps, life science companies with patient apps, health plans and hospitals' online tools, retail clinics, data/AI vendors, and employer wellness programs that sit outside traditional (HIPAA) coverage today.... [It] is paramount that digital health companies engage in a more unified, forward-looking privacy and security program now."  MORE >>