A February 2024 Final Rule ushered in significant updates to the federal confidentiality framework governing substance use disorder ("SUD") patient information established at 42 C.F.R. Part 2.

Businesses turn to Sheppard to deliver sophisticated counsel to help clients move ahead. With more than 1,200 lawyers located in 16 offices worldwide, our client-centered approach is grounded in nearly a century of building enduring relationships on trust and collaboration. Our broad and diversified practices serve global clients—from startups to Fortune 500 companies—at every stage of the business cycle, including high-stakes litigation, complex transactions, sophisticated financings and regulatory issues. With leading edge technologies and innovation behind our team, we pride ourselves on being a strategic partner to our clients.

Article Insights

Sheppard, Mullin, Richter & Hampton LLP are most popular: within Cannabis & Hemp and Insolvency/Bankruptcy/Re-Structuring topic(s)

A February 2024 Final Rule ushered in significant updates to the federal confidentiality framework governing substance use disorder (“SUD”) patient information established at 42 C.F.R. Part 2. Compliance with these updates is required as of February 16, 2026, and is prompting parties in the healthcare space to revisit their handling of SUD information. Given the recent climate of increased law enforcement activities, adherence to Part 2's new protections is especially critical.

The U.S. Department of Health and Human Services and the Substance Abuse and Mental Health Services Administration issued the Final Rule in an effort to modernize information-sharing by aligning Part 2 with other prominent privacy laws, including HIPAA, while preserving heightened protections for SUD information. We previously discussed the Final Rule and its policy objectives in a blog post regarding the rule's release in 2024, which provides detailed background and context.

At a high level, the Final Rule makes key changes, including:

Provision Old Part 2 New Part 2 Treatment, Payment, Healthcare Operations (“TPO”) Consent Part 2 programs were required to seek a new consent each time they disclosed records for TPO A patient may provide a single written consent for all future disclosures for TPO as permitted under HIPAA Redisclosures for TPO Purposes Redisclosure of SUD information was prohibited without patient's specific consent or application of an exception HIPAA-regulated entities may redisclose records pursuant to TPO consent consistent with HIPAA SUD Counseling Notes Not defined or treated differently from other SUD information Defined as personal notes created by a practitioner separate from patient's medical record and afforded greater privacy protections Disclosures to Public Health Authorities Not included in permitted disclosures without patient consent De-identified records may be disclosed to public health authorities without patient consent Breach Notification Part 2 programs and lawful holders were not covered by HIPAA and had no breach reporting obligation under Part 2 HIPAA Breach Notification Rule extends to Part 2 programs and lawful holders with respect to breaches of unsecured records Penalties Violators were subject to criminal penalties and enforcement by the Department of Justice Violators are subject to civil and criminal enforcement under HIPAA rules1



With the arrival of the February 16, 2026 compliance deadline, stakeholders should take stock of their operational readiness and confirm that fulsome implementation steps have been taken as required by Part 2, including:

Review and update consent forms facilitating release of SUD information to take advantage of the Final Rule's new flexibilities surrounding disclosures of SUD information for treatment, payment, and healthcare operations purposes.

Review and update Notices of Federal Confidentiality Requirements, which describe a stakeholder's practices with respect to use and disclosure of SUD information. 2

Review and update Notices of Confidentiality Requirements, which accompany released SUD information.

Review and revise policies and procedures to ensure consistency with the Final Rule's operational updates.

Revisit existing relationships with qualified service organizations (“QPOs”) to ensure appropriate agreements are in place.

Ensure that personnel handling SUD information receive training on the Final Rule's updates.

Beyond Part 2, HIPAA also requires that covered entities describe uses and disclosures of SUD information in their Notices of Privacy Practices, which may warrant updates in light of the Final Rule.

Footnotes

1. Please note that this table does not capture an exhaustive list of changes, but rather, summarizes some of the most significant updates made by the Final Rule.

2. Please note that the Notice of Confidentiality Requirements is distinct from the more familiar Notice of Privacy Practices under HIPAA.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.