Key Points

• Recent changes to HIPAA regulations and the federal regulations regarding substance use disorder (SUD) treatment records under 42 CFR Part 2 (Part 2) required three changes by Feb.16, 2026.
• All providers that have SUD treatment programs subject to Part 2 (Part 2 Providers) must now publish Notices of Privacy Practices (NPPs).
• Providers that are HIPAA-covered entities but do not have a substance abuse program subject to Part 2 must update their NPPs.
• Health plans (including employer sponsors of self-insured group health plans) must update their published NPPs.

Coming to the rescue of providers that waited to make the required changes to their Notices of Privacy Practices regarding SUD treatment records, the federal government itself waited until February 16 to update its model Notice of Privacy Practices to provide sample language that can be used to update or help draft NPPs for Part 2 compliance.

What prompted the new Part 2 requirements and why are they important?

Providers with Part 2 substance abuse treatment programs[1] have long had separate requirements covering the confidentiality of their Part 2 records. Changes were made in the last two years to align Part 2 more closely with HIPAA. This is important because the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), the “HIPAA policeman,” is now also responsible for enforcing violations of Part 2, which were previously enforced by SAMHSA (the Substance Abuse and Mental Health Services Administration). OCR has already announced the launch of its new enforcement program, encouraging the submission of complaints. See: Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records.

What are the requirements for HIPAA Covered Entities that do not have Part 2 substance abuse treatment programs?

Health care providers that do not have Part 2 substance abuse programs must update their NPPs if they receive Part 2 records from Part 2 substance abuse programs (for example, in the course of treating patients who have a history of SUD treatment). As mentioned above, OCR on Feb. 16 published a model notice of privacy practices. However, this model NPP must be customized to describe a specific provider’s uses and disclosures of protected health information and reflect any applicable state requirements, so it is likely simpler to take the model language regarding Part 2 records and add it to your current NPP:

“To the extent that we have your substance use disorder patient records, subject to 42 CFR part 2, we will not share that information for investigations or legal proceedings against you without (1) your written consent or (2) a court order and a subpoena.”

What are the requirements for Part 2 Programs?

Providers that operate Part 2 Programs that are not HIPAA covered entities are now required to publish NPPs that comply with Part 2. Part 2 Programs that are also HIPAA covered entities must update their NPPs to include information about substance abuse records, either by using a separate NPP for the Part 2 Program or creating a combined NPP that meets the requirements of HIPAA and Part 2. The Notice of Privacy Practices for Part 2 programs needs to include, for example:

• A statement that patients have the right to consent to most uses and disclosures of Part 2 records.
• A statement that patients may provide a single consent for all future uses or disclosures for treatment, payment and health care operations.
• Patients’ specific rights under the new Part 2 framework (e.g., rights to restrict disclosures or request accounting of disclosures).
• Limitations on disclosure of Part 2 records, particularly legal restrictions.
• Choose in advance whether to receive fundraising communications.

What policies and procedures need to be updated?

In addition to updating NPPs, all providers with Part 2 records should review and revise their internal privacy policies and procedures to ensure workforce members understand how to comply with the statements made in the NPP. Policies that may require updating include:

• Disclosures for judicial and administrative proceedings (a stand-alone Part 2 consent may be required in proceedings against a patient if there is no court order).
• Disclosures to law enforcement.
• Any other policy that could involve disclosures of Part 2 records in connection with civil, criminal, administrative or legislative proceedings involving a patient.

In addition, Part 2 Programs will need to create new consent forms to comply with the Part 2 requirements[2].

What are the requirements for group health plans?

Group health plans must also update their Notice of Privacy Practices, as Part 2 records may be received by the plan if a plan member receives services from a Part 2 Program that submits a claim to the plan. As with covered entity providers that are not Part 2 Programs, amending the NPP to simply add the Part 2-related language is likely the most efficient approach.

Please contact Margaret Davino at mdavino@foxrothschild.com or Elizabeth Litten at elitten@foxrothschild.com if you have questions about how these requirements apply to your organization or if you need assistance updating your NPP or related policies.

[1] A Part 2 substance abuse disorder treatment program is a program that holds itself out as providing, and provides diagnosis, treatment or referral for treatment of substance abuse disorders and receives federal assistance (as defined under Part 2) - for example, by participating in Medicare being registered to dispense a substance under the federal Controlled Substances Act to treat substance use disorders, by having IRS tax exemption, or by receiving any other form of federal funding.. A program that is entirely private pay is not covered under Part 2 if it does not receive any “federal assistance.” Part 2 also does not apply to information on substance use disorder patients maintained in connection with the Department of Veterans Affairs’ provision of health care services.

[2] Only Part 2 programs need to have Part 2 consent forms since non-Part 2 programs are subject to HIPAA with respect to records received from a Part 2 program and would use HIPAA authorizations for its “regular” records (not Part 2 consents).

This information is intended to inform firm clients and friends about legal developments, including the decisions of courts and administrative bodies. Nothing in this alert should be construed as legal advice or a legal opinion. Readers should not act upon the information contained in this alert without seeking the advice of legal counsel. Views expressed are those of the authors and not necessarily this law firm or its clients.