Privacy & Cybersecurity Law Blog

Recent changes to 42 CFR Part 2 (“Part 2”) mean many covered entities must update their Health Insurance Portability and Accountability Act (“HIPAA”) Notices of Privacy Practices.  

Overview of the Part 2 Final Rule

In February 2024, the U.S. Department of Health & Human Services finalized revisions to the federal confidentiality rules governing substance use disorder (“SUD”) patient records. The rule implements statutory changes enacted through the Coronavirus Aid, Relief, and Economic Security Act and adjusts Part 2 to better align with HIPAA and the Health Information Technology for Economic and Clinical Health Act, while preserving additional protections for SUD-related information.

Although the rule modernizes how Part 2 operates within today’s health care ecosystem, it does not eliminate Part 2’s heightened confidentiality standards. Instead, it reframes those protections within a structure that more closely resembles HIPAA.

Updates to Notices of Privacy Practices

One of the most immediate compliance implications of the final rule involves patient-facing privacy disclosures. Covered entities that create, receive, or maintain Part 2 records must ensure their HIPAA Notice of Privacy Practices accurately explains how SUD records are handled under the revised Part 2 framework.

This obligation extends beyond traditional SUD treatment programs. Organizations may need to revise their Notice of Privacy Practices (“NPP”) if Part 2 records move through broader operations, such as through digital health platforms or health plan activities.

An NPP that covers Part 2 records should clearly describe:

• How SUD records may be used and disclosed;
• Patient rights that apply specifically to Part 2 records, including limits on redisclosure and restrictions on use in legal or administrative proceedings;
• That Part 2 imposes requirements that are more restrictive than HIPAA in certain circumstances; and
• The limitations on the use of a patient’s SUD records in civil, criminal, administrative, or legislative proceedings.

Fundraising Opt-Out Considerations

The final rule also introduces a new fundraising-related requirement for entities that handle Part 2 records. If a covered entity intends to use or disclose SUD records to support fundraising activities for its own benefit, it must first give individuals a clear and conspicuous opportunity to opt out of receiving fundraising communications. Organizations that engage in fundraising should confirm that their NPP and related workflows reflect this opt-out right.

Implications for Business Associate Agreements

Updating an NPP, by itself, does not automatically require changes to business associate agreements (“BAAs”). However, if a business associate processes Part 2 records for a covered entity, the covered entity should assess whether existing BAAs adequately address Part 2 obligations.

Next Steps for Covered Entities 

Covered entities should begin by confirming whether Part 2-protected information exists anywhere within their operations. Organizations should then evaluate whether their current NPP adequately describes the handling of SUD records under the revised Part 2 framework and identify any targeted updates needed to meet the new requirements.

In parallel, organizations should inventory vendors and business associates that may access Part 2 records and determine whether BAAs, service agreements, or subcontractor terms require targeted updates to support compliant use and redisclosure.

Final Takeaway

The Part 2 final rule represents a meaningful adjustment in how SUD records are regulated and communicated to patients. Organizations that receive or maintain Part 2-protected information must revise their HIPAA NPP to reflect the updated rule by February 16, 2026. This requirement may reach entities that do not traditionally identify as Part 2 programs but encounter SUD records in the course of broader health care operations.

Because Part 2 retains confidentiality restrictions that go beyond HIPAA in certain respects, an existing HIPAA-compliant notice may not sufficiently describe how SUD records are handled. Entities should review their notice language alongside their actual data practices and vendor relationships to ensure alignment before the compliance deadline.

Read the final rule here and read the HSS Fact Sheet here.