HHS Office for Civil Rights Establishes Part 2 Enforcement Program
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has established a civil enforcement program for the 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records (Part 2) regulations.
The Coronavirus Aid, Relief, and Economic Security (CARES) Act, an economic stimulus bill signed into law on March 27, 2020, included a section (Section 3221) related to the confidentiality and disclosure of substance use disorder (SUD) records. The CARES Act directed the HHS to implement changes to align the Part 2 regulations more closely with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules, to enhance protections and improve patient rights, while allowing a more flexible approach to the sharing of SUD records with patient consent to improve care coordination.
In February 2024, the HHS issued a final rule that modified the Part 2 regulations by implementing the changes mandated by Section 3221 of the CARES Act. The final rule improves coordination among providers treating patients for SUD, aligns certain Part 2 requirements with the HIPAA Privacy Rule and HIPAA Breach Notification Rule, and enhances integration of behavioral health information with other medical records to improve patient health outcomes.
The final rule also implemented a new penalty structure, mirroring that of HIPAA, as amended by the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. OCR has been granted authority to enforce compliance, and if violations are identified, they will be subject to the same range of enforcement mechanisms as HIPAA. Violations of the Part 2 regulations can be resolved with civil monetary penalties, resolution agreements, monetary settlements, and corrective action plans to address areas of noncompliance.
The enforcement program uses newly established mechanisms of civil enforcement to protect the confidentiality of SUD records by covered SUD programs. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” said HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”
This is the first time that such mechanisms have been established, and they will help to ensure that the privacy of Americans seeking treatment for substance use disorder is protected. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said OCR Director Paula M. Stannard. “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”
OCR must be notified about any breach of SUD records, and the agency will investigate breaches to determine if they were the result of noncompliance. On February 16, 2026, OCR started accepting complaints about potential violations of the Part 2 regulations, including civil rights and breach notifications related to SUD records.
Complaints about potential Part 2 violations should be submitted via the OCR breach portal. Individuals are encouraged to file a complaint if they believe that their civil rights or health information privacy have been violated, but also if they suspect that the civil rights or health information privacy of other individuals have been violated. Complaints will be investigated, and if substantiated, violations will be resolved through the newly established enforcement mechanisms.
The OCR breach portal has been updated to show entities and individuals that have experienced breaches of Part 2 records. As with the section of the OCR breach portal for HIPAA breach reports, a summary of each breach of Part 2-covered records is listed. The listings include basic information about the breach – the name of the Part 2 Program, state, individuals affected, breach submission date, type of breach, and the location of breached information. When OCR has completed its investigation of the breach, the complaints will be moved to the archive, with brief notes added from OCR’s investigation. As is the case with breach reports under HIPAA, OCR will investigate all breaches affecting 500 or more individuals, and may choose to investigate smaller breaches to determine if they were due to noncompliance.
The breach portal only includes large breaches of SUD records – those affecting 500 or more individuals. Smaller breaches are not made public, but OCR still needs to be notified. For smaller breaches, the deadline is within 60 days of the end of the calendar year when the breach was discovered, rather than within 60 days of the date of discovery of the breach, and media notices are not required. Individuals must still be notified within 60 days of the discovery of the breach.
OCR has long been working with a limited budget that has been strained by an increasing workload. OCR has sought additional funding from Congress to support its HIPAA enforcement activities, but no further funding has been provided. There is currently a backlog of data breach investigations under HIPAA, and the additional responsibility of investigating breaches of Part 2 health data will stretch its resources further.
In a press call attended by Steve Alder of the HIPAA Journal, Stannard and OCR Deputy Director for Health Information Privacy Tim Noonan were questioned about whether the department has sufficient resources for its Part 2 enforcement program. They explained that they have been working within the department to ensure sufficient support can be provided for its Part 2 enforcement program, confirming that the department has “adequate resources to pursue investigations at this point.”
OCR anticipates that there will be relatively few large breaches. The majority of data breaches are expected to affect a small number of individuals, and up to 1,100 complaints about potential violations by Part 2 programs are expected in the first year. OCR confirmed that it has the resources to deal with the anticipated volume of data breaches and complaints, at least in the first year.
Since OCR added a new Part 2 section to its breach portal, it has received some complaints about potential privacy violations by Part 2 programs. OCR was authorized to enforce the Part 2 regulations starting on February 16, 2026. Stannard confirmed that OCR will not investigate any complaints about violations that occurred before that date.
Any individual who has reason to believe that their privacy, or the privacy of other individuals, has been violated with respect to Part 2-covered data should file a complaint. OCR is committed to ensuring strong enforcement and protection of SUD records, as patient privacy is of vital importance to ensure that individuals are not discouraged from seeking treatment for SUDs.
This article has been updated since publication to include additional information and comment following a press call with the HHS’ Office for Civil Rights.

