February 16, 2026: Compliance Deadline for Part 2 Final Rule
The deadline for compliance with the 42 CFR Part 2 Confidentiality of Substance Use Disorder (SUD) Patient Records (Part 2) Final Rule was February 16, 2026. Entities subject to the Part 2 regulations must ensure compliance with the new requirements, which are now in effect and being actively enforced. The Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records was announced by the HHS’ Office for Civil Rights (OCR) on February 13, 2026. In that announcement, OCR confirmed that, from February 16, 2026, OCR will accept complaints alleging violations of the regulation that protects the confidentiality of SUD patient records and alleged breach notification violations. OCR has made noncompliance with the Part 2 regulations an enforcement priority.
The final rule was issued by OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA) on February 8, 2024, to better align the Part 2 regulations with the Health Insurance Portability and Accountability Act (HIPAA). The final rule took effect on April 16, 2024, and entities covered by the Part 2 regulations were given 11 months to comply with the new requirements.
Aligning the Part 2 regulations more closely with HIPAA removes barriers to information sharing and should improve care coordination, without eliminating important privacy protections. The final rule expanded patient rights regarding uses and disclosures of SUD records and has made compliance less complex for entities subject to both sets of regulations.
Some of the key new requirements are detailed below:
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
- A single patient consent for all future uses and disclosures of SUD records for treatment, payment, and healthcare operations is permitted
- HIPAA-regulated entities may redisclose SUD records received under that consent in accordance with the HIPAA Privacy Rule
- Part 2 records no longer need to be segregated
- SUD records may be disclosed to public health authorities if de-identified in accordance with HIPAA standards
- Patients may obtain an accounting of disclosures of their SUD records
- Patients may request restrictions on certain disclosures of their SUD records
- Patients may file complaints with the HHS about potential Part 2 violations
- Covered entities must establish a complaints program
- Restrictions on the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order
- A safe harbor requires investigative agencies to take steps if they discover they have received Part 2 records without having first obtained the required court order
- The HIPAA Breach Notification Rule requirements apply to Part 2 records. Entities experiencing a breach of Part 2 records must self-report the data breaches to the HHS and issue individual notifications
A final rule issued under the Biden administration in December 2024 – HIPAA Privacy Rule to Support Reproductive Health Care Privacy – to prohibit disclosures of reproductive health information related to criminal, civil, or administrative investigations was overturned by a Texas judge last year. The final rule included a section relating to 45 C.F.R. 164.520 (notice of privacy practices – NPP), concerning SUD records, which remains in place. The deadline for updating and distributing NPPs to reflect the heightened protections for SUD records is also February 16, 2026.
The requirements under HIPAA for NPPs are detailed in this post – HIPAA Notice of Privacy Practices. Before the February 16, 2026, deadline, entities subject to the Part 2 regulations must update their NPPs. The NPP must notify individuals about the permitted uses and disclosures of Part 2 records, explain the legal rights of individuals with respect to their Part 2 records, explain the more stringent limits on Part 2 records and how they differ from HIPAA, how the use of SUD records in civil, criminal, administrative, or legislative proceedings against an individual are limited, and notify individuals that the use or disclosure of Part 2 records for treatment, payment, and health care operations generally requires the individual’s written consent.
If SUD records are created or maintained by the entity, the additional elements that must be included in the NPP are explained below:
- Notice about rights with respect to SUD records – Individuals must receive “adequate notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records.” While HIPAA permits certain uses and disclosures of protected health information without authorization, the rules are different for SUD records. If the HIPAA NPP and the Part 2 NPP are combined, then the NPP must contain all of the required elements under 42 CFR 2.22.
- Limits on the Use of SUD Records – Covered entities must state the difference between Part 2 and HIPAA. A statement must be included with respect to SUD treatment records to explain that “[SUD Records] received from programs subject to 42 CFR part 2, or testimony relaying the content of such records, shall not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on written consent, or a court order after notice and an opportunity to be heard is provided to the individual or the holder of the record, as provided in 42 CFR part 2. A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed.”
- Notice about other laws that are more restrictive than HIPAA – The permitted uses and disclosures explained in the NPP are limited by laws more restrictive than HIPAA, such as Part 2, and the description of uses and disclosures must reflect the more stringent law. If another law permits or requires disclosures, the description in the NPP about uses and disclosures must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA, along with any other applicable law, including Part 2.
- Notice about redisclosure of Part 2 records – The NPP must contain a statement advising patients about the potential redisclosure of records. If information is disclosed pursuant to the HIPAA Privacy Rule, the records could potentially be redisclosed and will no longer be protected under the HIPAA Privacy Rule.
- Fundraising – If an entity that creates or maintains Part 2 records intends to use that information for fundraising purposes for the benefit of the covered entity, individuals must be presented with a clear and conspicuous opportunity to choose not to receive fundraising communications.
In August 2025, HHS Secretary Robert F. Kennedy Jr. delegated the authority for enforcing compliance with the Part 2 regulations to OCR. Enforcement of compliance with the Part 2 regulations will follow the same process as enforcement of HIPAA compliance, meaning OCR can enter into resolution agreements, monetary settlements, and corrective action plans with entities subject to the Part 2 regulations and can also impose civil monetary penalties for noncompliance. The financial penalties for noncompliance also align with HIPAA, increasing from $500 for a first offense and $5,000 for subsequent offenses to the current HIPAA penalties, which in 2025, range from $141 to $2.1 million, with criminal penalties also possible. The penalty amounts are subject to annual increases in line with inflation.
