Did You Miss the February 2026 HIPAA Notice of Privacy Practices Deadline? Here's How to Catch Up

By GuardWell Compliance Team · March 25, 2026 · 10 min read

If you are reading this, there is a good chance you just found out that the February 16, 2026 deadline to update your HIPAA Notice of Privacy Practices has come and gone — and your NPP still says the same thing it said when you first opened your practice. Or maybe you heard about the deadline, meant to deal with it, and it got buried under everything else.

Either way, you are not alone. Most small and independent medical practices — family medicine, dental, chiropractic, mental health, PT, urgent care — either missed this entirely or are just now realizing it applied to them. The good news is this is fixable, it is not as complicated as it sounds, and you can get it done this week. Here is exactly what changed, what your exposure is, and how to catch up fast.

What Happened on February 16, 2026?

Two separate but related HIPAA rule changes converged on the same compliance deadline — February 16, 2026. Both of them require updates to your Notice of Privacy Practices, which is the document you give to every new patient explaining how your practice uses and protects their health information.

Change 1: Reproductive Health Information Protections

In April 2024, HHS finalized updates to the HIPAA Privacy Rule that added new protections specifically for reproductive health information. Under these changes, your practice is now prohibited from using or disclosing protected health information (PHI) for the purpose of investigating or penalizing any person for seeking, obtaining, providing, or facilitating lawful reproductive health care.

In practical terms, this means that if someone — law enforcement, an attorney, an insurance company, another provider — requests patient records, and the purpose of that request is to investigate a patient (or a provider) for obtaining or providing reproductive health care that was legal in the state where it was provided, you cannot disclose those records for that purpose.

The rule also introduces a new requirement: for certain non-treatment disclosures of PHI, you must obtain a signed attestation from the requesting party confirming that the request is not for a prohibited reproductive health investigation purpose. This applies to disclosures for health oversight activities, judicial and administrative proceedings, law enforcement purposes, and certain other situations outlined in the rule.

Your Notice of Privacy Practices must now include a section explaining these protections to your patients. Patients need to know that their reproductive health information has these additional protections under federal law.

Change 2: Substance Use Disorder (Part 2) Alignment

The second change is the alignment of 42 CFR Part 2 — the federal regulations governing the confidentiality of substance use disorder (SUD) treatment records — with HIPAA. This was mandated by the CARES Act of 2020, and the final rule was published in February 2024 with a compliance date of February 16, 2026.

If your practice provides substance use disorder treatment, you are directly affected and need to update your NPP to explain how SUD records are protected, including the fact that patients may provide a single consent for all future uses and disclosures of their SUD records for treatment, payment, and healthcare operations purposes.

But even if your practice does not provide SUD treatment, you may still be affected. If you receive patients who transfer in from other providers, if you receive referral records, or if patients disclose substance use history during intake — you may be receiving SUD records that are subject to Part 2 protections. Your NPP should address this.

Do I Need to Worry About This If I Am a Small Practice?

Yes. The HIPAA Privacy Rule applies to every covered entity regardless of size. There is no small practice exemption for the NPP requirement. Every medical practice, dental office, mental health provider, chiropractic office, and physical therapy clinic that bills insurance electronically is a covered entity and is required to maintain a current Notice of Privacy Practices.

That said, the risk profile is different for a small practice than for a large health system. Here is what you actually need to understand about your exposure.

Am I Going to Get Fined for Missing the Deadline?

The honest answer: probably not right away, and probably not for this alone. OCR — the Office for Civil Rights, the agency that enforces HIPAA — does not conduct proactive sweeps looking for outdated Notices of Privacy Practices. Their enforcement is primarily complaint-driven and breach-driven. They investigate when a patient files a complaint or when a breach is reported.

However — and this is the important part — if your practice is investigated for any reason (a patient complaint, a breach report, a random audit), OCR will review your entire compliance program. If they find that your NPP has not been updated to reflect the 2024 Privacy Rule changes, that becomes an additional finding. It signals to the investigator that your compliance program is not being actively maintained, which can escalate the severity of whatever brought them to your door in the first place.

Under the HIPAA enforcement framework, penalties for Privacy Rule violations range from $141 to $71,162 per violation depending on the level of culpability. A practice that genuinely did not know about the requirement and corrects it quickly is in a very different position than a practice that knew and ignored it. The fact that you are reading this article and taking action puts you in the first category.

What Exactly Needs to Change in My NPP?

You do not need to rewrite your entire Notice of Privacy Practices from scratch. You need to add specific new content. Here is what the updated NPP must include.

Reproductive Health Protections Section

Your NPP must now include a statement explaining that your practice will not use or disclose PHI for the purpose of conducting a criminal, civil, or administrative investigation into, or imposing criminal, civil, or administrative liability on, any person for the act of seeking, obtaining, providing, or facilitating reproductive health care that is lawful under the circumstances in which it was provided. The specific language should explain this protection in terms a patient can understand — not in regulatory jargon.

Your NPP should also explain the new attestation requirement: that when certain parties request PHI for non-treatment purposes, your practice may require a signed statement confirming the request is not for a prohibited reproductive health investigation purpose.

Part 2 / Substance Use Disorder Section (If Applicable)

If your practice provides SUD treatment or regularly receives SUD records from other providers, your NPP should include a section explaining the protections that apply to substance use disorder treatment information. This should cover the patient's right to provide a single consent for all future treatment, payment, and healthcare operations disclosures of their SUD records, the patient's right to revoke that consent, and the prohibition on re-disclosure of SUD records to third parties without additional consent.

Updated Patient Rights Language

Both rule changes include updates to how patient rights are described. Review the patient rights section of your NPP and ensure it reflects current requirements, including the right to receive a copy of the NPP, the right to request restrictions on certain disclosures, and the right to file a complaint with OCR.

Can I Just Download a Template?

Yes — with a caveat. You can start from a template, but you need to customize it for your practice. Your NPP should reflect your specific practice type, the services you provide, and the ways you actually use and disclose PHI. A dermatology practice and a substance use treatment center will have different NPPs even though they are both covered entities.

GuardWell Compliance includes an updated 2026 Notice of Privacy Practices template in our policy library that already incorporates the reproductive health protections and Part 2 language. You can adopt it, customize it for your practice, and track staff acknowledgment — all within the platform.

Do I Need to Redistribute It to All My Existing Patients?

No. HIPAA does not require you to redistribute your updated NPP to your entire existing patient panel. Here is what you are required to do:

Post it prominently in your office. The updated NPP must be available in your facility in a location where patients can reasonably be expected to see it. Most practices post it at the front desk or in the waiting area.

Post it on your website. If your practice has a website, the current NPP must be prominently available on it. This should be a direct link — not buried three clicks deep in a footer.

Provide it to every new patient. Every patient who is new to your practice must receive a copy of your current NPP at their first visit. You must make a good faith effort to obtain written acknowledgment of receipt, though the patient is not required to sign.

Make it available upon request. Any patient who asks for a copy of your NPP is entitled to receive one.

You do not need to mail it to existing patients, and you do not need to have existing patients re-sign an acknowledgment form — unless you want to, which is a reasonable best practice but is not required.

How Long Will This Take Me?

If you are starting from a template, the actual work is modest. Here is a realistic timeline for a small practice:

30–45 minutes: Review and customize a template NPP for your practice. Add your practice name, address, contact information, privacy officer name, and any practice-specific language about how you use PHI. Ensure the reproductive health and Part 2 sections are included and accurate for your practice type.

15 minutes: Print the updated NPP and post it in your office. Replace the old version wherever it is currently displayed.

15 minutes: Update your website. Replace the existing NPP document with the new version. If your NPP is a PDF linked from your website, replace the file. If it is a webpage, update the content.

15 minutes: Update your new patient intake process. Ensure front desk staff know that the new version is the one being distributed. Add the updated NPP to your new patient paperwork if it is not already there.

15 minutes: Document the update. Record the date you updated the NPP, what changed, and when it was posted in the office and on the website. This documentation is important — it shows good faith effort and a specific date of compliance. If OCR ever asks when you updated your NPP, you want a clear answer.

Total: about 90 minutes of actual work. You can realistically complete this in a single afternoon.

What If I Updated My NPP But Did Not Include the Reproductive Health Language?

This is a common situation. Many practices updated their NPPs in 2024 or 2025 for other reasons — a practice name change, a new location, a compliance consultant's recommendation — but the update did not include the new reproductive health protections because the compliance date had not arrived yet.

If this describes your practice, you need to do a targeted revision. Add the reproductive health protections section, re-date the NPP, re-post it in your office and on your website, and document the revision. You do not need to start from scratch — just add the missing section.

What About State-Specific Requirements?

Some states have their own medical privacy laws that are more stringent than HIPAA, and your NPP may need to address both federal and state requirements. States like California (CMIA), Texas (TMRPA), New York, and Massachusetts have privacy laws that go beyond HIPAA in certain areas. If your practice is in one of these states, review whether your state has specific NPP requirements that need to be layered on top of the federal HIPAA requirements.

GuardWell's state law overlay module covers all 50 states with 500+ checklist items that flag where your state's requirements exceed HIPAA — including privacy notice requirements.

A Quick Checklist to Get This Done

Here is your action plan, in order. You can complete this in a single sitting.

  1. Get a current NPP template that includes the 2024 Privacy Rule reproductive health protections and the Part 2 SUD alignment language. Start from a trusted source — your compliance platform, your attorney, or a healthcare compliance organization.
  2. Customize it with your practice name, address, privacy officer contact information, and any practice-specific uses and disclosures of PHI.
  3. Have your privacy officer (or practice owner) review and approve it. This is a formal compliance document. Someone with authority should sign off.
  4. Date it. Include the revision date prominently on the document (e.g., "Revised March 2026").
  5. Post it in your office in a prominent location. Remove the old version.
  6. Post it on your website. Replace the old version. Verify the link works.
  7. Update your intake process. Ensure front desk staff are distributing the new version to all new patients.
  8. Document the update in your compliance records — date of revision, what changed, when and where it was posted.
  9. Set a reminder to review your NPP annually. This will not be the last time HIPAA requires an update to your Notice of Privacy Practices. Building an annual review into your compliance calendar prevents this from sneaking up on you again.

The Bottom Line

Missing the February 16 deadline is not the end of the world. It is not going to trigger an OCR investigation by itself. But it is a gap in your compliance program, and every day it stays unfixed is a day you are technically out of compliance with the HIPAA Privacy Rule. The good news is this is one of the fastest compliance fixes you can make — an afternoon of focused work and it is behind you.

The bigger picture is that HIPAA is not standing still. The NPP update is just one of several major changes coming in 2026, including a complete overhaul of the HIPAA Security Rule that will affect every practice in the country. If the NPP deadline caught you off guard, now is a good time to evaluate whether your practice has a system in place to stay ahead of regulatory changes — rather than learning about them after the deadline has passed.

GuardWell Compliance monitors regulatory changes across all 15 compliance domains we cover and updates affected policy templates, training content, and compliance checklists within the platform. When something changes, you know about it before the deadline — not after. If you want to see where your practice stands today, take our free 2-minute compliance score quiz to get an instant snapshot of your compliance gaps.
