In February, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a new program to implement statutory and regulatory requirements that protect the confidentiality of substance use disorder (SUD) patient records.
This update impacts the “Part 2” regulation¹ and aligns SUD record protections with HIPAA requirements, including single patient consent, updated privacy notices, breach notification, and business associate duties. Part 2 Programs carry the largest burden, but any clinician who receives or keeps SUD records from a Part 2 Program must also comply. This is an overview of the new rules, which became effective on February 16, 2026. For more information, visit the Department of Health and Human Services (HHS) fact sheet² on the major changes.
WHAT IS A PART 2 PROGRAM?
- Individuals, entities, or units in a hospital or clinic that provide SUD treatment, diagnosis, or referral.
- Includes medical personnel or staff in a general medical facility whose primary function is to provide SUD services and who are identified as SUD providers.
WHAT RECORDS ARE PROTECTED?
- Only SUD records originating with a Part 2 Program—protections follow the records, even if the holder is not a HIPAA-covered entity or Part 2 Program.
- Clinicians are not required to segregate Part 2 data from other patient records.
WHAT DOES THIS MEAN FOR CLINICIANS?
- Revise Notice of Privacy Practices: Part 2 Programs and HIPAA-covered entities who receive SUD records must add Part 2‑specific content, including how clinicians use or disclose SUD records, a statement of patient rights and clinician responsibilities for those records, and patient rights to opt out of fundraising communications. HHS revised its Model Notices of Privacy Practices³ consistent with the new rule.
- Honor enhanced patient rights: Patients have the right to request an accounting of disclosures and to ask for restrictions on certain treatment, payment, and operations (TPO) disclosures, and disclosures to health plans for services paid in full by the patient. Part 2 Programs must have a process to receive complaints about Part 2 violations. Clinicians may use one written patient consent covering all future TPO uses and disclosures unless revoked in writing.
- Comply with HIPAA breach notification and security requirements: Apply HIPAA breach notification timelines to Part 2 records and apply the minimum necessary rule to all requests and disclosures.
- Modify Business Associate Agreements (BAAs): BAAs must address Part 2, and business associates are subject to the same Part 2 obligations as covered entities. BAAs must define permitted and required uses and disclosures of Part 2 records, require safeguards, mandate reporting of non-permitted uses and breaches, and require making relevant records available to HHS.
1 www.hhs.gov/hipaa/part-2/index.html
2 www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html
3 www.hhs.gov/hipaa/for-professionals/privacy/guidance/model-notices-privacy-practices/index.html
The information provided herein does not, and is not intended to, constitute legal, medical, or other professional advice; instead, this information is for general informational purposes only. The specifics of each state’s laws and the specifics of each circumstance may impact its accuracy and applicability; therefore, the information should not be relied upon for medical, legal, or financial decisions, and you should consult an appropriate professional for specific advice that pertains to your situation.
Article originally published in Copic’s Copiscope 2Q26 newsletter.
