February 16 HIPAA Deadline: Update Your Notice of Privacy Practices

Feb 2, 2026

By February 16, 2026, all HIPAA-covered entities — including dental practices — must update their Notice of Privacy Practices (NPP) to include specific information about how they handle substance use disorder (SUD) treatment records protected under federal law (42 CFR Part 2). They must also train their workforce on these updates.

What are SUD Records?

SUD records include information related to a patient’s identity, diagnosis, or treatment for substance use disorder that comes from a federally assisted SUD program, such as an addiction treatment facility. These records are protected under stricter rules than typical health records covered by HIPAA.

What Dentists Should Know

While most dental offices do not create SUD records, you still may receive SUD records as part of coordinating care with another provider or facility. These records are protected under stricter rules and must be handled differently.

Here are some of the key updates you need to know to be compliant:

  • You can use SUD records for treatment, payment, and healthcare operations just like other PHI.
  • You cannot disclose SUD records in legal proceedings against the patient without their written consent or a court order — even if subpoenaed.

For most dental practices, this won't change daily operations. But your team should understand that if you see SUD records in a patient's history, they aren't treated the same as other medical records when it comes to legal requests.

What About Reproductive Health Privacy Rules?

You may have heard about HIPAA changes related to reproductive health information. Those provisions were vacated by a federal court in June 2025 and are no longer in effect — you do not need to include reproductive health language in your NPP.

What Needs to Be in Your Updated Notice of Privacy Practices?

Your updated NPP must include:

  • How SUD records may be used and disclosed
  • Patient rights related to SUD information
  • Your legal duties to protect these records
  • Limitations on use in legal proceedings
  • Restrictions on redisclosure

What to Do by February 16 to Be Compliant

  1. Train your team on the rule updates.
  2. Update and post your new Notice of Privacy Practices in a prominent location in your office and on your website if applicable.
  3. Have copies of the updated NPP available for patients who request them.
  4. Provide the updated NPP to new patients at intake.

HIPAA Compliance Resources from WSDA & ADA

ComplyBetter

Offices using ComplyBetter — WSDA’s online dental compliance service — can now access training courses and an updated NPP template in their ComplyBetter account to complete requirements in time for the February 16 deadline.

If you aren’t yet using ComplyBetter and are interested in an affordable, modern platform to easily keep your office HIPAA, OSHA/WISHA and infection control compliant, now is a great time to join! Learn more about ComplyBetter’s comprehensive compliance features and review our competitive all-in-one annual membership pricing (discounted pricing for WSDA members!). Contact the ComplyBetter + WSDA team to learn more.

The ADA has also made information and resources available for members prior to the February 16 HIPAA deadline. Learn more and review the ADA’s revised Sample Notice of Privacy Practices on ADA.org.

Looking Ahead: Proposed Major HIPAA Revisions

The U.S. Department of Health and Human Services has proposed the first major revisions to the HIPAA Security Rule in over a decade. The Office for Civil Rights published the proposed rule in January 2025, and it includes some significant changes for covered entities:

  • Encryption of ePHI would be required, not just recommended.
  • "Addressable" standards would be eliminated — all safeguards would become mandatory rather than subject to a risk-based decision.

The final rule is still pending. Once published, compliance timelines are expected to allow 6-8 months for implementation, which could mean requirements take effect mid-to-late 2026. WSDA will keep members updated on the status, requirements, and deadlines of the final rule.

ComplyBetter users will receive notification and access to updated documentation, training and resources to confidently meet new HIPAA compliance requirements.