February Deadline Approaching to Revise HIPAA Notices of Privacy Practices

Written by Margaret Young Levi

The February 16, 2026 deadline is fast approaching for HIPAA covered entities to revise their HIPAA Notice of Privacy Practices to address substance use disorder (SUD) records.

In 2024, the U.S. Department of Health & Human Services (HHS) issued a Final Rule modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR part 2 (“Part 2”). This Final Rule was designed to better align Part 2 record protections with HIPAA.

Although the Final Rule primarily applies to Part 2 programs, all HIPAA covered entities that receive SUD records from Part 2 programs will need to update their Notice of Privacy Practices by February 16, 2026. This requirement applies not only to health care providers but also to health plans, including health insurance companies, health maintenance organizations (HMOs), and employer-sponsored health plans.

For additional information about this Final Rule, please check out the HHS Fact Sheet.

Looking for assistance in this area? We regularly work with our clients regarding their policies and procedures related to compliance with HIPAA and other data privacy and security laws and regulations. If you are looking for assistance in this area, contact Kathie McDonald-McClure at (502) 562-7526 or Margaret Young Levi at (859) 288-7469. Effective January 1, 2026, Wyatt, Tarrant & Combs, LLP merged with Bricker Graydon, LLP, to become Bricker Graydon Wyatt, LLP (“Bricker”). Until we have the new Bricker website up and running, you can learn more about our health care, data privacy and cyber security practices by visiting the following: Data Privacy & Cybersecurity, Health Care, Privacy & Data Protection, and Health Care.

New HIPAA Final Rule Supporting Reproductive Health Care Privacy Also Requires Amending Notices of Privacy Practices

By: Margaret Young Levi

On April 22, 2024, the U.S. Department of Health and Human Services’ (HHS) Office for Civil Rights (OCR) announced a Final Rule entitled HIPAA Privacy Rule to Support Reproductive Health Care Privacy. This Final Rule not only bolsters the Health Insurance Portability and Accountability Act of 1996 and its implementing regulations (collectively, HIPAA) by prohibiting the disclosure of protected health information (PHI) related to lawful reproductive health care in certain circumstances, but also requires HIPAA covered entities (health care providers, health plans, and health care clearinghouses) to amend their Notices of Privacy Practices (NPPs).

HIPAA and Reproductive Health Care Privacy

HHS is issuing this Final Rule because of concerns that officials in states with more extreme abortion bans, like Kentucky, will seek medical records from states where abortion is legal (or even from their own states) in order to prosecute individuals who cross state lines to seek an abortion. To prevent those medical records from being used against people for providing or obtaining lawful reproductive health care, the Final Rule prohibits the use or disclosure of PHI by a covered entity—or their business associate—for the following activities:


CMS Issues Updated Guidance on Texting Patient Orders

By: Margaret Young Levi

On February 8, 2024, the Centers for Medicare and Medicaid Services (CMS) issued a memorandum entitled Texting of Patient Information and Orders for Hospitals and CAHs (the 2024 Memo), which provides updated guidance to State Survey Agency Directors.  This 2024 Memo now permits the texting of patient orders among members of the hospital care team—if the texting is accomplished on a secure platform that protects the privacy and integrity of the patient information. 

This new guidance updates CMS’ previous memorandum entitled Texting of Patient Information among Healthcare Providers in Hospitals and Critical Access Hospitals (CAHs) (the 2017 Memo), which permitted texting patient information if done through a secure platform, but prohibited texting of patient orders regardless of the platform utilized.

Even though texting of patient orders through a secure platform is now permitted by CMS, that does not mean it is recommended.  CMS still prefers that providers enter their orders into the medical record via computerized provider order entry (CPOE) or even a handwritten order because of concerns about medical record retention, accuracy, privacy and security, etc. as set forth in the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Medicare Conditions of Participation (CoPs), and, if applicable, The Joint Commission (TJC) standards discussed below.


Breach Notification Deadline is February 29th

By: Margaret Young Levi

Heads up! The deadline for notifying the Office for Civil Rights (OCR) of healthcare data breaches affecting fewer than 500 individuals is early this year. Reports of small data breaches may be submitted to OCR annually, usually on March 1st, but because 2024 is a leap year, the reports are due on or before Thursday, February 29th.


OCR Issues Guidance on HIPAA, COVID-19 Vaccination and the Workplace

By: Margaret Young Levi

On September 30, 2021, the Office for Civil Rights (OCR) issued welcome guidance concerning when the Health Insurance Portability and Accountability Act of 1996 (HIPAA) applies to disclosures and requests for information about whether a person has received a COVID-19 vaccine—and when it does not apply.

The guidance aims to clear up misperceptions about who can ask questions about vaccination. In general, OCR reminds readers that HIPAA only applies to HIPAA covered entities, such as health care providers (physicians, hospitals, etc.) and health plans, and it does not apply to employers or employment records. The guidance addresses common workplace situations, provides helpful examples, and answers frequently asked questions for HIPAA covered entities, businesses, and the public.

HIPAA does not prohibit businesses, individuals, or HIPAA covered entities from asking whether their customers or clients have received a COVID-19 vaccine.

HIPAA does not prohibit any person, whether an individual or a business or a HIPAA covered entity, from asking individuals whether they have received a COVID-19 vaccine. First, OCR makes it clear that HIPAA only applies to HIPAA covered entities, and it does not apply to other individuals or entities. Second, even though HIPAA regulates how and when HIPAA covered entities may use or share information about COVID-19 vaccinations, it does not limit the ability of covered entities to ask patients or visitors whether they have been vaccinated.

The guidance clarifies that HIPAA does not apply when an individual:

  • Is asked about their vaccination status by a school, employer, store, restaurant, entertainment venue, or another individual.
  • Asks another individual, their doctor, or a service provider whether they are vaccinated.
  • Asks a company, such as a home health agency, whether its workforce members are vaccinated.