Is Your Notice of Privacy Practices Already Noncompliant?
This is not an update healthcare and dental practices should ignore. The recent SUD confidentiality rule changes may require some offices to review and update their Notice of Privacy Practices, especially if they create or maintain these records as part of an existing patient file. With the compliance date already here, now is a good time to make sure your privacy paperwork is not outdated — particularly if your practice has a provider with a DEA license.
The key issue is not just whether a provider creates these records, but whether the provider creates or maintains Part 2 records. HHS says HIPAA covered health care providers and health plans that create or maintain Part 2 records must provide notice to individuals explaining how those records may be used and disclosed, along with the individual’s privacy rights. HHS also released updated model notices in February 2026, which is a strong sign that affected offices should be reviewing their privacy notice now.
What does “maintains” mean in the real world? This is one of the easiest ways a practice can miss this update. Many offices may assume the rule only applies if they are actively creating SUD-related records, but that may be too narrow of a view. If substance use disorder information is sitting anywhere in a patient chart or record your office keeps, that may be enough to trigger the need for a closer review.
If substance use disorder information is sitting anywhere in a patient chart or record your office keeps, that may be enough to trigger the need for a closer review.
In other words, some medical and dental practices could be pulled into this issue even if they are not actively creating standalone SUD records themselves. That is exactly why this update should not be brushed aside. If your office has, or employs, a provider with a DEA license, there is even more reason to take a careful look, since those practices may be more likely to encounter records or treatment information that could trigger a closer Part 2 analysis. While that is not a bright-line legal test, it is absolutely a practical warning sign that your privacy paperwork may need attention.
A related question is whether a revised notice also means you should obtain a new Acknowledgement of Receipt. That is where things get a little gray. HHS says covered entities must promptly revise and distribute their notice whenever there is a material change to privacy practices. At the same time, HHS has also said a provider generally does not have to obtain a new acknowledgment from an existing patient solely because the notice was revised. So, while some offices may choose to get a new acknowledgment as a more conservative documentation step, whether it is strictly necessary can still be subject to interpretation.
For healthcare practices and dental offices, this is a good reminder that HIPAA compliance is not always limited to classic HIPAA rule changes. Sometimes a related federal privacy rule, like the SUD confidentiality rule, can still affect your notice language, patient forms, and privacy workflow. If your office is unsure whether your current notice is still accurate, now is a smart time to review it before outdated paperwork becomes a bigger problem.
Not sure whether your notice needs to be updated? Our custom OSHA & HIPAA bundles are designed to help healthcare and dental offices stay current with changing compliance requirements, including practical updates to forms, policies, and notices.
