On February 13, 2026, OCR announced its Civil Enforcement Program for 42 CFR Part 2 — the regulation governing substance use disorder patient records. Three days later, the compliance deadline hit. Any covered entity that receives SUD records and hadn't updated its Notice of Privacy Practices by February 16 is now in active enforcement territory.
That's just the most recent example of why a HIPAA privacy policy isn't something you write once and forget. The requirements change. The enforcement priorities shift. And when OCR comes looking, "we haven't updated our NPP in four years" isn't a defense — it's evidence of willful neglect.
This guide walks through exactly what HIPAA requires you to write, who needs to write it, and the specific elements auditors check. If you're starting from scratch or reviewing an existing document, this is the complete reference.
The February 16, 2026 Part 2 deadline applied to all HIPAA covered entities — not just addiction treatment programs. If your organization receives substance use disorder records from any source (hospital EHRs, referral networks, payer data), your NPP must now include Part 2 protections and individual rights language. Check your document against the updated HHS model NPP.
First: understand what you're actually required to write
HIPAA doesn't require one document called a "privacy policy." It requires several distinct documents, and mixing them up is one of the most common mistakes that causes audit failures.
Here's what covered entities must have:
- Notice of Privacy Practices (NPP): The patient-facing document. Required under 45 CFR §164.520. This is the one most people mean when they say "HIPAA privacy policy."
- Internal written privacy policies and procedures: The workforce-facing documents covering minimum necessary use, PHI handling, patient rights procedures, and training. Not patient-facing, but required and auditable.
- Business Associate Agreements (BAAs): Written contracts with every vendor that touches PHI on your behalf. Technically separate from your privacy policy but often grouped in compliance documentation.
Business associates don't need to publish an NPP — they're not covered entities. But they do need internal privacy and security policies that comply with the Security Rule, plus signed BAAs with every covered entity they serve. A BA with PHI access and no internal policies is non-compliant.
Writing the Notice of Privacy Practices
The NPP is what you hand to patients and post on your website. The regulation at 45 CFR §164.520 specifies what it must contain. Here's each required element, what it actually needs to say, and where organizations typically get it wrong.
Header statement
Your NPP must prominently display a specific header: "THIS NOTICE DESCRIBES HOW MEDICAL INFORMATION ABOUT YOU MAY BE USED AND DISCLOSED AND HOW YOU CAN GET ACCESS TO THIS INFORMATION. PLEASE REVIEW IT CAREFULLY."
That exact language is required by the regulation. You can add context around it, but the header must appear verbatim. Many templates that circulate online have variations that don't satisfy the requirement.
Description of uses and disclosures — with examples
This is the substantive core of the NPP. You must describe how your organization uses and discloses PHI for treatment, payment, and healthcare operations — and you must provide at least one example of each category.
Generic language like "we may use your health information for treatment purposes" doesn't satisfy the requirement. The regulation requires examples specific enough that patients understand what's actually happening. Something like: "Example: We may share information about your diagnosis with a specialist we refer you to for further treatment."
Beyond treatment, payment, and operations, you must also describe all other purposes — public health reporting, law enforcement disclosures, workers' compensation, marketing (if applicable), and any sale of PHI. Each one needs its own description. Missing any category that applies to your organization is a compliance gap.
Required disclosures
Tell patients the situations where you're legally required to disclose their PHI — when they request it themselves, and when HHS is conducting a compliance investigation or audit. This section is usually brief but must be explicit.
Individual rights — specific and actionable
This is the section where most NPPs are too vague to be compliant. You can't just say "you have the right to access your records." The regulation requires you to explain how patients can exercise each right. The required rights to address:
- Right of access: How to request records, what formats are available, timeline for response (30 days, or 60 days with one extension), any allowable fees
- Right to request amendment: How to submit an amendment request, how long you have to respond, what happens if you deny it
- Right to request restrictions: How to make the request, when you can deny it, when you're required to agree (patient pays out-of-pocket for a service and asks you not to bill their health plan)
- Right to request confidential communications: How to request alternative communication methods or locations
- Right to an accounting of disclosures: How to request a list of disclosures made for purposes other than treatment, payment, and operations
- Right to get a paper copy: Even if you've provided the NPP electronically, patients can request a paper copy
- Right to file a complaint: Contact information for both your Privacy Officer and HHS/OCR — this cannot be omitted
Saying "you may exercise your rights by contacting our office" without specifying how, what to expect, and what the timelines are doesn't satisfy the requirement. OCR's right-of-access enforcement initiative has specifically targeted organizations with vague or obstructive procedures here.
Covered entity's duties
Your NPP must include an explicit statement that your organization is required by law to: maintain the privacy of PHI, provide patients with notice of your privacy practices, and follow the terms of the current notice. Also required: a statement that you're obligated to notify patients in the event of a breach of their unsecured PHI. This is often missing in older templates predating the Omnibus Rule.
Changes to the notice
Include a statement that you reserve the right to change your privacy practices and apply the changes to all PHI you hold — and that you'll post the current NPP on your website and make it available upon request. The effective date of the current notice must appear prominently, typically in the header or footer.
Privacy Officer contact information
A named contact — or at minimum a titled role — and their contact information must appear in the NPP. This is how patients reach you with privacy questions or to exercise their rights. "Contact our office" without a specific person or title isn't sufficient.
Check your NPP against HIPAA requirements
PolicyAudit scans your Notice of Privacy Practices against the required elements under 45 CFR §164.520 and flags vague language, missing sections, and outdated provisions. Takes under a minute. Free for up to 3 documents.
Scan your HIPAA privacy policy free →
The 2026 update: 42 CFR Part 2 provisions
The February 2026 NPP update isn't just for addiction treatment centers. The HHS 42 CFR Part 2 Final Rule, which took effect April 2024 and became enforceable February 16, 2026, applies broadly to covered entities that receive SUD records from Part 2 programs.
If your hospital receives records from substance use disorder treatment providers, if your practice participates in health information exchanges that include SUD data, or if your health plan processes claims involving SUD treatment — your NPP needs to address Part 2.
The required additions to your NPP:
- Disclosure that SUD records obtained from a Part 2 program are subject to additional confidentiality protections under 42 CFR Part 2
- Description of the restrictions on use and disclosure of Part 2 records (tighter consent requirements, prohibitions on use in criminal proceedings)
- Notice of the patient's right to receive a list of entities to which their Part 2 records have been disclosed
- Contact information for submitting Part 2 complaints (separate from general HIPAA complaints — OCR now accepts them directly)
HHS published model NPP language for Part 2 on HHS.gov. If you use a template that predates February 2026, it's missing these sections.
Internal privacy policies — the other required documents
Your NPP tells patients what you do. Your internal policies tell your workforce how to do it. Both are required and both get audited.
The internal policies that OCR commonly reviews during investigations:
Minimum necessary use policy
When workforce members access PHI, they should access only what's needed for their specific job function. Your policy must define what "minimum necessary" means for each role — a billing specialist needs different data than a treating physician. Generic policies that say "employees should only access necessary information" without role-specific guidance don't satisfy the standard.
PHI disclosure procedures
Documented procedures for who can authorize disclosures of PHI for various purposes, what verification is required before disclosing to third parties (law enforcement, other providers, payers), and how to handle requests that fall outside routine treatment, payment, and operations. Without written procedures, employees make judgment calls — and inconsistent judgment calls create liability.
Patient rights request procedures
Step-by-step procedures for processing access requests, amendment requests, restriction requests, and accounting of disclosures requests. Each one needs documented timelines, approval chains, and what to do when a request is denied. OCR's right-of-access enforcement initiative has specifically targeted organizations where the procedures existed on paper but weren't followed.
Privacy Officer designation and responsibilities
You must document who your Privacy Officer is — it can be a title, not necessarily a dedicated full-time role — and what they're responsible for. This includes policy development, workforce training, receiving patient complaints, and conducting investigations. At a small practice, the Privacy Officer is often the practice manager or the compliance lead. That's fine. But it has to be documented.
Checklist: before you publish your NPP
Run through this before calling your privacy policy done:
- Required header language appears verbatim at the top
- Descriptions of treatment, payment, and operations uses include specific examples
- All other uses and disclosures that apply to your organization are described
- Required disclosures section is present
- All six patient rights are described with actionable procedures, not just listed
- Right to file complaints includes both your Privacy Officer and HHS/OCR contact information
- Covered entity's legal duties — including breach notification — are stated
- Effective date appears prominently
- Privacy Officer name or title and contact info are included
- If your organization handles SUD records: Part 2 provisions are included per February 2026 deadline
- If your NPP was last updated before 2021: review against the 2021 HIPAA Privacy Rule changes on reproductive health information
- If your NPP was last updated before 2013: the Omnibus Rule's breach notification and BA provisions are likely missing
Using a template — and what to customize
HHS publishes model NPPs at HHS.gov/hipaa. They're the safest starting point because they're written to satisfy the regulatory requirements as HHS interprets them. They're updated when the rules change — the current model reflects the February 2026 Part 2 update.
But any template requires customization before it's compliant for your specific organization. The elements you must fill in:
- Your organization's name and legal entity name
- Your Privacy Officer's name or title and contact information
- Your specific uses and disclosures — with examples that reflect what you actually do
- Your complaint procedures — how patients reach you, and how long you take to respond
- Any state law provisions that are stricter than HIPAA (California's CMIA, New York's health data laws, Texas's THIPAA all have provisions that must be reflected)
- Your effective date
After filling in a template, check it against the required elements before distributing it. The fastest way to do that systematically — especially if you're updating multiple documents at once — is to run your draft through PolicyAudit. It'll flag specific missing elements and vague language that won't hold up under scrutiny. That's a lot faster than comparing your document line-by-line against the Federal Register.
A common mistake is using an NPP generated by an online "privacy policy generator" that isn't specifically built for HIPAA. Generic privacy policy generators produce GDPR- or CCPA-style notices that don't satisfy HIPAA's specific structural and content requirements. The required header language alone won't be there. Start with HHS's model NPP or a HIPAA-specific template, not a general privacy policy tool.
Frequency of review
HIPAA requires you to review and update your privacy practices when there are material changes to your operations. Beyond that, the regulation doesn't specify a review cadence — but the rule changes since 2020 make an annual review the sensible baseline.
The changes that triggered required NPP updates since 2020: the 2021 HIPAA Privacy Rule amendments on reproductive health information, the 2024 Part 2 Final Rule (enforceable February 2026), and the forthcoming HIPAA Security Rule overhaul expected to finalize in May 2026. Each one requires something in your documentation to change.
If your NPP hasn't been reviewed in the last two years, assume it's out of date. The 2026 HIPAA compliance requirements guide covers all of these changes in detail.
Verify your HIPAA privacy policy in minutes
PolicyAudit checks your Notice of Privacy Practices and internal HIPAA policies against the regulatory requirements and outputs a specific gap report. Find out exactly what's missing or vague before an OCR investigation does. Free for up to 3 documents.
Check your HIPAA policies free →