Key Takeaways
- The February 16, 2026 deadline for updating HIPAA Notices of Privacy Practices to reflect 42 CFR Part 2 SUD protections has passed, meaning non-compliant practices are in active violation today.
- The rule applies to any dental practice that creates, receives, or maintains substance use disorder records, not just SUD treatment programs. Care coordination referrals alone can trigger applicability.
- OCR launched its Civil Enforcement Program for SUD patient record confidentiality on February 16, 2026, the same day compliance became mandatory, meaning complaints are being accepted right now.
- OCR has repeatedly penalized small dental practices without a data breach as the triggering event. A $70,000 civil monetary penalty against a dental practice in October 2024 came from a right-of-access complaint, not a security incident.
- Remediation requires four specific NPP content additions, immediate re-posting of the updated notice, documented staff retraining, and updated consent workflows for SUD records. The window to correct before a complaint arrives is now.
Your Notice of Privacy Practices is almost certainly out of compliance today. The February 16, 2026 deadline mandated by the 42 CFR Part 2 final rule has passed, and the Office for Civil Rights launched its Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records the same day. The agency is now accepting complaints. If your NPP still reads the way it did in 2024, the violation clock is running.
The percentage of dental practices that have updated their NPP to reflect Part 2 SUD requirements is almost certainly in the single digits. The rule was widely interpreted as a behavioral health concern, and most dental compliance resources treated it that way. That interpretation was wrong, and the gap between what the regulation actually requires and what most dental practices have done is exactly the kind of systemic non-compliance OCR's enforcement initiatives are designed to target.
The Rule Most Dental Practices Read as a Hospital Problem
The 42 CFR Part 2 final rule implemented Section 3221 of the CARES Act and became effective April 16, 2024, with a compliance deadline of February 16, 2026. The rule modernized decades-old protections for substance use disorder treatment records, aligning many provisions with HIPAA while preserving and in some cases strengthening Part 2's more restrictive confidentiality requirements.
The critical language most dental practices missed: the NPP update requirement applies to any HIPAA covered entity that creates, receives, maintains, or transmits SUD records under Part 2, not just federally assisted SUD treatment programs. As Davis Wright Tremaine's privacy law team noted, "lawful holders" of Part 2 records — providers who receive SUD treatment records for care coordination purposes — are squarely within scope.
For a dental practice, the threshold for coverage is lower than most practitioners realize. A patient in recovery whose treating physician forwards SUD treatment history as part of a medication review, a referral that includes documentation of opioid use disorder, a patient who discloses SUD treatment history in intake paperwork that then enters your EHR — any of these scenarios can make your practice a holder of Part 2 records. And once you hold Part 2 records, your NPP must reflect that fact.
The assumption that Part 2 is someone else's compliance problem cost practices two years of preparation time. The Fenwick & West analysis of the deadline put it plainly: the requirement applies to entities that receive SUD records from Part 2 programs, regardless of whether the receiving entity provides any SUD treatment at all.
What the SUD Confidentiality Provision Actually Requires in a Dental Setting
The substance of the Part 2 protections is meaningfully different from standard HIPAA, and those differences must now appear explicitly in your NPP. Standard HIPAA allows covered entities to use and disclose protected health information for treatment, payment, and healthcare operations (TPO) without patient authorization. Part 2 does not extend that permission to SUD records by default.
Under the final rule, a patient's written consent is required for TPO uses and disclosures of Part 2 records unless a specific exception applies. The final rule created a "single consent" mechanism allowing patients to authorize all future TPO uses at once, but that consent must be obtained and documented. The practice's NPP must explain this distinction — that SUD records in your system are subject to a separate, more restrictive consent regime than other PHI.
Beyond the TPO distinction, the NPP must also address the legal proceedings prohibition. According to the National Law Review's analysis, Part 2 records cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against a patient without written consent or a court order meeting specific Part 2 criteria. This is a protection that standard HIPAA does not provide, and your NPP must now spell it out.
For dental practices that use patient data for fundraising, the update also requires informing patients of their right to opt out of any fundraising communications that rely on Part 2 SUD records. And for any practice that discloses records to downstream parties, the NPP must acknowledge that Part 2 protections exceed standard HIPAA requirements.
February 16 Has Passed: What Your Liability Exposure Looks Like Right Now
The enforcement architecture is fully live. OCR announced its Civil Enforcement Program specifically for SUD record confidentiality on February 13, 2026, effective February 16. The program runs through the same complaint and investigation structure as standard HIPAA enforcement. Patients, workforce members, or any member of the public can file a complaint. OCR can investigate, require corrective action, and impose civil monetary penalties without a data breach as the predicate event.
The penalty structure under HIPAA gives OCR significant latitude. For violations in the "lack of knowledge" tier, fines run $145 to $73,011 per violation. For "reasonable cause," the range is $1,461 to $73,011. "Willful neglect" corrected within 30 days carries penalties of $14,602 to $73,011. A practice that received notice of a complaint and still had not updated its NPP would be hard-pressed to argue lack of knowledge at that point.
OCR's recent enforcement history against dental practices is not encouraging. In October 2024, OCR imposed a $70,000 civil monetary penalty against a dental practice for failure to provide timely access to patient records. The violation was a right-of-access failure, not a data breach. OCR reached that practice through a patient complaint. The same pathway is now open for NPP non-compliance under the Part 2 enforcement program.
More broadly, OCR's 2025 enforcement activity ended the year with 21 settlements and civil monetary penalties, the second-highest annual total on record. The agency has demonstrated sustained appetite for pursuing small providers. A dental practice is not too small to attract scrutiny.
The Four Specific Changes Your Notice of Privacy Practices Must Now Include
An NPP update that satisfies Part 2 compliance is not a wholesale rewrite, but it requires four distinct additions that a standard HIPAA NPP template will not contain.
First, the NPP must affirmatively disclose that the practice may create, receive, or maintain SUD records subject to 42 CFR Part 2, and describe how those records may be used and disclosed. The description must make clear that Part 2 protections are more restrictive than standard HIPAA, including that written patient consent is required for TPO uses unless an exception applies.
Second, the NPP must include a specific statement addressing the legal proceedings limitation: that Part 2 SUD records may not be disclosed in any civil, criminal, administrative, or legislative proceeding without written patient consent or a court order that satisfies Part 2's specific requirements. This protection is material to patients and must appear in the notice.
Third, if the practice uses patient information for fundraising (a common activity among DSO-affiliated practices and larger group practices), the NPP must inform patients of their right to opt out of any fundraising that draws on Part 2 SUD information.
Fourth, the NPP must describe patient rights specific to Part 2 records, including the right to restrict uses and disclosures and the right to receive an accounting of disclosures. Smith Anderson's healthcare compliance alert notes that practices may integrate these disclosures into an existing combined NPP or maintain a separate Part 2 notice, provided all required content is present.
How OCR Finds Non-Compliant Practices
The most common assumption is that OCR enforcement follows data breaches. That assumption leads practices to under-invest in compliance areas that don't involve security incidents. The NPP update requirement is a prime example. There is no breach to report if your notice fails to include the required Part 2 language — but the violation is just as real and the enforcement pathway is identical.
OCR finds non-compliant practices through three primary channels: patient complaints, workforce complaints (including former employees), and its audit program. The OCR HIPAA audit program, which resumed in 2025 after a multi-year hiatus, specifically reviews NPP content as a core audit element. An audited practice with a non-compliant NPP faces immediate findings without any patient harm or breach triggering the review.
Patient complaints are the highest-volume pathway. A patient in recovery who understands their Part 2 rights and notices that your NPP makes no mention of SUD record protections has standing to file a complaint with OCR today. With the Civil Enforcement Program actively accepting SUD-related complaints since February 16, 2026, the complaint risk is no longer theoretical.
The Remediation Checklist: What to Fix Before Your Next Audit
The window for correction exists now, before a complaint or audit arrives. Remediation has four components, and all four matter because OCR looks for documented corrective action, not just updated documents.
Start with the NPP itself. Add the four required Part 2 elements described above. If your practice does not currently hold or expect to receive any Part 2 records, document that determination in writing and retain it. If there is any ambiguity, update the NPP anyway — the cost of the update is trivial relative to the cost of an OCR investigation.
Once the NPP is updated, re-post it. For most dental practices, this means updating the notice displayed at the front desk and the version posted on the practice website. HIPAA requires that the current NPP be prominently available to patients. A corrected NPP sitting in a compliance folder with the old version still posted creates its own problem.
Update consent workflows. If your intake process includes consent forms that authorize uses of patient records, those forms must be reviewed for compatibility with the Part 2 single-consent framework. Patients with SUD records in their chart must be able to provide a single written consent for TPO uses, and that consent mechanism must exist.
Document staff training. OCR's corrective action demands routinely require evidence that workforce members have been retrained following a compliance failure. Getting ahead of that requirement now means conducting and documenting training on Part 2 requirements, what records trigger Part 2 applicability, and how those records must be handled differently from standard PHI.
The liability clock for non-compliance with the February 16 deadline is already running. The practices that remediate now, before a complaint arrives, retain the ability to demonstrate good-faith corrective action. The ones that wait for OCR to show up will pay for the delay.
Frequently Asked Questions
Does the February 16 NPP update requirement apply to my dental practice if I don't treat addiction or substance use disorders?
Yes, if your practice creates, receives, or maintains any records covered by 42 CFR Part 2. As [Davis Wright Tremaine's analysis confirms](https://www.dwt.com/blogs/privacy--security-law-blog/2026/01/hipaa-notices-of-privacy-practices-update), "lawful holders" of Part 2 records — including primary care-adjacent providers who receive SUD records through care coordination — are within scope. Dental practices that receive patient records from referring physicians, behavioral health providers, or hospitals may hold Part 2 records without having provided any SUD treatment themselves.
When did OCR start accepting complaints for SUD record confidentiality violations?
February 16, 2026, the same day compliance became mandatory. [HHS announced the Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records on February 13, 2026](https://www.hhs.gov/press-room/hhs-announce-civil-enforcement-program-sud-patient-records.html), with enforcement beginning on the compliance deadline. Complaints filed on or after February 16 alleging NPP non-compliance or SUD record mishandling fall within OCR's enforcement jurisdiction.
What are the financial penalties if OCR finds my practice's Notice of Privacy Practices is non-compliant?
HIPAA civil monetary penalties are tiered by culpability. At the lowest tier (lack of knowledge), fines run $145 to $73,011 per violation. At the reasonable cause tier, the range is $1,461 to $73,011. Willful neglect corrected within 30 days carries penalties of $14,602 to $73,011 per violation. [OCR's 2024 enforcement actions against dental practices](https://www.nixonpeabody.com/insights/articles/2024/11/27/ocr-enforces-hipaa-right-of-access) show the agency is willing to impose five-figure penalties on small practices for administrative compliance failures that don't involve a data breach.
What is the key difference between how HIPAA and 42 CFR Part 2 treat SUD records for treatment, payment, and operations purposes?
Standard HIPAA permits covered entities to use and disclose protected health information for treatment, payment, and healthcare operations without patient authorization. Part 2 does not extend this permission to SUD records; written patient consent is required for TPO uses of Part 2 records unless a specific regulatory exception applies. The [final rule created a single-consent mechanism](https://www.accountablehq.com/post/42-cfr-part-2-final-rule-changes-2024-what-s-new-and-how-to-comply) so a patient can authorize all future TPO uses at once, but obtaining that consent is the practice's obligation, and the NPP must explain this distinction.
If my practice updates its NPP now, in April 2026, does that retroactively cure the non-compliance since February 16?
Updating now does not eliminate the period of non-compliance between February 16 and the date of correction, but it substantially limits exposure. OCR's corrective action process rewards documented remediation; practices that can demonstrate prompt self-correction upon identifying a deficiency typically receive more favorable treatment than those that do nothing. The [National Law Review's compliance guidance](https://natlawreview.com/article/february-2026-compliance-deadline-here-practical-steps-substance-use-disorder) recommends updating the NPP, reposting it, retraining staff, and documenting all steps to create a defensible compliance record.