Healthcare Law • Data Privacy • March 2026
Introduction
The U.S. Department of Health and Human Services (HHS) released revised Model Notices of Privacy Practices (NPPs) in February 2026, marking one of the most significant updates to HIPAA privacy compliance requirements in recent years. These model notices, developed by the HHS Office for Civil Rights (OCR), are designed to help healthcare providers, health plans, and substance use disorder (SUD) treatment programmes meet their obligations under both the HIPAA Privacy Rule and the newly integrated Part 2 regulations.
For healthcare entities operating in the United States, and for international law firms advising clients with US healthcare operations, understanding these updated requirements is essential. This article breaks down the key changes, who is affected, and what steps covered entities must take to remain compliant.
What Are HIPAA Notices of Privacy Practices?
Under the HIPAA Privacy Rule (45 CFR §164.520), every covered entity — including hospitals, clinics, doctor’s offices, pharmacies, health insurers, and health maintenance organisations — is required to develop and distribute a Notice of Privacy Practices (NPP).
What the NPP Covers
How Protected Health Information (PHI) may be used and disclosed; what rights individuals have regarding their health information; and what the covered entity’s legal duties are with respect to protecting that information.
The NPP is not a formality. It is a legally binding commitment. Failure to maintain and distribute a compliant NPP can result in enforcement action by the OCR, including civil monetary penalties reaching up to $2.13 million per violation category per year.
What Changed in February 2026?
1. The 2024 Part 2 Final Rule
Historically, substance use disorder (SUD) patient records were governed by a separate and stricter regulation — 42 CFR Part 2. The 2024 Part 2 Final Rule substantially aligned Part 2 with HIPAA, allowing integrated handling of SUD records while maintaining protections against their use in criminal proceedings. As of February 16, 2026, covered entities must include SUD information in their standard NPP.
2. The 2024 HIPAA Privacy Rule Final Rule
This rule introduced Part 2 provisions into the HIPAA framework, requiring covered entities to address SUD record protections within their existing compliance infrastructure.
Critical Deadline
As of February 16, 2026, all HIPAA covered entities must include SUD-related information in their Notice of Privacy Practices. This is mandatory regardless of whether the entity currently treats SUD patients.
The Three New Model Notice Templates
Health Care Provider NPP
For hospitals, clinics, physician practices, and pharmacies. Now includes sections on SUD patient records and restrictions on use of SUD information in legal proceedings.
Health Plan NPP
For health insurers, HMOs, employer-sponsored plans, and government programmes. Ensures members understand how SUD-related claims and treatment data will be handled.
Part 2 Patient Notice
New template for federally assisted SUD treatment programmes. Closely aligned with HIPAA NPP format. Covered entities may create a single combined notice.
Key Compliance Obligations
| Obligation | Requirements |
|---|---|
| Distribution | Must be available to anyone who requests it. Providers must deliver no later than date of first service and seek written acknowledgement. |
| Website Posting | Any covered entity with a website must prominently post its NPP. |
| Material Changes | Revised NPP must be distributed when changes occur. Health plans within 60 days. |
| SUD Integration | As of Feb 16, 2026, SUD information must be included — mandatory for all covered entities. |
International Relevance
Cross-border healthcare operations: Any organisation providing healthcare services to US patients or processing US-origin PHI must comply with HIPAA’s NPP requirements.
Comparative frameworks: The HIPAA model notice parallels India’s DPDPA 2023 requirement for data fiduciaries to provide clear processing notices, though India’s framework is broader and not limited to health data.
Business Associates: International companies serving as Business Associates — cloud providers, IT vendors, billing companies — must ensure alignment with the covered entity’s NPP commitments.
Juris Altus Insight
With offices in Panchkula and Delhi-NCR, and alliance network connections in London, Dubai, and Toronto, Juris Altus is uniquely positioned to advise on cross-jurisdictional health data compliance — bridging HIPAA (US), GDPR (EU), DPDPA 2023 (India), and UK DPA 2018.
Practical Steps for Compliance
1. Download the model templates from the HHS website and customise with your organisation’s details.
2. Conduct a gap analysis comparing your current NPP against the new templates.
3. Review Business Associate Agreements to ensure all vendors are aware of the updated practices.
4. Train your workforce. Every staff member handling PHI must understand the revised NPP.
5. Update your website. Post the revised NPP prominently and ensure easy access.
6. Document everything. HIPAA requires demonstrable compliance, not just good intentions.
How Juris Altus Can Help
Comprehensive healthcare compliance advisory for institutions operating across jurisdictions.
• HIPAA compliance audits
• Drafting & reviewing NPPs
• BA Agreement review
• Cross-border data advisory
• Workforce training
• Breach response
Ravinder Singh Dhull
Advocate, Punjab & Haryana High Court (Bar No. P-991/2003) | Founding Partner, M & D Law Associates LLP | Former Additional Advocate General of Haryana | 22+ years of practice.
This article is for informational purposes only and does not constitute legal advice. For specific HIPAA guidance, consult qualified healthcare regulatory counsel. Model templates available at hhs.gov/hipaa.