As of February 16, 2026, HIPAA-covered entities must have updated their Notice of Privacy Practices (NPP) to comply with new federal requirements. The updated NPP must explain how substance use disorder (SUD) information is protected, used, and disclosed, and it must remove reproductive health language that has been withdrawn from the rules.
The AAC is working with a HIPAA expert to get all the information you need to know. A short educational webinar will be available for all AAC members early next week.
Steps for Chiropractic offices:
You are not required to have established patients sign the new version of the privacy practice; this is only for new patients moving forward.
Model Notice of Privacy Practices: The U.S. Department of Health and Human Services has developed a Model Notice of Privacy Practices to assist practices in developing their own personalized NPP, available here.
A common misconception is that this update applies only to providers who prescribe opioids or treat substance use disorders. That is not the case. The requirement applies if a covered entity creates, receives, maintains, or stores PHI that includes SUD-related information, even incidentally.
Chiropractic offices routinely receive this type of information through:
You do not need to diagnose or treat substance use disorders for this requirement to apply.
Your revised NPP should:
HIPAA requirements are not one‑size‑fits‑all, and every chiropractic office must develop a compliance program and Notice of Privacy Practices that accurately reflect its own operations, workflows, and the type of protected health information it creates, receives, and maintains. Each practice is responsible for tailoring its policies, procedures, and NPP content to fit its individual structure, services, and privacy risks. A generic or borrowed NPP is not sufficient; it must be customized to your specific practice environment.
Although the February 16, 2026, update is limited to the NPP, chiropractic offices should ensure internal alignment across their HIPAA compliance program.
Update internal policies to reflect the revised NPP language regarding SUD information and disclosure restrictions.
As part of implementing the updated NPP, ensure that all patients are offered the revised NPP at their next visit and that staff make a good‑faith effort to obtain a written acknowledgment of receipt. If a patient declines to sign, staff must document the attempt, including that the patient refused. This documentation satisfies the provider’s obligation to demonstrate a good-faith effort.
This process should be followed for all existing and new patients as they are presented with the updated NPP during future appointments.
For more information on HIPAA Privacy requirements, visit the U.S. Department of Health and Human Services website that contains Guidance Materials for Small Providers.
HealthIT.gov’s Guide to Privacy and Security of Electronic Health Information provides a beginner’s overview of what the HIPAA Rules require and has links to risk assessment tools and other aids.