02/18/2026

Required Updates to the Notice of Privacy Practices (NPP) as of February 16, 2026

As of February 16, 2026, HIPAA-covered entities must have updated their Notice of Privacy Practices (NPP) to comply with new federal requirements. The updated NPP must explain how substance use disorder (SUD) information is protected, used, and disclosed, and it must remove reproductive health language that has been withdrawn from the rules.

The AAC is working with a HIPAA expert to get all the information you need to know. A short educational webinar will be available for all AAC members early next week.

Steps for Chiropractic offices:

1. Review and update your Notice of Privacy Practices to meet the new federal requirements.
2. Replace and distribute the updated NPP — post it in your office, include it in new patient materials, and update your website if applicable.
3. Educate staff on the updated notice and its purpose.
4. Assess related documents (policies, training materials, BAAs) for consistency with the revised NPP

**You are not required to have established patients sign the new version of the privacy practice, this is only for new patients moving forward.

Model Notice of Privacy Practices: The U.S. Department of Health and Human Services has developed a Model Notice of Privacy Practices to assist practices in developing their own personalized NPP, available here. 

Why This Affects Arizona Chiropractic Offices

A common misconception is that this update applies only to providers who prescribe opioids or treat substance use disorders. That is not the case. The requirement applies if a covered entity creates, receives, maintains, or stores PHI that includes SUD-related information, even incidentally.

Chiropractic offices routinely receive this type of information through:

• Patient intake and health history forms
• Records from primary care providers, specialists, or hospitals
• Auto or workers’ compensation documentation

You do not need to diagnose or treat substance use disorders for this requirement to apply.

What Your Updated NPP Must Include

Your revised NPP should:

• Describe the enhanced confidentiality protections and restrictions on the use and disclosure of SUD-related information.
• Explain the circumstances under which SUD information may or may not be used or disclosed, consistent with federal requirements.
• Remove reproductive health language previously added under rules that have since been withdrawn.

HIPAA Is Not “One‑Size‑Fits‑All”

HIPAA requirements are not one‑size‑fits‑all, and every chiropractic office must develop a compliance program and Notice of Privacy Practices that accurately reflect its own operations, workflows, and the type of protected health information it creates, receives, and maintains. Each practice is responsible for tailoring its policies, procedures, and NPP content to fit its individual structure, services, and privacy risks. A generic or borrowed NPP is not sufficient; it must be customized to your specific practice environment.

Other HIPAA Documentation to Review

Although the February 16, 2026, update is limited to the NPP, chiropractic offices should ensure internal alignment across their HIPAA compliance program.

Policies and Procedures

Update internal policies to reflect the revised NPP language regarding SUD information and disclosure restrictions.

Obtain Acknowledgment of Receipt for All Future Patient Visits

As part of implementing the updated NPP, ensure that all patients are offered the revised NPP at their next visit and that staff make a good‑faith effort to obtain a written acknowledgment of receipt. If a patient declines to sign, staff must document the attempt, including that the patient refused. This documentation satisfies the provider’s obligation to demonstrate a good-faith effort.

This process should be followed for all existing and new patients as they are presented with the updated NPP during future appointments.

Further Details

For more information on HIPAA Privacy requirements, visit the U.S. Department of Health and Human Services website that contains Guidance Materials for Small Providers.

HealthIT.gov‘s  Guide to Privacy and Security of Electronic Health Information provides a beginner’s overview of what the HIPAA Rules require and has links to risk assessment tools and other aids.