February Deadline Approaching to Revise HIPAA Notices of Privacy Practices

January 20, 2026January 21, 2026 Wyatt Data Privacy & Security, HIPAA, HITECH Law HHS deadline, HIPAA, Part 2 Programs, substance use disorder (SUD)

Written by Margaret Young Levi

The February 16, 2026 deadline is fast approaching for HIPAA covered entities to revise their HIPAA Notice of Privacy Practices to address substance use disorder (SUD) records.

In 2024, the U.S. Department of Health & Human Services (HHS) issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). This Final Rule was designed to better align Part 2 record protections with HIPAA.

Although the Final Rule primarily applies to Part 2 programs, all HIPAA covered entities that receive SUD records from Part 2 programs will need to update their Notice of Privacy Practices by February 16, 2026. This requirement applies to not only health care providers but also health plans, including health insurance companies, health maintenance organizations (HMOs), as well as employer-sponsored health plans.

For additional information about this Final Rule, please check out the HHS Fact Sheet.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469. Effective January 1, 2026, Wyatt, Tarrant & Combs, LLP merged with Bricker Graydon, LLP, to become Bricker Graydon Wyatt, LLP (“Bricker“). Until we have the new Bricker website up and running, you can learn more about our health care, data privacy and cyber security practices by visiting the following: Data Privacy & Cybersecurity, Health Care, Privacy & Data Protection, and Health Care.

Deadline Approaching to Revise HIPAA Policies

November 21, 2024November 22, 2024 Wyatt Data Privacy & Security, HIPAA cybersecurity, data privacy, final rule, health care law, health care providers, HIPAA Compliance, ocr guidelines, privacy, privacy practices, protected health information (PHI), regulatory changes, reproductive health

By: Margaret Young Levi

The December 23, 2024 deadline is fast approaching for HIPAA covered entities, including health care providers and health plans, to revise their HIPAA policies and procedures relating to reproductive health.

Earlier this year, the Office for Civil Rights (OCR) issued a Final Rule prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances. This will require HIPAA covered entities to amend their policies and procedures, as well as their Notice of Privacy Practices (NPP). While updates to policies and procedures must be completed by December 23, 2024, the new NPP requirements will not go into effect until February 16, 2026. Some covered entities will need to amend their business associate agreements if the agreements permit an activity no longer permitted under the revised Privacy Rule.

For additional information about this Final Rule, please check out our previous article on this topic.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Levi Young at (859) 288-7469. To learn more about Wyatt’s health care, data privacy and cyber security practice, visit the following Wyatt website pages: Wyatt Data Privacy & Cyber Security and Wyatt Health Care.

Changes to the Health Breach Notification Rule Include Regulations for Health Apps

June 11, 2024July 2, 2024 Wyatt Data Breach & Notification, Data Privacy & Security, Electronic Health Records, FTC Enforcement, Health Information Technology, HIPAA Breach Notification, cybersecurity, Electronic Health Records, FTC Final Rule, HBNR, healthcare, personal health record, PHR, PHR identifiable health information, privacy, security, technology

Written by: Margaret Young Levi and Casey Parker-Bell (Wyatt Summer Associate)

Vendors who maintain personal health records will soon be subject to amended rules for notifying customers of data breaches. The Federal Trade Commission (“FTC”) has issued a Final Rule, finalizing changes to the Health Breach Notification Rule (“HBNR“) first issued in 2009 (the “2009 Rule”). The Final Rule clarifies the HBNR’s application to apps and other new technologies in the healthcare industry.

New technology, like fitness trackers and other direct-to-consumer health tech and wearable apps, have increased the amount of health data collected from consumers. There is a growing concern that some companies are disclosing or selling individuals’ personal health data for marketing and other purposes, while not subject to protections under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). “We are witnessing an explosion of health apps and connected devices, many of which aren’t covered by HIPAA, collecting vast amounts of sensitive consumer health information.” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “The proposed amendments to the new rule will allow it to keep up with marketplace trends, and respond to development and changes in technology.” The FTC has announced this Final Rule to address these new technologies.

The Final Rule’s Changes to the HBNR

The HBNR requires vendors of personal health records (“PHRs”) to notify individuals, the FTC, and, in some cases, the media of a breach of unsecured PHR identifiable health information. The HBNR also requires third-party service providers of personal health records to provide notifications. After seeking comments on proposed changes to better protect consumer who use PHRs, the FTC finalized the following changes to the HBNR:

Continue reading →

New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

April 25, 2024June 11, 2024 Wyatt Data Privacy & Security, HIPAA, Privacy & Security abortion, confidentiality of sud records, HIPAA, notice of privacy practices, NPP, OCR, Part 2, reproductive health, substance use disorder (SUD)

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:

CMS Issues Updated Guidance on Texting Patient Orders

February 22, 2024June 11, 2024 Margaret Young Levi Cyber Security and Cyber Crime, Data Privacy & Security, Electronic Health Records, Health Information Technology, HIPAA, Privacy & Security computerized provider order entry, Cyber Security, data security, EHR, Health IT, healthcare, HHS CMS, HIPAA, Joint Commission, Medicare CoPs, technology

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors. This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information.

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended. CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.