2026 HIPAA Updates for SUD Records

New HIPAA Rules for Substance Use Disorder Records: What Covered Entities Need to Know

As of February 16, 2026, HIPAA-covered entities must comply with new federal requirements that change how substance use disorder (SUD) treatment records are addressed in privacy documentation. These updates revise the HIPAA Privacy Rule to better align with the Federal Confidentiality of Substance Use Disorder Patient Records regulations (42 CFR Part 2) and introduce new documentation and notice requirements for covered entities.

These changes affect a wide range of healthcare organizations — including dental practices, medical offices, health plans, and any covered entity that may receive or maintain SUD-related information.

What’s Changing Under HIPAA and Part 2 Regulations

Historically, HIPAA and Part 2 have operated under different confidentiality standards. Part 2 provides enhanced privacy protections for substance use disorder treatment records created by federally assisted programs. The updated federal rule changes how these protections integrate with HIPAA and requires covered entities to revise how they describe their privacy practices.

Effective February 16, 2026, covered entities must update their Notice of Privacy Practices (NPP) to explain how SUD records protected under Part 2 may be used and disclosed. These requirements stem from a final rule issued in 2024 that modernized Part 2 while preserving stricter safeguards for sensitive SUD information.

Why These Updates Matter

Even if a practice does not provide substance use disorder treatment directly, it may still receive SUD-related information through patient disclosures, referrals, health histories, or care coordination. When that happens, the enhanced confidentiality requirements of Part 2 apply.

Key Part 2 Protections Include:

• Heightened confidentiality requirements for SUD diagnosis, treatment, or referral records
• More restrictive consent rules for disclosures of SUD information
• Limits on the use of SUD records in civil, criminal, administrative, or legislative proceedings without patient consent or a qualifying court order

These protections exceed standard HIPAA privacy requirements and must be clearly communicated to patients through updated privacy notices.

What Covered Entities Must Do by February 16, 2026

1. Update the Notice of Privacy Practices (NPP)

Covered entities must revise their NPP to include:

• A description of how SUD records protected under Part 2 may be used and disclosed
• Consent requirements specific to SUD treatment information
• Statements explaining restrictions on the use of SUD records in legal proceedings
• Patient rights related to SUD information, including limitations on redisclosure

Updated notices must be provided to patients at intake, made available at physical office locations, and posted online if the entity maintains a website. Electronic distribution is permitted if patients have agreed to receive notices electronically.

2. Review and Update Internal Policies and Forms

Practices should review whether they create, receive, or store SUD-related records and ensure their internal policies, procedures, and authorization forms align with the updated requirements. This includes confirming that consent language accurately reflects current federal rules.

3. Educate and Train Staff

Because Part 2 protections go beyond baseline HIPAA requirements, workforce training should emphasize the special handling, disclosure limitations, and documentation requirements that apply to SUD-related information. Both clinical and administrative staff should understand when heightened protections apply.

Preparing for the 2026 HIPAA Changes: How We Can Help

Staying ahead of HIPAA updates doesn’t have to be complicated. Our 2026 HIPAA Compliance Documentation includes the required updates addressing substance use disorder (SUD) records, including revised Notice of Privacy Practices language aligned with updated HIPAA and Part 2 requirements.

In addition to documentation updates, our 2026 HIPAA training also covers the required substance use disorder (SUD) content to ensure staff understand the heightened confidentiality protections and disclosure limitations associated with these records.

If You’re Subscribed to Annual Updates and Training

If you’re enrolled in our annual documentation update program and have HIPAA training access, be sure to log into your account, download, and implement your 2026 HIPAA updates before the February 16, 2026 deadline.

As long as your team has completed the associated SUD-related module within the HIPAA training, no additional training action is needed — you’re all set from a training perspective.

If You Have HIPAA Documentation but No Training

If you already have HIPAA documentation in place but do not currently have HIPAA training, we recommend reviewing our HIPAA training options. Training helps ensure your workforce understands how to properly handle sensitive SUD-related information under the updated rules.

If You Don’t Currently Have HIPAA Documentation or Training

If you don’t yet have HIPAA documentation or training in place, we invite you to browse our HIPAA compliance offerings to find a solution that fits your organization. Having both up-to-date documentation and completed training is a key part of demonstrating compliance.

Need Assistance?

If you need help accessing your updates, confirming training completion, or determining which HIPAA documentation or training options are right for your practice, our team is here to help. Contact us anytime — we’re happy to assist.

Taking action now helps ensure you’re compliant, prepared, and confident well before the 2026 deadline.