HHS Announces Civil Enforcement Program for Substance Use Disorder Records

Beginning Feb. 16, noncompliance in protecting confidentiality of SUD patient records could result in penalties aligned with those available under HIPAA
Feb. 16, 2026

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) has announced that for the first time civil enforcement mechanisms will be used to protect the confidentiality of substance use disorder (SUD) patient records.

OCR said the new program executes the SUD confidentiality provisions of section 3221 of the CARES Act and its implementing regulation at 42 CFR part 2 (“Part 2”). 

Beginning Feb. 16, 2026, entities and persons subject to the regulation protecting the confidentiality of SUD patient records must comply with all applicable requirements. The penalties for noncompliance align with the penalties available under HIPAA.

OCR investigations conducted under the new program may be resolved through a range of civil enforcement mechanisms. These include OCR entering into resolution agreements, securing monetary settlements, obtaining commitments for corrective action, or imposing civil money penalties for the failure to comply.

“OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens,” said Paula M. Stannard, director of the HHS OCR, in a statement. “OCR is uniquely positioned to enforce patient rights and the regulated community's obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

Beginning Feb. 16, OCR will accept:
• Complaints alleging violations of the regulation that protects the confidentiality of SUD patient records.
• Notification of breaches of SUD patient records.


Here are some of the ways the Part 2 rule was modified in 2024:

The Patient Consent
• Allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.
• Allows HIPAA covered entities and business associates that receive records under this consent to redisclose the records in accordance with the HIPAA regulations.

Other Uses and Disclosures
• Permits disclosure of records without patient consent to public health authorities, provided that the records disclosed are de-identified according to the standards established in the HIPAA Privacy Rule.
• Restricts the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.

• Penalties: Aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.
• Breach Notification: Applies the same requirements of the HIPAA Breach Notification Rule to breaches of records under Part 2.
• Patient Rights: Provides new rights for patients under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule. Note, the compliance date for the accounting of disclosures will be set when the same right is revised in the HIPAA Privacy Rule.
• Patient Notice: Aligns Part 2 Patient Notice requirements with the requirements of the HIPAA Notice of Privacy Practices.

OCR has also developed a model patient notice and updated its model HIPAA Notices of Privacy Practices for regulated entities to use in providing notice to patients on how federal law protects the confidentiality of SUD patient records. OCR’s Part 2 webpage has more information and resources.

About the Author

David Raths


David Raths is a Contributing Senior Editor for Healthcare Innovation, focusing on clinical informatics, learning health systems and value-based care transformation. He has been interviewing health system CIOs and CMIOs since 2006.

 Follow him on Twitter @DavidRaths
