HIPAA and SUD – Overview of Compliance Requirements
HIPAA’s 2026 update changes how SUD records are handled. Embed in charts, obtain single TPO consent, track disclosures, update your Notice of Privacy Practices, and train staff to stay compliant.
Transcript:
On February 16, 2026, that was the deadline for when you had to make sure that your Notice of Privacy Practices or your HIPAA Privacy Policy, or whatever you may call it in your practice, was updated to include the changes for the substance use disorder requirements now, under HIPAA. There were a few things that changed, and so I’m going to run through those really quick.
The first is this: in the past, all of the SUD records had to be kept separate. So all of the substance use disorder records had to be kept fully separate. Now, one of the challenges that we would have is when a patient would come in and mention to the doctor that they had an SUD or they had gone through substance use disorder assistance and help. At that moment, the doctor documents it, and those records all had to be kept completely separate. One of the changes in this particular statute, and this change to HIPAA, was that those don’t have to be kept separate. Now, SUD counseling documents still have to be kept separate, but normal operations for healthcare, for example, when a patient mentions it, or you were to find out from another provider in the medical record transfer, those had to be kept separate. That is not the case anymore; they can actually continue to be embedded in your notes, so they don’t have to be kept separate anymore, but you still have some additional requirements.
One of which is that, in order to make sure that you’re fulfilling your responsibilities under this particular statute, you have to have consent to share those documents under any circumstances; that includes TPO, or treatment, payment, and healthcare operations. So if you were to get a request from an insurance carrier for medical records for a patient where those documents or those records included information about an SUD, whether past, present, or the fact that they mentioned to you that they have one and are seeking to get treatment soon or counseling soon, all of that, when you document it, then has to be protected.
So you’ve got to make sure you’ve got a couple of things. First is you want to make sure that you have a way to identify, verify that you’re storing all of those correctly, and you can quickly know that a particular patient has SUD information in their notes. The second is, you want to make sure that you have a separate consent for substance use disorder patients. And in that case, they can sign a single consent that gives you the ability to be able to disclose that under TPO, in other words, under treatment, payment, and health care operations. So if they were to go to another doctor and that doctor requests records, then you would send them that information, as long as you those notes with the SUD, as long as you had that single document.
Now, historically, actually, you had to get a new consent every single time that a request was made; that is now gone. In this case, it’s very specifically included. As long as it’s a treatment, payment, and healthcare operations, you can have a single consent for other reasons, except for those that are explicitly required by law. For other reasons, then you would have to get an additional consent, or if there’s counseling involved, but for us, for chiropractic physicians, in those cases, that typically is not going to be the case. And so you want to make sure that you get that single TPO consent signed, and you also want to make sure that you understand what those disclosure limitations are, so that you can track that, and you have that policy established so that it’s very clear for everyone involved.
Now, the other thing you have to do, and this was the deadline of February 16, 2026, you have to update your Notice of Privacy Practices. So you have to make sure that you update your HIPAA privacy policy to include a specific SUD note. What is that? Here’s some sample language that you could choose to use. You could say that we will not disclose any substance use disorder-related records without your written consent, except as permitted by law, including, for example, but without limitation, a court order or a medical emergency. You have rights regarding these records, including access, confidentiality requests, and an accounting of disclosures. You need to have a statement that has that information. Doesn’t have to say it exactly like that, but it does need to include all of that information in your Notice of Privacy Practices. Additionally, then that also means, because you just informed the patient that they have the right to have an accounting of all the disclosures, you need to make sure that you have an accounting of those disclosures, and so you need to have some sort of a record that you keep track of when you have disclosed that information, who you disclosed it to, and then what document gave you permission to be able to disclose that. So that would go back to the first requirement of making sure that you do have a consent form for the release of those particular documents.
The last is this: you’ve got to train all of your staff; they have to be fully aware. So if you have a team member of yours that handles all of your records requests in those particular times, you want to make sure that that team member knows that those records that have substance use disorder information in them are protected. And you’ve got to make sure that they know that they’ve got to verify that the consent is signed and that all of the notifications are required, and then, of course, that they’re also adding to that record the tracking of the disclosure. So you want to make sure that all of that is taken care of. So first of all, make sure you have that office policy along with the consent form that you have designed for SUD, that you’ve updated your Notice of Privacy Practices, and that you have a way to track all of your disclosures, and that all of your training is complete.
One last thing, I just want to double back, because I want to make sure that we’re all level set on this. Some of you may be sitting back and saying, “Well, I don’t ever document that, or I don’t ever run across this.” And although that may be possible, I would say that through the course of your practice life, I can’t imagine a world where this doesn’t come into play, where it’s not a relevant factor that needs to be tracked in the documentation. So the policy is also critical. But in that rare case, or very, very rare case that you would never, you still have to update your notice of privacy policies, or Notice of Privacy Practices. You’ve got to make sure that that policy is updated and includes that information so that the patients do know. And that’s also a requirement of HIPAA, so you’ve got to make sure that that is a required element in your Notice of Privacy Practices. So make sure that it’s included. Hopefully, this helps you out, and we’ll catch you next week.










