If you work anywhere near healthcare compliance right now, it probably feels like HIPAA is changing every five minutes. Vendors are blasting emails. Consultants are posting urgent LinkedIn takes. Webinars are promising to explain “major HIPAA updates” before it’s “too late.”
Let’s slow this way down and separate fact from hype.
The NPP Changes Are About Part 2, Not Everyone
One of the loudest sources of confusion right now is the update to the Notice of Privacy Practices (NPP). Many organizations are being told they must update their NPP immediately or they’ll be out of compliance.
Here’s the truth: the recent NPP changes are tied to 42 CFR Part 2, which governs substance use disorder (SUD) records.
If your organization creates, receives, maintains, or transmits Part 2 data, then yes, the NPP changes matter to you. You should be reviewing your notice and coordinating with legal and compliance to make sure it reflects the new alignment between HIPAA and Part 2.
If your organization does not handle Part 2 data, then nothing has changed for you. There is no new HIPAA-wide requirement forcing everyone to rewrite their NPP. No secret deadline. No hidden enforcement wave.
This distinction keeps getting glossed over, and that’s creating unnecessary panic for organizations that simply aren’t impacted.
The Security Rule NPRM Has Not Passed
The second big source of noise is the proposed update to the HIPAA Security Rule.
Yes, there is a Notice of Proposed Rulemaking (NPRM).
No, it has not been finalized.
And no, it is not law.
An NPRM is exactly what it sounds like: a proposal. It’s the government saying, “Here’s what we’re thinking, and we want public input.” Until a final rule is issued and an effective date is set, covered entities and business associates are not required to comply with the proposed changes.
Despite that, many vendors and consultants are already acting as if the Security Rule changes are a done deal. Some are marketing new tools, services, or “gap assessments” framed around requirements that don’t yet exist.
That doesn’t mean organizations shouldn’t pay attention. The proposed changes give us insight into where OCR is heading and what regulators care about. But preparing thoughtfully is very different from being told you’re suddenly noncompliant.
Scare Tactics Help No One
A lot of the current messaging relies on fear:
- “You’re out of compliance.”
- “You must act now.”
- “OCR is about to crack down.”
That kind of language doesn’t improve compliance. In fact, it often does the opposite by overwhelming already stretched compliance, privacy, and IT teams.
Good compliance work is risk-based, thoughtful, and grounded in what is actually required today, not what might happen someday.
What Organizations Should Be Doing Right Now
Here’s the reasonable, responsible approach:
- Confirm whether Part 2 applies to you. If it does, review your NPP. If it doesn’t, document that determination and move on.
- Track the Security Rule NPRM, but don’t treat it as final. Use it as a planning tool, not a compliance checklist.
- Focus on existing HIPAA requirements. Many organizations still struggle with basics like risk analyses, access controls, and workforce training, all of which are already enforceable.
- Be skeptical of urgency without context. Ask: “Is this final?” “Who does this actually apply to?” “What’s the enforcement date?”
A Little Less Noise, A Little More Clarity
HIPAA compliance is complex enough without adding manufactured urgency and half-truths. Not every proposed change applies to everyone. Not every proposal is law. And not every email with “urgent” in the subject line reflects reality.
Clear thinking, accurate information, and steady leadership will always beat panic-driven compliance.
Sometimes the most compliant thing you can do is take a breath and read the fine print.
