HHS OCR Implements Civil Enforcement for SUD Confidentiality Requirements

On February 13, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new civil enforcement program to protect the confidentiality of substance use disorder (SUD) patient records. The program carries out section 3221 of the CARES Act and the corresponding regulation at 42 C.F.R. Part 2 (Part 2). Beginning February 16, 2026, entities and individuals subject to Part 2 must comply with all applicable confidentiality requirements or face potential civil enforcement.

Part 2 applies to federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment. Historically, violations of Part 2 could result in criminal penalties, but there was no dedicated civil enforcement mechanism comparable to HIPAA. Under the CARES Act amendments, enforcement authority has shifted to OCR, and penalties for noncompliance now align with those available under the HIPAA Privacy, Security, and Breach Notification Rules.

OCR, which operates within HHS, will oversee the new enforcement initiative. According to OCR, investigations may be resolved through a range of civil enforcement mechanisms, including resolution agreements, corrective action plans, monetary settlements, and civil money penalties. OCR will also begin accepting complaints alleging violations of Part 2 and notifications of breaches involving SUD patient records.

The final rule modifying 42 C.F.R. Part 2 was issued in February 2024 to implement the CARES Act changes. The rule aligns certain Part 2 requirements more closely with HIPAA, enhances care coordination by permitting broader use and disclosure of SUD records for treatment, payment, and healthcare operations with patient consent, and strengthens confidentiality protections through civil enforcement.

OCR has published a model patient notice and updated model HIPAA Notices of Privacy Practices to help regulated entities explain how federal law protects the confidentiality of SUD patient records. Additional information and resources are available on OCR’s Part 2 webpage.

OCR stated that the enforcement program is intended to promote compliance, strengthen patient privacy protections, and encourage individuals to seek treatment for SUDs without fear that their records will be improperly disclosed.

Compliance Perspective

Issue

HHS OCR has announced that, effective February 16, 2026, it will begin civil enforcement of the confidentiality requirements for SUD patient records under 42 C.F.R. Part 2. As amended by the CARES Act, Part 2 aligns more closely with HIPAA and permits OCR to impose civil monetary penalties, corrective action plans, and settlement agreements for noncompliance. Federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment are subject to Part 2. The updated regulation strengthens confidentiality protections, establishes breach notification requirements, and permits OCR to investigate complaints and enforce compliance in a manner similar to HIPAA enforcement. Entities subject to Part 2 must ensure that policies, workforce training, and internal oversight processes address the heightened enforcement risk.

Discussion Points

  • Review and update policies and procedures related to the confidentiality of SUD patient records, including consent requirements, redisclosure limitations, breach notification, and record segregation where applicable. Ensure policies align with current Part 2 and HIPAA requirements. Facilities may consider working with their compliance consultant to conduct a focused regulatory review or mock assessment to identify potential gaps prior to enforcement activity.
  • Provide education and training to appropriate staff regarding Part 2 confidentiality protections, including consent requirements, redisclosure limitations, and breach reporting obligations. Med-Net Academy offers the course Roles and Responsibilities of the Privacy Officer, which covers development of a privacy program, workforce training, complaint management, breach response, record retention, and oversight responsibilities under HIPAA.
  • Conduct periodic audits to evaluate compliance with Part 2 requirements, including review of medical record requests, authorization forms, access controls, and breach response procedures. Audit findings should be addressed through corrective action when necessary. Organizations may benefit from engaging an external reviewer to perform targeted compliance audits or assist in developing and implementing plans of correction if deficiencies are identified.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*