Skip to content
Saint Health Group
All Posts·Compliance

42 CFR Part 2 Compliance in 2026: What Every SUD Program Needs to Know Now

Saint Health GroupJuly 8, 202612 min read

The compliance deadline has already passed. As of February 16, 2026, the updated 42 CFR Part 2 regulations governing the confidentiality of substance use disorder patient records are in force, and the HHS Office for Civil Rights is actively accepting complaints and opening investigations under its new civil enforcement program. If your program has not yet updated its consent forms, notice of privacy practices, breach response procedures, and staff training, you are not early to this. You are behind, and every day of continued gaps in 42 CFR Part 2 compliance is a day of exposure to a federal complaint, a payer audit finding, or a licensing deficiency.

This guide walks through what actually changed under the final rule, what OCR enforcement now looks like, and the concrete steps a treatment program, opioid treatment program, or addiction medicine practice needs to take to close the gap, whether you are just starting to catch up or want a second set of eyes on work you have already done.

A Quick Refresher: What Is 42 CFR Part 2?

42 CFR Part 2 is the federal regulation that protects the confidentiality of records created by "Part 2 programs," federally assisted providers that hold themselves out as providing substance use disorder diagnosis, treatment, or referral for treatment. It has historically been stricter than HIPAA, requiring specific written patient consent for nearly every disclosure of SUD treatment information, including disclosures to other treating providers, payers, and even within an integrated health system.

That strictness was rooted in a real concern: patients avoiding treatment for fear that seeking help for addiction could be used against them in custody disputes, employment decisions, or criminal proceedings. But it also created friction that HIPAA-covered providers do not face: segmented records, duplicate consent processes, and care coordination gaps that many in the field argued did not serve patients well in an era of integrated, value-based care.

What Changed Under the 2024 Final Rule

Acting on a mandate from Section 3221 of the CARES Act, SAMHSA and OCR jointly issued a final rule on February 8, 2024, that substantially aligns Part 2 with the HIPAA Privacy Rule, Security Rule, Breach Notification Rule, and Enforcement Rule. The rule gave the field roughly two years to prepare, with a compliance date of February 16, 2026, a date that has now come and gone.

A Single Consent Now Covers Treatment, Payment, and Operations

The single biggest operational change is consent. Under the prior rule, many programs needed a new, disclosure-specific consent every time SUD records moved to a new recipient. Under the final rule, a patient can now sign one consent authorizing all future uses and disclosures of their SUD records for treatment, payment, and health care operations (TPO), similar to how HIPAA-covered entities already operate. Once that TPO consent is on file, records can flow to other treating providers, payers, and business associates without a new consent for every transaction.

This does not eliminate consent. It restructures it. Patients still have to affirmatively consent, and revocation rights, the right to request restrictions, and the right to an accounting of disclosures all still apply. Programs that read "single consent" as "consent no longer required" are setting themselves up for a serious compliance failure.

Redisclosure Is Now Permitted Within HIPAA's Framework

Previously, nearly every redisclosure of Part 2 information required its own consent trail, which made data flow into shared EHRs, health information exchanges, and integrated care networks genuinely difficult. Under the final rule, once information has been properly disclosed with patient consent, HIPAA-covered recipients may redisclose it consistent with the HIPAA Privacy Rule, rather than triggering a fresh Part 2 consent requirement at every hop. Records also no longer need to be physically or electronically segregated from the rest of the medical record in the way many programs previously assumed was required.

SUD Counseling Notes Are Carved Out and Held to a Higher Standard

The rule creates a defined category of "SUD counselor's notes," a clinician's private analysis of an individual or group counseling session, maintained separately from the rest of the record. These notes cannot be swept into the new single TPO consent. They require their own specific, session-level consent, mirroring how HIPAA treats psychotherapy notes. Programs that keep detailed clinical impressions inside the general chart, rather than in a genuinely separate file, should not assume this carve-out protects them by default. The separation has to be real and documented.

Notice of Privacy Practices Requirements Are Aligned

Part 2 programs must now provide patients a notice describing their privacy rights that mirrors the HIPAA Notice of Privacy Practices, and many organizations are combining their HIPAA NPP and Part 2 notice into a single document rather than maintaining two. Whatever approach a program takes, the notice needs to explicitly address SUD record protections and the restriction on using those records in criminal, civil, or administrative proceedings without a court order.

Patients Gained New Rights

Patients now have the right to request an accounting of disclosures of their SUD records and the right to request restrictions on certain disclosures, rights that already exist under HIPAA but were previously unavailable, in this form, under Part 2. Programs need a documented process for receiving, evaluating, and responding to these requests, not an ad hoc one.

Breach Notification Now Follows the HIPAA Rule, Even When HIPAA Wouldn't Require It

This is the change catching the most programs off guard. As of the compliance date, Part 2 programs must report breaches of SUD patient records according to the HIPAA Breach Notification Rule's timelines and thresholds. Critically, some legal analyses have flagged that this obligation can apply even in situations where the same incident would not trigger HIPAA breach reporting on its own, because the definition of a reportable event under Part 2 sweeps in unauthorized "acquisition, access, use, or disclosure" more broadly. Programs relying solely on their existing HIPAA breach response plan may not actually be covering this obligation correctly.

Free Resource

Get the free OHA Licensing Checklist

A practical step-by-step reference used by Oregon behavioral health programs preparing for OHA certification.

Schedule a Consultation

Enforcement Is Real, Not Theoretical

OCR formally launched its civil enforcement program for Part 2 confidentiality violations effective February 16, 2026, and is now accepting complaints. Its toolkit includes investigations, resolution agreements, corrective action plans, monetary settlements, and civil money penalties. Those penalties are tiered and adjusted annually for inflation, ranging from roughly $141 per violation at the lowest tier (where the violator did not know and, by exercising reasonable diligence, would not have known of the violation) up to over $2.1 million per identical violation per year at the highest tier, for willful neglect that goes uncorrected. Knowing violations involving false pretenses or intent to sell SUD records can carry criminal penalties as well, including substantial fines and prison time.

For programs that have treated Part 2 as a background legal requirement handled once at intake, this is the moment that calculus changes. OCR has an active complaint intake process, a defined enforcement structure, and a public compliance date that has already passed, which means "we were still working on it" is a weaker position with each month that goes by.

What Programs Need to Do Now

If your program has not completed a full Part 2 update, the priority is a focused gap-closing effort, not a slow rebuild. The core workstreams look like this.

  • Consent forms. Replace disclosure-specific consent language with a compliant single TPO consent, while preserving a separate, clearly distinct consent process for SUD counseling notes.
  • Notice of privacy practices. Update or combine your HIPAA NPP and Part 2 notice so patients receive one clear, compliant document describing their rights, including the restriction on use in legal proceedings.
  • Policies and procedures. Formalize written procedures for consent management, subpoena and court order response, redisclosure notices, accounting-of-disclosures requests, restriction requests, and breach response specific to Part 2's broader definition of a reportable event.
  • Staff training. Train clinical, front desk, billing, and records staff on what the new consent actually authorizes, how to explain it to patients (particularly patients early in recovery who may be wary of any information sharing), and how to recognize a Part 2-reportable incident. OCR has signaled that a lack of documented training can be read as evidence of willful neglect.
  • EHR and health information exchange configuration. Confirm your EHR consent management workflows actually reflect the new single-consent model, correctly segregate SUD counseling notes, and produce the audit trail needed to support an accounting-of-disclosures request. If your current system cannot do this cleanly, it may be time to revisit choosing a behavioral health EHR.
  • Business associate and data-sharing agreements. Review agreements with EHR vendors, billing partners, and any health information exchange participation to confirm redisclosure permissions and breach reporting obligations are current with the final rule, not the prior regulation.
  • A documented gap assessment. Before assuming you are compliant, run a structured review against each requirement above and document what was found and fixed. In an OCR investigation, a documented remediation history is worth far more than an informal assurance that "we handled it."

Common Mistakes Programs Are Still Making

A few misreadings of the final rule keep showing up across the field. Some programs believe the single TPO consent means consent is no longer required at all, which is incorrect and risks unauthorized disclosures. Others assume the SUD counseling notes carve-out applies automatically to any clinical documentation, when it only applies to notes that are genuinely and consistently kept separate from the rest of the record. Still others have updated their HIPAA breach response plan and assumed it now covers Part 2, without accounting for the broader trigger for what counts as a reportable event under Part 2 specifically. Each of these gaps looks small in a policy binder and becomes significant the moment OCR opens a file.

Compliance Doesn't Exist in Isolation

Part 2 compliance sits alongside, not instead of, your state licensing and accreditation obligations. Oregon and Washington programs are still operating under OHA and DOH behavioral health rules, CARF or Joint Commission standards if accredited, and payer-specific documentation requirements, all of which now need to reflect the same consent and disclosure framework. A Part 2 update done in isolation from your broader compliance and risk infrastructure, licensing and accreditation support, and revenue cycle and payer operations tends to create new inconsistencies rather than resolving the original ones. The programs handling this well are treating it as one coordinated update across policy, clinical documentation, technology, and billing, not four separate projects running on different timelines.

How Saint Health Group Helps Programs Close This Gap

Saint Health Group does not just hand a program a memo describing what changed in the final rule. We write the actual consent forms, notice of privacy practices language, and Part 2-specific policies and procedures your program needs, then implement them directly across intake, clinical, records, and billing workflows. We train your staff on the new consent model and the broadened breach-reporting trigger so the people handling records every day actually understand what changed and why. We build the documentation and audit-trail infrastructure needed to respond to an accounting-of-disclosures request or a restriction request without scrambling. And where it matters most, we run a full on-site readiness review of your Part 2 compliance posture (the same way we approach an accreditation mock survey) so your program can demonstrate a genuine, documented compliance program if OCR, a state licensing surveyor, or a payer ever comes asking.

If your program is still working through what the final rule means for your consent process, your EHR configuration, or your breach response plan, reach out to Saint Health Group. We will tell you exactly where the gaps are and then close them, so you have one accountable partner handling this end to end rather than a compliance project spread across your legal counsel, your EHR vendor, and your own team with no one owning the whole picture.

Insights

Practical guides on behavioral health compliance, licensing, and operations — delivered when we publish.

No spam. Unsubscribe anytime.

Saint Health Group
Typically replies in seconds
Saint Health
Hi — I'm here to help. Ask me anything about behavioral health licensing, revenue cycle, compliance, or how Saint Health works.