In early 2024 the Department of Health and Human Services (HHS) issued regulations regarding the handling of substance use disorder patient records under 42 CFR Part 2 (“Part 2 records”). The regulations implemented new requirements on Part 2 programs, but also require HIPAA covered entities to update their Notice of Privacy Practices to address their handling of Part 2 records.
As a reminder, HIPAA covered entities include health care providers, health care clearinghouses, and health plans. Employers who sponsor a self-funded health plan are responsible for ensuring compliance with HIPAA and will want to make any necessary updates to the HIPAA Notice of Privacy Practices (NPP).
Updates to the Notice of Privacy Practices
Covered entities must update their NPP to address the following:
- Part 2 records may not be used or disclosed in criminal, administrative, or legislative proceedings without:
- written consent; or
- a court order after notice to the individual.
- Disclosure of Part 2 records may be made pursuant to general consent. Individuals can limit these disclosures by only providing consent to disclose specific information.
- Information properly disclosed by a covered entity under HIPAA could be improperly redisclosed by the recipient of that information and no longer be protected by HIPAA.
- If Part 2 records will be used for fundraising to benefit the covered entity, individuals must be able to opt out of receiving fundraising communications (rarely applicable to self-funded health plans).
Changes to the NPP are required by February 16, 2026.
Key Takeaway: Employers who sponsor self-funded group health plans should review their current Notice of Privacy Practices and make the necessary updates. If you need an up-to-date template Notice of Privacy Practices, please contact your M3 Team.
