
Rule Update

OCR Begins Enforcing Part 2 — What Behavioral Health Providers Must Know Now

TL;DR

Effective February 16, 2026, the HHS Office for Civil Rights began accepting complaints and breach reports under the updated 42 CFR Part 2 regulations governing confidentiality of substance use disorder patient records. Part 2 now carries HIPAA-equivalent civil penalties and is enforced by OCR directly. Behavioral health providers, hospitals, and any organization treating SUD patients must review their Part 2 compliance immediately.

As of February 16, 2026, OCR began civil enforcement of the updated Part 2 regulations protecting substance use disorder patient records. Behavioral health providers face a new compliance obligation that runs alongside and partially overlaps with HIPAA.

medcomply.ai editorial team · Published May 3, 2026 · Updated May 3, 2026 · 6 min read

For years Part 2 — the federal regulation governing confidentiality of substance use disorder patient records — operated in a separate enforcement universe from HIPAA. Different rules. Different standards. Different agencies. And, critically, different consequences for violation.

That changed on February 16, 2026.

What happened on February 16, 2026

Beginning February 16, 2026, entities and persons subject to the regulation protecting the confidentiality of SUD patient records must comply with all applicable requirements. The penalties for noncompliance align with the penalties available under HIPAA Privacy, Security, and Breach Notification Rules.

OCR will begin accepting complaints alleging violations of the regulation that protects the confidentiality of SUD patient records, and notifications of breaches of SUD patient records.

This is a significant enforcement expansion. Before this date, Part 2 violations were enforced through a different mechanism with limited penalty authority. As of February 16, 2026, OCR — the same agency that enforces HIPAA — is now the enforcement authority for Part 2, with the same penalty structure it applies to HIPAA violations.

Who is affected

Part 2 applies to any program that provides substance use disorder diagnosis, treatment, or referral for treatment and receives any form of federal assistance. The definition of federal assistance is deliberately broad.

Organizations subject to Part 2 include hospitals with SUD treatment programs, federally qualified health centers, opioid treatment programs, residential rehabilitation facilities, outpatient SUD treatment programs, and any provider that accepts Medicare or Medicaid patients for SUD treatment.

Critically, this is not limited to specialized addiction treatment centers. A general hospital with a detox unit, a primary care practice that provides medication-assisted treatment for opioid use disorder, and a mental health center that also treats substance use disorders are all potentially subject to Part 2.

Note

If your organization is registered with the DEA, accepts Medicare or Medicaid, has federal tax-exempt status, or receives any federal grant funding — and you provide any SUD treatment services — you are almost certainly subject to Part 2.

How Part 2 differs from HIPAA

The core distinction between Part 2 and HIPAA is the consent standard for disclosure.

Under HIPAA, covered entities can use and disclose PHI for treatment, payment, and healthcare operations without patient authorization. A primary care doctor can share records with a specialist. A hospital can share records with an insurance company for billing. These disclosures do not require individual patient consent.

Under Part 2, disclosures of SUD records historically required specific written patient consent for nearly every disclosure — including many disclosures HIPAA would permit without consent. This stricter standard reflects Congress's judgment that the stigma associated with substance use disorder creates unique barriers to treatment that heightened confidentiality protections can help address.

The 2024 rule modifications aligned some Part 2 requirements more closely with HIPAA — allowing, for example, a single consent form to cover both HIPAA and Part 2 disclosures in certain treatment contexts. But the core principle of heightened protection for SUD records remains intact.

What OCR's enforcement program covers

OCR investigations conducted under the new program may be resolved through a range of civil enforcement mechanisms. These include OCR entering into resolution agreements, securing monetary settlements, obtaining commitments for corrective action, or imposing civil money penalties for the failure to comply.

This mirrors exactly how OCR enforces HIPAA. Resolution agreements, corrective action plans, and civil money penalties are all available remedies — the same tools OCR uses in ransomware breach investigations and right of access enforcement.

OCR Director Paula Stannard stated that OCR's civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers, and that compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens.

The updated Notice of Privacy Practices requirement

One immediate compliance action every affected organization must take: update its Notice of Privacy Practices.

HHS developed a model patient notice and updated its model HIPAA Notices of Privacy Practices for regulated entities to use in providing notice to patients on how federal law protects the confidentiality of SUD patient records.

Patients receiving SUD treatment must be informed of their specific Part 2 rights. The updated NPP templates are available on the HHS website and should be reviewed and adopted immediately.

What behavioral health providers must do now

Step 1 — Determine whether Part 2 applies to your organization. Assess whether you provide any SUD diagnosis, treatment, or referral services and whether you receive any form of federal assistance. If both conditions are met, Part 2 applies.

Step 2 — Review your consent forms. Your patient consent forms must specifically authorize Part 2 disclosures. A general HIPAA authorization is not sufficient for Part 2 SUD records. Review your forms with legal counsel to ensure they meet both HIPAA and Part 2 requirements.

Step 3 — Update your Notice of Privacy Practices. Use HHS's updated model NPP to ensure your privacy notice accurately reflects patients' Part 2 rights alongside their HIPAA rights.

Step 4 — Train your workforce. Staff who handle SUD patient records must understand the heightened confidentiality requirements Part 2 imposes — including restrictions on disclosures that HIPAA would otherwise permit. This training should be documented.

Step 5 — Establish a breach response process for SUD records. Part 2 breach notifications must now be reported to OCR using the same breach portal used for HIPAA breaches. Your incident response procedures must be updated to address Part 2 breaches specifically.

Step 6 — Audit your business associate agreements. If you share SUD patient records with business associates, your BAAs may need to be updated to address Part 2 obligations in addition to HIPAA requirements.

Warning

The February 16, 2026 enforcement date is not a grace period start — it is when enforcement began. OCR is now accepting Part 2 complaints. If your organization treats SUD patients and has not reviewed its Part 2 compliance, it is exposed today.

Part 2 enforcement is not a future concern for behavioral health providers — it is a present one. OCR is now the enforcement authority, carries HIPAA-equivalent penalty authority, and is actively accepting complaints. Organizations that treat substance use disorder patients must review their consent forms, NPP, workforce training, and breach response procedures immediately.

Sources & citations

  • HHS OCR — Part 2 Civil Enforcement Program Announcement
  • 42 CFR Part 2 — Confidentiality of SUD Patient Records
  • HHS Final Rule — Part 2 Modifications 2024

All content verified against official HHS guidance and the Code of Federal Regulations.

Frequently asked questions

What is 42 CFR Part 2 and how is it different from HIPAA?

42 CFR Part 2 is a federal regulation that provides heightened confidentiality protections specifically for records of patients treated for substance use disorders. Historically it was stricter than HIPAA in several ways — requiring specific written consent for most disclosures rather than the broader treatment/payment/operations exceptions HIPAA allows. The 2024 rule changes aligned some Part 2 requirements more closely with HIPAA while preserving core SUD-specific protections.

Who is subject to Part 2?

Part 2 applies to any individual or organization that provides, in whole or in part, alcohol or drug abuse diagnosis, treatment, or referral for treatment, and that is federally assisted. Federal assistance is defined broadly — including Medicare, Medicaid, DEA registration, federal tax exemption status, and federal grants. Most hospitals, federally qualified health centers, and substance use disorder treatment programs are covered.

What changed in the 2024 Part 2 rule that took effect in 2026?

The 2024 modifications aligned Part 2 more closely with HIPAA, allowing covered entities with HIPAA-compliant consent forms to use a single consent for both HIPAA and Part 2 purposes in certain circumstances. It also enhanced care coordination by allowing disclosure with patient consent for treatment, payment, and operations. Critically, it added HIPAA-equivalent civil penalty authority — now enforced by OCR.

What penalties apply to Part 2 violations?

As of February 16, 2026, Part 2 violations carry the same civil money penalty structure as HIPAA violations — ranging from $141 to $1,919,173 per violation category per year depending on culpability. OCR enforces these penalties using the same four-tier structure it applies to HIPAA.

Do we need to update our Notice of Privacy Practices for Part 2?

Yes. HHS developed updated model HIPAA Notices of Privacy Practices that incorporate Part 2 patient notice requirements. Covered entities subject to both HIPAA and Part 2 should update their NPP to reflect both sets of protections. OCR has made model notices available on its website.

Not legal advice. medcomply.ai provides compliance intelligence for educational and operational planning. Consult qualified counsel for legal interpretation.