Modernizing HIPAA Compliance: Navigating New Notice of Privacy Practices Requirements Amid Legal Uncertainty
In April 2024, the U.S. Department of Health and Human Services (HHS) finalized a series of important modifications to the HIPAA Privacy Rule, many of which center on the Notice of Privacy Practices (NPP). These updates mark a significant shift in how covered entities and their business associates must communicate privacy protections to patients, particularly in light of broader changes affecting sensitive health information.
While a June 2025 federal court ruling in Texas vacated key provisions designed to enhance the privacy of reproductive health records, other components of the 2024 final rule remain enforceable and must be implemented. For compliance professionals, especially those responsible for privacy governance, understanding what has changed—and what has not—is essential to avoiding regulatory risk and maintaining transparency with patients.
Key Revisions to the Notice of Privacy Practices (NPP)
By February 16, 2026, HIPAA-covered entities are required to adopt and disseminate updated NPPs that reflect a number of newly mandated disclosures. These changes are intended to enhance clarity for individuals about how their health information may be used or disclosed under HIPAA, with a particular focus on sensitive data such as substance use disorder records and reproductive healthcare information.
Among the principal updates:
- Expanded Disclosure Descriptions: NPPs must now provide examples of uses and disclosures that are explicitly prohibited, particularly in connection with reproductive healthcare and substance use disorder treatment information [1, 2].
- Attestation Requirements: The revised notice must explain when the use or disclosure of protected health information (PHI) is conditional upon the recipient providing a written attestation that the information will not be used for impermissible purposes, such as pursuing investigations into lawful reproductive care [1, 2].
- Redisclosure Advisory: Patients must be informed that once PHI is disclosed pursuant to HIPAA, the recipient may not be subject to HIPAA’s protections, thus placing the data at greater risk of redisclosure [1].
- Alignment with 42 CFR Part 2: Covered entities must describe how they manage PHI protected under federal substance use disorder confidentiality regulations, integrating these requirements into the broader HIPAA framework [1, 2].
- Acknowledgment of Receipt Eliminated: In an effort to reduce administrative burden, the final rule removes the requirement that patients sign a written acknowledgment of receipt of the NPP [4].
Entities Required to Comply—and the Timelines That Apply
The obligation to implement these revisions extends to all covered entities, including healthcare providers that exchange electronic health information, health plans, and healthcare clearinghouses. Business associates, particularly those managing PHI on behalf of covered entities—such as billing services or cloud hosting providers—must also review their practices and contractual agreements to ensure compliance.
Two key compliance deadlines are now in effect:
- Reproductive Health PHI Use and Disclosure Restrictions: Originally set to take effect on December 23, 2024, this requirement was vacated by court order (see below) [2].
- NPP Update and Distribution: Covered entities must update and disseminate the revised NPPs no later than February 16, 2026 [1, 2, 3].
The Texas Decision and Its Broader Impact
A pivotal legal development occurred in June 2025, when a federal district court in Texas invalidated portions of the 2024 HIPAA amendments that sought to strengthen privacy protections for reproductive health information. This judicial decision nullified several provisions that would have imposed additional limitations on the use of PHI related to services such as abortion, contraception, in vitro fertilization, and gender-affirming care [4, 5, 6, 7, 8].
The implications are noteworthy:
- Scope of the Ruling: The decision has nationwide effect, not merely jurisdictional impact within Texas [7, 8].
- Reversion to Prior Standards: With the federal protections for reproductive health information rescinded, covered entities may resume disclosures permissible under the earlier HIPAA rules—such as sharing PHI for law enforcement investigations or legal proceedings [5, 6, 7, 8].
- State Laws Still Enforceable: Importantly, many state laws impose stricter privacy requirements than federal standards. Covered entities must continue to assess whether disclosures that are now permitted under HIPAA are still restricted under state law [6, 7].
Compliance Actions Required Now
Despite the court’s decision, the remainder of the 2024 HIPAA amendments, including those concerning the NPP, remains enforceable and must be fully implemented. Covered entities and business associates should act promptly to ensure readiness by the applicable deadlines.
Recommended actions include:
- Policy Review and Legal Assessment: Conduct a thorough review of existing privacy policies, particularly those concerning NPP content and disclosures, to align with federal and state law changes.
- NPP Revisions: Incorporate all mandated disclosures into the NPP, including examples of prohibited disclosures, warnings about redisclosure risk, substance use disorder protections, and attestation requirements [1, 2, 3].
- Redistribution Planning: Develop a strategy to disseminate the updated NPP through appropriate channels, such as online postings and in-person distributions during intake [1, 2, 3].
- Staff Education: Train staff—especially those in front-line roles or responsible for intake procedures—on the new NPP language and any revised internal policies.
- Business Associate Coordination: Review and amend Business Associate Agreements as needed to reflect the updated privacy obligations.
- Ongoing Monitoring: Keep abreast of potential future legal developments at both the state and federal levels, including any new guidance issued by HHS or relevant case law.
Conclusion
The regulatory terrain surrounding healthcare privacy continues to evolve, shaped by policy changes and judicial intervention. While the rollback of enhanced reproductive health privacy protections signals a shift in federal enforcement posture, the modernization of the Notice of Privacy Practices remains firmly in place. Compliance with the revised NPP requirements is not optional—and delay carries risk. As privacy professionals, our role is to ensure that patients remain informed, their rights are respected, and our organizations uphold the principles at the core of HIPAA compliance [1, 2, 3, 4, 6, 7].
1. https://www.kutakrock.com/newspublications/publications/2024/april/hipaa-privacy-rule-amendment
2. https://www.haynesboone.com/news/blogs/required-changes-to-hipaa-policies-and-notice-of-privacy-practices
3. https://www.segalco.com/consulting-insights/new-hipaa-rule-will-require-updates-to-policies-and-notices
4. https://www.hipaajournal.com/hipaa-updates-hipaa-changes/
5. https://www.stinson.com/newsroom-publications-federal-court-strikes-down-hipaa-reproductive-health-privacy-rule-what-it-means-for-health-plan-compliance
6. https://www.saul.com/insights/alert/hhs-rule-reproductive-health
7. https://www.koleyjessen.com/insights/publications/hipaa-reproductive-health-rule-vacated-nationwide
8. https://ogletree.com/insights-resources/blog-posts/federal-court-nullifies-hhs-rule-granting-extra-protections-to-reproductive-health-information/