Here’s what you need to know about HIPAA’s February 2026 compliance deadline

Updates to the Health Insurance Portability and Accountability Act (HIPAA) notice of privacy practices (NPP) are required by February 16, 2026. Below is an overview of what changes are required and how health plan sponsors can comply.

Background

HIPAA requires covered entities, including group health plans, to maintain and distribute NPPs that outline how a covered entity may use and disclose an individual’s protected health information (PHI), along with other required content and disclosures.

In April 2024, the Department of Health and Human Services (HHS) issued a final rule that (1) strengthened HIPAA privacy protections related to reproductive healthcare; and (2) revised the NPP requirements for consistency with other HHS regulations concerning substance use disorder treatment records (known as part 2 records).

In June 2025, the U.S. District Court for the Northern District of Texas vacated the reproductive healthcare privacy protections. However, the ruling didn’t affect the requirement that health plan sponsors update NPP requirements for part 2 records.

Impact on plan sponsors

Fully insured plans. Although insurance carriers typically manage the NPP, fully insured plan sponsors must make the required updates by February 16, 2026, if the employer creates or receives PHI beyond summary health information or information used for enrollment.