Skip to Content
Close
Kaufman Dolowich, LLP Kaufman Dolowich, LLP

Kaufman Dolowich, LLP

|
(844) 860-1010 |

Imminent Deadline for New Substance Use Disorder Privacy Rules and Required HIPAA Notice Updates, by Abbye Alexander, Christopher Tellner and Henry Norwood, 2-13-2026

News & Resources

Imminent Deadline for New Substance Use Disorder Privacy Rules and Required HIPAA Notice Updates, by Abbye Alexander, Christopher Tellner and Henry Norwood, 2-13-2026

Posted Feb 13, 2026

Healthcare providers and organizations that treat substance use disorders (“SUD”) or create, receive, maintain, or transmit SUD treatment records face significant compliance obligations that must be implemented by February 16, 2026.

Two related regulatory developments converge on that date:

  1. Revised federal confidentiality rules for SUD records under 42 C.F.R. Part 2 (“Part 2”) require compliance; and
  2. Amendments to the HIPAA Privacy Rule, including revisions to 45 C.F.R. § 164.520, require covered entities to update Notices of Privacy Practices (‘NPPs’) to reflect the revised Part 2 framework.

Organizations subject to HIPAA, Part 2 or both should ensure they are in compliance.

Background

The U.S. Department of Health and Human Services (“HHS”) finalized significant revisions to 42 C.F.R. Part 2 in February 2024 to better align confidentiality protections for SUD treatment records with HIPAA, while preserving enhanced safeguards for particularly sensitive information. The final rule implements section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act.

In April 2024, HHS published a separate final rule amending the HIPAA Privacy Rule, including 45 C.F.R. § 164.520, to require covered entities to update their Notices of Privacy Practices to reflect the enhanced confidentiality protections and enforcement framework applicable to Part 2 records.

On June 18, 2025, the U.S. District Court for the Northern District of Texas vacated, on a nationwide basis, most of the “HIPAA Privacy Rule to Support Reproductive Health Care Privacy,” eliminating the rule’s heightened protections and attestation requirements for reproductive health information. However, the court’s decision left in place unrelated NPP amendments—such as those addressing SUD and Part 2 records—and HHS and subsequent guidance have confirmed that covered entities must still comply with the surviving NPP modification requirements, including those related to confidentiality of SUD records, by February 16, 2026.

Who Is Affected?

The revised Part 2 rules apply to:

  • Federally assisted “Part 2 programs” that provide SUD diagnosis, treatment, or referral for treatment;
  • Entities that meet the regulatory definition of a federally assisted “Part 2 program,” including certain providers that hold themselves out as providing SUD diagnosis, treatment, or referral services;
  • HIPAA-covered entities and business associates that create, receive, maintain, or transmit Part 2-protected records; and
  • Other healthcare providers, health plans, and entities that receive and maintain Part 2 records, even if they do not themselves provide SUD treatment.

Organizations must determine whether they qualify as a “Part 2 program,” are otherwise regulated persons under the revised rule, or receive records subject to Part 2 protections, and assess how the updated requirements apply to their operations.

Enforcement and Penalties

Beginning February 16, 2026, violations of Part 2 will be subject to enforcement by HHS’s Office for Civil Rights (“OCR”) under the HIPAA enforcement framework.

The revised regulations incorporate HIPAA’s civil monetary penalty structure, investigative procedures, and compliance resolution processes. Impacted individuals may file complaints with OCR regarding alleged Part 2 violations.

Importantly:

  • Civil monetary penalties will follow HIPAA’s tiered penalty regime (as adjusted annually for inflation).
  • Breaches of unsecured Part 2 records will be subject to HIPAA’s breach notification requirements, including notification to affected individuals, HHS, and in certain cases the media.
  • OCR will have authority to investigate complaints and conduct compliance reviews of Part 2 programs and other regulated persons.

While the revisions align Part 2 enforcement more closely with HIPAA’s civil enforcement model, criminal penalty provisions applicable to Part 2 arise under the Public Health Service Act and remain distinct from HIPAA’s criminal enforcement provisions. Nonetheless, overall enforcement exposure is materially greater than under the prior Part 2 regime.

HIPAA Notices of Privacy Practices Must Be Updated

In parallel with the Part 2 revisions, HHS amended the HIPAA Privacy Rule—specifically 45 C.F.R. § 164.520—to require updates to covered entities’ NPPs.

HIPAA-covered entities that create, receive, or maintain Part 2 records must review and update their NPPs as necessary to comply with the amended requirements by February 16, 2026.

Required NPP updates may include:

  • Revised descriptions of permitted uses and disclosures of protected health information, including SUD and Part 2 records;
  • Clarification of consent requirements for certain treatment, payment, and healthcare operations disclosures involving Part 2 records;
  • Updated language regarding redisclosure limitations and related protections;
  • Statements describing restrictions on the use and disclosure of SUD records in civil, criminal, and administrative proceedings;
  • Notice that individuals may file complaints with OCR regarding alleged Part 2 violations; and
  • Updated descriptions of patient rights and complaint procedures, as applicable.

Covered entities must also ensure proper redistribution of the updated NPP, including posting at service locations and on websites and making copies available as required under HIPAA. Although HHS provides model Notice of Privacy Practices templates, those templates have not yet been revised to incorporate the new Part 2 requirements.

Next Steps

With the compliance deadline approaching, healthcare organizations should consider:

  • Conducting a Part 2 applicability assessment;
  • Identifying whether they qualify as a Part 2 program or otherwise receive Part 2-protected records;
  • Reviewing and revising privacy policies and procedures;
  • Updating consent forms and authorization templates, where necessary;
  • Revising Notices of Privacy Practices;
  • Training workforce members on the revised standards;
  • Coordinating with electronic health record vendors to ensure technical system alignment;
  • Reviewing breach response protocols in light of expanded notification and enforcement obligations.

Because Part 2 violations will now be subject to OCR enforcement and HIPAA’s civil monetary penalty framework, organizations face materially increased regulatory risk compared to the historical Part 2 enforcement structure.

AuthorsAbbye Alexander and Christopher Tellner, Co-Chairs of the Health Care/Managed Care Practice Group and Of Counsel Henry Norwood


White Paper - Impact of COVID-19
Search
News & Resources
Follow Us on Linkedin
Subscribe
Archives

Our Firm's Awards & Honors

No aspect of the advertisement has been approved by the Supreme Court. Learn more about the selection methodology of awards and honors.

Super Lawyers Best Law Firms 2025 Super Lawyers Martindale Hubbel AV Preeminent Law 360