Crucial HIPAA Amendments for Health Plans and Insurers
As of February 16, 2026, health plans and insurance carriers faced a pivotal compliance deadline concerning amendments to the Health Insurance Portability and Accountability Act of 1996 (HIPAA). These modifications bring HIPAA into closer alignment with 42 C.F.R. Part 2, which governs the confidentiality of substance use disorder (SUD) records, ensuring stringent privacy protections for sensitive health information.
Historically, Part 2 has provided stricter confidentiality protections for SUD treatment records managed by specific programs, operating in parallel to HIPAA's guidelines. In February 2024, the final rule influenced by the CARES Act was announced to harmonize Part 2 with HIPAA, maintaining the rigorous privacy protections inherent in Part 2.
Although health plans are not classified as Part 2 programs, they often become lawful holders of SUD records, necessitating adherence to specific Part 2 requirements. This includes how they convey privacy practices to beneficiaries through Notices of Privacy Practices (NPP), a critical element for regulatory compliance.
Importance of Updating NPPs and BAAs
For group health plan sponsors, insurers, and carriers, updating NPPs is crucial. Updated NPPs must reflect compliance with enhanced confidentiality standards to mitigate potential regulatory risks. For entities that are covered by HIPAA and often process claims involving Part 2 records, the compliance responsibility is direct and requires precise communication regarding SUD record confidentiality.
Further, insurers often operate within a network of vendors, such as behavioral health managers and analytics providers, who may handle Part 2 records. Ensuring vendor practices align with Part 2 compliance and reconciling inconsistencies between operational policies and documented procedures is essential for seamless risk management.
Updating business associate agreements (BAAs) represents another necessary step when dealing with SUD records. Payers must ensure their BAAs articulate the collection and handling of Part 2-consent information, fostering a strong foundation for regulatory adherence.
The alignment with Part 2 is now formally embedded within the HIPAA enforcement framework. The Department of Health and Human Services (HHS) Office for Civil Rights will oversee compliance, which moves this alignment from best-practice guidance to a mandatory requirement. For health plans, these amendments emphasize refining existing compliance measures rather than an overhaul, highlighting the importance of vendor governance, operational adherence, and internal consistency in managing compliance effectively.