The U.S. Department of Health and Human Services (HHS) on Aug. 27, 2025, published a Statement of Delegation of Authority (Statement) in the Federal Register. HHS Secretary Robert F. Kennedy Jr. delegated authority to the HHS Office for Civil Rights (OCR) to administer and enforce the "Confidentiality of Substance Use Disorder Patient Records" (SUD) regulations at 42 C.F.R. Part 2 (Part 2 Regulations), which protect the privacy of patients' SUD treatment records.
In 2024, HHS modified the Part 2 Regulations to implement Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act to better harmonize the Part 2 Regulations with certain requirements under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act (the Amendments). We previously published a Holland & Knight client alert on this topic.
Similar to the rights afforded to individuals under HIPAA, the public now has the ability to file complaints alleging violations of the Part 2 Regulations. The Amendments also granted HHS enforcement authority to impose civil monetary penalties for violations of the Part 2 Regulations to the same extent that HIPAA-regulated entities are subject to penalties for HIPAA violations. Resolution of enforcement actions will be similar to HIPAA enforcement and include voluntary compliance, corrective action and/or resolution agreements. The amended Part 2 Regulations align with the HIPAA Privacy Rule and apply to non-HIPAA-regulated entities, as well as to HIPAA-regulated entities that are providers of substance use disorder services identified as Part 2 Programs and to those who are lawful holders of Part 2 records. It is notable that HHS declined to align the more general Part 2 security obligations for Part 2 Programs and lawful holders of Part 2 records with the more detailed HIPAA Security Rule regulations (45 C.F.R. Part 306, et seq.). However, for those Part 2 Programs and lawful holders that are also HIPAA-regulated entities, compliance with the HIPAA Security Rule, including performance of security risk analyses, is imperative in protecting Part 2 records from cyberattacks.
Following the March 2025 announcement of the HHS reorganization plan, which involved deep cuts to the Substance Abuse and Mental Health Services Administration (SAMHSA), it was unclear which agency or office would be delegated the authority to administer and enforce the Part 2 Regulations. With this mystery solved, OCR can now step forward in taking on this additional regulatory enforcement activity.
According to the Statement, the director of OCR may take the following actions pertaining to the confidentiality of SUD records:
- impose civil monetary penalties on persons and entities for failures to comply with the Part 2 Regulations
- enter into resolution agreements, monetary settlements and corrective action plans to resolve indications of noncompliance with the Part 2 Regulations
- issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to an investigation or compliance review for failure to comply with the Part 2 Regulations
Compliance Requirements
Except for certain requirements that are delayed until similar revisions to the HIPAA regulations are finalized (e.g., accounting of disclosures for treatment, payment and healthcare operations through an electronic health record), persons and entities must comply with the modified Part 2 Regulations by Feb. 16, 2026. Part 2 Programs and HIPAA-covered entities and business associates should take this opportunity to review their consent and authorization forms, policies and procedures. That includes required updates to the notice of privacy practices and to processes for responding to legal requests for records, such as subpoenas, and implementing or amending them as necessary to comply with the Part 2 Regulations. Business associate agreements and qualified service organization contracts should include provisions to address compliance with the Part 2 Regulations and HIPAA. In addition, these entities should update their training materials and tools and have staff trained on the new requirements. Part 2 Programs will also need to become accustomed to the HIPAA breach notification requirements and establish breach response policies and procedures.