Privacy & Cybersecurity Law Blog

The U.S. Department of Health and Human Services (“HHS”) recently delegated authority to the HHS Office for Civil Rights (“OCR”) to enforce new privacy rules governing substance use disorder treatment records, which are set to take effect in early 2026.

In a Statement of Delegation of Authority, HHS assigned OCR the responsibility of enforcing the regulations set forth in 42 C.F.R. Part 2 (“Part 2 Regulations”), which govern the privacy and confidentiality of substance use disorder treatment (“SUD”) records (“Part 2 records”). This responsibility previously was assigned to HHS’s Substance Abuse and Mental Health Services Administration.

The Part 2 Regulations protect the privacy of individuals treated for SUD. Specifically, the Part 2 Regulations protect “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

In an effort to harmonize privacy requirements for Part 2 records with privacy rules governing other medical records, in February 2024, HHS issued a Final Rule amending the Part 2 Regulations to align them more closely with the HIPAA Privacy Rule. The 2024 amendments introduced new enforcement tools, breach notification requirements and clarified permissible disclosures. Entities subject to Part 2 must comply with the amended Part 2 Regulations by February 16, 2026.

Key provisions of the amended Part 2 Regulations include:

• A single patient consent can authorize future disclosures of Part 2 records for treatment, payment and healthcare operations.
• Part 2 privacy notices now conform to HIPAA’s Notice of Privacy Practices content requirements.
• Disclosure of Part 2 records without patient consent to public health authorities is permitted, provided the records are deidentified in accordance with HIPAA’s requirements.
• The use of Part 2 records in legal proceedings is restricted absent patient consent or a court order.
• Agencies that inadvertently receive Part 2 records without a court order are shielded from liability.
• The requirements set forth in the HIPAA Breach Notification Rule apply to breaches of Part 2 records.

OCR is now authorized to take the following actions:

• Investigate potential violations of the Part 2 Regulations and issue subpoenas.
• Make determinations regarding enforcement actions.
• Impose civil monetary penalties.
• Negotiate resolution agreements and corrective action plans.