Update Business Associate Agreements to Comply with New Substance Use Disorder Record Rules

/in

By Kim Stanger

As of February 16, 2026, the new rules governing the confidentiality of substance use disorder (SUD) records will be enforced. If they have not done so, federally assisted SUD programs (Part 2 Programs) who are covered entities under HIPAA will need to update their business associate agreements (BAAs) to ensure compliance with the new rules.

SUD Confidentiality Obligations. The new Part 2 rules generally prohibit Part 2 Programs from disclosing SUD information without the patient’s written consent. However, the rules contain an exception that allows Part 2 Programs to disclose SUD information to a qualified service organization (QSO) without the patient’s consent so long as the Part 2 Program has an agreement with the QSO that requires the QSO to comply with Part 2. Read more

Do the New Substance Use Disorder Record Rules Apply to You?

/in

By Kim Stanger

The revised federal rules for substance use disorder (“SUD”) records will be enforced effective February 16, 2026.  (42 CFR part 2, hereafter “Part 2”).  Failure to comply with the new Part 2 rules may subject healthcare providers and other recipients of covered SUD records to HIPAA penalties ranging from $145 to $2,190,294 per violation along with the affirmative obligation to self-report violations to affected individuals and the Office for Civil Rights. (42 CFR § 2.3; see also 45 CFR § 102.3).  Providers rendering SUD treatment or receiving SUD records must determine whether and to what extent the new Part 2 rules apply to them. Read more

Beyond HIPAA: Navigating the “More Stringent” Standard

/in

By Jake Walker

In light of the upcoming deadline for covered entities to update their Notice of Privacy Practices by February 16, 2026,1 covered entities should consider “more stringent” state laws that may apply to these updated forms and require compliance. The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. Part 164 Subpart E) sets the floor for privacy protections and rights of individuals when it comes to their individually identifiable health information, but allows for states to enact stronger or more stringent requirements regarding the privacy of patient health information. Where federal law sets the ground floor for compliance and allows states to set more demanding requirements as in the case with HIPAA, this is commonly known as “floor preemption.”2 Thus, HIPAA leaves the door open for state law to impose standards more demanding than HIPAA in certain circumstances.

It is critical for covered entities to understand what state laws, if any, may impose additional obligations upon them, and that merely complying with HIPAA is not enough. This is made even more important by the raft of state-specific privacy protection laws that states across the country have implemented within the last decade. The examples below illustrate when and where state law may impose burdens more demanding than HIPAA and the Privacy Rule, but also note where HIPAA preempts other, conflicting state laws. Read more

Update Your HIPAA Notice of Privacy Practices by February 16, 2026

/in

By Kim Stanger

Recent changes to the HIPAA Privacy Rule require that healthcare providers update their Notice of Privacy Practices (“NPP”) by February 16, 2026.1 Most of the changes are intended to align HIPAA with the revised regulations governing substance use disorder records (see 42 CFR part 2).2 A redlined version of 45 CFR 164.520 showing the changes to the rule is available here.

Background.  HIPAA requires covered entities to post and provide individuals with a copy of the provider’s NPP no later than the first day services are delivered.3 The NPP must contain the elements, information and statements specified in 45 CFR 164.520, including but not limited to:

  • The required header, i.e., “THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY.”4
  • A description of the uses or disclosures that the entity may make without the patient’s written authorization,5 g., those uses or disclosures permitted under 45 CFR 164.502 to 164.512.
  • A statement that other uses or disclosures will only be made with the individual’s authorization, and that the individual has the right to revoke her/his authorization subject to certain limitations.6
  • A summary of certain specified rights the individual has concerning his/her information.7
  • The contact information for a person who may respond to questions.
  • The NPP’s effective date.8

For more information concerning these continuing requirements, see our article at https://www.hollandhart.com/checklist-for-hipaa-notice-of-privacy-practices. Read more

Federal Court Vacates HIPAA Reproductive Health Rule

/in

By Kim Stanger

As anticipated, a Texas federal district court has vacated the HIPAA Reproductive Health Rule (the “Rule”) nationwide. (Memorandum Opinion and Order, Purl v. HHS, 2:24-CV-228-Z (N. Dist. Tex (Jun. 18, 2025), available here). Consequently, healthcare providers can now disregard the Rule’s rather burdensome requirements and unwind the actions they took to implement the Rule.

The Purl Decision. In the wake of Dobbs v. Jackson Women’s Health Organizations, the Biden Administration promulgated the HIPAA Reproductive Health Rule to prohibit the disclosure of reproductive health information for purposes of investigating or prosecuting the provision of reproductive healthcare if the healthcare was legal where performed.1 In Purl, the district court held that HHS exceeded its authority and violated procedural requirements in promulgating the Rule. Consequently, the district court vacated the entire Rule as it pertains to special standards or requirements relating to reproductive health information. Although HHS could appeal the district court’s decision, it is very unlikely that HHS will do so given existing Trump Administration policies. HHS has not requested a stay of the decision, thereby signaling that it has no intention of appealing. Read more