OCR Launches Part 2 Civil Enforcement Program

Bass, Berry & Sims PLC

On February 13, the Department of Health and Human Services Office for Civil Rights (OCR) announced a new program to implement and enforce federal requirements that protect the confidentiality of substance use disorder (SUD) patient records (the Part 2 Civil Enforcement Program).

OCR established the Part 2 Civil Enforcement Program pursuant to Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which aimed to align the confidentiality of SUD patient records statute and implementing regulations at 42 C.F.R. Part 2 (the Part 2 Regulations) more closely with the HIPAA Administrative Simplification provisions. Prior to the enactment of the CARES Act, violations of the Part 2 Regulations were punishable by criminal fines but not civil penalties. The CARES Act adopted the civil enforcement framework from HIPAA, and as a result, OCR may use civil enforcement mechanisms in response to violations of the Part 2 Regulations.

As of February 16, OCR began accepting complaints alleging violations of Part 2 and notifications of breaches of SUD patient records. Breach notifications can now be submitted through OCR’s breach portal.

The launch of the Part 2 Civil Enforcement Program coincided with the compliance date for several updates to the Part 2 Regulations and HIPAA established by final rules issued in 2024, including required updates to Notices of Privacy Practices for HIPAA covered entities and for Part 2 programs. OCR posted new model notices to its website to address the updated requirements, but regulated entities should carefully adapt the model notices to align with their own operations, as appropriate.

OCR expressed its intent to use the Part 2 Civil Enforcement Program “aggressively” to enhance protection of SUD patient records, consistent with the administration’s Great American Recovery Initiative. This Initiative seeks to help patients receive necessary SUD treatment and work toward recovery. OCR demonstrated its renewed enforcement focus on SUD treatment providers on February 19 by announcing a settlement agreement with an SUD treatment provider that experienced an email phishing attack after failing to conduct an accurate and thorough security risk assessment.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Bass, Berry & Sims PLC
