A critical regulatory shift brings substance use disorder treatment programs under OCR’s civil enforcement model, with significant implications for the broader healthcare sector
On February 16, 2026, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) officially began enforcement of 42 CFR Part 2, marking a watershed moment in healthcare privacy regulation. For the first time, the longstanding federal confidentiality protections for substance use disorder (SUD) treatment now operate under the HIPAA-aligned civil enforcement model administered by OCR. Individuals can now file complaints directly with OCR regarding violations of Part 2 protections, and covered programs face potential civil monetary penalties for non-compliance.
This development represents far more than a procedural change. While the underlying legal obligations to protect SUD patient information have existed for decades, the enforcement exposure has materially elevated. The shift affects federally assisted programs providing substance use disorder treatment services, as well as mental health and addiction treatment programs that handle Part 2-protected information.
Understanding Part 2’s Evolution and Prior Enforcement
Originally enacted in the 1970s as 42 U.S.C. § 290dd-2 and implemented through regulations at 42 CFR Part 2, these federal confidentiality protections were designed to encourage individuals struggling with substance use disorders to seek treatment without fear that their sensitive information would be disclosed and used against them in criminal, civil, or employment contexts.
Part 2 has always been federal law. However, the enforcement mechanisms historically differed substantially from what healthcare organizations experience under HIPAA:
Previous Enforcement Framework:
- Criminal sanctions through the Department of Justice for knowing violations
- Potential termination of federal funding for programs found in violation
- Administrative oversight through the Substance Abuse and Mental Health Services Administration (SAMHSA)
- Limited direct patient complaint mechanisms
- No standardized civil monetary penalty structure
New OCR-Administered Model:
- Direct patient complaint pathway to OCR
- Civil monetary penalties aligned with HIPAA’s tiered penalty framework
- Systematic compliance investigations and reviews
- Corrective action plans and ongoing monitoring
- Integration with existing OCR enforcement infrastructure
For decades, Part 2 operated with stricter confidentiality requirements than the Health Insurance Portability and Accountability Act (HIPAA), creating a dual-compliance framework that healthcare organizations found challenging to navigate. Part 2 required explicit, written patient consent for most disclosures of SUD treatment information, even within integrated healthcare systems.
Recent years have seen significant regulatory evolution aimed at harmonization. The CARES Act of 2020 and subsequent rulemaking efforts worked to better align Part 2 with HIPAA while maintaining robust patient protections, facilitating care coordination while preserving confidentiality. The February 16, 2026 enforcement transition represents the culmination of these alignment efforts.
The Enforcement Shift: What’s Actually Changed
The new enforcement framework introduces several critical changes that healthcare organizations must understand:
Direct Federal Complaint Mechanism: Individuals who believe their Part 2 rights have been violated can now file complaints directly with OCR, using processes similar to HIPAA complaints. Previously, patient recourse was less direct and often relied on state mechanisms or reporting to SAMHSA.
Civil Monetary Penalties: OCR now has authority to impose civil monetary penalties for Part 2 violations, bringing enforcement in line with HIPAA’s penalty structure. While specific penalty amounts will vary based on violation severity and culpability level, the threat of substantial fines creates immediate financial risk for non-compliant organizations.
Investigative Authority: OCR can initiate compliance reviews and investigations of Part 2-covered programs, examining policies, procedures, consent forms, and actual disclosure practices using its established HIPAA investigation methodology.
Corrective Action Plans: Organizations found in violation may be required to implement corrective action plans, undergo monitoring, and provide evidence of sustained compliance—processes familiar from HIPAA enforcement but representing new territory for Part 2 compliance.
Who Must Comply: Broader Than You Think
A critical misunderstanding persists about which organizations must comply with Part 2. The regulations apply to any “federally assisted” program that holds itself out as providing substance use disorder diagnosis, treatment, or referral for treatment, or has an identified unit that holds itself out as providing such services.
The “holds itself out” standard is critical. It focuses on how the program represents its services to the public, in advertising, intake forms, or other communications. A program holds itself out as providing SUD services if it advertises such services, identifies itself to patients or the public as a provider of such services, or is licensed or certified to provide such services.
“Federally assisted” is broadly defined. It includes programs that receive federal funding (even indirectly, through state block grants) or that are authorized or conducted by federal agencies, and, depending on the program’s structure and how it represents its services, it may extend to participation in federally funded programs such as Medicare or Medicaid. This encompasses:
- Specialized addiction treatment centers
- Hospital-based substance use disorder units
- Mental health facilities that hold themselves out as providing SUD treatment
- Opioid treatment programs
- Counseling services that advertise or represent themselves as addressing substance use
- Healthcare systems with identified SUD treatment components
Notably, general medical practices that occasionally treat patients with substance use disorders as part of overall healthcare—but do not hold themselves out as specializing in SUD services—may not be covered. However, the line can be murky, and many integrated healthcare organizations have Part 2 obligations for specific programs or units even if their primary focus is general medical care.
The mental health sector faces particular complexity. Many mental health programs address co-occurring substance use disorders; if such a program holds itself out as providing SUD services, Part 2 requirements can apply on top of the HIPAA obligations that already govern its mental health information generally.
Immediate Compliance Priorities
Healthcare compliance officers and legal teams are treating this enforcement shift as a critical priority, and organizations should immediately focus on several key areas:
Consent Forms and Processes: Part 2 consent requirements differ significantly from HIPAA. Consents must be written, contain specific elements mandated by regulation (including the name or general designation of the program making the disclosure, the name of the individual or entity receiving the disclosure, the purpose of the disclosure, and an expiration date or event), and clearly identify what information can be disclosed. Organizations must audit existing consent forms to ensure they meet all Part 2 requirements and train staff on proper consent procedures.
Notice of Privacy Practices (NPP): Organizations covered by both HIPAA and Part 2 must ensure their NPPs accurately reflect both sets of protections. Many organizations have outdated NPPs that don’t adequately explain Part 2 rights or the circumstances under which SUD treatment information may be disclosed. This is particularly critical now that patients can file OCR complaints about inadequate notice.
Policies and Procedures: Written policies governing the use and disclosure of Part 2 information must be comprehensive, current, and actually followed. OCR investigations will examine whether policies exist on paper only or reflect operational reality.
Staff Training: This is perhaps the most critical element. Staff at all levels—from front desk personnel to clinicians to billing departments—must understand Part 2 requirements. Unauthorized disclosures often occur through well-intentioned but improperly trained staff who don’t recognize that SUD information requires special handling.
Business Associate Agreements and QSOAs: This area requires particular attention following harmonization with HIPAA. Part 2 now largely adopts the HIPAA business associate framework, but important distinctions remain. Organizations must ensure that:
- Contracts with vendors, billing companies, electronic health record providers, and others who handle Part 2 information include required Part 2 clauses in addition to standard HIPAA business associate provisions
- Qualified Service Organization Agreements (QSOAs) remain a distinct Part 2 construct and require specific acknowledgments
- Standard HIPAA Business Associate Agreements alone may not be sufficient without the additional Part 2-required language
- Organizations understand which entities qualify as business associates under HIPAA versus qualified service organizations under Part 2
Breach Response Protocols: Organizations need clear procedures for responding to potential Part 2 breaches, including investigation, notification requirements, and reporting to OCR when required.
The Integration Challenge
One of the most complex compliance challenges involves integrated healthcare delivery. Modern healthcare emphasizes care coordination and information sharing to improve outcomes, yet Part 2’s stricter consent requirements can create operational barriers.
Recent regulatory changes have attempted to facilitate integration. For example, Part 2 now allows single consents to cover future disclosures for treatment, payment, and healthcare operations to certain entities, rather than requiring consent for each individual disclosure. Organizations can also segment records, applying Part 2 protections only to SUD-specific information while sharing other health information under HIPAA.
However, implementing these provisions requires sophisticated technical capabilities, clear policies, and thorough staff training. Electronic health record systems must be configured to properly segment and protect Part 2 information while allowing appropriate access for care coordination.
The harmonization efforts have reduced some friction between Part 2 and HIPAA, but significant differences remain. Organizations must maintain dual compliance frameworks and cannot simply treat Part 2 as identical to HIPAA.
Industry Reaction: Urgency and Concern
The healthcare compliance community has responded to the enforcement shift with intensified preparation efforts. Several industry associations have emphasized the need for immediate action.
“Organizations that haven’t already prepared for this transition are now facing significant compliance risk,” noted healthcare privacy attorneys in recent guidance. “The enforcement exposure has fundamentally changed, even though the underlying obligations existed previously.”
Behavioral health organizations, particularly smaller addiction treatment programs operating with limited compliance resources, face challenges in meeting the sophisticated requirements that OCR enforcement will demand.
Mental health providers are expressing particular concern about the intersection of Part 2 requirements with their existing HIPAA obligations. “There’s considerable confusion about when Part 2 applies versus when HIPAA alone is sufficient,” compliance consultants report. “The dual framework creates real operational challenges, especially in integrated care settings.”
Looking Ahead: Enforcement Expectations
While OCR has not announced specific enforcement priorities for Part 2, experience with HIPAA enforcement suggests likely focus areas:
- Large-scale breaches affecting multiple patients
- Systemic failures in consent processes
- Inadequate policies and training
- Repeated violations or failure to correct identified problems
- Cases involving significant patient harm
Organizations should expect that OCR will apply similar investigation methodologies to Part 2 as it does to HIPAA, including requesting extensive documentation, interviewing staff, and examining actual practices beyond written policies.
It may be weeks or months before the first complaints are filed and OCR begins active investigations under the new framework. However, organizations should not treat this as a grace period. OCR has made clear that compliance obligations existed before the enforcement authority transferred, and organizations are expected to be in full compliance immediately.
Strategic Recommendations
Healthcare organizations should treat Part 2 compliance with the same rigor as HIPAA compliance. This means:
- Conducting comprehensive compliance assessments specifically focused on Part 2 requirements
- Updating all relevant documentation (consents, NPPs, policies, training materials)
- Implementing robust training programs for all staff who handle patient information
- Establishing clear accountability for Part 2 compliance within the compliance or legal department
- Creating response protocols for potential violations
- Regularly auditing compliance through internal reviews
- Ensuring business associate agreements include all required Part 2 provisions beyond standard HIPAA clauses
For organizations that have not yet begun this work, the priority should be immediate risk assessment. Which programs or units are covered by Part 2? Do any programs hold themselves out as providing SUD services? Are current consent forms compliant? Do staff understand the requirements? Are business associate agreements adequate?
Organizations should also consider engaging external expertise if internal compliance resources are limited. The complexity of Part 2 requirements, particularly in conjunction with HIPAA, makes this an area where specialized knowledge can prevent costly mistakes.
The Bigger Picture
The transition to OCR enforcement represents an opportunity to strengthen privacy protections for one of healthcare’s most vulnerable populations. Organizations that take this transition seriously—investing in proper systems, training, and oversight—will not only avoid enforcement actions but also build stronger, more trustworthy relationships with the patients they serve.
As the healthcare sector continues to grapple with privacy challenges ranging from cybersecurity threats to emerging technologies, Part 2 compliance serves as a reminder that robust privacy protections remain both a legal requirement and an ethical imperative. While the enforcement model has changed, the underlying obligation—protecting patients seeking help for substance use disorders—has remained constant for nearly five decades.
The coming months will reveal how OCR approaches Part 2 enforcement, what violations trigger investigations, and what penalties organizations may face. What is certain is that the enforcement exposure has materially increased, and healthcare organizations must respond accordingly.