The Compliance Deadline for 42 CFR Part 2 Amendments Is Looming: Are You Ready?

The compliance deadline for the recent amendments to 42 CFR Part 2 is February 16, 2026. The clock is ticking for healthcare organizations that provide substance use disorder (SUD) services to review their privacy practices to ensure compliance with Part 2’s new requirements and minimize the risk of fines and penalties.

What Is 42 CFR Part 2?

42 CFR Part 2 is the core federal law that protects the confidentiality of substance use disorder (SUD) records and information. Part 2 was enacted in 1975 to address public policy concerns that SUD information could be used against patients in legal proceedings and other contexts, deterring patients from getting treatment.

Unlike HIPAA, which applies to a wide array of patient information, Part 2 focuses only on SUD information. Part 2 gives enhanced privacy protection to this sensitive type of information and includes narrow exceptions for when SUD information can be used or disclosed without patient consent. Part 2 generally applies to healthcare organizations and providers that receive federal assistance (such as through Medicare or Medicaid) and provide SUD-related services.

What’s New?

Part 2 was amended in the Final Rule published on February 16, 2024, by the U.S. Department of Health and Human Services (HHS). HHS identified key goals of the amendments to include aligning Part 2 more closely with HIPAA; allowing for increased coordination among providers who treat SUD patients; and increasing protections for patients.

The key amendments can be broken down into three main categories. Each category will be explored in subsequent alerts.

• Patient Consent: Part 2 now allows patients to execute a single consent form to authorize all future uses and disclosures of SUD information for treatment, payment, and healthcare operations purposes. The amendments also include new consent requirements related to legal proceedings and SUD counseling notes.
• Patient Rights: The amendments include a range of new patient rights, such as the right to request privacy protection of their SUD records, the right to request an accounting of disclosures, and the right to file a complaint with an entity regulated by Part 2. Regulated entities must also make updates to their Notice of Privacy Practices.
• Breaches and Enforcement: The requirements of HIPAA’s Breach Notification Rule now expressly apply to breaches of SUD records under Part 2. The amendments also align penalties for violating Part 2 with the civil and criminal penalties and enforcement authorities that apply to HIPAA violations.

Next Steps for Providers

With the compliance deadline looming, regulated entities should review and update their policies and procedures to reflect the changes, including their Notice of Privacy Practices and patient consent forms for authorizing disclosures of SUD information. Regulated entities should train and educate key employees on the changes to promote compliance.

The Woods Rogers Pulse Check offers concise, timely insights on emerging trends and key developments in healthcare law—keeping you informed and ahead of change. Our multidisciplinary team understands the complexities of the healthcare industry and provides strategic legal guidance tailored to your needs. Whether you're facing a challenging compliance issue, a critical business transaction, a government investigation, or potential litigation, we deliver clear, coordinated solutions. With deep experience in regulatory, transactional, and litigation matters, our attorneys work collaboratively to help healthcare organizations navigate risk and move forward with confidence. 

Want the latest healthcare updates delivered directly to your inbox? Sign up for our Health Law mailing list.