The Department of Health and Human Services (HHS) previously finalized sweeping changes to 42 CFR Part 2 (Part 2), the federal rules protecting the confidentiality of substance use disorder (SUD) records. While designed to improve care coordination by further aligning 42 CFR Part 2 with the Health Insurance Portability and Accountability Act (HIPAA), these changes introduce substantial new compliance obligations for SUD programs regulated under 42 CFR Part 2 (Part 2 Programs) and entities that receive SUD records created by such Part 2 Programs (Lawful Holders). For Part 2 Programs and Lawful Holders that are not Covered Entities and Business Associates under HIPAA, these changes represent a material shift from the status quo. However, HIPAA-regulated entities, including those not operating Part 2 Programs, should not assume that “alignment with HIPAA” means their current compliance posture is enough. Organizations should act now, as significant changes to existing practices surrounding the handling of SUD records may be needed before the February 16 compliance deadline.
Key Takeaways
- Enforcement Is Real: Previously, enforcement of 42 CFR Part 2 was split between the Department of Justice and the Substance Abuse and Mental Health Services Administration (SAMHSA). This split resulted in no enforcement activity and almost no risk to a noncompliant entity. With the HHS Office for Civil Rights (OCR) now being granted the authority to administer and enforce 42 CFR Part 2, SUD entities should expect similar investigation procedures that OCR has used for HIPAA-regulated entities regarding issues involving records protected by Part 2. Moreover, the penalties for violating Part 2 now align with HIPAA, meaning entities that knowingly fail to comply with their obligations under Part 2 could be subject to the escalating fine structure applicable to willful noncompliance, which is $70,000+ per violation per day, capped yearly at $2.1 million for identical offenses. Simply put, ignoring Part 2 compliance presents significant financial risk.
- Single Consent: Part 2 now allows a single consent to be obtained from patients for all future uses and disclosures of their Part 2 records for the purposes of treatment, payment and healthcare operations (TPO). While this significantly improves the ability to exchange Part 2 records with other entities participating in the patient’s treatment journey, it also is likely to significantly increase the number of entities receiving Part 2 records and thus becoming Lawful Holders under Part 2. The recipients will need to implement Part 2 compliance obligations with an understanding that workflows should accommodate records on a larger scale than ever before.
- Language To Accompany Disclosures: Part 2 requires that the following information accompany each disclosure of Part 2 records made with a patient’s written consent: (i) a copy of the consent itself or a clear explanation of the scope of the consent and (ii) the notice accompanying disclosures containing the language in 42 CFR Part 2.32. While the requirement to have a notice accompanying disclosures is not new, the required language has changed, so entities will need to review existing documents to ensure they comply with the new language.
- No Record Segregation Required: The new rule specifically states that Lawful Holders do not need to segregate Part 2 records from non-Part 2 records. In practice, this means that one of the historical barriers to data sharing has been removed. Coupled with the single consent for TPO, this revision is likely to result in non-Part 2 Programs being more likely to receive or even be solicitous of Part 2 records, thereby becoming Lawful Holders subject to specific Part 2 requirements. While segregation is no longer an issue, Lawful Holders must consider how to operationalize the requirement that patient consent continues to follow the Part 2 records for any additional uses and disclosures.
- Updated Notice of Privacy Practices: Part 2 Programs and Lawful Holders – even those that previously had a HIPAA-compliant notice of privacy practices (NPP) in place – must revise their NPP to account for new language requirements. For Part 2 Programs that are not HIPAA-covered entities, this is a significant new public-facing obligation.
- Specific Requirements for Part 2 Record Sunsetting: While not new, Part 2 contains specific technical and administrative requirements for how and where paper and electronic records of Part 2 Programs that have been wound down or acquired must be maintained. After years of nonenforcement, this provision was likely one that was previously ignored without consequences.
- Adoption of the HIPAA De-Identification Standard: If Part 2 Programs and Lawful Holders have leaned on the prior rule’s less-prescriptive “low risk of re-identification” language to enable the sharing of de-identified Part 2 records, they will have to reassess their practices. The new rule uses the HIPAA de-identification requirements, which include two options: either (i) removal of 18 direct and indirect identifiers, i.e., the “Safe Harbor Method”, or (ii) the engagement of an expert to opine that there is no reasonable basis to believe that the information can be used to identify a patient, i.e., the “Expert Determination Method”.
- Breach Notification: Previously, Part 2 Programs not governed by HIPAA were only required to comply with state data breach reporting laws in the event of unauthorized access or acquisition of Part 2 records. Only 24 states’ breach notification laws currently include health information as a notifiable data element, resulting in many incidents involving SUD records going unreported. Starting February 16, 2026, Part 2 Programs must comply with the HIPAA breach notification rule and OCR’s enforcement. HIPAA’s trigger for notification is not only a much lower bar than most state standards, it also carries with it significant extra timeline and reporting requirements that are not found in most state laws. Non-HIPAA-covered entity Part 2 Programs may be surprised to learn that breaches must be reported to OCR, and any that impact more than 500 patients will be posted publicly on OCR’s “Wall of Shame”; that they’ll need to post a substitute notice if they lack 10 or more impacted patients’ contact information; and that they will need to provide notice to media in jurisdictions where more than 500 impacted patients reside. In sum, breach notification under the HIPAA rules is required more often than under most state laws, and it carries with it significantly more public and regulatory exposure and, as a result, litigation risk.
- Expanded Patient Rights: Patients gain additional HIPAA-like rights with respect to their Part 2 records, including accounting of disclosures and restriction requests. While the accounting of disclosures requirements are being held in abeyance until additional guidance is issued, the ability of patients to request restrictions – and the Part 2 Program’s requirement to timely respond – must be operationalized in February.
How the Healthcare Industry Should Think About Compliance
For healthcare providers, payors, and other organizations classified as a Part 2 Program or Lawful Holder (or both), the challenge posed by the changes to Part 2 extends beyond ensuring the necessary compliance documentation is in place. Although many of the obligations under Part 2 initially appear clear, complexities often emerge when organizations consider practical implementation. Below are several key questions designed to assist entities in assessing their readiness for the upcoming Part 2 compliance deadline:
- Have you identified if you operate or are a Part 2 Program? Remember, Part 2 Programs can be entire facilities, units within larger healthcare facilities, or even specific providers. They do not need to be a HIPAA-covered entity, accept insurance or otherwise conduct HIPAA standard transactions to be subject to Part 2.
- Do you receive SUD records from Part 2 Programs or Lawful Holders? The answer here may be “We surely receive SUD information, but I don’t know if the entities sending the information qualify as Part 2 Programs or Lawful Holders.” While ignorance of the law is no defense, it may make a violation subject to a lower “unknowing” fine calculation. Willful ignorance, however, may not result in the same leniency. If you receive or begin receiving records with a Part 2 notice, you are on the hook for compliance as a Lawful Holder, and therefore must be compliant with the new regulations.
- Is your current notice of privacy practices sufficient? While the extent of the changes required will depend on whether you are regulated under HIPAA, both Part 2 Programs and HIPAA-covered entities that receive Part 2 records need to revise their NPP. For covered entities with Part 2 Programs, the notice required under Part 2 can be combined with their existing NPP or provided as a separate document. Even if you provide a separate notice for your Part 2 Program containing the elements required under Part 2, changes to your existing NPP are likely still required. Under HIPAA, if the permissible uses or disclosures of information described in the NPP are limited by other laws that are more restrictive than HIPAA, such as records protected by Part 2, the description in the NPP must reflect the more-stringent law.
- Do you have the necessary policies in place? Part 2 Programs and Lawful Holders are required to implement policies reflecting their compliance obligations regarding any Part 2 records they receive or maintain. This requirement includes not only how the entity may use or disclose Part 2 records, but also the technical and physical controls it implements to protect Part 2 records from impermissible uses, disclosures, and access as required under Part 2. Failure to have these safeguards in place is an easy-to-find violation that could be lucrative for OCR.
- How will you handle a revocation of consent? Part 2 generally allows an individual to revoke consent for uses and disclosures of their Part 2 records at any time. While revocation does not impact prior uses and disclosures, Part 2 Programs and Lawful Holders are prohibited from making any further use or disclosure once they become aware of the revocation. If your organization is a Part 2 Program, how will you inform Lawful Holders of the revocation? Lawful Holders – if a Part 2 Program informs you of a revocation, will you tell your downstream vendors? How will you keep track of who has received a particular patient’s Part 2 records? While the commentary specifically addressed – and declined to apply – a requirement to notify all downstream Part 2 record recipients of a revocation, the commentary also made clear that it expects Part 2 Programs to notify recipients “where feasible.”
- How will you comply with the redisclosure requirements? In a paper world, the idea of simply stapling the consent and the notice to accompany disclosures to records provided to another entity is very easy to conceptualize and operationalize. But what about when the Part 2 record is within a claims database or electronic health record system (EHR)? Do your health information technology solutions, such as your EHR and patient portal, have the capability to append the language required by Part 2 when disclosing records (e.g., continuity-of-care documents)? Working out, as soon as possible, how to operationalize the redisclosure requirements is crucial to mitigating significant, repeated violations from day one.