Insurance

Share This Page

Reminder: Required Updates to the Notice of Privacy Practices (NPP) February 16, 2026

Posted in: Insurance, Opioids

Model Notice of Privacy Practices: The U.S. Department of Health and Human Services has developed a Model Notice of Privacy Practices to assist practices in developing their own personalized NPP, available here.  https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html

By February 16, 2026, HIPAA-covered entities must update their Notice of Privacy Practices (NPP) to comply with new federal requirements. The updated NPP must explain how substance use disorder (SUD) information is protected, used, and disclosed, and it must remove reproductive health language that has been withdrawn from the rules.

These updates align HIPAA with 42 CFR Part 2, which strengthens confidentiality protections for SUD-related information. As a result, covered entities must revise their NPP to clearly describe how SUD information is protected and the circumstances under which it may or may not be used or disclosed.

This is a notice-only requirement. It does not change scope of practice, treatment authority, or billing rules.

Why This Affects Massachusetts Chiropractic Offices

A common misconception is that this update applies only to providers who prescribe opioids or treat substance use disorders. That is not the case. The requirement applies if a covered entity creates, receives, maintains, or stores PHI that includes SUD-related information — even incidentally.

Chiropractic offices routinely receive this type of information through:

  • Patient intake and health history forms

  • Records from primary care providers, specialists, or hospitals

  • Auto no-fault or workers’ compensation documentation

You do not need to diagnose or treat substance use disorders for this requirement to apply.

What Your Updated NPP Must Include

Your revised NPP should:

  • Describe the enhanced confidentiality protections and restrictions on the use and disclosure of SUD-related information.

  • Explain the circumstances under which SUD information may or may not be used or disclosed, consistent with federal requirements.

  • Remove reproductive health language previously added under rules that have since been withdrawn.

HIPAA Is Not “One-Size-Fits-All”

HIPAA requirements are not one-size-fits-all. Every chiropractic office must develop a compliance program and Notice of Privacy Practices that accurately reflect its own operations, workflows, and the type of protected health information it creates, receives, and maintains.

Each practice is responsible for tailoring its policies, procedures, and NPP content to fit its individual structure, services, and privacy risks. A generic or borrowed NPP is not sufficient; it must be customized to your specific practice environment.

Other HIPAA Documentation to Review

Although the February 16, 2026 update is limited to the NPP, Massachusetts chiropractic offices should ensure internal alignment across their HIPAA compliance program.

Policies and Procedures

Update internal policies to reflect the revised NPP language regarding SUD information and disclosure restrictions.

Obtain Acknowledgment of Receipt for All Future Patient Visits

As part of implementing the updated NPP, ensure that all patients are offered the revised NPP at their next visit and that staff make a good-faith effort to obtain a written acknowledgment of receipt.

If a patient declines to sign, staff must document the attempt, including that the patient refused. This documentation satisfies the provider’s obligation to demonstrate a good-faith effort.

This process should be followed for all existing and new patients as they are presented with the updated NPP during future appointments.

Next Steps for Massachusetts Chiropractic Offices

  • Review and update your Notice of Privacy Practices to meet the new federal requirements.

  • Replace and distribute the updated NPP — post it in your office, include it in new patient materials, and update your website if applicable.

  • Educate staff on the updated notice and its purpose.

  • Assess related documents (policies, training materials, BAAs) for consistency with the revised NPP.

For more information on HIPAA Privacy requirements, visit the U.S. Department of Health and Human Services website for Guidance Materials for Small Providers.

HealthIT.gov’s Guide to Privacy and Security of Electronic Health Information provides a beginner’s overview of what the HIPAA Rules require and includes links to risk assessment tools and other resources.

For Doctors & Staff

About Mass Chiro

Articles