Critical Deadline: February 16, 2026

By February 16, 2026, all HIPAA-covered entities, regardless of their practice's size or specialty, must update their Notice of Privacy Practices (NPP).

The updates align HIPAA with revised substance use disorder (SUD) patient record regulations under 42 CFR Part 2. Even if your practice doesn't treat SUD patients, you may receive these records for care coordination, so the updates likely apply to you.

Your updated NPP must include:

• How you use and disclose SUD records
• Patient rights regarding consent for treatment, payment, and operations
• Re-disclosure restrictions and procedures
• Enhanced privacy protections for sensitive health information

Action Steps for Your Practice

• Update your Notice of Privacy Practices by February 16, 2026
• Review current cybersecurity measures against proposed requirements
• Verify your business associate agreements are current
• Document your technology assets and data flows

2026 Compliance Updates

1. The 15-Day Access Rule: Patients now have a right to access their billing and health records within 15 calendar days (previously 30). Speed in responding to requests is now a legal requirement
2. Reproductive Health Privacy: New protections prohibit disclosing PHI related to lawful reproductive healthcare for investigations or audits. This requires extra scrutiny when responding to subpoenas
3. AI in Billing: If AI tools are used to automate claim scrubbing or coding, the organization must ensure those tools have a signed Business Associate Agreement (BAA) and do not store data in “public” AI models

How We Prepare

Our team actively updates our systems and processes to meet these new standards, ensuring uninterrupted, compliant service for your practice. This includes implementing enhanced security protocols, updating our documentation, and maintaining regular security assessments.