With the February 16, 2026, compliance deadline rapidly approaching, health care providers that provide substance use disorder (SUD) treatment reimbursed by federal health care programs, including Medicaid, must ensure their privacy practices and notice procedures align with revised 42 CFR Part 2 (Part 2) regulations. Recent updates have fundamentally altered the enforcement landscape, delegating oversight to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and aligning penalties with the Health Insurance Portability and Accountability Act (HIPAA).
1. Enhanced Enforcement & Stiffer Penalties
Historically, enforcement of Part 2 was limited and primarily focused on criminal penalties. Under the new rules:
- OCR Oversight: Enforcement authority has been formally delegated to the OCR. This means providers should expect the same level of investigative rigor, compliance reviews, and audits that OCR undertakes with respect to HIPAA.
- Civil Monetary Penalties: Part 2 violations are no longer limited to small criminal fines. They now mirror the HIPAA tier-based penalty structure, with fines ranging from $141 to over $2.1 million per year (adjusted for inflation) depending on the level of culpability.
- Breach Notification: Providers must now follow the HIPAA Breach Notification Rule for Part 2 records. This includes reporting breaches to the Secretary of HHS and, in some cases, the media.
2. Critical Compliance Requirements
To avoid enforcement actions, providers must implement several key operational changes by the February deadline:
- Notice of Privacy Practices (NPP) Updates: All HIPAA-covered entities that receive or maintain Part 2 records must update their NPP. The notice must now include specific language regarding the heightened protections afforded to SUD records and the prohibition on using such records in legal proceedings against the patient without specific consent or a court order.
- Single Consent for Treatment, Payment, and Health Care Operations (TPO): The rules now allow for a “single consent” for all future uses and disclosures for TPO purposes. While this change eases care coordination, your forms must be updated to capture this specific authorization correctly. Note, requiring consent for TPO purposes is specific to Part 2; conversely, HIPAA permits disclosure of patient protected health information without patient consent for TPO disclosures.
- SUD Counseling Notes: The new rules establish a category of “SUD Counseling Notes” analogous to HIPAA psychotherapy notes. Like psychotherapy notes, SUD counseling notes must be maintained separate from a patient's medical record and require a specific, separate authorization for most disclosures. If the notes are not adequately separated, they forfeit their Part 2 protection!
- Redisclosure Protections: When Part 2 records are disclosed with consent, they must be accompanied by a specific notice prohibiting further redisclosure unless permitted by the regulations.
3. Action Items for Providers
- Audit Your NPP: Ensure your current NPP includes the mandatory Part 2 statements. Your NPP can include HIPAA and Part 2 language.
- Update Consent Forms: Revise your standard authorization forms to be compliant with Part 2 requirements. Ensure your clients sign a TPO consent at intake for your future TPO disclosures.
- Treat SUD Counseling Notes Appropriately: Ensure SUD counseling notes are kept separate from patients' medical records.
- Workforce Training: Conduct training sessions for all staff members who handle SUD records and treatment information. The OCR often views lack of training as a sign of “willful neglect” during investigations, so it is crucial to train your workforce accordingly.
- Review Vendor Agreements: If you provide SUD treatment services, not only must you have Business Associate Agreements (BAAs) with vendors that use or have access to protected health information, but you must also have Qualified Service Organization Agreements (QSOAs) that include Part 2 requirements. A QSOA is a Part 2 equivalent of a BAA. SUD providers should create a template BAA/QSOA that complies with both HIPAA and Part 2.
Contact a member of Shumaker's Health Law Service Line if you would like a checklist of the specific “must-have” language for your updated NPP, QSOA, or more!