How to Update Your NPP to the HHS February 2026 Model
If your practice has an existing Notice of Privacy Practices, you almost certainly need to update it. The HHS February 2026 revised model integrated 42 CFR Part 2 SUD language, clarified reproductive-health disclosures, and refined individual-rights language — and every covered entity was required to have an updated NPP by the February 16, 2026 deadline. Here's the practical step-by-step.
By NPP Generator Research Team · Published Feb 18, 2026 · Last reviewed Apr 23, 2026
Step 1: Find your existing NPP's effective date
The first thing to locate is the effective date of your current NPP — the one your new notice will supersede. Check: (a) the top of the document itself (direct-treatment providers are required to display the effective date prominently); (b) your website's privacy-policy page (if the NPP is posted there); (c) your EHR or practice-management system's document repository; (d) the version control in your Word file properties if you retain the source. If you can't find an exact date, a month and year approximation is fine — the supersede line is a courtesy to patients, not a strict HIPAA requirement.
Step 2: Identify what needs to change
The substantive changes between a typical pre-2026 NPP and the HHS February 2026 model:
- 42 CFR Part 2 SUD language (for entities that are Part 2 programs or combined HIPAA + Part 2 entities). The 2024 Part 2 Final Rule permits a single integrated HIPAA/Part 2 notice. Required additions: written-consent requirement for most SUD disclosures; redisclosure prohibition by recipients; protection against subpoena without a court order meeting § 2.64 / § 2.65 standards; Part 2 breach notification obligations.
- Reproductive-health PHI disclosures. Post-Dobbs HHS guidance clarifies the boundaries around law-enforcement and investigation disclosures involving reproductive healthcare. The revised model notice addresses this directly.
- Individual-rights refinements. The 2023 HIPAA Privacy Rule amendments refined access, amendment, accounting, and restriction procedures. Electronic-copy rights under § 164.524 are spelled out more plainly.
- Acknowledgment language for direct-treatment providers — the "good-faith effort" phrasing in § 164.520(c)(2)(ii) is unchanged, but many pre-2026 notices have abbreviated or awkward acknowledgment sections that the revised model cleans up.
- Section 1557 taglines (optional appendix, required for federally funded entities). Most Medicare/Medicaid-participating practices must include these. If your existing NPP lacks a taglines page, add one.
Step 3: Decide — rewrite or regenerate?
Rewriting manually means pulling up your existing Word document and carefully adding Part 2 sections, revising individual-rights language against the 2023 amendments, and appending Section 1557 taglines. This is labor-intensive and error-prone — you're essentially reconstructing the HHS model by hand.
Regenerating means re-entering your entity information (organization name, Privacy Officer, address, website, effective date) into a tool that outputs the full HHS Feb 2026 model pre-populated. Re-entry takes about 3 minutes. Our generator costs $49 and produces clean PDF plus editable Word. For almost all practices this is the faster, safer path.
Step 4: Fill in the supersede date
The revised NPP should include a line at the top: "This notice supersedes our prior Notice of Privacy Practices dated [prior effective date]." This helps patients understand which version of your privacy policy was in effect when — useful if they later have questions about how their PHI was handled during a particular period.
The supersede line is not strictly required by § 164.520, but it is a best practice that resolves ambiguity. If your practice has updated its NPP multiple times over the years, you are only superseding the most recent prior version — not every historical version.
Step 5: Choose the new effective date
The new effective date is the date the revised NPP takes effect at your practice. Common choices:
- Today — if you're adopting the revised notice immediately.
- A specific future date — useful if you want to coordinate posting, printing, and patient communication to happen on the same day.
- February 16, 2026 — the HHS deadline. If you're updating post-deadline (as most practices are), using Feb 16 retroactively is not appropriate; use today's date.
Step 6: Redistribute
Material changes to the NPP require redistribution under § 164.520(b)(3). What you must do depends on your entity type:
Direct-treatment providers:
- Post the revised notice on your website immediately (§ 164.520(c)(3)(i))
- Post at each physical service site where patients receive services
- Provide the revised notice to patients at their next visit after the effective date
- Make paper copies available on request
- You do not have to individually mail the revised notice to every historical patient
- New patients after the effective date acknowledge the new version; returning patients who acknowledged the prior version do not need to re-acknowledge
Health plans:
- Provide the revised notice to all plan members within 60 days of a material change
- Delivery can be mail, secure email, or posting on the member's online account
- Continue reminding members at least once every 3 years that the notice is available
Step 7: Archive the prior version
Keep a copy of the superseded NPP in your compliance records along with the effective-date range it covered. OCR's investigations sometimes ask for the notice that was in effect at a specific point in time — typically when investigating complaints about how PHI was handled in the past. A clean archive of NPP versions with date ranges makes this trivial to produce.
Common mistakes to avoid
- Updating the printed copy but forgetting the website. § 164.520(c)(3)(i) requires both. A stale website copy is often what OCR finds during audits.
- Adding Part 2 language to a practice that isn't Part 2. If you're not a Part 2 program, don't include Part 2 disclosures — you'll confuse patients and potentially misstate your legal obligations.
- Skipping the supersede line. Not legally required but significantly reduces confusion for patients and auditors.
- Not updating the Privacy Officer if that person has changed. Any contact-info change is a material change, and outdated contact information is one of the most common NPP deficiencies OCR cites.
- Omitting Section 1557 taglines when your practice participates in Medicare/Medicaid. A separate enforcement risk from HIPAA, but still a violation.
Skip the manual work
Our generator takes you through the HHS February 2026 model in 5 minutes, adds the supersede line automatically, and outputs clean PDF plus editable Word. $49 one-time.