Disclaimer
This publication is designed to provide general information on pertinent legal topics. The statements made are provided for educational purposes only. They do not constitute legal or financial advice nor do they necessarily reflect the views of Holland & Hart LLP or any of its attorneys other than the author. This publication is not intended to create an attorney-client relationship between you and Holland & Hart LLP. Substantive changes in the law subsequent to the date of this publication might affect the analysis or commentary. Similarly, the analysis may differ depending on the jurisdiction or circumstances. If you have specific questions as to the application of the law to your activities, you should seek the advice of your legal counsel.


Update Business Associate Agreements to Comply with New Substance Use Disorder Record Rules
In HIPAA | By Kim Stanger
As of February 16, 2026, the new rules governing the confidentiality of substance use disorder (SUD) records will be enforced. If they have not done so, federally assisted SUD programs (Part 2 Programs) who are covered entities under HIPAA will need to update their business associate agreements (BAAs) to ensure compliance with the new rules.
SUD Confidentiality Obligations. The new Part 2 rules generally prohibit Part 2 Programs from disclosing SUD information without the patient’s written consent. However, the rules contain an exception that allows Part 2 Programs to disclose SUD information to a qualified service organization (QSO) without the patient’s consent so long as the Part 2 Program has an agreement with the QSO that requires the QSO to comply with Part 2.
Do the New Substance Use Disorder Record Rules Apply to You?
In HIPAA | By Kim Stanger
The revised federal rules for substance use disorder (“SUD”) records will be enforced effective February 16, 2026. (42 CFR part 2, hereafter “Part 2”). Failure to comply with the new Part 2 rules may subject healthcare providers and other recipients of covered SUD records to HIPAA penalties ranging from $145 to $2,190,294 per violation along with the affirmative obligation to self-report violations to affected individuals and the Office for Civil Rights. (42 CFR § 2.3; see also 45 CFR § 102.3). Providers rendering SUD treatment or receiving SUD records must determine whether and to what extent the new Part 2 rules apply to them.
Beyond HIPAA: Navigating the “More Stringent” Standard
In HIPAA | By Jake Walker
In light of the upcoming deadline for covered entities to update their Notice of Privacy Practices by February 16, 2026,[1] covered entities should consider “more stringent” state laws that may apply to these updated forms and require compliance. The Health Insurance Portability and Accountability Act (“HIPAA”) Privacy Rule (45 C.F.R. Part 164 Subpart E) sets the floor for privacy protections and rights of individuals when it comes to their individually identifiable health information, but allows for states to enact stronger or more stringent requirements regarding the privacy of patient health information. Where federal law sets the ground floor for compliance and allows states to set more demanding requirements as in the case with HIPAA, this is commonly known as “floor preemption.”[2] Thus, HIPAA leaves the door open for state law to impose standards more demanding than HIPAA in certain circumstances.
It is critical for covered entities to understand what state laws, if any, may impose additional obligations upon them, and that merely complying with HIPAA is not enough. This is made even more important by the raft of state-specific privacy protection laws that states across the country have implemented within the last decade. The examples below illustrate when and where state law may impose burdens more demanding than HIPAA and the Privacy Rule, but also note where HIPAA preempts other, conflicting state laws.
Update Your HIPAA Notice of Privacy Practices by February 16, 2026
In HIPAA | By Kim Stanger
Recent changes to the HIPAA Privacy Rule require that healthcare providers update their Notice of Privacy Practices (“NPP”) by February 16, 2026.[1] Most of the changes are intended to align HIPAA with the revised regulations governing substance use disorder records (see 42 CFR part 2).[2] A redlined version of 45 CFR 164.520 showing the changes to the rule is available here.
Background. HIPAA requires covered entities to post and provide individuals with a copy of the provider’s NPP no later than the first day services are delivered.[3] The NPP must contain the elements, information and statements specified in 45 CFR 164.520, including but not limited to:
For more information concerning these continuing requirements, see our article at https://www.hollandhart.com/checklist-for-hipaa-notice-of-privacy-practices.
Idaho’s New Healthcare Whistleblower Law
In Idaho Healthcare Law | By Kim Stanger
A new Idaho law gives a broad private cause of action to actual or alleged whistleblowers in the healthcare industry. The statute will increase the risk and cost to health care employers and organizations who want to take any kind of adverse action against employees, contractors, medical staff members, or other individuals no matter how much such action is warranted.
I. Conscience Protections. The new Medical Ethics Defense Act, Idaho Code § 54-1301 et seq., generally protects the conscience rights of healthcare providers. Under the statute, “[h]ealth care providers[1] … shall not be required to participate in … a medical procedure, treatment, or service that violates such health care provider’s conscience.”[2] (I.C. § 54-1304(1)). Furthermore, “[n]o health care provider shall be discriminated against in any manner as a result of exercising the right of conscience….” (Id. at § 54-1304(6)).
“Discrimination” or “discriminated against” means any adverse action taken against, or any threat of adverse action communicated to, any health care provider as a result of exercising [conscience] rights pursuant to sections 54-1304 and 54-1305, Idaho Code. Discrimination includes but is not limited to any penalty or disciplinary or retaliatory action, whether executed or threatened….
(Id. at § 54-1303(2)). The language is quite broad: in addition to adverse employment action, it would likely extend to adverse contract, credentialing, and other actions against contractors, medical staff members, and persons with clinical privileges.