- in United States
The U.S. Department of Health and Human Services (HHS) recently published a Final Rule amending the regulations under 42 CFR Part 2, which governs the confidentiality of substance use disorder (SUD) records. Historically, Part 2 imposed stricter privacy protections than those under the Health Insurance Portability and Accountability Act (HIPAA), reflecting the sensitive nature of SUD treatment information. Covered entities are now required to revise their Notices of Privacy Practices (NPP) to appropriately incorporate substance use disorder records, ensuring compliance with the updated regulatory landscape.
As a reminder, the compliance deadline for updating your NPP to include specific disclosures related to the use and disclosure of SUD records protected under Title 42 CFR Part 2 was February 16, 2026.
This update is critical for any covered entity under HIPAA that provides SUD diagnosis, treatment, or referral for treatment, which is conducted, regulated, or assisted by a department or agency of the United States. The statute specifically concerns records with a patient's identity, diagnosis, prognosis, or treatment that are maintained in connection with programs or activities related to substance use disorder education, prevention, training, treatment, rehabilitation, or research.
If your organization has not yet completed this update, action is necessary to comply and reduce the risk of penalties.
Key Enforcement Information
The Office for Civil Rights (OCR) is responsible for enforcing the regulation, and it may conduct compliance reviews and investigate complaints alleging noncompliance with Part 2. The enforcement program is established pursuant to section 3221 of the CARES Act, codified at 42 CFR Part 2, and is designed to uphold patient rights and strengthen privacy protections for SUD records. Penalties for non-compliance are aligned with existing HIPAA sanctions and are enforceable immediately, with no phased approach or exceptions.
Resources for Updating Your Notice of Privacy Practices
HHS provides valuable resources to assist organizations in complying with these requirements. These templates can be referred to as guidelines, but we highly encourage you to work with legal counsel to review for accuracy and confirm that the final notices will be compliant. We also recommend working with counsel to confirm there are adequate processes and training measures in place, as organizations may vary in compliance needs.
- Model Part II Patient Notice
- Model Notice of Privacy Practice for HIPAA Covered Healthcare Provider
- Model Notice of Privacy Practices for HIPAA Health Plan
Action Steps
Review your current NPP immediately to determine if it adequately addresses the use and disclosure of SUD records governed by Title 42 CFR Part 2.
- Use the HHS resources linked above as guidelines to update your NPP accordingly.
- Consult with counsel to confirm compliance.
- Distribute the revised NPP and ensure staff are trained on how to comply with the new disclosures.
- Document your compliance efforts to demonstrate adherence to the February 16, 2026, deadline.
Impending Organizational Changes
If your organization is not currently subject to these requirements but anticipates upcoming transactions or shifts in the business model that may render the regulation applicable, it is prudent to evaluate whether you may soon become within scope. Early planning will help avoid last-minute compliance challenges.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
