Ensuring Compliance with the Part 2 Final Rule: Required Updates for SUD Treatment Providers

Substance use disorder (SUD) providers who are subject to the federal Confidentiality of Substance Use Disorder Patient Records regulations, commonly referred to as the “Part 2 Regulations,” are officially subject to a new civil enforcement program announced by the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR). As Part 2 programs that are also subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) well know, for decades, the two frameworks imposed different and often conflicting standards, leaving providers struggling to reconcile HIPAA’s broader information sharing allowances with Part 2’s stricter confidentiality requirements. Recognizing a misalignment, Congress directed the Department of Health and Human Services (HHS) to harmonize the Part 2 Regulations with HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH).  HHS responded to this direction, and as of February 16, 2026, compliance with the Part 2 Final Rule is required. 

The new enforcement program, along with other guidance on compliance with Part 2, was announced just days ahead of the compliance date for the Final Rule. 

In this blog post, we provide an overview of the changes under the Part 2 Final Rule and summarize all the updates that (i) Part 2 programs, (ii) HIPAA covered entities that create, receive, maintain, or transmit Part 2 records, and (iii) business associates that handle SUD records must make to the following documents, procedures, and operations to comply with the new framework and avoid enforcement penalties.


Patient Consents for Treatment, Payment, and Health Care Operations
First, some good news: the Part 2 Final Rule permits the use of a single consent for all future uses of SUD records for purposes of treatment, payment, and health care operations (TPO). This alignment with the HIPAA Privacy Rule will reduce significant administrative burdens for Part 2 programs that previously had to obtain separate consents for each disclosure. The TPO consent forms must indicate the Part 2 program disclosing the records, the intended recipients, a clear description of the consent’s scope, purpose, and expiration, and a statement that informs patients that records disclosed under a TPO consent can be redisclosed in accordance with the HIPAA Privacy Rule.


Updated Notices of Privacy Practices
As of the February 16, 2026 compliance date, HIPAA-covered entities that receive or maintain Part 2 records must also update their Notices of Privacy Practices (NPP) to conform with the new requirements of the Part 2 Final Rule. These updates must include explanations of the heightened confidentiality protections applicable to SUD records, the limitations on redisclosure of the records, and the explicit prohibitions on using SUD records in legal proceedings without a patient’s consent or a Part 2 qualifying court order. NPPs must also indicate that records shared under a TPO consent may be redisclosed by HIPAA covered entities and business associates in accordance with the HIPAA Privacy Rule. The NPP must also inform patients of their right to file complaints with OCR and their right to restrict certain disclosures. In addition, Part 2 programs—including those that are not HIPAA covered entities—must revise their own Part 2 NPPs to comply with 42 CFR § 2.22. This includes (i) adopting clearer and more accessible language, (ii) restructuring notices so they resemble HIPAA NPPs in format, and (iii) expressly describing the program’s duties, permitted uses, and disclosures of SUD records, redisclosure rules, and patient rights. The much-awaited updates to OCR’s model NPP are available here.
 

Breach Notification
Breach notification processes have also been modified under the Part 2 Final Rule. Now, any unauthorized acquisition, access, use, or disclosure of Part 2 records must be treated and handled as a HIPAA breach. This translates to entities conducting a documented breach-risk assessment, identifying the nature and scope of the incident, and notifying those affected without unreasonable delay and no later than 60 days after the breach’s discovery, as well as reporting breaches to HHS on an annual basis (except for those involving 500 or more individuals, which require contemporaneous reporting to HHS). These requirements ensure that Part 2 breaches receive the same standard of response as HIPAA breaches, fully integrating them into HIPAA’s established notification framework.


Updates to Processes and Workflow
Beyond updates to documentation and policies, the Part 2 Final Rule requires entities to revamp institutional processes and workflows to ensure compliance at an operational level. First, entities must update their consent administration procedures to support the TPO consent. This involves ensuring that there is accurate tracking of consents, processing of consent revocations, and distributing information related to the consent appropriately. Because the single TPO consent is now permitted, Part 2 records received under such a consent are no longer required to be siloed, and thus do not require separate labeling or isolation. Additionally, redisclosure and data-sharing workflows must be updated to reflect the Part 2 Final Rule’s alignment with HIPAA. This includes ensuring that Part 2 records can be redisclosed in accordance with HIPAA, except in contexts such as legal proceedings where redisclosure remains prohibited, fulfilling accounting-of-disclosure requests for up to three years, processing requests for restrictions on Part 2 record sharing, and routing patient complaints to OCR.


Conclusion
With OCR now fully empowered to enforce the Part 2 Final Rule, Part 2 regulated entities should expect that compliance with these updated requirements will be evaluated under the same civil penalty framework that applies to HIPAA. This means that improper uses or disclosures of SUD records, and failures to implement the updated consent, notice, workflow, and breach response requirements, may expose organizations to the full range of HIPAA-aligned civil and criminal penalties. As OCR launches a dedicated civil enforcement program for Part 2, regulated entities should take this moment to confirm that their documentation, operational practices, and workforce training reflect the new standards. Staying ahead of these updates will not only reduce enforcement risk but also strengthen privacy protections for patients receiving SUD treatment, which remains at the core of the Part 2 framework.

 

Authors

Kate Stewart

Of Counsel

Kate F. Stewart is Of Counsel at Mintz and a former in-house counsel who focuses on legal issues affecting health care clients, including digital health and privacy regulations, clinical trial compliance, and transactions for for-profit and nonprofit clients. She represents traditional health care providers, payors, and digital health start-ups.
Cassandra L. Paolillo is Of Counsel at Mintz whose practice involves advising health care clients on transactional and regulatory matters, including mergers and acquisitions, regulatory compliance, and general contracting. Cassie primarily works with providers and payors.
Jeannie Mancheno is an Associate at Mintz who focuses her practice on health care transactional, regulatory, and compliance matters. She represents clients across the health care industry, including hospitals, physician organizations, health care systems, and long-term and urgent care providers.
Madison M. Castle is an Associate at Mintz who focuses her practice on health care regulatory, transactional, and enforcement defense matters. She represents clients across the health care sector, including hospitals, physician organizations, and health care systems.