Part 2 Gets Teeth: HHS Empowers OCR With Enforcement Authority

Arnall Golden Gregory LLP

On August 26, 2025, the U.S. Department of Health and Human Services (“HHS”) displayed in the Federal Register a delegation of authority from Secretary Robert F. Kennedy, Jr., to the Office for Civil Rights (“OCR”) to administer and enforce the “Confidentiality of Substance Use Disorder (‘SUD’) Patient Records” regulations at 42 CFR part 2 (Part 2), which protect the privacy of patients’ SUD treatment records.[1]

HHS published a final rule revising the Part 2 regulations in 2024, implementing the changes prescribed by Section 3221 of the Coronavirus Aid, Relief, and Economic Security (“CARES”) Act. These statutory and regulatory changes were intended to better align Part 2 with the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) Rules, as well as the Health Information Technology for Economic and Clinical Health (“HITECH”) Act.[2]

This delegation of authority to OCR is notable given the quickly approaching February 16, 2026, implementation deadline for compliance with the Part 2 Final Rule. Providers required to comply with Part 2 should be aware of this delegation as it points to an organized approach to enforcement, which traditionally has been lacking in this space.

Background on Part 2

Originally promulgated in 1975, Part 2 was designed to protect individuals seeking SUD treatment from discrimination, stigmatization, and legal consequences.[3] The regulations created safeguards for records created by Part 2 programs that identify a patient’s diagnosis, prognosis, or treatment for SUD, and prohibited disclosure without explicit patient consent.[4] The Part 2 regulations were promulgated prior to the onset of electronic medical records, greater technological abilities to segregate data, and an emphasis on care coordination across physical and mental/behavioral healthcare treatment. As patient care modalities and technology advanced, and as regulatory frameworks governing protected health information were implemented and subsequently modified, Part 2 remained largely unchanged. This led to data silos, gaps in treatment, and other unintended consequences, as Part 2 had differing definitions and requirements for how data could be used.

Regulatory updates to Part 2 in 2017 were the first major overhaul of the regulations and took steps to bring data use into the 21st century.[5] More was needed, however, to bring Part 2 into alignment with HIPAA and HITECH to ensure providers and other entities had access to necessary patient data while also balancing the heightened need for confidentiality and other protections for patients. Despite additional regulatory updates in 2018, 2020, and 2021, it was not until the 2024 Final Rule that there was near alignment with HIPAA.[6]

Notably, in the CARES Act, Congress replaced the criminal penalties for Part 2 violations with the HITECH civil penalty structure that is applied to violations of the HIPAA regulations, as well as criminal penalties for certain violations.[7] The 2024 Final Rule did not specify which regulatory entity – OCR, SAMHSA, or another agency – would be responsible for civil enforcement.[8] Secretary Kennedy’s announcement clarifies the enforcement authority.[9]

Part 2 Enforcement

Historically, enforcement of Part 2 was limited to criminal penalties under federal law, and the Department of Justice (“DOJ”) was responsible for enforcement. In practice, enforcement was rare to nonexistent. There were virtually no prosecutions or formal actions taken under Part 2 in its nearly 50-year history. The addition of civil penalties and this recent delegation of authority to OCR suggest that HHS intends to vigorously enforce Part 2. Notably, OCR is also the entity responsible for enforcing HIPAA and, thus, has at its disposal an existing infrastructure for investigation and enforcement.

Under HIPAA, OCR is responsible for investigating complaints, conducting compliance reviews, and performing education and outreach to foster compliance.[10] OCR reviews information it gathers and may determine that there was no violation. However, in cases of non-compliance, OCR will attempt to resolve the case with a covered entity through voluntary compliance, corrective action, and/or resolution agreement.[11] If an entity does not satisfactorily resolve the matter, OCR may decide to impose civil money penalties, which are determined based on a tiered civil penalty structure.[12] The secretary of HHS has discretion in determining the amount of the penalty based on the nature and extent of the violation and the nature and extent of the harm resulting from the violation.[13] Although enforcement of Part 2 by OCR is nascent, it seems reasonable for Part 2 programs to expect a similar approach.

How Providers Should Prepare

While programs that are subject to Part 2 are typically also governed by HIPAA and may be familiar with the civil money penalty and enforcement regime, the changes to Part 2, particularly around logging complaints of improper disclosure and logging breaches, are key topics that providers should revisit ahead of the compliance deadline. While there is greater alignment with HIPAA, entities subject to Part 2 should do a comprehensive analysis of their policies, procedures, patient notices, and consents to ensure that they are in compliance with the revised requirements.

Because Part 2 only applies to records created by providers that meet the specific definition of a program (defined at 42 CFR 2.11), rather than SUD patient records more generally, there have been historical questions regarding applicability of these requirements. Given the clarified penalties and enhanced risk associated with noncompliance, providers holding themselves out as rendering SUD diagnosis, treatment, or referral for treatment should use these next few months to review their program for Part 2 applicability and ensure adherence to all federal and state privacy and confidentiality requirements.

All entities subject to the revised Part 2 regulations must comply with the new requirements by February 16, 2026. Some of the major changes for providers to keep in mind as they review existing policies and practices have been highlighted below:

Patient Consent

  • Patients may now provide a single consent for all future uses and disclosures for treatment, payment, and healthcare operations.
  • HIPAA-covered entities and business associates may redisclose records received under this consent in accordance with HIPAA.
  • Consent for use and disclosures in legal proceedings must be separate from other consents.
  • Providers must obtain separate consent for the use and disclosure of SUD counseling notes.
  • Each disclosure made with patient consent must include either a copy of the consent or a clear explanation of its scope.

Uses and Disclosures

  • Providers may disclose de-identified records to public health authorities without patient consent.
  • Providers may not use records and testimony in legal proceedings against patients unless the patient consents or a court order is obtained.

Enforcement and Penalties

  • Enforcement authority is now delegated to OCR. Historically, OCR enforced HIPAA but not Part 2. With this final rule, OCR may impose monetary penalties, enter into settlements, and implement corrective action plans for providers that do not comply. Additionally, OCR has the power to issue subpoenas for testimony and documents.
  • Criminal penalties under Part 2 are replaced with civil and criminal enforcement mechanisms.

Breach Notification

  • The HIPAA Breach Notification Rule now applies to breaches of Part 2 records, requiring covered entities and business associates to notify HHS and affected individuals of breaches involving unsecured protected health information.

Patient Notice Alignment

  • Part 2’s patient notice requirements are now consistent with HIPAA’s Notice of Privacy Practices, requiring covered entities to provide individuals with adequate notice of how the entity may use and disclose their protected health information.

Safe Harbor for Investigative Agencies

  • Investigative agencies have limited civil and criminal liability when they act with reasonable diligence to determine whether a provider is subject to Part 2 before requesting records during an investigation.
  • If an agency inadvertently obtains Part 2-protected records without a court order, it must take specific remedial steps to address the unauthorized acquisition.
  • To qualify for safe harbor protections, investigative agencies must check the Substance Abuse and Mental Health Services Administration’s (“SAMHSA”) treatment facility locator and review a provider’s Patient Notice or HIPAA Notice of Privacy Practices before requesting records to determine whether the provider is subject to Part 2.

[1] 90 Fed. Reg. 41,833 (Aug. 27, 2025), https://www.govinfo.gov/content/pkg/FR-2025-08-27/pdf/2025-16391.pdf.

[2] Fact Sheet 42 C.F.R. Part 2 Final Rule, U.S. Dep’t of Health & Hum. Servs. (Feb. 8, 2024), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html.

[3] Id.

[4] Id.

[5] 82 Fed. Reg. 6,052 (Jan. 18, 2017).

[6] 83 Fed. Reg. 239 (Jan. 3, 2018); 85 Fed. Reg. 42,986 (July 15, 2020); 87 Fed. Reg. 80,626 (Dec. 14, 2020); 89 Fed. Reg. 12,472 (Feb. 16, 2024).

[7] Coronavirus Aid, Relief, and Economic Security (CARES) Act, Pub. L. No. 116-136, § 3221, 134 Stat. 281, 377 (2020).

[8] 89 Fed. Reg. 12,472, 12,485 (Feb. 16, 2024).

[9] 90 Fed. Reg. 41,833 (Aug. 27, 2025).

[10] 45 C.F.R. §§ 160.304, 160.308.

[11] 45 C.F.R. § 160.312.

[12] 45 C.F.R. §§ 160.402, 160.404, 160.406, 160.408.

[13] 45 C.F.R. § 160.408.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Arnall Golden Gregory LLP
