If you work in healthcare, you already know one thing is always true: HIPAA never really “stops changing.” Sometimes those changes come as brand-new rules. Other times, they come as deadlines quietly attached to earlier regulations. This is where a HIPAA risk assessment plays a key role. February 16, 2026 falls into the second category, and it is one that many healthcare providers should not ignore.
This date marks an important compliance deadline tied to how substance use disorder (SUD) records are explained and protected under federal privacy laws. While the updates do not introduce an entirely new HIPAA rule, they do require action, particularly around patient-facing privacy notices, staff awareness, and internal policies.
Here is what healthcare providers need to know in plain language, and what steps to take now rather than later.
Why February 16, 2026 matters
In 2024, the U.S. Department of Health and Human Services (HHS), in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA) and the HHS Office for Civil Rights, finalized updates that align long-standing substance use confidentiality rules under 42 CFR Part 2 with HIPAA requirements. These changes affect how addiction-related records are handled, shared, and explained to patients under federal privacy law.
Rather than forcing immediate compliance, regulators provided a transition period. That compliance period ends on February 16, 2026. Persons subject to the Part 2 Final Rule must meet the applicable requirements by this date.
By that date, healthcare organizations that handle, or may receive, substance use disorder information must ensure their privacy practices and Notices of Privacy Practices reflect the updated federal requirements. This deadline is not just about paperwork. It is about transparency, patient trust, and reducing compliance risk by making sure privacy notices and internal processes reflect current law.
Who should pay attention
Many providers assume this only applies to rehab centers or addiction clinics. In reality, the scope is broader.
You should pay attention if your organization:
- Provides substance use or behavioral health services
- Receives substance use information from another provider
- Coordinates care, billing, or referrals that may involve SUD records
- Uses electronic health records where addiction-related notes may appear
This includes hospitals, primary care clinics, specialty practices, health plans, and smaller outpatient providers.
Even if substance use treatment is not your main focus, reviewing your privacy practices as part of a regular HIPAA risk assessment is still important.
What actually needs to be done by the deadline
-
Update your Notice of Privacy Practices (NPP)
The most significant requirement is updating your Notice of Privacy Practices, which explains to patients how you use and protect their health information.
By February 16, 2026, the notice must clearly explain:
- How can you use disorder records for treatment, payment, and healthcare operations
- That these records generally cannot be used against patients in court, investigations, or legal proceedings without consent or a proper court order
- Patients’ rights related to fundraising communications
- How information may be shared after it has been properly disclosed
This is not about adding pages of legal language. It is about clarity. Patients should be able to read the notice and understand how you handle their most sensitive information.
-
Make sure internal policies match the notice
An updated notice only works if your internal policies reflect what it says.
This includes reviewing:
- How you obtain and document consent
- How staff respond to subpoenas or legal requests
- Who can access SUD-related records in your systems
- How you handle redisclosure
Many providers identify gaps during a HIPAA risk assessment, especially when older policies do not reflect newer regulations.
-
Align staff behavior with updated privacy practices
Staff do not need to memorize regulations, but they do need to act consistently with your privacy notice.
Front desk teams, nurses, billing staff, and administrators should understand:
- That substance use records have extra protections
- When you can or cannot share information
- When to escalate questions rather than guessing
Even basic refresher training can significantly reduce compliance risk.
How HIPAA training supports compliance and HIPAA risk assessment beyond the notice
Updating privacy documents is only one part of compliance. Healthcare providers must also ensure their workforce understands what those updates mean in day-to-day practice.
AMC offers HIPAA training designed specifically for healthcare providers who need clear, practical guidance instead of legal theory. As regulations evolve, particularly around sensitive information like substance use disorder records, staff need consistent training that connects policy language to real-world situations.
Incorporating formal HIPAA training into a broader HIPAA risk assessment helps organizations identify knowledge gaps, reinforce updated privacy requirements, and demonstrate good-faith compliance efforts. Training also supports audit readiness by showing regulators that you actively implement privacy protections, not just document them.
For providers preparing for the February 16, 2026 deadline, pairing updated privacy notices with ongoing HIPAA training is one of the most effective ways to reduce risk and protect patient trust.
What this update is not
To avoid confusion, here is what this February 2026 deadline does not involve:
- It is not a brand-new HIPAA Privacy Rule
- It is not related to reproductive health rules that were vacated in 2025
- It is not optional
- It is not limited only to addiction treatment facilities
Understanding what the rule is not helps teams focus on what truly needs attention.
Take the next step toward confident compliance
Preparing for the February 16, 2026 deadline is not just about meeting requirements. It is about ensuring compliance across your organization, improving efficiency, and building trust with patients and regulators. When staff understand how privacy rules apply to their roles, compliance becomes part of everyday operations, not a last-minute task.
AMC supports healthcare providers with practical HIPAA training through its customized, free course development program. Organizations can enroll large teams in training tailored to their workflows and risk areas, strengthening the hipaa risk assessment process and helping staff apply privacy requirements with confidence.
Now is the time to invest in training that supports compliance, efficiency, and trust. Enroll your team in AMC’s customized, free course development program today and move toward audit-ready, patient-centered privacy practices.
