Our Health Care Group discusses a new role for the HHS Office for Civil Rights (OCR) in enforcing HIPAA Part 2 provider confidentiality rules for patients’ substance use disorder records.
- Under its new authority, OCR can impose monetary penalties for Part 2 providers’ failure to comply with the confidentiality rules
- The agency can enter into resolution agreements, monetary settlements, and corrective action plans with Part 2 providers that don’t comply
- In investigating Part 2 providers’ noncompliance, OCR has the authority to issue subpoenas for witness testimony and documents
Department of Health and Human Services (HHS) Secretary Robert Kennedy Jr. has delegated authority to the HHS Office for Civil Rights (OCR) to enforce the confidentiality of substance use disorder (SUD) patient records under 42 CFR Part 2.
As a reminder, Part 2 is generally stricter than the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and seeks to “address concerns that discrimination and fear of prosecution deter people from entering treatment for SUD.”
The delegation of authority published by HHS in the Federal Register on August 27, 2025, authorizes OCR to:
- Impose civil money penalties against SUD providers for failures to comply with Part 2.
- Enter into resolution agreements, monetary settlements, and corrective action plans with SUD providers to resolve indications of noncompliance with Part 2.
- Issue subpoenas for witness testimony and document production to SUD providers to investigate noncompliance with Part 2.
In February 2024, HHS amended Part 2 to align the confidentiality requirements for SUD patient records under Part 2 with the confidentiality requirements for protected health information under the HIPAA Privacy, Security and Breach Notification Rules.
Among other changes, the amendments to Part 2 apply the same breach notification requirements under HIPAA to Part 2 (including HIPAA’s presumption of a breach) and align the penalties for Part 2 violations with the same civil and criminal penalties under HIPAA.
OCR has long held the authority to investigate and enforce noncompliance with HIPAA. Now, through the delegation granted by Kennedy, OCR will have the same authority to investigate and enforce noncompliance with Part 2 as it currently has for HIPAA. SUD providers can expect the same investigation procedures that OCR has used for HIPAA-covered entities and business associates to investigate issues involving SUD patient records, such as sending detailed data requests following the report of a breach or receipt of an individual complaint.
The Part 2 alignment with HIPAA and the enforcement authority granted to OCR mark significant and sweeping changes for SUD providers. SUD providers have until February 16, 2026, to comply with the 2024 changes to Part 2, and they should prepare now for compliance and the new regime for OCR investigation and enforcement.