Benefits Law Update
        Practical advice from Verrill attorneys

        HIPAA Notice of Privacy Practices Refresh for Self-Insured Group Health Plans: What to Change Before February 16, 2026

        by Karen K. Hartford on January 6, 2026

        Self-insured group health plans are HIPAA “covered entities” and—unlike most fully insured arrangements—typically must maintain and distribute their own HIPAA Notice of Privacy Practices (NPP). The NPP is a legally required statement that explains how the plan may use and disclose protected health information (PHI), participants’ rights, and the plan’s privacy obligations under federal law. When the NPP is inaccurate or out of date, it can create regulatory exposure, audit friction, participant complaints, or litigation.

        An NPP compliance deadline is approaching fast. By February 16, 2026, covered entities must update their NPPs to reflect amendments to the HIPAA Privacy Rule that align HIPAA with the federal confidentiality framework for substance use disorder (SUD) treatment records under 42 C.F.R. Part 2 (Part 2). These changes stem from a multi-year federal effort to harmonize HIPAA and Part 2 while preserving heightened confidentiality protections for SUD treatment information. In addition, plan sponsors should confirm that their NPPs do not reference HIPAA Privacy Rule amendments addressing reproductive health care information that were finalized in 2024 but later vacated and are no longer in effect.

        This post focuses on what plan sponsors should do now to prepare their HIPAA NPPs for February 2026—what to add, revise, and remove. Since fully insured group health plans are not subject to the requirements discussed in this post, references to group health plans in this post refer only to self-insured group health plans.

        What is “Part 2,” and why does it matter to health plans?

        42 C.F.R. Part 2 is a federal regulation governing the confidentiality of substance use disorder patient records maintained by certain SUD treatment providers, referred to as “Part 2 programs.” Part 2 predates HIPAA and is intentionally more restrictive, reflecting a longstanding federal policy concern that individuals might forgo SUD treatment if their information could be widely disclosed.

        Generally, a Part 2 program is a federally assisted person or entity whose primary function is the diagnosis, treatment, or referral for treatment of a substance use disorder, or a specialized SUD unit within a larger organization (such as a hospital). Federal assistance is defined broadly and can include, among other things, participation in Medicare or Medicaid or receipt of federal funds directly or indirectly.

        Importantly for plan sponsors:

        • Group health plans are not Part 2 programs.
        • However, plans and their vendors can receive Part 2-protected records through claims appeals, utilization management, care coordination, behavioral health carve-outs, Employee Assistance Programs (EAPs), or case management.
        • Once Part 2-protected information is lawfully disclosed to a HIPAA covered entity, special restrictions on use and redisclosure may continue to apply, even though the recipient is not itself a Part 2 program.

        February 16, 2026, compliance deadline

        In January 2024, federal regulators finalized amendments to 42 C.F.R. Part 2 that modernized the rule and aligned key aspects of Part 2 with HIPAA, particularly regarding treatment, payment, and health care operations. While the Part 2 Final Rule became effective in April 2024, covered entities and business associates have until February 16, 2026, to comply with its requirements.

        As part of this alignment effort, the Department of Health and Human Services (HHS) revised HIPAA’s Notice of Privacy Practices requirements to ensure that individuals receive clear and accurate notice of how sensitive SUD information may be used, disclosed, and protected. Although not every group health plan will regularly encounter Part 2-protected records, the NPP must still be drafted to disclose participants’ rights and the plan’s legal obligations when such records are involved.

        What NPP changes are required?

        With respect to Part 2, plan sponsors will want to review their NPPs to ensure that their notices:

        • Do not inaccurately suggest that all SUD treatment information is treated identically to other PHI in every context
        • Properly reflect that additional legal protections may apply to certain SUD records, depending on how they are created and received
        • Accurately describe the plan’s legal duties without overstating or understating a participant’s rights

        These changes do not require plans to identify themselves as Part 2 programs or to describe Part 2 consent mechanics in detail. However, they require careful, precise drafting—especially in the “Uses and Disclosures” and “Our Responsibilities” sections of the NPP.

        Separately, in 2024, regulators finalized HIPAA Privacy Rule amendments addressing reproductive health care information and set a delayed compliance date—also February 16, 2026—for related NPP updates. Those amendments included new prohibitions on certain uses and disclosures, as well as an attestation framework that many sponsors began incorporating into draft or revised NPPs.

        In June 2025, however, a Texas federal district court vacated the reproductive-health-specific HIPAA amendments nationwide. As a result, the reproductive health privacy provisions are not enforceable, and the related NPP content is now moot. HHS subsequently confirmed in a press release that covered entities are not required to implement the vacated provisions and that the only remaining NPP updates subject to the February 16, 2026, compliance date are those relating to the Part 2 alignment amendments.

        For plan sponsors, this means that any reproductive-health-specific descriptions added to an NPP to comply with the 2024 rule must now be removed or revised so the notice accurately reflects current law.

        What self-insured plan sponsors should be doing now

        1. Identify where Part 2-protected information could appear

        Review plan operations and vendor relationships, including:

        • Behavioral health administrators
        • EAPs
        • Care management and utilization review vendors
        • Appeals and grievance workflows
        • Stop-loss reporting channels

        The goal is to understand where Part 2-protected records may enter your HIPAA-regulated processes.

        1. Thoughtfully update the NPP

        A February 2026-ready NPP should:

        • Retain standard HIPAA notice elements
        • Avoid categorical statements that all PHI is treated the same in all circumstances
        • Include carefully framed language acknowledging that some SUD treatment information may be subject to additional legal protection
        • Remove reproductive-health-rule language tied to vacated provisions
        1. Align policies, procedures, and contracts

        Plan sponsors should confirm that:

        • Written HIPAA policies and procedures address the handling of sensitive SUD information
        • Internal training materials are consistent with the revised NPP
        • Business Associate Agreements and service agreements allocate responsibility for NPP distribution and compliance
        1. Plan for compliant distribution

        Ensure the revised NPP is:

        • Re-distributed to all participants following these material revisions
        • Distributed to new enrollees
        • Made known/available through required periodic reminders (at least once every three years)
        • Properly archived with version control and evidence of distribution

        If you need help updating your HIPAA Notice of Privacy Practices, please contact Karen Hartford or any member of Verrill’s Employee Benefits and Executive Compensation practice group.

        Benefits Law Update

        Verrill’s Benefits Law Update blog delivers timely insights and practical guidance on the ever-evolving landscape of employee benefits and executive compensation. Our blog provides up-to-date analysis and commentary on a wide range of topics, including timely updates on developments in law affecting employee benefit plans and executive compensation arrangements.

        Key Contacts

        Subscribe

        Looking for more great content? Subscribe for regular legal updates and information delivered right to your inbox.

        Firm Highlights

        Alerts and Newsletters

        Maine’s New Employer Surveillance Law, 26 M.R.S. § 620-A

        Effective July 14, 2026 Maine employers that electronically monitor employees must comply with a new disclosure law effective July 14, 2026. Under...
        Press Releases

        Verrill Recognized by U.S. News as One of the Best Law Firms to Work for in 2026

        BOSTON, Mass., BANGOR and PORTLAND, Maine, GREENWICH and WESTPORT, Conn., – Verrill has been featured on U.S. News’ 2026 Best Companies to Work...
        Blog

        SECURE 2.0 Roth Catch-Up Rules and the 403(b) 15-Year Catch-Up: What Tax-Exempt Employers Need to Know

        Tax-exempt employers whose 403(b) plans offer catch-up contributions for participants age 50 and above should be well on their way to compliance with...
        Media Mentions

        Robert Keach Quoted in Law360 on SIMAD Summer Camp Bankruptcy Sale

        Verrill attorney Robert Keach was recently quoted in a Law360 article examining the Chapter 11 bankruptcy proceedings involving SIMAD Holdings and...
        Media Mentions

        Chris Tsouros Featured in Law360’s Coverage of Sports Real Estate Deals

        Verrill Partner Chris Tsouros was recently recognized in a Law360 article highlighting law firms involved in significant sports real estate projects...
        Blog

        What Maine’s New Employer Surveillance Law Means for Maine Employers

        Maine employers who monitor their workforce, whether through productivity software, GPS, call recording, or cameras, have a new compliance obligation...
        Blog

        Run Don’t Walk: The Implication of “While Supplies Last” Prize Promotions

        This month a big-chain grocery store has been offering daily mystery boxes during specific timed drops on a first-come, first-served basis, to users...
        Blog

        Maine’s Noncompete Statute is Reshaped for Health Care Workers: What You Need to Know

        Employers of individuals who are licensed under state law to perform, or provide, health care services in the State of Maine should be prepared for...
        Media Mentions

        Steven Davis Featured in the Environmental Business Journal

        Steven Davis, President of Verrill Strategic Consulting, was recently interviewed and featured in the Environmental Business Journal, Volume 39...
        Blog

        What is a Bonus for Purposes of ERISA?

        An ongoing dispute about a Department of Labor advisory opinion published last September raises a basic but unanswered question under the ERISA: What...
        Media Mentions

        Verrill Recognized by WMTW for Partnership Supporting Hunger Relief in Maine

        Verrill was recently featured in coverage by WMTW News 8 for its role in a collaborative effort to combat food insecurity across southern...
        Press Releases

        33 Verrill Attorneys, Across Four Offices, Recognized in the 2026 Chambers USA Guide

        BOSTON, Massachusetts, PORTLAND, Maine, WESTPORT, Connecticut, and WASHINGTON, D.C. – Verrill has been recognized as a Leading Firm in 14...