On February 13, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced a new civil enforcement program focused on protecting the confidentiality of substance use disorder (SUD) patient records under 42 C.F.R. Part 2 (Part 2). This announcement follows the February 16, 2026 compliance deadline for entities subject to the 2024 Part 2 Final Rule.

Expanded Enforcement Activity 

As part of OCR’s new enforcement program, the agency has begun:

• Accepting complaints of Part 2 confidentiality requirement violations
• Investigating potential Part 2 noncompliance
• Receiving breach notifications of Part 2-protected SUD patient records

Enforcement under Part 2 is now aligned with the Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security, and Breach Notification Rules. As a result, OCR has the ability to not only investigate violations, but to impose corrective action plans, administer civil monetary penalties, and enter into resolution agreements. These enforcement powers extend to a wide range of entities, including: 

• Part 2 Programs
• Lawful holders and intermediaries
• Qualified Service Organizations (including Business Associates)
• HIPAA-covered entities

In announcing the initiative, HHS Secretary Robert Kennedy Jr. stated, “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative….” This signals heightened scrutiny and a more aggressive enforcement posture.

Key Risk Areas for Providers

Given this stance from HHS, organizations involved with Part 2 programs should evaluate their compliance efforts, particularly regarding the following risk areas:

• Improper disclosure of Part 2 information
• Failure to include proper Part 2 statements in Notice of Privacy Practices or patient notices
• Deficient patient consent and authorization documentation
• Improper use of SUD records in legal proceedings
• Inadequate workforce training 
• Failure to conduct appropriate risk assessments for Part 2 programs
• Missing or insufficient Qualified Service Organization or Business Associate Agreements

Compliance Steps 

Providers should ensure that the following processes and documentation have been updated to meet the requirements of the Part 2 Final Rule:

• Policies and procedures regarding the use and disclosure of Part 2 information, including for legal proceedings and other third-party requests
• Notice of Privacy Practices and Patient Notices for distribution to patients
• Patient consent and authorization forms to align with Part 2
• Employee training to include the duties and responsibilities regarding protecting Part 2 information
• Qualified Service Organization and Business Associate Agreements that incorporate required Part 2 language

It’s Not Too Late to Act 

Although the compliance deadline has passed, organizations can and should take immediate steps to comply with the Part 2 Final Rule. Proactive compliance efforts can significantly reduce enforcement risk as OCR ramps up oversight.

For assistance with updating policies, documentation, or training to meet Part 2 requirements, please contact Natalie Lesnick.