HHS OCR launches civil enforcement program for Part 2: What SUD providers and lawful holders need to do now

On Feb. 13, 2026, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced the launch of a new civil enforcement program for the confidentiality of substance use disorder (SUD) patient records under 42 C.F.R. Part 2 (Part 2). Civil enforcement authority begins today, Feb. 16, 2026, which is also the deadline for compliance with the 2024 Final Rule implementing Section 3221 of the CARES Act.

This announcement confirms what many providers anticipated: Part 2 is no longer a largely complaint-driven, criminal enforcement framework. It is now aligned with HIPAA-style civil enforcement, with OCR empowered to investigate, impose corrective action plans, enter into resolution agreements, and assess civil monetary penalties.

For healthcare providers and organizations that create, receive, or maintain SUD patient-identifying information, enforcement risk goes up significantly beginning Feb. 16.

What OCR announced

OCR’s new program formally implements the civil enforcement provisions added by the CARES Act and incorporated into the Feb. 2024 Final Rule modifying 42 C.F.R. Part 2.

Beginning Feb. 16, 2026, OCR will:

  • Accept complaints alleging violations of Part 2 confidentiality requirements
  • Accept breach notifications involving SUD patient records
  • Investigate compliance
  • Resolve matters through resolution agreements, corrective action plans, monetary settlements, and/or civil monetary penalties

Penalties now align with those available under HIPAA’s Privacy, Security, and Breach Notification Rules.

This is the first time OCR will exercise civil enforcement authority over Part 2-regulated entities in a manner comparable to HIPAA enforcement.

Reminder: Feb. 16 compliance deadline

As discussed in our Feb. 9 alert, “Feb. deadline approaches for Part 2 compliance and NPP updates: What providers need to know,” the 2024 Final Rule significantly harmonizes Part 2 with HIPAA while maintaining heightened protections for SUD records.

Key required updates by Feb. 16, 2026 include:

  • Updating Notices of Privacy Practices (NPPs)
  • Revising patient consent/authorization forms
  • Updating business associate agreements and qualified service organization agreements
  • Implementing incident response and breach notification processes aligned with the HIPAA Breach Notification Rule
  • Updating policies and procedures to reflect the Final Rule
  • Training workforce members

OCR’s announcement makes clear that these are not merely technical updates. They are now enforceable civil compliance obligations.

Why this matters

Historically, Part 2 enforcement was limited and primarily criminal in nature. The CARES Act changed that framework.

Now:

  • Civil monetary penalties are available
  • OCR can impose multi-year corrective action plans
  • Investigations may follow both complaints and breach reports
  • SUD confidentiality is now operationally tied to HIPAA compliance infrastructure

For Part 2 programs, as well as lawful holders, intermediaries, qualified service organizations (including business associates), and HIPAA covered entities that receive Part 2 data, this means enforcement exposure on two fronts.

Organizations that treated Part 2 compliance as a niche or siloed issue may now face scrutiny similar to HIPAA investigations.

Interaction with the CMS enforcement task force

OCR’s announcement also comes amid broader federal healthcare program integrity and compliance initiatives. CMS recently announced a healthcare enforcement task force focused on strengthening oversight, program integrity, and fraud prevention across federal healthcare programs.

While CMS and OCR operate under different statutory authorities, the policy direction is consistent:

  • Increased federal scrutiny of compliance frameworks
  • Greater interagency coordination
  • Heightened expectations for documentation, internal controls, and governance

Providers participating in Medicare and Medicaid, particularly those delivering behavioral health or SUD services, should anticipate a more coordinated enforcement environment in which privacy, billing, quality, and program integrity risks are evaluated together.

For organizations already under HHS scrutiny, deficiencies in Part 2 compliance could become additional exposure points.

Operational areas OCR is likely to examine

Based on OCR’s HIPAA enforcement history and the Part 2 Final Rule, enforcement may focus on:

  • Improper redisclosure of Part 2 information
  • Failure to perform appropriate risk analysis
  • Failure to include required Part 2 statements in NPPs
  • Inadequate consent documentation
  • Improper use of SUD records in legal proceedings
  • Failure to implement breach notification processes
  • Insufficient workforce training
  • Failure to execute or update Qualified Service Organization Agreements or business associate agreements

The Final Rule’s introduction of the “lawful holder” and “intermediary” definitions may help clarify the universe of organizations exposed to Part 2 obligations under these categories.

Model Part 2 Patient Notice and HIPAA NPP

In its Feb. 13 announcement, OCR provided indirect access to a link to its model patient notice for Part 2 programs and its updated model HIPAA NPPs for HIPAA covered health care providers and health plans that create or maintain Part 2 records. These model notices may provide starting points for providers who have not updated their notices, keeping in mind that the model documents need to be customized to fit each provider. Even providers who have updated their NPPs may find it helpful to review the model notices and compare their NPPs with comparable provisions in the model documents. Part 2 programs that are HIPAA covered entities are allowed to either provide separate Part 2 and HIPAA NPPs or a combined notice that meets the requirements of both the HIPAA NPP and the Part 2 Patient Notice.

Immediate action items

With enforcement beginning Feb. 16, organizations should confirm that:

  1. Updated NPPs are finalized and ready for distribution and posting
  2. Authorization and consent forms reflect new combined HIPAA/Part 2 allowances
  3. Business associate and QSO agreements are updated
  4. Breach response policies expressly address Part 2 records
  5. Workforce training has been completed and documented
  6. The organization (perhaps through governance and compliance committees) has reviewed Part 2 readiness

Documentation of good-faith compliance efforts will be critical in the event of OCR inquiry.

Final takeaway

OCR’s announcement signals that Part 2 is no longer a peripheral compliance issue. It is now squarely within OCR's civil enforcement program, right alongside HIPAA.

Aligning Part 2 with HIPAA makes care coordination easier and cuts down on administrative burden, but it also opens the door to real civil enforcement consequences.

Healthcare providers, behavioral health organizations, health information exchanges, ACOs, business associates, and others handling SUD patient records should treat Feb. 16, 2026 not simply as a deadline, but as the beginning of active enforcement.

If you have questions about Part 2 compliance, NPP updates, risk mitigation strategies or related issues, don't hesitate to get in touch with Patrick Campbell, Rick Hindmand, Taylor Semakula or your McDonald Hopkins relationship attorney.
