The US Department of Health and Human Services (HHS), Office for Civil Rights (OCR) announced a new program to implement and enforce statutory and regulatory requirements that protect the confidentiality of substance use disorder (SUD) patient records. This program marks the first time civil enforcement mechanisms will be available to protect the confidentiality of SUD patient records by covered SUD programs. The new program executes the SUD confidentiality provisions of section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act and its implementing regulation at 42 CFR part 2 (“Part 2”). Beginning February 16, 2026, entities and persons subject to the regulation protecting the confidentiality of SUD patient records must comply with all applicable requirements.
The penalties for noncompliance align with the penalties available under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy, Security, and Breach Notification Rules. OCR investigations conducted under the new program may be resolved through a range of civil enforcement mechanisms. These include OCR entering into resolution agreements, securing monetary settlements, obtaining commitments for corrective action, or imposing civil money penalties for the failure to comply.