The HHS Office for Civil Rights (OCR) announced a new robust civil enforcement program to protect substance use disorder (SUD) patient records under 42 C.F.R. Part 2 (Part 2). The Part 2 regulations were recently updated to align more closely with HIPAA, with the revised requirements effective February 16, 2026. They apply to Part 2 SUD treatment programs, their qualified service organization vendors, and other lawful holders of SUD records—including many HIPAA-regulated entities. OCR stated that it will investigate complaints alleging noncompliance with Part 2 and data breaches involving SUD records under the same framework it uses for HIPAA. An OCR finding of a Part 2 violation may result in civil money penalties.
From a compliance perspective, organizations should treat SUD records with the same baseline privacy and security rigor as other protected health information (“PHI”), while accounting for additional consent, redisclosure, and documentation requirements that are unique to Part 2. An organization with SUD records should consider updating internal policies, public privacy notices, and internal data breach response protocols to reflect those distinctions.
Compliance Obligations
- Breach Reporting: The Part 2 regulations require organizations to report breaches of unsecured SUD records using the same framework as the HIPAA Breach Notification Rule. For example, for data breaches involving Part 2 records affecting 500 or more individuals, the HIPAA Breach Notification Rule requires organizations to submit a report to OCR without unreasonable delay and no later than 60 calendar days after discovery (breaches affecting fewer than 500 individuals are logged and reported to OCR annually). Reports are submitted through OCR's breach portal, which includes one submission path for data breaches involving PHI and a separate submission path for data breaches involving SUD records. This means that a single data breach may lead to two reports to OCR: one HIPAA breach report covering unsecured PHI (which may also include SUD records) and a separate Part 2 breach report specific to SUD records.
- Notices of Privacy Practices: According to the Part 2 regulations, Part 2 programs and HIPAA-covered entities that receive or maintain SUD records must have patient privacy notices that describe protections specific to SUD records (e.g., prohibiting use of SUD records in certain legal proceedings without consent or a qualifying court order). HHS has released long-awaited revised model notices to assist Part 2 programs and covered entities with compliance.
Enforcement and Consequences of Noncompliance
- Complaints: Starting February 16, 2026, patients and members of the public may file complaints directly with OCR for any suspected improper use or disclosure of SUD records under Part 2. OCR will likely review these with the same scrutiny as complaints alleging noncompliance with HIPAA.
- Civil Enforcement Authority & Dual Penalties: OCR has express authority to enforce Part 2 under the CARES Act amendments to 42 U.S.C. § 290dd-2, which extended HIPAA’s enforcement mechanisms to Part 2 violations. As a result, noncompliance with Part 2 may trigger OCR resolution agreements, corrective action plans, monetary settlements, and civil money penalties. OCR’s press release confirms that Part 2 penalties "align with the penalties available under" HIPAA's Privacy, Security, and Breach Notification Rules, meaning the tiered HIPAA penalty schedule now applies to SUD record violations. Civil money penalty amounts are set forth in 45 C.F.R. § 160.404 and adjusted annually for inflation pursuant to 45 C.F.R. Part 102. Penalties can reach approximately $70,000 per violation (with continuing violations counted per day) and are capped at approximately $2.1 million per calendar year for violations of an identical requirement. Practically, this means that a single data breach could constitute noncompliance with both HIPAA and Part 2 (e.g., an impermissible disclosure of PHI that is also a Part 2 record), which may result in doubled monetary penalties.
Key Takeaways
Organizations should take note of three critical compliance developments that became effective February 16, 2026. First, entities that maintain SUD records must have an updated Notice of Privacy Practices that addresses SUD-specific protections. Second, data breaches involving SUD records require a separate Part 2 breach report to OCR in addition to any HIPAA breach report for the same breach. Third, OCR has the authority to investigate and enforce Part 2 violations just as it does HIPAA violations. Until OCR provides further guidance clarifying how it will handle overlapping HIPAA and Part 2 violations, organizations should assume that a Part 2 violation may result in double penalties.
Reed Smith will continue to follow developments with regard to the regulation of SUD records. If you have any questions about this announcement or the regulation of records under Part 2, please do not hesitate to reach out to the authors.