Important Deadlines for HIPAA Covered Entities and Part 2 Programs

Posted on February 26, 2026 in Health Information Technology, Health Law News

Published by: Hall Render

HIPAA covered entities and Part 2 Programs should be aware of two important compliance deadlines that may require prompt action.

Annual HIPAA Small Breach Reporting

Under the Breach Notification Rule, HIPAA covered entities are required to submit reports of certain breaches of unsecured protected health information (“PHI”) affecting fewer than 500 individuals to the HHS Office for Civil Rights (“OCR”) on an annual basis. No later than March 1, 2026, covered entities must submit breaches discovered in 2025 through OCR’s breach notification web page, which can be found here.

The Breach Notification Rule requires covered entities to notify individuals and OCR of breaches of unsecured PHI that compromise the security or privacy of the PHI, unless an exception applies. Covered entities are required to notify individuals of a breach without unreasonable delay and no later than 60 days following a breach. If a breach affects 500 or more individuals, the covered entity must notify OCR simultaneously with the notification to the individuals. However, if a breach affects fewer than 500 individuals, the covered entity must notify OCR no later than 60 days after the end of the calendar year in which the breach occurred. For such breaches, covered entities may choose to submit their notifications to OCR throughout the year or at one time, so long as the notification is made within the annual deadline.

Potential Updates to Notice of Privacy Practices

Significant changes to the regulations governing the “Confidentiality of Substance Use Disorder Patient Records” set forth at 42 CFR Part 2 (“Part 2”) went into effect on February 16, 2026. While those changes primarily impact federally assisted programs that provide substance use disorder diagnosis, treatment or referral for treatment (“Part 2 Programs”), changes related to updating notices of privacy practices also impact HIPAA covered entities that are not Part 2 Programs, but that receive or maintain records that continue to be subject to Part 2. HIPAA covered entities that also qualify as or operate Part 2 Programs are affected by the changes as well.

The final rules updating the HIPAA and Part 2 regulations both required HIPAA covered entities and Part 2 Programs to implement compliant Notices of Privacy Practices (“NPPs”) that reflect the special protections applicable to Part 2 records. How these requirements apply to a given organization depends on the type of organization and how it interacts with Part 2 records:

  • Part 2 Programs that are not HIPAA covered entities are required for the first time to have an NPP, and must post the NPP and provide it to patients in compliance with the Part 2 revisions, which were intended to align their privacy operations with those of covered entities that are or operate Part 2 Programs. OCR recently published a model NPP for this type of entity, available here.
  • HIPAA covered entities that are not Part 2 Programs but that receive or maintain records from Part 2 Programs must ensure that their NPPs are updated to address the use of Part 2 records in legal proceedings against the individual and for fundraising purposes. OCR recently published a model NPP for this type of organization, available here.
  • HIPAA covered entities that are also Part 2 Programs will need to either use a separate NPP for their Part 2 Program activities that meets the new requirements or make substantial revisions to their existing NPP to inform patients of how both their PHI and Part 2 records may be used and disclosed, including addressing Part 2’s more stringent requirements. While OCR did not provide a model NPP for HIPAA covered entities that are also Part 2 Programs and want to use a single or “combined” NPP, the agency did state that this would be permitted.
  • HIPAA covered entities that are not Part 2 Programs and do not receive or maintain Part 2 records would not have to update their NPPs. However, with recent industry and regulatory emphasis on interoperability and increased information sharing for continuity of care purposes, many covered entities could receive or maintain such information in order to have a holistic view of a patient’s overall health care. Therefore, proactively updating the NPP to address Part 2 can help avoid regulatory noncompliance related to future increased data sharing.

The compliance deadline for updating and posting NPPs was February 16, 2026, so if your organization has not yet assessed how these changes might impact you or taken steps to adopt or update your NPP accordingly, prompt action is required to ensure regulatory compliance.

If you have any questions or would like additional information about this topic, please contact:

Hall Render blog posts and articles are intended for informational purposes only. For ethical reasons, Hall Render attorneys cannot give legal advice outside of an attorney-client relationship.