OCR Enforcement of SUD Privacy Rules Begins February 16, 2026


February 16, 2026, Is the New Deadline: Prepare for 42 CFR Part 2 Enforcement 

Organizations treating substance use disorders (SUDs) face a major compliance deadline on February 16, 2026. On that date, all applicable organizations must fully comply with the updated Confidentiality of Substance Use Disorder Patient Records regulations at 42 C.F.R. Part 2. Also, effective February 16, the public may file complaints alleging violations, and the HHS Office for Civil Rights (OCR) may initiate investigations and enforcement actions.  

Originally finalized in 2024 by the OCR and the Substance Abuse and Mental Health Services Administration (SAMHSA), the rule strengthens confidentiality protections and improves care coordination while aligning certain aspects of Part 2 with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act. 

Who Must Comply? 

The regulation applies to federally assisted programs and entities that provide SUD diagnosis, treatment, or referral services and create or receive Part 2 records.  

By February 16, which marks the end of the transition period, all applicable organizations should have: 

  • Updated policies and procedures 
  • Revised consent workflows 
  • Modified Notices of Privacy Practices 
  • Implemented breach reporting processes 

OCR also established a right for individuals to file complaints directly with the Secretary for alleged violations, raising the stakes for proactive compliance.  

How PrivaPlan Supports Compliance 

OCR will provide additional information about Part 2 in a future announcement, including how to file Part 2 complaints and breach reports, and will share a Model Part 2 Patient Notice as well as an updated HIPAA Privacy Rule Notice of Privacy Practices.

PrivaPlan will also provide its customers with sample SUD language for the Notice of Privacy Practices (NPP), helping organizations streamline their HIPAA policy updates while maintaining regulatory alignment. Please contact our HIPAA experts for more information. 

Why Part 2 Matters Now 

Part 2 safeguards records related to the “identity, diagnosis, prognosis, or treatment” of patients receiving SUD services, helping reduce fear of discrimination and encouraging individuals to seek care.  

The final rule implements provisions of the CARES Act that align aspects of Part 2 with HIPAA and HITECH requirements, signaling a broader federal push toward interoperability without sacrificing confidentiality.  

For healthcare IT leaders and compliance teams, this alignment means privacy programs must now account for overlapping yet distinct regulatory expectations. 

Major Changes Healthcare Organizations Should Understand 

  1. Simplified Patient Consent. Patients can provide a single consent covering future uses and disclosures for treatment, payment, and healthcare operations, reducing administrative friction while supporting integrated care. 
  2. Stronger Enforcement Structure. The rule replaces prior criminal penalties with civil enforcement authorities aligned with HIPAA, including monetary penalties for violations. 
  3. Breach Notification Requirements. Organizations must follow HIPAA-style breach notification requirements when unsecured Part 2 records are compromised. 
  4. Expanded Patient Rights. Patients gain rights to request disclosure, accounting, and restriction—protections consistent with the HIPAA Privacy Rule. 
  5. Updated Notice Requirements. Patient notice obligations are now aligned with HIPAA Notices of Privacy Practices, reinforcing transparency expectations. 

Notably, Part 2 still imposes stricter protections in certain contexts, such as limiting the use of records in legal proceedings without patient consent or a court order. For a deeper analysis, see PrivaPlan’s article, “Is Your Organization Ready for the HIPAA 42 CFR Part 2 Updates?”

Enforcement Reality: Preparing for OCR Oversight 

With OCR authorized to investigate complaints and impose corrective actions, healthcare entities should treat Part 2 readiness as a near-term operational priority, not a future compliance project. 

Key risk areas include: 

  • Data segmentation and governance 
  • Consent lifecycle management 
  • Vendor and business associate oversight 
  • Workforce training on redisclosure rules 

Technology teams should evaluate whether EHR workflows, interoperability tools, and privacy controls support the updated consent and disclosure requirements. 

What Has Not Changed in Part 2? 

As has always been the case under Part 2, patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written patient consent or a court order. 

Records obtained in an audit or evaluation of a Part 2 program may not be used to investigate or prosecute patients without the patients’ written consent or a court order that meets Part 2 requirements. 

Stay HIPAA Compliant

PrivaPlan’s HIPAA Privacy Assessment provides a comprehensive view of your PHI, including how it’s handled, who accesses it, and where it is stored. Our review offers the support you need to realign your HIPAA Privacy standards. 
