Feb. deadline approaches for Part 2 compliance and NPP updates: What providers need to know

Alert

Healthcare providers and others who create, receive or maintain substance use disorder (SUD) patient identifying information should be aware of an upcoming compliance deadline on February 16, 2026, which will require many providers to update their Notice of Privacy Practices (NPP), among other things. In 2024, the Department of Health and Human Services (HHS) issued a Final Rule, which published regulations as required by the CARES Act. The Final Rule implemented changes to the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations, also known as “Part 2,” to implement CARES Act provisions and align Part 2 more closely with HIPAA regulations.  

Part 2 is a set of regulations designed to place specific restrictions around the use of SUD records to ensure that individuals receiving SUD treatment do not suffer criminal or certain other consequences because of their decision to seek SUD treatment. Part 2 is intended to prevent stigma against SUD patients and encourage people to seek SUD treatment.

Applicability

Healthcare providers and companies that access SUD information should review whether and how Part 2 applies to them, if they have not already done so. The Part 2 regulations apply to Part 2 programs, as well as various healthcare providers and others who receive or maintain Part 2 records or related information. Part 2 protection follows and continues to apply to Part 2 records and related patient identifying information even after it leaves the Part 2 program. For example, Part 2 records continue to be protected under Part 2 (and HIPAA) after being disclosed to a lawful holder, qualified service organization/business associate or intermediary. The obligations of each party depend in large part on how it received the Part 2 records.

The Part 2 regulations define four main categories of providers and Part 2 record recipients under Part 2: Part 2 programs, lawful holders of Part 2 records, qualified service organizations, and intermediaries. The Final Rule added lawful holder and intermediary definitions and revised the definition of qualified service organization.

  • In general, a Part 2 program is a facility or other provider that holds itself out as providing SUD diagnosis, treatment or referral for treatment and receives some form of federal assistance.
  • A lawful holder of Part 2 records is an individual or entity who has received SUD information either pursuant to a written consent accompanied by a notice identifying the information as subject to Part 2 or pursuant to an exception to the Part 2 written consent requirements, such as a physician who receives Part 2 records from a Part 2 program with a Part 2 disclosure, or a business associate/qualified service organization that provides services to the Part 2 program.
  • A qualified service organization is an individual or entity that provides services to a Part 2 program and has agreed in writing to be bound by the Part 2 regulations when dealing with Part 2 records and to resist efforts to obtain access to patient identifying information related to SUD diagnosis, treatment or referral for treatment except as permitted under Part 2. The Final Rule clarified that a business associate of a Part 2 program is a qualified service organization with respect to the use or disclosure of protected health information that is also a Part 2 record. 
  • An intermediary is an organization (other than a Part 2 program, HIPAA covered entity or business associate) who has received Part 2 information under a general patient consent for disclosure to the intermediary’s member participant(s) for treatment purposes. Examples of an intermediary include a health information exchange, an accountable care organization, a research institution, or a care management organization.
Changes to Part 2 regulations

A major goal of the Final Rule is to more closely harmonize HIPAA regulations and Part 2 regulations. A few examples of increased alignment with HIPAA include:

  • Ensuring that de-identification standards between HIPAA and Part 2 are consistent.
  • Part 2 records are subject to the same breach notification requirements that exist under HIPAA.
  • Patient consents are aligned with HIPAA’s patient consent disclosure allowances for treatment, payment, or healthcare operations. A single consent can generally be used for HIPAA and Part 2, although a Part 2 consent for use or disclosure in a civil, criminal, administrative, or legislative investigation or proceeding cannot be combined with a consent to use and disclose a record for any other purpose.
  • Similar to HIPAA, as part of the regulatory updates, Part 2 programs must develop a process through which patients may lodge a complaint with the Part 2 program. Patients also have the opportunity to now submit complaints directly to the HHS Secretary.
  • Covered entities that are also Part 2 programs are allowed to use a single NPP if desired.
  • Part 2 is now subject to enforcement by the HHS Office for Civil Rights and to the same penalties as under HIPAA. Scrutiny and related enforcement risks under Part 2 are therefore expected to increase.

NPPs are required to be updated by February 16, 2026. Required NPP provisions for Part 2 programs include:

  • A description of any permissible uses or disclosures, as well as restrictions, that reflect the more stringent Part 2 restrictions.
  • A statement that Part 2 records may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the individual unless based on specific written consent or a court order.
  • Warning that Part 2 records that are disclosed to a part 2 program, covered entity or business associate may be further disclosed by the recipient without the patient's written consent to the extent permitted under HIPAA regulations.
  • If Part 2 records will be used for fundraising purposes, there must be a conspicuous opportunity to opt out of fundraising communications.
Next steps

Healthcare providers that receive or maintain Part 2 records should review and update their NPP and business associate agreements (and/or qualified service organization agreements), as well as Part 2 and HIPAA policies and procedures, keeping in mind that obligations may differ based on what category you or your organization fall into under Part 2. Patient consent/authorization forms should be updated to reflect the Final Rule. As changes are implemented, it is important to educate your workforce through adequate training.

If you have any questions or would like assistance with your Part 2 or HIPAA updates, please contact Patrick Campbell or Rick Hindmand.

Related Services

Jump to Page

McDonald Hopkins uses cookies on our website to enhance user experience and analyze website traffic. Third parties may also use cookies in connection with our website for social media, advertising and analytics and other purposes. By continuing to browse our website, you agree to our use of cookies as detailed in our updated Privacy Policy and our Terms of Use.

scullery23