The Part 2 Rule Compliance Date is Approaching – Be Ready With This Operational Readiness Checklist

PDF

Enforcement of the updated 42 CFR Part 2 rule is slated to begin on February 16, 2026.  To prepare, covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) that create, receive, maintain, or transmit any substance use disorder (SUD) records must familiarize themselves with the requirements of the Part 2 rule and undertake a review of policies and procedures to ensure compliance.

The Part 2 Requirements

The Part 2 statute (42 U.S.C. 290dd-2) protects “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.” Confidentiality protections help address concerns that discrimination and fear of prosecution may deter people from entering treatment for SUD.

The updated 42 CFR Part 2 rule establishes strict federal confidentiality protections for SUD information, ensuring it is handled more carefully than other protected health information.  Part 2 applies to any record that identifies a patient as having a SUD, whether it comes from a SUD treatment program or is documented during routine care with any type of provider.  In other words, it is important to note that the rule applies to any entity that handles SUD records; it does not apply only to SUD treatment facilities.

Generally, SUD information cannot be used or disclosed for any reason without the patient’s written consent, and any redisclosure is tightly restricted unless a specific exception applies, such as medical emergencies, court orders, audits, and certain research activities, but each exception has strict conditions.  For example, emergency disclosures must be documented, and court‑ordered disclosures require specific judicial findings.

A valid consent must identify the patient, describe the information to be shared, specify who may receive it, state the purpose of the disclosure, and include a statement about the patient’s right to revoke consent. The Part 2 rule also requires covered entities to maintain appropriate safeguards, limit access to staff with a legitimate need to know, and include a redisclosure notice when sharing information in permitted circumstances.    

Operational Readiness Checklist for Providers

1. Operational assessments and employee education are critical to achieving compliance. We recommend that providers undertake a thorough review and update of policies, procedures, and compliance documentation, including data‑handling protocols, access controls, and breach-response processes when SUD information is involved.   
2. Providers must also update their Notices of Privacy Practices to reflect the new Part 2/HIPAA alignment, including information about patient rights, permitted uses and disclosures, and how SUD information is protected.
3. In addition, providers should also review and update their consent and redisclosure processes, ensuring that patient authorization forms, redisclosure notices, and internal workflows reflect the expanded permitted uses and disclosures under the revised rule, while still adhering to Part 2’s heightened confidentiality protections.
4. The assessment of procedures may involve adjustments to information flow within electronic medical record systems and segregation of SUD information. Specifically, providers should evaluate and, if necessary, modify their health IT systems to ensure they can properly identify, segregate, track, and restrict SUD data in accordance with Part 2’s redisclosure limitations and consent requirements.
5. Further, employees, contractors and agents who interact with SUD information should receive targeted training to understand how the Part 2 rules differ from traditional HIPAA requirements governing the use of other protected health information.
6. Lastly, because the Part 2 rules affect how SUD information may be shared with contractors and service providers, organizations should review and update Business Associate Agreements (BAAs) and other data‑sharing arrangements to ensure they accurately reflect the new permitted uses and obligations governing SUD information.

If we can assist with updates necessitated by Part 2, please reach out to any member of Maynard Nexsen’s Health Care team.