Time to Update Your Notice of Privacy Practices and Ensure Your SUD Confidentiality Compliance
Almost two years ago, the U.S. Department of Health and Human Services (HHS) issued a final rule significantly modifying the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 CFR Part 2 (“Part 2”). Now, the February 16, 2026, compliance deadline is around the corner. Part 2 programs and recipients of their data, including other providers and health plans, must ensure compliance in light of the possibility of increased enforcement of the rule.
Background
Part 2 applies to Part 2 programs, which are entities that are “federally assisted” and “hold [themselves] out as providing . . . substance use disorder diagnosis, treatment, or referral for treatment.” Part 2 programs include, for example, opioid treatment programs.
Importantly, Part 2 also applies to most entities that receive Part 2 data from a Part 2 program, even if those entities don’t operate SUD programs. This means that health care providers, health plans and other organizations need to comply with certain Part 2 requirements with respect to SUD data they receive from Part 2 programs. Compliance with Part 2 often presents operational challenges because Part 2 generally is stricter than the Health Insurance Portability and Accountability Act (HIPAA) privacy rule, the primary federal health care privacy regulation.
Part 2 has historically been unenforced; however, in March 2020, Congress enacted the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which modified the statute underlying Part 2 and subjected Part 2 violations to the HIPAA enforcement regime, including civil monetary penalties. As a result, there is now a risk of increased enforcement of its regulatory requirements.
Obligations Under the Final Rule
The Final Rule more closely aligns Part 2 with HIPAA in several respects, while maintaining greater privacy protections for SUD data than those offered to other health care data. The following describes some of the key new compliance obligations under the Final Rule.
Required Updates to Part 2 Notice of Privacy Practices (NPP)
Like HIPAA-covered entities, Part 2 programs must issue NPPs. Still, there are important distinctions. Among others, Part 2 NPPs must explain uses and disclosures of patient SUD data and must supplement existing requirements to inform patients of protections to SUD data.
Required Updates to HIPAA NPPs
The HHS Office for Civil Rights separately amended HIPAA regulations to require covered entities that receive Part 2 data to include information in their NPPs about their practices related to Part 2 data. Among other requirements, they must include a separate statement about the limited use of SUD data, including that they will not be used in proceedings against the patient, absent consent or a court order.
Entities subject to both HIPAA and Part 2 may either combine or issue separate NPPs.
Prohibition Against Disclosures Against Patients
The Final Rule generally prohibits Part 2 data from being used in “any civil, criminal, administrative, or legislative proceedings against a patient.” Patients may consent to use of their data for such purpose, but such a consent must be limited to that purpose.
New Obligations Accompanying Disclosures
The Final Rule requires recipients to understand when data they receive is subject to Part 2. Part 2 programs sharing data must include either a copy of the consent form or a “clear explanation of the scope of the consent.”
SUD Counseling Notes
Part 2 programs that maintain “SUD counseling notes”—notes documenting an SUD counseling session that are separated from the remainder of the patient’s record—cannot disclose such notes under their standard consent forms. Instead, such programs must use a separate consent form that applies solely to those notes.
New Flexibilities
Part 2 programs and data recipients have been able to take advantage of the new flexibilities under the Final Rule ever since its effective date in April 2024. Nevertheless, the compliance date is an opportune time for organizations to consider operationalizing those flexibilities, if they have not already done so.
The Final Rule allows for the use of treatment, payment and health care operations (TPO) consents, allowing easier disclosure and redisclosure of Part 2 data. In particular, covered entities and business associates that receive Part 2 data under a TPO consent generally can use and disclose that data in compliance with HIPAA, so long as they ensure that the data is not used or disclosed in a legal proceeding against the patient (see above).
In addition, Part 2 programs may create and disclose de-identified data pursuant to HIPAA standards.
Conclusion
The 2024 Part 2 Final Rule significantly changed the landscape of federal SUD privacy protections. While the Final Rule promotes the sharing of such information for certain purposes, it also includes several important new compliance obligations. In light of , both Part 2 programs and recipients of Part 2 data should carefully review those obligations and finalize their compliance posture now.
42 C.F.R. § 2.11
42 C.F.R. § 2.22; 45 C.F.R. § 164.520
45 C.F.R. § 164.520; Purl v. US Dept. of Health and Human Services, 787 F. Supp. 3d 284 (N.D. Tex. 2025)
42 C.F.R. §§ 2.12(d)(1), 2.31(d)
42 C.F.R. §§ 2.12(d)(1), 2.31(d)
42 C.F.R. § 2.32
42 C.F.R. § 2.31; 89 Fed. Reg. 12472, 12549 (Feb. 16, 2024)
42 C.F.R. §§ 2.31, 2.33
42 C.F.R. § 2.54; 89 Fed. Reg. 12472, 12545, 12570 (Feb. 16, 2024)