HIPAA and SUD Records
- Jessica Zeff

- Feb 21

The Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) have begun enforcing Part 2 requirements as part of the HIPAA privacy framework. This means organizations that handle substance use disorder treatment records must understand what Part 2 data is, how it differs from traditional HIPAA protected health information (PHI), and what federal enforcement means in practice.
Before we dive in, I want to call out a well-written analysis by Joe Wynn, CEO at Seiso, that serves as an excellent companion resource on this topic. His blog thoughtfully outlines the enforcement environment and organizational readiness challenges — and it’s worth a read if you want practical context behind today’s enforcement shift.
What Are Part 2 Records?
Part 2 refers to the federal regulation 42 CFR Part 2, which governs the confidentiality of substance use disorder (SUD) patient records created by federally assisted programs. These records have historically had stricter confidentiality protections than standard HIPAA PHI because of the stigma and legal sensitivities around addiction treatment.
Key characteristics of Part 2 data:
- It includes patient identifiers and treatment information.
- It requires specific consent from the patient for disclosure.
- It prohibits most disclosures without explicit authorization, even for treatment or payment purposes that would otherwise be allowed under HIPAA.
Under prior guidance, Part 2 programs often operated in a separate regulatory space from HIPAA, creating confusion and compliance challenges.
What Was the Compliance Deadline?
HHS/OCR established a compliance deadline of February 2026 for entities subject to Part 2 and HIPAA to:
- Fully implement Part 2 privacy protections within their HIPAA policies and procedures.
- Ensure that Part 2 data is properly identified, segregated (or otherwise protected), and disclosed only in permitted circumstances.
- Update business associate agreements (BAAs), consent processes, and data handling workflows to address the interplay between Part 2 and HIPAA.
The compliance deadline was significant because it effectively aligned enforcement of Part 2 confidentiality with broader HIPAA enforcement, which means:
- OCR can now investigate breaches or improper disclosures of Part 2 data.
- Monetary penalties, corrective action plans, and reputational risk now apply to Part 2 compliance failures in the same way they do to HIPAA violations.
Why This Enforcement Matters Now
This is a major shift — not just because enforcement has begun, but because it puts Part 2 enforcement squarely in the HIPAA compliance ecosystem.
Here’s what that means:
Heightened Regulatory Risk
Part 2 records are no longer in a regulatory “safe harbor.” OCR can investigate violations and impose the same penalties that come with HIPAA compliance failures.
Broader Scope of OCR Audits and Investigations
OCR audits and complaint investigations will now include Part 2 data, meaning:
- Unauthorized disclosures of SUD records can trigger HIPAA breach reporting requirements.
- Organizations may be required to implement corrective action plans for Part 2 compliance gaps.
- Enforcement may involve financial penalties depending on the nature of the violation and the organization’s compliance posture.
Policy, Process, and System Changes
Organizations must:
- Update policies and procedures to explicitly address Part 2 protections.
- Train workforce members on the differences between HIPAA PHI and Part 2 data.
- Evaluate technical and administrative safeguards for segregating and sharing Part 2 records.
How This Affects Healthcare Providers and Partners
For many healthcare organizations — especially those that integrate behavioral health, primary care, and population health — this enforcement shift requires:
- Policy alignment between HIPAA and Part 2 protections.
- Cross-departmental coordination between compliance, legal, IT, clinical, and revenue cycle teams.
- Careful handling of sharing and disclosure workflows to ensure that patient consents are valid and operationalized correctly.
Where to Go From Here
If you’re responsible for compliance, privacy, risk, or operations in a setting that handles SUD records:
- Review your current policies and risk assessment for Part 2 vs. HIPAA protections.
- Update workforce training and consent forms to reflect Part 2 confidentiality requirements.
- Assess technical safeguards for identifying, tagging, and protecting Part 2 data within your EHR or data repositories.
- Audit your contracts and BAAs to ensure downstream partners understand and comply with Part 2 provisions.
And again — if you haven’t yet, I recommend taking a look at Joe Wynn’s blog on Part 2 enforcement for additional operational insights.
Final Takeaway
Federal enforcement of Part 2 records under HIPAA is no longer theoretical — it’s active, it’s real, and it has compliance implications across care settings, business associates, and partners. This is a critical agenda item for 2026 and beyond.
If your organization needs help interpreting the Part 2 enforcement requirements, conducting a Part 2 risk assessment, or aligning your HIPAA compliance program, let’s talk.
— Jessica Zeff, JD, CHC, CHPC, Founder & Principal Consultant - Simply Compliance