New HIPAA Privacy Rule Update: What Dental Practices Must Do Before the February 16 Deadline - Compudent Systems


A critical HIPAA compliance deadline is here: by February 16, 2026, all HIPAA-covered dental practices must update their Notice of Privacy Practices (NPP) to address new federal requirements regarding substance use disorder (SUD) patient records. This isn’t optional — it’s a federal mandate, and non-compliance could result in significant penalties.

Here’s what changed, why it matters to your dental practice, and exactly what you need to do to stay compliant.

What Changed: The Part 2 Final Rule

On February 16, 2024, the Substance Abuse and Mental Health Services Administration (SAMHSA) published a final rule modifying 42 CFR Part 2 — the federal regulations governing the confidentiality of substance use disorder patient records. This rule better aligns Part 2 protections with the HIPAA Privacy Rule.

The practical impact is straightforward: HIPAA-covered entities, including dental practices, must now include specific language in their Notice of Privacy Practices describing how substance use disorder records may be used and disclosed. The compliance deadline for updating your NPP is February 16, 2026 — exactly two years after the rule was published.

Why This Affects Dental Practices

You might be thinking, “We’re a dental office — we don’t treat substance use disorders.” That’s understandable, but the rule still applies to your practice for several important reasons:

You May Receive Part 2 Records

If your practice receives patient records or referrals from providers who do treat substance use disorders — including hospitals, primary care physicians, or behavioral health providers — those records may contain Part 2 protected information. Your NPP must address how you handle this data.

Medical History Forms Capture SUD Information

Many dental practices collect comprehensive medical histories that may include information about past or current substance use treatment. Medications like methadone, buprenorphine, or naltrexone that patients may disclose could constitute Part 2 information.

HIPAA Applies to All Covered Entities

The requirement to update the NPP applies to all HIPAA-covered entities, not just those that specifically treat SUDs. If your dental practice files electronic claims (which virtually all practices do), you are a HIPAA-covered entity and must comply.

The 4 Things Your Practice Must Do

The American Dental Association (ADA) has published a clear checklist for dental practices. Here are the four required actions:

1. Update Your Notice of Privacy Practices

Your NPP must now include language describing how your practice handles Protected Health Information received from a Part 2 substance use disorder treatment program. The ADA has published a revised sample NPP (available in English and Spanish for ADA members) that includes the required language. You can use this as a template to update your own.

Key additions to your NPP should cover:

  • A description of how SUD records received from Part 2 programs may be used and disclosed
  • Patient rights regarding their SUD treatment information
  • The prohibition on using Part 2 information in certain legal proceedings without patient consent
  • Re-disclosure restrictions that apply to Part 2 information

2. Make the Updated NPP Available

Once updated, your revised NPP must be made available in four ways:

  • On request — Provide a copy to any patient who asks
  • Posted in a prominent location — Display it in your waiting room or reception area
  • Posted on your practice website — If you maintain a website, the current NPP must be accessible online
  • At or before the first appointment — New patients must receive the NPP no later than their first visit

3. Train Your Staff

All staff members who handle patient information must be made aware of the updated NPP and the new requirements regarding SUD information. This training should cover:

  • What Part 2 records are and why they receive special protection
  • How to identify if incoming records contain Part 2 information
  • Updated policies and procedures for handling SUD records
  • The enhanced confidentiality protections and re-disclosure restrictions

4. Retain Compliance Documentation

HIPAA requires that all compliance documentation — including your updated NPP, training records, and related policies — be retained for six years. Make sure you keep dated copies of both your old and new NPP, along with records showing when staff training occurred.

The IT and Cybersecurity Connection

While this update is primarily a privacy and policy matter, it has direct implications for your practice’s IT infrastructure and cybersecurity posture:

Electronic Records Management

If your practice management software stores notes from referrals or external providers, you may need to review how Part 2 information is flagged, stored, and access-controlled within your system. Some practice management systems (like Dentrix or Eaglesoft) allow you to set access restrictions on specific records — this capability may now be relevant.

Access Controls

Part 2 records have stricter disclosure requirements than general HIPAA-protected information. Your IT systems should support role-based access controls that can limit who in your practice can view records containing SUD information.

Audit Trails

In the event of a breach or OCR investigation, you’ll need to demonstrate who accessed what records and when. Ensure your EHR or practice management system maintains adequate audit logging — and that those logs are backed up and protected.
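The access-control and audit-trail points above, combined in one added sketch that is not taken from Dentrix, Eaglesoft, or any other product. The role names, the `part2` record flag, and the hash-chained log are assumptions chosen for illustration; chaining each entry to the previous one is one way to make after-the-fact edits to the log detectable.

```python
import hashlib
import json

# Hypothetical roles: the value says whether the role may open Part 2-flagged records.
ROLES = {"dentist": True, "privacy_officer": True, "hygienist": False, "front_desk": False}
GENESIS = "0" * 64  # starting value for the hash chain

def can_view(role, record):
    """Known roles may view ordinary records; Part 2-flagged ones need a permitted role."""
    if role not in ROLES:
        return False
    return ROLES[role] or not record["part2"]

def _digest(prev_hash, entry):
    body = json.dumps(entry, sort_keys=True).encode()
    return hashlib.sha256(prev_hash.encode() + body).hexdigest()

def access(log, user, role, record, when):
    """Decide access and append an audit entry (allowed or denied) chained to the last one."""
    allowed = can_view(role, record)
    entry = {"when": when, "user": user, "role": role,
             "record": record["id"], "part2": record["part2"], "allowed": allowed}
    prev = log[-1]["hash"] if log else GENESIS
    log.append({"entry": entry, "hash": _digest(prev, entry)})
    return allowed

def verify_chain(log):
    """Return the index of the first entry that fails verification, or -1 if intact."""
    prev = GENESIS
    for i, item in enumerate(log):
        if item["hash"] != _digest(prev, item["entry"]):
            return i
        prev = item["hash"]
    return -1

def demo():
    # Constructed sample records and users, not real data.
    r1 = {"id": "r1", "part2": False}
    r2 = {"id": "r2", "part2": True}
    log = []
    results = [access(log, "alice", "front_desk", r1, "2026-02-10T09:00:00Z"),
               access(log, "alice", "front_desk", r2, "2026-02-10T09:01:00Z"),
               access(log, "dr_b", "dentist", r2, "2026-02-10T09:05:00Z")]
    intact = verify_chain(log)
    log[1]["entry"]["allowed"] = True  # simulate editing a denial after the fact
    return results, intact, verify_chain(log)

if __name__ == "__main__":
    print(demo())
```

Denied attempts are logged as well as successful ones, so the trail answers "who tried to open which record, and when" for Part 2-flagged records specifically.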

Website Updates

Don’t forget to update the NPP on your practice website. If your website is managed by a third party, contact them now to ensure the updated document is posted before the deadline. Verify that the online version matches the printed version in your office.

What Happens If You Don’t Comply

HIPAA violations carry significant penalties. The Office for Civil Rights (OCR) can impose fines ranging from $141 to $2,134,831 per violation, depending on the level of negligence. Beyond financial penalties:

  • OCR investigations disrupt practice operations and consume significant time
  • Non-compliance discovered during a breach investigation dramatically increases penalties
  • Reputational damage from published enforcement actions can affect patient trust
  • State attorneys general can bring additional actions under state privacy laws

Resources and Next Steps

The ADA has made several resources available to help practices comply:

  • ADA Dental Practice Checklist — A step-by-step guide for what to do before February 16
  • ADA Sample Notice of Privacy Practices — Revised to include Part 2 language (ADA member login required)
  • ADA Q&A about Part 2 Changes — Detailed answers about how the new rules affect dental practices

These resources are available at ada.org/hipaa.

Act Now — The Deadline Is Here

February 16, 2026 is days away. If your practice hasn’t updated its NPP yet, this needs to be your top administrative priority this week. Download the ADA’s sample NPP, customize it for your practice, print and post updated copies, update your website, and brief your team.

HIPAA compliance isn’t a one-time event — it’s an ongoing responsibility. This update is a reminder to review your entire privacy and security program regularly. If it’s been more than a year since your last HIPAA risk assessment, consider scheduling one soon.

Your patients trust you with sensitive health information. Staying current with HIPAA requirements is how you honor that trust.
