Publication
42 CFR Part 2 and Privacy Rule Compliance: Action Required by February 16, 2026
Healthcare organizations that create, receive, or maintain substance use disorder (SUD) records, which are referred to as Part 2 programs and subject to strict confidentiality regulations, are required to update their Notices of Privacy Practices (NPPs) and related policies before the February 16, 2026, compliance deadline established under the 2024 Final Rule revising 42 CFR Part 2 (the “Final Rule”). Below, we provide a summary of what steps healthcare organizations should take to meet the upcoming compliance deadline.
Background – Requirements in the Final Rule
In 2024, the U.S. Department of Health and Human Services (HHS) issued a Final Rule that significantly revised the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 to better align them with the Health Insurance Patient Accountability & Affordability Act’s (HIPAA) Privacy Rule. The compliance deadline is February 16, 2026.
The Final Rule authorizes Part 2 programs to utilize a single consent for all treatment, payment, and healthcare operations (TPO). Covered entities, business associates, and Part 2 programs that receive records under a valid TPO consent may redisclose those records consistent with HIPAA, except for use or disclosure in civil, criminal, administrative, or legislative proceedings against the patient, absent the patient’s written consent or a court order. Of note is that any court order authorizing disclosure must be accompanied by a subpoena or similar legal mandate to compel disclosure. The Final Rule also clarifies that a Part 2 program, covered entity, or business associate receiving records based on a single TPO consent is not required to segregate or segment such records.
In addition to the above changes, the Final Rule established a firm February 16, 2026, compliance deadline for entities subject to 42 CFR Part 2 and for covered entities that create, receive, or maintain Part 2 records to update their NPPs.
Which Entities Must Comply
Part 2 Programs. Entities that are Part 2 programs — defined as federally assisted programs providing substance use disorder diagnosis, treatment, or referral for treatment subject to 42 CFR Part 2 — must update their NPP Notice to include all Part 2-required elements, aligned with HIPAA, to ensure that the notice complies with the amended Part 2 requirements under 42 CFR § 2.22.
HIPAA Covered Entities That Receive or Maintain Part 2 Records. HIPAA covered entities that receive or maintain Part 2 records — even if the covered entity is not itself a Part 2 program — must revise their NPPs to address Part 2-specific protections and limits on uses and disclosures of those records.
Core NPP Updates for Part 2 Programs
Revised Headers. The Final Rule requires specific language for Part 2 NPPs, which is not required for standard Privacy Rule NPPs.
Permitted Uses and Disclosures. Part 2 programs must include descriptions of uses and disclosures of Part 2 records, including permitted uses and disclosures without patient consent, and those that specifically require patient consent.
Part 2 Rights. The Part 2 NPP must include identification and sufficient detail regarding the patient’s Part 2 rights, including a statement that the patient may provide a single consent for all future uses and disclosures for TPO purposes.
Part 2 Program Obligations. The Part 2 NPP must include statements about the Part 2 program’s duties and responsibilities.
Core NPP Updates for Covered Entities That Receive or Maintain SUD Records
Notice of Rights Concerning Part 2 Records. Covered entities’ NPPs must inform individuals that the entity creates, receives, or maintains substance use disorder records covered by 42 CFR Part 2, and must describe how such Part 2 records may be used and disclosed by the entity, including more restricted use rules compared to general HIPAA protected health information. The covered entity must ensure that an individual who is the subject of records protected under Part 2 receives notice of the uses and disclosures of such records, and of the individual’s rights and the covered entity’s legal duties with respect to such records. The NPP must also explain that Part 2 records are not treated like other HIPAA-protected health information and generally cannot be disclosed for TPO without specific patient consent under Part 2, unless otherwise permitted.
Limitations on Use and Disclosure. NPPs must now include language explaining that Part 2 records cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings without written consent or a court order after notice and opportunity to be heard consistent with Part 2. Additionally, the NPP must explain that any disclosure of Part 2 records is subject to the stricter Part 2 standards, even if HIPAA might otherwise permit a use or disclosure without authorization.
Fundraising Opt-Out. If the covered entity intends to use Part 2 records for fundraising, the NPP must provide patients with a clear and conspicuous opportunity to opt out of receiving fundraising communications.
Enforcement Risks
Failure to comply with the Final Rule could result in civil monetary penalties or other enforcement actions from HHS’ Office of Civil Rights, which has the authority to investigate allegations of non-compliance.
Summary of Action Steps for Part 2 Programs and HIPAA Covered Entities that Receive or Maintain SUD Records
Revise Notices. Part 2 programs and covered entities that create, receive, or maintain SUD records (collectively, “Organizations”) should revise existing NPPs templates to incorporate Part 2-specific language as required by amended 45 CFR § 164.520 and 42 CFR § 2.22. HHS has clarified that Organizations may combine their Privacy Rule NPP and Part 2 NPP into one document, provided that the notice includes all required information under 45 CFR § 164.520 and 42 CFR § 2.22. Organizations should also review and update distribution practices to ensure all existing and future patients receive the updated notice.
Update Policies and Procedures. Organizations should update consent and authorization forms as appropriate to reflect new disclosure practices. Organizations should also ensure that Part 2 consent protocols are consistent with combined Privacy Rule and Part 2 requirements.
Proactive engagement with counsel can help ensure alignment with both Privacy Rule and Part 2 requirements and mitigate potential enforcement risks.
About Snell & Wilmer
Founded in 1938, Snell & Wilmer is a full-service business law firm with more than 500 attorneys practicing in 17 locations throughout the United States and in Mexico, including Phoenix and Tucson, Arizona; Los Angeles, Orange County, Palo Alto and San Diego, California; Denver, Colorado; Washington, D.C.; Boise, Idaho; Las Vegas and Reno-Tahoe, Nevada; Albuquerque, New Mexico; Portland, Oregon; Dallas, Texas; Salt Lake City, Utah; Seattle, Washington; and Los Cabos, Mexico. The firm represents clients ranging from large, publicly traded corporations to small businesses, individuals and entrepreneurs. For more information, visit swlaw.com.
