If you are reading this, there is a good chance you just found out that the February 16, 2026 deadline to update your HIPAA Notice of Privacy Practices has come and gone — and your NPP still says the same thing it said when you first opened your practice. Or maybe you heard about the deadline, meant to deal with it, and it got buried under everything else.
Either way, you are not alone. Most small and independent medical practices — family medicine, dental, chiropractic, mental health, PT, urgent care — either missed this entirely or are just now realizing it applied to them. The good news is this is fixable, it is not as complicated as it sounds, and you can get it done this week. Here is exactly what changed, what your exposure is, and how to catch up fast.
What Happened on February 16, 2026?
Two separate 2024 rulemakings were both pointed at the same February 16, 2026 deadline for updating your Notice of Privacy Practices — the document you give every new patient explaining how your practice uses and protects their health information. Here is the part most online articles still get wrong: only one of those two changes survived. The other was struck down by a federal court a year ago. You need to know exactly which is which, because implementing the wrong one creates its own liability.
Change 1: Reproductive Health Information Protections — Vacated Nationwide
In April 2024, HHS finalized updates to the HIPAA Privacy Rule that added special protections for reproductive health information, including a new prohibition on certain uses and disclosures of PHI and a signed-attestation requirement for some non-treatment disclosures. An NPP update tied to this rule was one of the changes originally due by February 16, 2026.
That rule no longer applies. On June 18, 2025, the U.S. District Court for the Northern District of Texas, in Purl v. U.S. Department of Health and Human Services, vacated almost all of the 2024 Reproductive Health Privacy Rule, finding that HHS exceeded its statutory authority. The decision applies nationwide, took effect immediately, and specifically struck down the reproductive-health Notice of Privacy Practices provisions. HHS did not appeal — the deadline to do so passed in August 2025 — so the vacatur stands.
What this means for your practice: the reproductive-health language is not a required part of your NPP. You do not need to add it, and the related attestation process is no longer a federal requirement. If you already added it in anticipation of the deadline, see "What If I Already Added the Reproductive Health Language?" below. (One caveat: outside parties have sought to revive the case on appeal. As of now the rule is vacated and unenforced; we monitor the litigation and update our templates if its legal status changes. Separately, some states impose their own reproductive-health privacy requirements independent of HIPAA — see the state-law section below.)
Change 2: Substance Use Disorder (Part 2) Alignment
The second change is the alignment of 42 CFR Part 2 — the federal regulations governing the confidentiality of substance use disorder (SUD) treatment records — with HIPAA. This was mandated by the CARES Act of 2020, and the final rule was published in February 2024 with a compliance date of February 16, 2026.
If your practice provides substance use disorder treatment, you are directly affected and need to update your NPP to explain how SUD records are protected, including the fact that patients may provide a single consent for all future uses and disclosures of their SUD records for treatment, payment, and healthcare operations purposes.
But even if your practice does not provide SUD treatment, you may still be affected. If you receive patients who transfer in from other providers, if you receive referral records, or if patients disclose substance use history during intake — you may be receiving SUD records that are subject to Part 2 protections. Your NPP should address this.
Do I Need to Worry About This If I Am a Small Practice?
Yes. The HIPAA Privacy Rule applies to every covered entity regardless of size. There is no small practice exemption for the NPP requirement. Every medical practice, dental office, mental health provider, chiropractic office, and physical therapy clinic that bills insurance electronically is a covered entity and is required to maintain a current Notice of Privacy Practices.
That said, the risk profile is different for a small practice than for a large health system. Here is what you actually need to understand about your exposure.
Am I Going to Get Fined for Missing the Deadline?
The honest answer: probably not right away, and probably not for this alone. OCR — the Office for Civil Rights, the agency that enforces HIPAA — does not conduct proactive sweeps looking for outdated Notices of Privacy Practices. Their enforcement is primarily complaint-driven and breach-driven. They investigate when a patient files a complaint or when a breach is reported.
However — and this is the important part — if your practice is investigated for any reason (a patient complaint, a breach report, a random audit), OCR will review your entire compliance program. If they find that your NPP has not been updated to reflect the Part 2 / substance use disorder NPP requirements that took effect February 16, 2026, that becomes an additional finding. It signals to the investigator that your compliance program is not being actively maintained, which can escalate the severity of whatever brought them to your door in the first place.
Under the HIPAA enforcement framework, civil monetary penalties are tiered by level of culpability and are adjusted for inflation every year, so the exact figures change annually — the lowest tier runs in the low hundreds of dollars per violation and the highest tier (willful neglect, uncorrected) reaches into the millions of dollars per year. A practice that genuinely did not know about a requirement and corrects it quickly is in a very different position than a practice that knew and ignored it. The fact that you are reading this article and taking action puts you in the first category.
What Exactly Needs to Change in My NPP?
You do not need to rewrite your entire Notice of Privacy Practices from scratch. After the Purl decision, the required change is narrower than what was originally announced for the February 2026 deadline. Here is what actually applies.
Reproductive Health Protections — Not Required
Because the 2024 Reproductive Health Privacy Rule was vacated nationwide, your NPP does not need a reproductive-health protections section, and you are not required to implement the related attestation process. If your current NPP does not mention reproductive health, you do not need to add anything here. If it does — because you updated early — the relevant question is whether to revise it back out, which we cover below. The one place reproductive-health privacy may still create obligations is state law, addressed later in this article.
Part 2 / Substance Use Disorder Section (If Applicable)
If your practice provides SUD treatment or regularly receives SUD records from other providers, your NPP should include a section explaining the protections that apply to substance use disorder treatment information. This should cover the patient's right to provide a single consent for all future treatment, payment, and healthcare operations disclosures of their SUD records, the patient's right to revoke that consent, and the prohibition on re-disclosure of SUD records to third parties without additional consent.
Updated Patient Rights Language
Both rule changes include updates to how patient rights are described. Review the patient rights section of your NPP and ensure it reflects current requirements, including the right to receive a copy of the NPP, the right to request restrictions on certain disclosures, and the right to file a complaint with OCR.
Can I Just Download a Template?
Yes — with a caveat. You can start from a template, but you need to customize it for your practice. Your NPP should reflect your specific practice type, the services you provide, and the ways you actually use and disclose PHI. A dermatology practice and a substance use treatment center will have different NPPs even though they are both covered entities.
GuardWell Compliance maintains its Notice of Privacy Practices template in line with current law: it includes the Part 2 / substance use disorder alignment language, reflects the Purl vacatur (it does not include the struck-down reproductive-health provisions), and flags state-law privacy requirements that may apply on top of HIPAA. You can adopt it, customize it for your practice, and track staff acknowledgment — all within the platform.
Do I Need to Redistribute It to All My Existing Patients?
No. HIPAA does not require you to redistribute your updated NPP to your entire existing patient panel. Here is what you are required to do:
Post it prominently in your office. The updated NPP must be available in your facility in a location where patients can reasonably be expected to see it. Most practices post it at the front desk or in the waiting area.
Post it on your website. If your practice has a website, the current NPP must be prominently available on it. This should be a direct link — not buried three clicks deep in a footer.
Provide it to every new patient. Every patient who is new to your practice must receive a copy of your current NPP at their first visit. You must make a good faith effort to obtain written acknowledgment of receipt, though the patient is not required to sign.
Make it available upon request. Any patient who asks for a copy of your NPP is entitled to receive one.
You do not need to mail it to existing patients, and you do not need to have existing patients re-sign an acknowledgment form — unless you want to, which is a reasonable best practice but is not required.
How Long Will This Take Me?
If you are starting from a template, the actual work is modest. Here is a realistic timeline for a small practice:
30–45 minutes: Review and customize a template NPP for your practice. Add your practice name, address, contact information, privacy officer name, and any practice-specific language about how you use PHI. Ensure the Part 2 / substance use disorder section (if applicable to your practice) and any applicable state-law provisions are included and accurate for your practice type, and that the vacated reproductive-health provisions are not added.
15 minutes: Print the updated NPP and post it in your office. Replace the old version wherever it is currently displayed.
15 minutes: Update your website. Replace the existing NPP document with the new version. If your NPP is a PDF linked from your website, replace the file. If it is a webpage, update the content.
15 minutes: Update your new patient intake process. Ensure front desk staff know that the new version is the one being distributed. Add the updated NPP to your new patient paperwork if it is not already there.
15 minutes: Document the update. Record the date you updated the NPP, what changed, and when it was posted in the office and on the website. This documentation is important — it shows good faith effort and a specific date of compliance. If OCR ever asks when you updated your NPP, you want a clear answer.
Total: about 90 minutes of actual work. You can realistically complete this in a single afternoon.
What If I Already Added the Reproductive Health Language?
This is a common situation. Many practices updated their NPPs in 2024 or 2025 — ahead of the February 2026 deadline — and added the reproductive-health protections language and attestation process, because at the time it was a finalized federal rule. Then Purl vacated it.
If this describes your practice, the federal requirement behind that language is gone. Many healthcare attorneys are advising clients to revise the reproductive-health provisions back out, on the reasoning that an NPP should accurately describe the protections you actually provide under current federal law and should not promise a federal attestation process that no longer exists. This is a judgment call worth running by your privacy officer or counsel — particularly if you operate in a state with its own reproductive-health privacy statute, where some of that language may still be appropriate for state-law reasons. Whatever you decide, keep the Part 2 / SUD section, re-date the NPP, re-post it in your office and on your website, and document the revision and your reasoning.
What About State-Specific Requirements?
Some states have their own medical privacy laws that are more stringent than HIPAA, and your NPP may need to address both federal and state requirements. States like California (CMIA), Texas (TMRPA), New York, and Massachusetts have privacy laws that go beyond HIPAA in certain areas. If your practice is in one of these states, review whether your state has specific NPP requirements that need to be layered on top of the federal HIPAA requirements.
GuardWell's state law overlay module covers all 50 states with 500+ checklist items that flag where your state's requirements exceed HIPAA — including privacy notice requirements.
A Quick Checklist to Get This Done
Here is your action plan, in order. You can complete this in a single sitting.
- Get a current NPP template that includes the Part 2 SUD alignment language and does not include the vacated 2024 reproductive-health provisions. Start from a trusted source — your compliance platform, your attorney, or a healthcare compliance organization.
- Customize it with your practice name, address, privacy officer contact information, and any practice-specific uses and disclosures of PHI.
- Have your privacy officer (or practice owner) review and approve it. This is a formal compliance document. Someone with authority should sign off.
- Date it. Include the revision date prominently on the document (e.g., "Revised March 2026").
- Post it in your office in a prominent location. Remove the old version.
- Post it on your website. Replace the old version. Verify the link works.
- Update your intake process. Ensure front desk staff are distributing the new version to all new patients.
- Document the update in your compliance records — date of revision, what changed, when and where it was posted.
- Set a reminder to review your NPP annually. This will not be the last time HIPAA requires an update to your Notice of Privacy Practices. Building an annual review into your compliance calendar prevents this from sneaking up on you again.
The Bottom Line
Missing the February 16 deadline is not the end of the world. It is not going to trigger an OCR investigation by itself. But it is a gap in your compliance program, and every day it stays unfixed is a day you are technically out of compliance with the HIPAA Privacy Rule. The good news is this is one of the fastest compliance fixes you can make — an afternoon of focused work and it is behind you.
The bigger picture is that HIPAA is not standing still. The NPP update is just one of several major changes coming in 2026, including a proposed overhaul of the HIPAA Security Rule that, if finalized, could affect every practice in the country. If the NPP deadline caught you off guard, now is a good time to evaluate whether your practice has a system in place to stay ahead of regulatory changes — rather than learning about them after the deadline has passed.
GuardWell Compliance monitors regulatory changes across all 15 compliance domains we cover and updates affected policy templates, training content, and compliance checklists within the platform. When something changes, you know about it before the deadline — not after. If you want to see where your practice stands today, take our free 2-minute compliance score quiz to get an instant snapshot of your compliance gaps.
