If you have ever missed an exit and heard your GPS calmly announce “recalculating,” you know the feeling. No judgment—just a firm reminder that it is time to adjust course.
Health plans and health insurers are having a similar moment. February 16, 2026 was not just another regulatory waypoint—it marked the compliance deadline for significant changes affecting the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Notices of Privacy Practices (NPP), driven by amendments aligning HIPAA more closely with 42 C.F.R. Part 2, the federal confidentiality regulations for substance use disorder (SUD) records.
If your plan has not recalibrated yet, now is the time to check your settings.
Why Are Plans on This Road Trip?
Part 2 has long imposed heightened confidentiality protections on SUD treatment records maintained by certain treatment programs. Historically, Part 2 ran somewhat parallel to HIPAA. That changed with the February 2024 final rule, which implemented CARES Act requirements to better align Part 2 with HIPAA while preserving Part 2’s core privacy protection.
Health plans are not Part 2 programs, but they often receive Part 2 records, including through:
- Appeals and grievances
- Utilization management and prior authorization
- Behavioral health carve-outs
- Employee assistance programs
- Care coordination and case management
Once a plan receives Part 2 records, it becomes a lawful holder and must comply with certain Part 2 requirements, including how it describes its privacy practices to beneficiaries.
This is where your NPP comes in. Read on for the roadmap for group health plan sponsors, fully insured plans, and carriers.
The Compliance Destination: What Do Group Health Plan Sponsors Need to Do?
Plans should review and update their NPPs to ensure they:
- Include Part 2-aligned language
Your NPP should not imply that all SUD information is treated like ordinary protected health information regulated under HIPAA. Participants must be alerted that certain SUD records may be subject to stricter federal confidentiality rules (i.e., 42 CFR Part 2) and limits on use, disclosure, and redisclosure.
- Accurately describe the plan’s legal duties
The NPP should reflect that Part 2 records carry special protections, including restrictions on use in civil, criminal, or administrative proceedings, absent member consent or a qualifying court order.
- Remove reproductive health care language that no longer applies
In 2024, many plans added language addressing HIPAA amendments restricting uses and disclosures of reproductive health care information. Those provisions were later vacated by a federal court. Any NPP language added solely to comply with those now-vacated amendments should be removed to accurately reflect current law.
Plans generally satisfy the updated notice requirement by:
- Posting the updated NPP on the plan’s website or intranet, and
- Including information about how to obtain a paper copy in the plan’s next annual mailing (such as open enrollment materials)
No need to reroute the entire communications strategy—just make sure the NPP beneficiaries see is the right one.
Fully Insured Plans: Are We There Yet?
Yes—but you’re riding in the back seat.
For fully insured group health plans, the insurance carrier is responsible for maintaining and updating the NPP. In most cases, plan sponsors do not need to take action. That said, sponsors may still want to:
- Confirm that the carrier has updated its NPP
- Ensure beneficiary communications and benefit materials are consistent
- Coordinate with carriers if the plan sponsor receives Part 2 records directly in limited contexts (e.g., certain EAP structures)
Trust, but verify—especially if you’re the one fielding employee questions.
Health Insurance Payers: The Compliance Destination
Health insurers are HIPAA-covered entities and are frequently lawful holders of Part 2 records, whether through claims processing, utilization management, behavioral health provider networks, or delegated vendor arrangements. As a result, payers bear direct responsibility for ensuring their NPPs and downstream operations align with the newly effective Part 2 roadmap.
Payers should focus on the following Part 2 checkpoints:
- NPP accuracy (not just completeness)
NPPs should clearly signal that certain SUD records are subject to heightened federal confidentiality protections and should not imply that all PHI is treated uniformly. Oversimplified or overly broad descriptions of uses and disclosures—especially for payment, care coordination, and health care operations—create unnecessary risk under the new enforcement regime.
This is also an opportunity to confirm NPPs accurately describe state laws governing confidentiality of other types of sensitive records.
- Delegation and vendor alignment
Payers often rely on a complex ecosystem of vendors, including behavioral health administrators, PBMs, care management vendors, analytics providers, and EAP partners. Where those vendors receive Part 2 records:
- Contracts should reflect Part 2 lawful holder obligations, not just HIPAA business associate terms
- Redisclosure limitations and breach reporting expectations should be clearly addressed
- Vendors should understand when Part 2 records may (and may not) be further disclosed under HIPAA-aligned permissions
- Operational reality checks
Part 2 alignment is not just a notice exercise. Payers should confirm that operational practices match what NPPs document, including:
- Claims and utilization management workflows involving SUD services
- Appeals and grievances that include SUD treatment documentation
- Case management notes and care coordination communications
- Use of SUD information in audits, evaluations, and quality improvement activities
- Incident response and breach notification procedures that cover SUD records
- Consent and disclosure protocols for SUD records
If your NPP says “we may use this information,” but your internal policy says “only with consent,” it’s time to reconcile the two.
- Update BAAs
Payers that receive SUD records under upstream business associate agreements (BAAs) should update BAA templates to address any reliance on the upstream party’s collection of a Part 2-compliant consent and the payer’s subsequent handling of such records.
Why This Matters Now: Enforcement Has Left the Driveway
As of February 16, 2026, the HIPAA enforcement framework formally applies to Part 2 violations. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights is now:
- Accepting complaints alleging Part 2 violations
- Receiving breach notifications involving SUD records
- Authorized to conduct investigations, impose corrective action plans, and assess civil monetary penalties
In other words, this is no longer a “best practices” detour. It’s the main road.
Final Check Before You Hit Cruise Control
For health plans, the Part 2 amendments are less about reinventing compliance programs and more about tightening execution. Updated NPPs are the visible tip of the compliance iceberg—but vendor governance, operational discipline, updated general website privacy policies, and internal alignment are what keep you from hitting a regulatory pothole.
The Editorial Team at Healthcare Business Today is made up of experienced healthcare writers and editors, led by managing editor Daniel Casciato, who has over 25 years of experience in healthcare journalism. Since 1998, our team has delivered trusted, high-quality health and wellness content across numerous platforms.







