Privacy Guidance: What are the Content Requirements for the Revised Notice of Privacy Practices?
This article covers the revised NPP requirements related to Part 2 SUD records.
In 2024, HHS amended the Notice of Privacy Practices rule, imposing additional content requirements for the HIPAA Notice of Privacy Practices (NPP). An NPP is required by the HIPAA Privacy Rule. The additional requirements pertain to 42 CFR Part 2 (Part 2) substance use disorder (SUD) records and become enforceable on February 16, 2026. This article summarizes the additional requirements.
Does the Amended Rule Apply to All Covered Entities?
Yes. The amended Rule applies both to Part 2 programs and to HIPAA covered entities that are not Part 2 programs but that create, maintain, or receive records subject to 42 CFR Part 2. For example, although you might not be a Part 2 provider, you might receive medical records concerning a new patient who had been treated by a Part 2 program in the past.
What are the Requirements for Covered Entities that Create or Maintain 42 CFR Part 2 Substance Use Disorder Records?
Part 2 SUD records are records of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.
Written patient consent is required for uses and disclosures of Part 2 SUD records for treatment, payment, and healthcare operations (TPO). This consent may be on a single consent form. Non-TPO disclosures of these SUD records require separate, specific consent.
The revised Notice of Privacy Practices rule provides that if a covered entity maintains records subject to 42 CFR Part 2 and intends to use these records for fundraising for its benefit, the covered entity must first provide a clear and conspicuous opportunity for the patient to elect not to receive any fundraising communications.
Does the Revised NPP Rule Require Specific Content Changes to the NPP?
If a covered entity intends to use or disclose Part 2 SUD records in a civil, criminal, administrative, or legislative proceeding against a patient, the revised Notice of Privacy Practices must state that the covered entity may only do so when:
- The patient provides written consent for such use or disclosure; or
- A court orders the use or disclosure after provision of appropriate notice and an opportunity to be heard, AND a subpoena or other legal mandate compels the disclosure.
Will an Updated Notice of Privacy Practices Template be Available?
Compliancy Group has a revised Notice of Privacy Practices template available in The Guard’s Resource Library. For details on notification, effective date, and publication requirements for revised NPPs, refer to your Notice of Privacy Practices policy. For example, you will need to publish the revised NPP on your website.
Who Enforces Part 2 Requirements?
In August of 2025, the HHS Secretary delegated to the Office for Civil Rights (OCR) the authority to administer and enforce Part 2 regulations.
In February of 2026, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new program to implement and enforce the requirements that protect the confidentiality of Part 2 substance use disorder (SUD) patient records. OCR's enforcement authority extends not just to Part 2 programs, but also to providers that create, maintain, or receive records subject to Part 2. An example of a provider that creates, maintains, or receives Part 2 records is a healthcare provider that is not a Part 2 program, but that received medical records concerning a new patient who had been treated by a Part 2 program in the past.
To enforce Part 2 (including the updated Notice of Privacy Practices requirement), OCR may:
- Conduct compliance reviews.
- Investigate complaints alleging noncompliance with Part 2.
If OCR determines that a violation has occurred, OCR has a range of available remedies, including the imposition of a civil money penalty.
In February 2026, OCR published both a Model Part 2 Patient Notice (to be used by Part 2 programs) and an updated HIPAA Model Notice of Privacy Practices, which can be used by healthcare providers who are not Part 2 programs but who create, maintain, or receive records subject to Part 2. The Model Notices can be found here.