Part 2 changes under HIPAA

For years, healthcare providers treating patients with substance use disorders (SUD) have navigated a complicated, often confusing “double standard” of privacy. On one side, there was HIPAA; on the other, the much stricter 42 CFR Part 2 (Part 2).

The wait for alignment is over. The U.S. Department of Health and Human Services (HHS) has officially revised the Part 2 regulations to align more closely with HIPAA. These updates aim to improve care coordination while maintaining strong protections for patients seeking SUD treatment.

If you are a covered entity or a business associate, your workflow and paperwork need to change. For users of The HIPAA E-Tool®, we have updated your policies, procedures, and forms.

Here’s a breakdown of what you need to do differently starting today.

The Tale of Two NPPs: Which One Do You Use?

A significant change involves the Notice of Privacy Practices (NPP). Under the new modifications, there isn’t just a standard NPP update; the one you distribute depends on whether you treat patients or clients with substance use disorder.
  • The Revised HIPAA NPP: Every HIPAA covered entity (whether treating SUD patients or not) must update its standard NPP. The revised version now includes specific language regarding the privacy of SUD records.
  • The New Part 2 SUD NPP: This is a specialized notice. It is required for covered entities that participate in Part 2 Programs (providing SUD diagnosis, treatment, or referral). This notice is more robust, explaining the specific protections and limitations unique to SUD records, and the patient’s right to request restrictions on disclosures for treatment, payment, and health care operations (TPO) if they have paid out-of-pocket in full.
The Action Step: All covered entities should use the new revised HIPAA NPP for all patients and clients. If you are a provider that does not treat SUD patients and does not participate in Part 2 Programs, you do not need to use the new Part 2 SUD NPP. But if you are either 1) a general clinic, hospital, primary care group, or other provider that may treat SUD patients, or 2) a dedicated SUD treatment facility, you must also provide the new Part 2 SUD NPP.

The Single Consent Revolution for Part 2

Perhaps the most welcome change for providers is the simplification of Part 2 patient consent. Historically, Part 2 required a separate, highly specific written consent for nearly every disclosure of SUD records. This created huge obstacles for billing and integrated care.
The modifications now enable Part 2 programs to get a single consent from a patient for all future uses and disclosures related to Treatment, Payment, and Health Care Operations (TPO).
  • How it works: Once a patient signs this broad consent, the Part 2 program can share those records with other providers, clearinghouses, or business associates for TPO purposes, much like they do under HIPAA.
  • The Downstream Benefit: Once these records are disclosed to a HIPAA-covered entity (such as a primary care doctor or insurer) under the TPO consent, the receiving entity can further redisclose them in accordance with HIPAA regulations. This prevents the “siloing” of SUD information, which can threaten patient safety.

Breach Notification and Penalties

The modifications have also aligned outcomes in the event of a privacy breach.
  • Breach Notification: Part 2 programs are now required to comply with the same Breach Notification Rule that HIPAA covered entities have followed for years. If SUD data is compromised, the notification process is now standardized.
  • Enforcement: Penalties for Part 2 violations now follow HIPAA’s tiered penalty structure. This gives the Office for Civil Rights (OCR) more power to enforce Part 2, while also providing providers with a clearer view of the compliance landscape.

What This Means for Business Associates

If you are a Business Associate (BA) for an SUD provider, your role has become clearer and more streamlined. You can now manage SUD records within the same TPO framework as other Protected Health Information (PHI), as long as your Business Associate Agreement (BAA) and the patient consents are in place.

What Has Not Changed

Patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written consent from the patient or a court order.

Records obtained during an audit or evaluation of a Part 2 program cannot be used for investigation or prosecution unless there is written consent from the patient or a court order that complies with Part 2 requirements.

The HIPAA E-Tool® Has You Covered

We understand that “alignment” often seems like more work upfront. That’s why we’ve already handled the difficult part for our customers.
If you use The HIPAA E-Tool® your program has been updated with:
  1. The Revised HIPAA NPP for all covered entities.
  2. The New Part 2 SUD NPP for those providing SUD treatment.
  3. The New TPO Consent Forms that allow for that single, broad signature.
  4. Updated Policies and Procedures reflecting the new redisclosure rules and breach notification requirements.

As we mentioned in our previous review of these changes, the purpose of this alignment is to focus on the “whole patient” without the administrative hurdles of the past. By updating your forms and training your staff on these new consent rules, you aren’t just ensuring compliance—you’re offering better, more coordinated care.

Not an E-Tool user yet? Now’s the time to update your SUD privacy practices to ensure they’re current. Contact us today to learn how we can help automate your compliance.

Free HIPAA Checklist
What best describes you?