TL;DR — What You Need to Know Right Now

The deadline is February 16, 2026 — just 7 days away.

If you’re a HIPAA-covered entity (healthcare provider, health plan, or clearinghouse), you must update your Notice of Privacy Practices (NPP) to include two new mandatory disclosures related to reproductive health care privacy. Failure to comply exposes your organization to civil penalties of up to $2,067,813 per violation category per year.

What’s required:

  1. Add language describing prohibited uses/disclosures of PHI for reproductive health care investigations
  2. Add language describing new attestation requirements for certain PHI requests
  3. Post the updated NPP on your website and at service locations
  4. Distribute or notify patients/members of the changes

This is not optional. There is no announced grace period. The 22-month compliance window since the rule’s effective date ends on February 16, 2026.



Understanding the HIPAA Privacy Rule Amendment

On April 26, 2024, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) published a landmark final rule titled “HIPAA Privacy Rule To Support Reproductive Health Care Privacy” (89 FR 33063). This rule amends the HIPAA Privacy Rule to establish new protections for protected health information (PHI) related to reproductive health care.

The rule became effective on June 25, 2024, with a 22-month compliance period for updating Notice of Privacy Practices documents. That compliance period ends on February 16, 2026.

Why This Rule Exists

Following the Supreme Court’s 2022 decision in Dobbs v. Jackson Women’s Health Organization, which overturned federal abortion rights, a patchwork of state laws emerged regarding reproductive health care legality. HHS determined that the existing HIPAA framework did not adequately protect individuals from having their health information used against them for seeking or receiving reproductive health care that is lawful under the circumstances in which it was provided.

The rule aims to ensure that individuals can seek reproductive health care without fear that their protected health information will be weaponized against them, their providers, or those who assist them — provided that care is legal where it occurs.


The Two New NPP Requirements

The amendments add two new mandatory elements to the Notice of Privacy Practices content requirements under 45 CFR 164.520(b)(1)(ii). Every covered entity must include these in their NPP before the deadline.

Requirement 1: Prohibited Uses and Disclosures Statement

Regulatory Citation: 45 CFR 164.520(b)(1)(ii)(F)

Your NPP must now contain “a description, including at least one example, of the types of uses and disclosures prohibited under § 164.502(a)(5)(iii) in sufficient detail for an individual to understand the prohibition.”

What This Means in Plain Language:

You must explain to patients that you are prohibited from using or disclosing their PHI for the purpose of:

  • Conducting a criminal, civil, or administrative investigation into any person
  • Imposing criminal, civil, or administrative liability on any person

…when the investigation or liability relates to:

  • Seeking reproductive health care
  • Obtaining reproductive health care
  • Providing reproductive health care
  • Facilitating reproductive health care

…where such care is lawful under the circumstances in which it was provided.

The Key Phrase: “Lawful Under the Circumstances”

This phrase is critical. The prohibition applies when the reproductive health care in question was legal in the state where it was provided, regardless of whether it might be illegal in another state. This protects patients who travel to receive care that is legal where provided.

Sample Language for Prohibited Disclosures Section

Here is example language that satisfies the regulatory requirement (adapt for your organization’s voice and format):

Prohibited Uses and Disclosures – Reproductive Health Care

We are prohibited from using or disclosing your protected health information (PHI) to investigate any person, or to impose any criminal, civil, or administrative liability on any person, for the act of seeking, obtaining, providing, or facilitating reproductive health care where such care is lawful in the state where it was provided.

Example: If a law enforcement agency or government licensing board requests your medical records to investigate you, a family member, or a health care provider for obtaining or providing abortion services where those services were legally performed, we will not disclose your information for that purpose. This protection applies even if the care would have been illegal in a different state.



Requirement 2: Attestation Requirements Statement

Regulatory Citation: 45 CFR 164.520(b)(1)(ii)(G)

Your NPP must contain “a description, including at least one example, of the types of uses and disclosures for which an attestation is required under § 164.509.”

What This Means in Plain Language:

Before certain entities can receive PHI that may be related to reproductive health care, they must provide a signed attestation stating that the information will not be used for the prohibited purposes described above.

When Attestations Are Required:

Attestations are required when PHI is requested for:

  • (d) Health oversight activities — audits, investigations, inspections by health oversight agencies
  • (e) Judicial and administrative proceedings — court orders, subpoenas, discovery requests
  • (f) Law enforcement purposes — requests for information to identify or locate suspects, fugitives, witnesses, or missing persons; requests related to crime victims or criminal conduct on premises
  • (g)(1) Coroners and medical examiners — requests to identify deceased persons or determine cause of death

What the Attestation Must Contain:

Under § 164.509(c)(1), a valid attestation must include:

  1. Description of the information requested
  2. Identification of the person making the request
  3. Identification of the person or entity to receive the information
  4. Clear statement that the use is not for a prohibited purpose
  5. Notice that making a false statement is a criminal offense (penalties: up to $250,000 fine and/or 5 years imprisonment)
  6. Signature and date

Sample Language for Attestation Requirements Section

Attestation Requirements for Certain Requests

When certain requestors seek your protected health information for health oversight, law enforcement, judicial proceedings, or coroner/medical examiner purposes, we require them to submit a signed attestation confirming that the information will not be used to investigate any person, or to impose liability on any person, for lawfully seeking, obtaining, providing, or facilitating reproductive health care.

Example: If a prosecutor issues a subpoena for your medical records related to reproductive health services as part of court proceedings, we will require the prosecutor to sign an attestation confirming the records will not be used to investigate or penalize you, your health care provider, or any person who assisted you for reproductive health care that was legally provided. If the requestor refuses to sign the attestation, we will not disclose the requested information for that purpose.



Who Must Comply

All HIPAA Covered Entities:

| Entity Type | Examples | NPP Required? |
|---|---|---|
| Health Care Providers | Hospitals, physician practices, clinics, pharmacies, labs, mental health providers, telehealth providers | Yes, if conducting HIPAA-covered electronic transactions |
| Health Plans | Health insurers, HMOs, employer-sponsored group health plans, government programs (Medicare, Medicaid), dental/vision plans | Yes |
| Health Care Clearinghouses | Billing services, repricing companies, community health management information systems | Yes |

Business Associates:

While business associates don’t maintain their own NPPs, they are bound by the new restrictions through Business Associate Agreements (BAAs). Covered entities should review and update BAAs to ensure business associates understand the new prohibited disclosures and attestation requirements.

Limited Exemptions

Only two narrow categories are exempt from NPP requirements:

  1. Correctional institutions — as specified in § 164.520(a)(4)
  2. Certain group health plans — plans that provide benefits solely through insurance contracts with health insurance issuers or HMOs AND do not create or receive PHI other than summary health information or enrollment/disenrollment information (§ 164.520(a)(3)(iii))

There are no other exemptions. Small practices, rural hospitals, specialty clinics — all covered entities must comply.


Penalties for Non-Compliance

HIPAA violations carry substantial financial penalties, enforced by the HHS Office for Civil Rights. The penalty structure is tiered based on the level of culpability:

Civil Money Penalty Tiers (2024 Inflation-Adjusted)

| Culpability Level | Per-Violation Penalty | Annual Maximum |
|---|---|---|
| Tier 1: Did Not Know | $137 – $68,928 | $2,067,813 |
| Tier 2: Reasonable Cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
| Tier 3: Willful Neglect – Corrected (within 30 days) | $13,785 – $68,928 | $2,067,813 |
| Tier 4: Willful Neglect – Not Corrected | $68,928 – $2,067,813 | $2,067,813 |

Key Point: Failing to update your NPP constitutes a Privacy Rule violation. An organization that knowingly ignores the February 16, 2026 deadline could face Tier 3 or Tier 4 penalties — starting at $13,785 per violation if corrected promptly, or $68,928 minimum if not corrected within 30 days.

Criminal Penalties

For egregious violations involving knowing disclosure of PHI for prohibited purposes:

| Offense | Maximum Fine | Maximum Imprisonment |
|---|---|---|
| Knowingly obtaining/disclosing PHI | $50,000 | 1 year |
| False pretenses | $100,000 | 5 years |
| Intent to sell or use for commercial gain | $250,000 | 10 years |

Criminal penalties are enforced by the Department of Justice and apply to individuals who knowingly violate HIPAA provisions.

The Real Risk: Audit Exposure

Beyond penalties for the NPP violation itself, an outdated NPP signals to regulators that your compliance program may have broader deficiencies. An OCR audit triggered by an NPP complaint could uncover additional violations, compounding your organization’s liability.


Step-by-Step Compliance Guide

With 11 days until the deadline, organizations need to move quickly. Here is a prioritized action plan:

Week 1 (Days 1-7): Document Updates

Day 1-2: Gap Analysis

  • Retrieve your current NPP document
  • Review against the two new required elements in § 164.520(b)(1)(ii)(F) and (G)
  • Identify what language is missing
  • Assign responsibility for drafting revisions

Day 3-4: Draft Revised Language

  • Write or adapt the required prohibited disclosure and attestation descriptions
  • Include at least one example for each (regulatory requirement)
  • Ensure language is “written in plain language” (HIPAA requirement)
  • Have legal counsel or compliance officer review

Day 5-7: Internal Approval

  • Route revised NPP through appropriate approval channels
  • Finalize document
  • Update the effective date on the NPP

Week 2 (Days 8-11): Distribution and Systems

Day 8-9: Website and Digital Updates

  • Post revised NPP prominently on your website (regulatory requirement)
  • Update any patient portals with the new NPP
  • Update electronic intake systems that display or deliver the NPP

Day 10: Physical Location Updates

  • Print updated NPPs for facility posting
  • Replace posted notices at reception areas, waiting rooms, intake windows
  • Ensure copies are available to give to patients upon request

Day 11: Member/Patient Notification

  • Health plans: Prepare member notification of material change (can be sent with next regular mailing, but must be within 60 days if no website posting, or by deadline if website posting)
  • Providers: Make revised NPP available at next patient encounter; offer to patients upon request
  • Document your distribution efforts for compliance records

Parallel Track: Attestation Procedures

While updating the NPP, you should also establish procedures to handle attestation requests:

  1. Create an attestation form template that meets § 164.509(c)(1) requirements
  2. Establish workflow for privacy/HIM staff to request and process attestations
  3. Train staff on when to require attestations (law enforcement, subpoenas, health oversight requests potentially involving reproductive health PHI)
  4. Document retention procedures for received attestations
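The attestation workflow above needs a concrete checkpoint: before records are released for one of the four purpose categories, someone has to confirm that an attestation was received and that it contains all six elements § 164.509(c)(1) requires. The following Python module is an added example of that intake check; it is not code from the article or from HHS. The purpose-category labels, the dataclass field names and the sample requests are assumptions constructed for the example. A "proceed" result means only that the attestation checkpoint is satisfied; the request still goes through the organization's normal HIPAA review of the underlying disclosure, and the check does not attempt to judge whether the stated purpose is truthful.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date
from typing import Optional

# Purpose categories for which 45 CFR 164.509 requires an attestation before PHI that may be
# related to reproductive health care is disclosed. The string labels are our own shorthand
# for the (d), (e), (f) and (g)(1) categories; they are not regulatory identifiers.
ATTESTATION_REQUIRED_PURPOSES = {
    "health_oversight",          # (d) health oversight activities
    "judicial_administrative",   # (e) judicial and administrative proceedings
    "law_enforcement",           # (f) law enforcement purposes
    "coroner_medical_examiner",  # (g)(1) coroners and medical examiners
}


@dataclass
class Attestation:
    """One field per element of § 164.509(c)(1); the field names are assumed for this example."""
    information_description: str = ""            # element 1
    requestor_identity: str = ""                 # element 2
    recipient_identity: str = ""                 # element 3
    not_prohibited_purpose_stated: bool = False  # element 4
    false_statement_notice_present: bool = False # element 5
    signature: str = ""                          # element 6
    signature_date: Optional[date] = None        # element 6


@dataclass
class DisclosureRequest:
    purpose_category: str
    may_involve_reproductive_health_phi: bool
    attestation: Optional[Attestation] = None


def attestation_defects(att: Attestation) -> list[str]:
    """Return the required elements that are missing; an empty list means the form is complete."""
    defects = []
    if not att.information_description.strip():
        defects.append("element 1: description of information requested is missing")
    if not att.requestor_identity.strip():
        defects.append("element 2: identification of the requestor is missing")
    if not att.recipient_identity.strip():
        defects.append("element 3: identification of the recipient is missing")
    if not att.not_prohibited_purpose_stated:
        defects.append("element 4: statement that the use is not for a prohibited purpose is missing")
    if not att.false_statement_notice_present:
        defects.append("element 5: notice that a false statement is a criminal offense is missing")
    if not att.signature.strip() or att.signature_date is None:
        defects.append("element 6: signature and date are missing")
    return defects


def evaluate_request(req: DisclosureRequest) -> tuple[bool, list[str]]:
    """Attestation checkpoint only.

    (True, reasons)  -> the request may move on to normal HIPAA review; not itself permission to disclose.
    (False, reasons) -> hold the request and do not disclose for this purpose.
    """
    if req.purpose_category not in ATTESTATION_REQUIRED_PURPOSES:
        return True, ["attestation not required for this purpose category"]
    if not req.may_involve_reproductive_health_phi:
        return True, ["attestation not required: PHI is not potentially related to reproductive health care"]
    if req.attestation is None:
        return False, ["attestation required but none provided; do not disclose for this purpose"]
    defects = attestation_defects(req.attestation)
    if defects:
        return False, defects
    return True, ["attestation complete; proceed to normal HIPAA review"]


# Constructed sample requests for demonstration; none of these describe a real request.
COMPLETE_SUBPOENA = DisclosureRequest(
    purpose_category="judicial_administrative",
    may_involve_reproductive_health_phi=True,
    attestation=Attestation(
        information_description="Clinic visit records, 2025-03-01 to 2025-03-31",
        requestor_identity="Example County Prosecutor's Office (constructed)",
        recipient_identity="Example County Prosecutor's Office (constructed)",
        not_prohibited_purpose_stated=True,
        false_statement_notice_present=True,
        signature="A. Requestor",
        signature_date=date(2026, 2, 10),
    ),
)

# Same request, but the form lacks the false-statement notice and was never signed or dated.
UNSIGNED_SUBPOENA = DisclosureRequest(
    purpose_category="judicial_administrative",
    may_involve_reproductive_health_phi=True,
    attestation=Attestation(
        information_description="Clinic visit records, 2025-03-01 to 2025-03-31",
        requestor_identity="Example County Prosecutor's Office (constructed)",
        recipient_identity="Example County Prosecutor's Office (constructed)",
        not_prohibited_purpose_stated=True,
    ),
)

# A treatment-purpose request falls outside the attestation categories entirely.
TREATMENT_REQUEST = DisclosureRequest(purpose_category="treatment",
                                      may_involve_reproductive_health_phi=True)

if __name__ == "__main__":
    for name, req in [("complete", COMPLETE_SUBPOENA), ("unsigned", UNSIGNED_SUBPOENA),
                      ("treatment", TREATMENT_REQUEST)]:
        ok, reasons = evaluate_request(req)
        print(f"{name}: {'proceed' if ok else 'hold'} -> {'; '.join(reasons)}")
```

The defect list is worth keeping as-is in the attestation log the checklist below calls for: it records exactly which element was missing when a request was held, which is the evidence an auditor will ask for.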

Compliance Checklist

Use this checklist to track your organization’s compliance progress:

NPP Document Updates

  • [ ] Reviewed current NPP against new § 164.520(b)(1)(ii)(F)-(G) requirements
  • [ ] Added prohibited uses/disclosures description for reproductive health PHI
  • [ ] Included at least one example of prohibited use/disclosure
  • [ ] Added attestation requirements description
  • [ ] Included at least one example of when attestation is required
  • [ ] Updated effective date on revised NPP
  • [ ] Verified plain language requirement is met
  • [ ] Legal/compliance review completed

Attestation System

  • [ ] Created attestation form template per § 164.509(c)(1) requirements:
      • [ ] Description of information requested
      • [ ] Identification of requestor
      • [ ] Identification of recipient
      • [ ] Statement that use is not for prohibited purpose
      • [ ] Criminal penalty notice (false statement = up to $250K/5 years)
      • [ ] Signature and date fields
  • [ ] Established validation process for incoming attestations
  • [ ] Created documentation retention procedures for attestations

Distribution and Posting

  • [ ] Updated NPP on organization website (prominently posted)
  • [ ] Updated posted NPP at all physical service locations
  • [ ] Updated patient portal(s) with revised NPP
  • [ ] Health plans: Scheduled member notification communication
  • [ ] Providers: Updated intake acknowledgment forms
  • [ ] Providers: Updated new patient registration packets

Policies and Procedures

  • [ ] Updated privacy policies to address reproductive health PHI handling
  • [ ] Created/updated attestation request procedures
  • [ ] Revised disclosure authorization review process to include attestation check
  • [ ] Updated incident response procedures for potential prohibited disclosures

Training and Communication

  • [ ] Trained privacy/compliance staff on new NPP requirements
  • [ ] Trained HIM/medical records staff on attestation procedures
  • [ ] Trained intake/front desk staff on providing updated NPPs
  • [ ] Trained workforce on recognizing potentially covered reproductive health PHI requests
  • [ ] Communicated changes to business associates

Documentation and Records

  • [ ] Retained copy of previous NPP (pre-amendment version)
  • [ ] Retained copy of revised NPP with effective date
  • [ ] Documented distribution and posting dates
  • [ ] Established log for attestation forms received
  • [ ] Retained training records

Frequently Asked Questions

Does this apply to my organization?

If you are a HIPAA-covered entity (health care provider conducting covered electronic transactions, health plan, or clearinghouse), yes, this applies to you. There are only narrow exemptions for correctional institutions and certain group health plans that operate solely through insurance contracts without creating or receiving PHI.

What if we miss the February 16, 2026 deadline?

There is no announced grace period or enforcement discretion policy for this deadline. Missing the deadline means you are in violation of the HIPAA Privacy Rule as of February 17, 2026. Your exposure begins immediately. The best course of action if you’re running late is to complete updates as quickly as possible — the difference between “corrected within 30 days” and “not corrected” can be the difference between $13,785 and $68,928 minimum per violation.

Do we need to re-distribute the entire NPP to all patients/members?

For health plans: If you maintain a website with the NPP prominently posted, you may notify members of the material change in your next annual mailing. If you don’t maintain a website with the NPP, you must provide the revised NPP or notice of changes within 60 days.

For health care providers with direct treatment relationships: You must make the revised NPP available and provide it to any individual who requests it. You should post the updated notice at your service delivery sites. You are not required to proactively mail it to all existing patients, but you should provide it at the next encounter and obtain new acknowledgments going forward.

Does this affect Business Associate Agreements?

The rule’s restrictions on reproductive health PHI disclosures flow through to business associates via your BAA. While you don’t need to amend BAAs specifically for the NPP changes, you should:

  • Communicate the new restrictions to your business associates
  • Ensure your BAAs adequately incorporate regulatory changes (most well-drafted BAAs include language adopting regulatory amendments automatically)
  • Consider whether explicit amendments clarifying reproductive health PHI handling are appropriate for your organization

What if a legitimate law enforcement request comes in?

The rule does not prohibit all law enforcement disclosures of reproductive health PHI. It prohibits disclosures for the purpose of investigating or imposing liability for lawful reproductive health care. If law enforcement has a legitimate purpose unrelated to investigating lawful reproductive health care, and provides a valid attestation confirming they will not use the information for prohibited purposes, disclosure may proceed according to normal HIPAA law enforcement provisions.

The attestation requirement creates a checkpoint. If the requestor refuses to sign the attestation, you should not disclose the information for that purpose.

How do we know if reproductive health care was “lawful under the circumstances”?

You are not required to independently investigate the legality of a patient’s care. The standard applies to care that is lawful where and when it was provided. If a patient received care at your facility, you know the circumstances. If you receive a request for records about care provided elsewhere, the attestation requirement shifts the burden to the requestor to confirm they’re not using the information for prohibited purposes.

What if our state has additional reproductive health privacy laws?

The federal HIPAA rule does not preempt more protective state laws. States like California, New York, Washington, and others have enacted additional reproductive health privacy protections. You must comply with both federal HIPAA requirements and any applicable state laws. If state law is more protective, you must meet the higher standard.


Sample Attestation Form Template

Below is a template that meets the requirements of 45 CFR 164.509(c)(1). Adapt as appropriate for your organization:


ATTESTATION FOR REQUESTS POTENTIALLY RELATED TO REPRODUCTIVE HEALTH CARE

Pursuant to 45 CFR 164.509


1. Description of Information Requested:



2. Requesting Person or Entity:

Name: _________________________________________________________

Title/Position: ________________________________________________

Organization: __________________________________________________

Address: _______________________________________________________

Phone: _________________________ Email: _________________________

3. Person or Entity to Receive Information (if different from requestor):

Name/Entity: ___________________________________________________

Address: _______________________________________________________

4. Purpose of Request:



5. Attestation Statement:

I hereby attest that the use or disclosure of the protected health information described above is not for any of the following prohibited purposes:

  • To conduct a criminal, civil, or administrative investigation into any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;
  • To impose criminal, civil, or administrative liability on any person for the mere act of seeking, obtaining, providing, or facilitating reproductive health care;

where such reproductive health care is lawful under the circumstances in which it was provided.

6. Acknowledgment of Criminal Penalties:

I understand that a person who makes a false statement in this attestation may be subject to criminal penalties under federal law, including fines up to $250,000 and imprisonment up to 5 years (18 U.S.C. § 1001).

7. Signature:

Signature: _________________________________ Date: ______________

Printed Name: __________________________________________________


Key Regulatory References

For those who want to review the primary sources:

| Document | Citation | Description |
|---|---|---|
| Final Rule | 89 FR 33063 (April 26, 2024) | “HIPAA Privacy Rule To Support Reproductive Health Care Privacy” — Full text and preamble |
| NPP Requirements | 45 CFR 164.520 | Notice of Privacy Practices content and distribution requirements |
| Prohibited Disclosures | 45 CFR 164.502(a)(5)(iii) | Prohibition on reproductive health care investigation disclosures |
| Attestation Requirements | 45 CFR 164.509 | Uses and disclosures requiring attestation |
| Penalty Amounts | 45 CFR 160.404 | Civil money penalty tiers |
| Penalty Inflation Adjustments | 45 CFR Part 102 | Current penalty amounts |



The Bottom Line

The February 16, 2026 HIPAA NPP compliance deadline is not a drill. In 11 days, every covered entity must have an updated Notice of Privacy Practices that includes:

  1. A description with at least one example of the types of uses and disclosures prohibited for reproductive health care investigations
  2. A description with at least one example of when attestations are required before PHI can be disclosed

The penalties for non-compliance are substantial — up to $2,067,813 per violation category per year — and there is no announced grace period.

Your action items:

  • If you haven’t started, start today
  • If you’ve started, finish this week
  • If you’re done, verify posting, distribution, and documentation

Compliance is achievable. The requirements are specific and finite. What’s not acceptable is inaction.


Need Help?

If your organization needs assistance with HIPAA compliance, consider:

  • Your legal counsel — for reviewing revised NPP language
  • Your compliance officer — for policy and procedure updates
  • HHS Office for Civil Rights — for official guidance: https://www.hhs.gov/ocr/
  • Industry associations — many publish template language and guidance

Don’t wait. February 16, 2026 is coming.


This article is provided for informational purposes only and does not constitute legal advice. Organizations should consult with qualified legal counsel to ensure compliance with HIPAA and applicable state laws.