On February 16, 2026, the HHS Office for Civil Rights (OCR) began enforcing the updated 42 CFR Part 2 regulations, the federal rules specifically governing records related to substance use disorder (SUD) diagnosis, treatment, and referral.
This enforcement commencement date matters because 42 CFR Part 2 is not HIPAA. It is a separate, stricter federal privacy regime that applies to a defined category of health information and carries its own consent requirements, disclosure prohibitions, and enforcement mechanisms. Organizations that have built their health data compliance programs around HIPAA may have significant gaps in their Part 2 compliance, and those gaps are now in an active enforcement environment.
The timing also matters for the broader digital health ecosystem. Behavioral health technology platforms, mental health apps, integrated health systems handling substance use disorder care, and any technology vendor that processes Part 2 records as a business associate all became subject to enforcement under the updated rules on February 16, 2026.
What 42 CFR Part 2 Is and Why It Exists
42 CFR Part 2 was originally promulgated in 1975, before HIPAA, as a response to a specific policy concern: that fear of criminal prosecution, employment discrimination, and social stigma was preventing individuals with substance use disorders from seeking treatment.
The congressional finding underlying Part 2 was explicit: if people believed that their participation in a federally assisted drug or alcohol treatment program could be used against them in criminal proceedings, they would not seek treatment. The human cost of that deterrence effect would be substantial. Part 2 was designed to remove that deterrent by creating stringent confidentiality protections that go beyond standard medical record privacy.
The key features that make Part 2 stricter than HIPAA:
Prohibition on use in legal proceedings. Part 2 records (defined as any records identifying a patient as having or having been treated for a substance use disorder in a federally assisted program) cannot be used in criminal, civil, or administrative proceedings against the patient without the patient's written consent or a specific court order. This prohibition applies regardless of whether the requester is law enforcement, a court, an employer, or a government agency.
Specific consent requirements. Disclosure of Part 2 records requires patient consent that meets specific requirements: the consent must identify the specific person or organization to whom disclosure will be made, specify what information will be disclosed, state the purpose of the disclosure, and include an expiration date or condition.
Prohibition on re-disclosure. Recipients of Part 2 records who received them with patient consent are prohibited from re-disclosing the records to any other party without a new, specific consent, even to parties who could access the information independently.
Federal preemption. Part 2 preempts state law to the extent that state law is less protective. State health privacy laws that would permit disclosure of SUD records in circumstances where Part 2 prohibits it are overridden by federal law.
What the 2024 Final Rule Changed
The updated 42 CFR Part 2 regulations, finalized by HHS in 2024 and with enforcement commencing February 16, 2026, made several significant changes to align Part 2 with HIPAA's framework while preserving its stricter protections in key areas.
Care Coordination Alignment
The 2024 rule allows Part 2 records to be used for Treatment, Payment, and Health Care Operations (TPO), the same framework that governs most HIPAA-covered disclosures, when the patient has provided a single consent to disclosure for these purposes.
This is a meaningful change from the prior rule, which required specific consent for each disclosure. Under the updated rule, a patient who signs a TPO consent at the time they enter treatment can have their Part 2 records flow through integrated health care systems for coordination and payment purposes without requiring a new consent for each disclosure.
The practical effect: integrated health systems that use shared electronic health records for care coordination can now receive and use Part 2 records within their systems for TPO purposes without encountering the per-disclosure consent requirement that previously made care coordination operationally difficult.
What the Change Does Not Eliminate
The 2024 rule does not eliminate the core protections that distinguish Part 2 from HIPAA.
The prohibition on use in legal proceedings remains. Even if Part 2 records are flowing through an integrated health system for TPO purposes, they cannot be disclosed to law enforcement, courts, or government agencies for use in proceedings against the patient without specific consent or court order.
The re-disclosure prohibition is maintained with modifications. Recipients of Part 2 records who received them through the TPO pathway are still subject to Part 2's confidentiality requirements and must treat those records as Part 2-protected when considering further disclosures.
Sensitive categories within Part 2 are preserved. Records specifically documenting substance use disorder diagnosis and treatment retain their heightened protection even as the rule allows more care coordination flexibility.
Breach Notification Alignment
The 2024 rule requires Part 2 programs to apply the same breach notification requirements as HIPAA โ notifying OCR and affected individuals within the same timeframes. This closes a gap in the prior rule, which had less explicit breach notification requirements for Part 2 programs that were not otherwise HIPAA-covered entities.
Who Is Subject to Part 2
Part 2 applies to "Part 2 programs", defined as any program that holds itself out as providing substance use disorder diagnosis, treatment, or referral for treatment, and that is federally assisted in any way.
"Federally assisted" is defined broadly: it includes any program that receives federal funding (including Medicaid and Medicare reimbursement), is licensed under federal law, is operated by or within a federal agency, or benefits in any way from federal assistance. In practice, this covers the vast majority of addiction treatment programs, substance use disorder clinics, and related services in the United States.
The 2024 rule extends Part 2 obligations to:
Business associates of Part 2 programs. Organizations that receive Part 2 records in the course of providing services to a Part 2 program (including electronic health record vendors, behavioral health technology platforms, billing services, analytics companies, and cloud storage providers) are now directly subject to Part 2 requirements as part of the business associate framework.
This is a significant expansion. Under the prior rule, Part 2 obligations ran primarily to the covered program itself. The 2024 rule explicitly brings business associates into the Part 2 compliance framework, with direct obligations and direct enforcement exposure.
Health systems receiving Part 2 records through care coordination. A general acute care hospital that receives Part 2 records from a substance use disorder treatment program through the new TPO pathway must treat those records in compliance with Part 2, not just HIPAA, as to any further disclosures.
OCRโs Expanded Enforcement Priorities in 2026
The February 16 enforcement commencement for Part 2 is part of a broader expansion of OCR enforcement priorities in 2026.
Risk Analysis Initiative. OCR has maintained an ongoing enforcement initiative focused on HIPAA covered entities' compliance with the Security Rule's risk analysis requirement, the obligation to conduct a thorough assessment of potential risks and vulnerabilities to electronic protected health information. In 2026, OCR Director Paula M. Stannard has stated that the risk analysis initiative will expand to include risk management: not just whether a risk analysis was conducted, but whether the organization actually implemented safeguards in response to identified risks.
This expansion matters because many organizations have conducted risk analyses that produce detailed findings and then failed to remediate the identified gaps on a documented timeline. An organization that can produce a risk analysis showing known vulnerabilities but cannot produce evidence of follow-on risk management actions is in a worse position in an OCR investigation than an organization with no risk analysis, because it has documented knowledge of the risks it failed to address.
42 CFR Part 2 as a New Investigation Category. With enforcement commencing February 16, Part 2 is now an active enforcement category for OCR. The agency has new delegated authority to investigate Part 2 violations (previously, Part 2 enforcement was handled differently within HHS) and has signaled that it will use that authority.
Penalty Structure. The 2026 HIPAA penalty structure has been adjusted for inflation:
- Tier 1 (Lack of Knowledge): $141 to $36,298 per violation
- Tier 2 (Reasonable Cause): $1,452 to $72,596 per violation
- Tier 3 (Willful Neglect, Corrected): $14,522 to $72,596 per violation
- Tier 4 (Willful Neglect, Not Corrected): $72,596 to $2,190,294 per violation
The calendar-year cap per violation category is $2,190,294. Criminal penalties remain up to 10 years imprisonment for knowing violations.
Implications for Digital Health and Behavioral Health Technology
The intersection of Part 2's enforcement commencement with the broader behavioral health technology market creates specific compliance obligations that digital health companies need to address.
Electronic Health Record Vendors. EHR vendors that store, transmit, or process Part 2 records as a business associate are now directly subject to Part 2โs confidentiality requirements. This includes obligations to maintain audit trails of Part 2 record access, implement access controls that differentiate Part 2 records from standard HIPAA PHI, and report breaches to OCR under the same timeline as HIPAA breaches.
Behavioral Health Apps and Platforms. Platforms providing services in the substance use disorder treatment space (including digital therapeutics, medication-assisted treatment support apps, peer support platforms, and telehealth services for SUD) that receive, store, or process Part 2 records must implement the consent framework the 2024 rule requires. Generic HIPAA-compliant authorization forms are not sufficient; Part 2-specific consent documentation is required.
Analytics and AI Companies Receiving Health Data. Companies that receive health system data for analytics, population health management, or AI model development must determine whether the data they receive includes Part 2 records. If it does, the 2024 rule's business associate obligations apply, and the re-disclosure prohibitions limit how that data can be used in ways that standard HIPAA business associate agreements do not address.
Claims and Billing Processors. Billing and revenue cycle management companies processing claims that may include SUD treatment encounters are receiving Part 2 records in the course of their operations and are subject to the business associate framework under the 2024 rule.
The Practical Compliance Checklist
Organizations that touch substance use disorder records or provide services to programs that do should assess their current compliance against the following:
Determine whether Part 2 applies. Review your operations and business associate relationships to identify whether you are a Part 2 program, a business associate of a Part 2 program, or a downstream recipient of Part 2 records through care coordination pathways.
Audit consent documentation. If you are a Part 2 program, confirm that your patient consent forms satisfy the 2024 rule's requirements, including specificity of recipient, disclosure purpose, and expiration conditions. Generic HIPAA authorizations do not satisfy Part 2's consent standard.
Segregate Part 2 records in electronic systems. Access controls, audit logs, and disclosure tracking must operate differently for Part 2 records than for standard HIPAA PHI. Systems that treat all health records uniformly are likely to have Part 2 compliance gaps.
Review business associate agreements for Part 2 provisions. Standard HIPAA business associate agreements do not include Part 2-specific provisions. If you are a Part 2 program, your BAAs with vendors who receive Part 2 records need to include obligations that reflect the 2024 rule's requirements.
Implement breach notification protocols for Part 2. Confirm that your breach detection and notification process applies to Part 2 records with the same timeliness as HIPAA breach response, including OCR notification and patient notification.
Confirm risk analysis and risk management documentation. Given OCR's expanded focus on risk management outcomes (not just risk analysis existence), ensure that identified security risks have documented remediation timelines and that completed remediation is documented.
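As an added illustration of the consent elements listed earlier and of the segregated access control, disclosure tracking and audit trail the checklist calls for (example code written for this discussion, not from the article, the regulation text, or any vendor's product): a disclosure gate that treats records flagged as Part 2 differently from ordinary PHI. The consent fields mirror the four elements the article names; the record model, the organization names, the purpose strings and the log shape are assumptions.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Consent:                # the four elements a Part 2 consent must carry
    patient_id: str
    recipient: str            # the specific person or organization named
    scope: frozenset          # which information may be disclosed
    purpose: str              # stated purpose, e.g. "TPO"
    expires: date             # expiration date (the rule also allows a condition)

@dataclass(frozen=True)
class Record:
    patient_id: str
    category: str             # e.g. "sud_treatment" or "labs"
    part2: bool               # identifies SUD care in a federally assisted program

AUDIT: list = []              # append-only trail of every Part 2 access decision

def evaluate_disclosure(rec, requester, purpose, consents, today):
    """Return (allowed, reason). Part 2 records pass only on a matching, unexpired consent."""
    if not rec.part2:
        return True, "not a Part 2 record; ordinary HIPAA rules apply"
    decision = (False, "no consent names this recipient, information and purpose")
    for c in consents:
        # Recipient and purpose must be named explicitly: a consent held by the
        # originating program does not let a downstream recipient re-disclose,
        # and a TPO consent never matches a "legal_proceeding" purpose
        # (court orders are handled outside this check).
        if (c.patient_id, c.recipient, c.purpose) != (rec.patient_id, requester, purpose):
            continue
        if rec.category not in c.scope or c.expires < today:
            continue          # wrong information category, or consent has expired
        decision = (True, f"consent to {c.recipient} for {c.purpose} valid until {c.expires}")
        break
    AUDIT.append({"patient": rec.patient_id, "requester": requester,
                  "purpose": purpose, "allowed": decision[0], "reason": decision[1]})
    return decision

# Constructed sample data (hypothetical names): one TPO consent naming the hospital.
CONSENTS = [Consent("p-001", "General Hospital", frozenset({"sud_treatment"}),
                    "TPO", date(2026, 12, 31))]
SUD_NOTE = Record("p-001", "sud_treatment", part2=True)
LAB_RESULT = Record("p-001", "labs", part2=False)
TODAY, AFTER_EXPIRY = date(2026, 3, 1), date(2027, 1, 1)

if __name__ == "__main__":
    print(evaluate_disclosure(SUD_NOTE, "General Hospital", "TPO", CONSENTS, TODAY))
    print(evaluate_disclosure(SUD_NOTE, "Analytics Vendor", "TPO", CONSENTS, TODAY))
    print(evaluate_disclosure(SUD_NOTE, "General Hospital", "legal_proceeding", CONSENTS, TODAY))
```

The second call shows the re-disclosure rule in practice: the hospital's TPO consent does not carry over to a vendor that is not named in it, and every Part 2 decision, allowed or denied, lands in the audit trail.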
42 CFR Part 2's enforcement commencement on February 16, 2026 is one of the least-publicized but most consequential health privacy developments of the year. For the large portion of the U.S. health system now involved in substance use disorder care (through integrated health systems, behavioral health technology platforms, and the full ecosystem of vendors that support them), Part 2 is now operative law with active enforcement authority behind it.
For broader context on the digital health compliance environment, see our analysis of digital therapy compliance and the intersection of HIPAA, 42 CFR Part 2, and FTC regulation.
Sources: HHS Office for Civil Rights (42 CFR Part 2 Enforcement Commencement, February 16, 2026); HHS Final Rule on 42 CFR Part 2 (2024); Mercer (HHS adjusts 2026 HIPAA, certain ACA and MSP monetary penalties); Medcurity (HIPAA Penalties in 2026); OCR Director Statement on Risk Analysis Initiative Expansion; Network Intelligence (HIPAA Enforcement Rule 2026); HIPAA Journal (HIPAA Violation Fines Updated 2026). This article is provided for informational purposes only and does not constitute legal advice.