ARTICLE
12 March 2026

OCR Launches Part 2 Civil Enforcement Program

BB
Bass, Berry & Sims

Contributor

Bass, Berry & Sims logo
Bass, Berry & Sims is a national law firm with nearly 350 attorneys dedicated to delivering exceptional service to numerous publicly traded companies and Fortune 500 businesses in significant litigation and investigations, complex business transactions, and international regulatory matters. For more than 100 years, our people have served as true partners to clients, working seamlessly across substantive practice disciplines, industries and geographies to deliver highly-effective legal advice and innovative, business-focused solutions. For more information, visit www.bassberry.com.
Explore Firm Details
On February 13, the Department of Health and Human Services Office for Civil Rights (OCR) announced a new program to implement and enforce federal requirements...
United States Food, Drugs, Healthcare, Life Sciences
Craig Stewart,Nesrin Garan Tift, and Elizabeth Warren
Bass, Berry & Sims are most popular:
  • within Compliance topic(s)
  • with readers working within the Healthcare industries

On February 13, the Department of Health and Human Services Office for Civil Rights (OCR) announced a new program to implement and enforce federal requirements that protect the confidentiality of substance use disorder (SUD) patient records (the Part 2 Civil Enforcement Program).

OCR established the Part 2 Civil Enforcement Program pursuant to Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which aimed to align the confidentiality of SUD patient records statute and implementing regulations at 42 C.F.R. Part 2 (the Part 2 Regulations) more closely with the HIPAA Administrative Simplification provisions. Prior to the enactment of the CARES Act, violations of the Part 2 Regulations were punishable by criminal fines but not civil penalties. The CARES Act adopted the civil enforcement framework from HIPAA, and as a result, OCR may use civil enforcement mechanisms in response to violations of the Part 2 Regulations.

As of February 16, OCR began accepting complaints alleging violations of Part 2 and notifications of breaches of SUD patient records. Breach notifications can now be submitted through OCR's breach portal.

The launch of the Part 2 Civil Enforcement Program coincided with the compliance date for several updates to the Part 2 Regulations and HIPAA established by final rules issued in 2024, including required updates to Notices of Privacy Practices for HIPAA covered entities and for Part 2 programs. OCR posted new model notices to its website to address the updated requirements, but regulated entities should carefully adapt the model notices to align with their own operations, as appropriate.

OCR expressed its intent to use the Part 2 Civil Enforcement Program "aggressively" to enhance protection of SUD patient records, consistent with the administration's Great American Recovery Initiative. This Initiative seeks to help patients receive necessary SUD treatment and work toward recovery. OCR demonstrated its renewed enforcement focus on SUD treatment providers on February 19 by announcing a settlement agreement with an SUD treatment provider that experienced an email phishing attack after failing to conduct an accurate and thorough security risk assessment.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

[View Source]
Authors
Photo of Craig Stewart
Craig Stewart
Photo of Nesrin Garan Tift
Nesrin Garan Tift
Photo of Elizabeth Warren
Elizabeth Warren
See More Popular Content From

Mondaq uses cookies on this website. By using our website you agree to our use of cookies as set out in our Privacy Policy.

Learn More