Part 2 enforcement by OCR

The Office for Civil Rights (OCR) will assume responsibility for enforcing the “Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (“Part 2”), which protect the privacy of patients’ SUD treatment records. The announcement was published in the Federal Register on August 26.

The Part 2 regulations predate HIPAA and have provided special privacy protections for patients’ substance use disorder (SUD) treatment records since 1975. However, until 2024, HIPAA and Part 2 were not aligned, making compliance a challenge for both primary and behavioral healthcare providers.

This announcement sets the stage for OCR to assume enforcement responsibilities from the Substance Abuse and Mental Health Services Administration (SAMHSA), which has been merged into the new Administration for a Healthy America (AHA) under Robert F. Kennedy, Jr., Secretary of the U.S. Department of Health and Human Services (HHS).

The announcement was not unexpected, given recent organizational changes at HHS. OCR already enforces HIPAA and has the investigative staff and experience to enforce Part 2.

HIPAA and Part 2 Are Better Aligned

In February 2024, HHS published a final rule to reduce conflicts between HIPAA and Part 2, promoting coordinated care.

The change, prompted by section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, was meant to increase coordination among providers treating patients for SUDs, strengthen confidentiality protections through civil enforcement, align certain Part 2 requirements with HIPAA, and enhance integration of behavioral health information with other medical records to improve patient health outcomes.

The final rule also:

  • Provides the public with the ability to file complaints alleging violations of the Part 2 confidentiality provisions,
  • Requires Part 2 programs to provide notification of breaches of Part 2 records, aligning them with HIPAA violations,
    • Breaches of data covered by Part 2 will be subject to the same requirements as the HIPAA Breach Notification Rule,
  • Implements HHS’s civil enforcement authority, including the potential for civil money penalties for violations of Part 2, and
  • Allows covered entities to disclose records without patient consent to public health authorities, as long as they de-identify the records in accordance with HIPAA.

A core element of Part 2 regulations has always been that SUD treatment records cannot be used to investigate or prosecute a patient without patient consent or a court order. This provision remains unchanged under the 2024 final rule. The February 2024 final rule fact sheet is here.

Part 2 Compliance Deadline

The 2024 final rule has a compliance deadline of February 16, 2026.

After February 16, OCR may:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with these requirements;
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with these requirements; and
  • Make decisions regarding the interpretation, implementation, and enforcement of these requirements.

Challenges of Part 2 Compliance

EHR Systems Must Adapt

Part 2 regulations date back to 1975, and HIPAA didn’t become law until 1996, both long before electronic health record (EHR) systems were adopted. While EHR systems effectively meet HIPAA requirements, they have yet to incorporate SUD records seamlessly.

Separate regulations and different privacy protections had the unintended consequence of siloing many substance use disorder records. While the 2024 final rule intends to better coordinate care, the reality is that reintegrating SUD records into the EHR system is challenging.

Improving coordinated record-keeping and reducing data silos will take time. New workforce training will be required to help staff understand the new rules and how to use EHR systems to facilitate compliance.
