top of page
Search

What’s Coming with SUD Records: Preparing for the 2026 42 CFR Part 2 Changes

  • Writer: Jessica Zeff
    Jessica Zeff
  • Jan 16
  • 5 min read
SUD records compliance illustration showing a consent form on a clipboard with a lock and key, distinguishing treatment, payment, and operations consent from SUD counseling notes, with HIPAA and 42 CFR Part 2 documents layered in the background to represent controlled access and privacy protections.

Late in 2024, the U.S. Department of Health & Human Services (HHS), through its agencies, issued a final rule updating the confidentiality regulations for substance use disorder (SUD) treatment records under 42 CFR Part 2.


The rule became effective on April 16, 2024, but regulated entities—including treatment programs, providers, health plans, and others—have until February 16, 2026 to come into full compliance.


That deadline is no longer “in the future.” As we enter the final stretch, compliance teams should be working in earnest to update policies, consent forms, notices, workflows, vendor & business‑associate contracts, training, and breach protocols.


What Has Changed — The Key Updates to Part 2


Single Consent for Treatment, Payment, and Operations (TPO) Disclosures


  • Under the updated rule, a patient may sign a single consent that authorizes future uses and disclosures of their SUD‑related records for treatment, payment, and health‑care operations (TPO). That consent can cover multiple disclosures going forward, rather than requiring a new consent for each instance.


  • Once a HIPAA‑covered entity or business associate receives Part 2 records under that consent, they—with appropriate HIPAA compliance—may further use or redisclose the data (subject to certain limitations).


This flexibility can significantly simplify workflows, especially in integrated care settings, but it also requires careful consent language and documentation.


Separate Consent Required for SUD Counseling Notes


  • The amended rule treats “SUD counseling notes” much like psychotherapy notes under HIPAA. These are the notes from a private or group SUD counseling session (separate from typical medical records), and cannot be disclosed under the general TPO consent. Instead, they require a standalone, separate consent for disclosure.


  • This means programs must be certain to segregate such notes (or at least treat them under stricter controls) and ensure that any consent covers only those notes (not broader SUD records or other PHI).


Revised Notice of Privacy Practices (NPP) & Patient Rights


  • Entities must update their Notice of Privacy Practices to reflect the Part 2 changes, including patients’ rights under the revised regulation. That includes the right to request restrictions on disclosures, the right to request an accounting of disclosures, and the right to file a complaint with HHS or the relevant oversight agencies.


  • Disclosures made under patient consent must be accompanied by a copy of the actual consent, or at least a clear explanation of the scope of consent.


Redisclosure & Public‑Health Disclosures (with Limitations)


  • Under the new consent regime, entities receiving Part 2 records may redisclose them (under HIPAA’s general policies), which could facilitate care coordination among providers.


  • There’s also a provision allowing for de‑identified SUD data to be disclosed to public health authorities without patient consent, under HIPAA‑compliant de‑identification standards.


But — importantly — Part 2 continues to restrict the use or disclosure of SUD records (or testimony based on them) in civil, criminal, administrative, or legislative proceedings against a patient, absent explicit consent or a qualifying court order.


What Has Not Changed


  • The heightened confidentiality for SUD treatment records remains. Part 2 records are still treated as especially sensitive, and the protections are not eliminated.


  • For SUD counseling notes, the protections remain very strong — separate consent still required, no bundling with other consents.


  • Use of SUD records in legal proceedings (especially criminal, civil, administrative, or legislative actions) remains heavily restricted.


In other words: the reforms are not a roll‑back of privacy — but rather a calibration to enable care coordination while retaining strict confidentiality guardrails.


What This Means Operationally

If you oversee compliance, privacy, or health‑information management in a Part 2 program (or a provider/plan that receives Part 2 records), here’s what you should be doing now — if you haven’t already:


  1. Assess whether you qualify as a “Part 2 program” or a “lawful holder.” Some providers or units may be subject to full Part 2 compliance obligations, others may not. Understand where you stand.


  2. Revise Consent Forms — Adopt a single TPO consent form for future disclosures, and create a separate consent template for SUD counseling notes. Ensure required language (scope, redisclosure risk, revocation rights, expiration, purpose, recipients) is included.


  3. Update Notice of Privacy Practices (NPP) — Incorporate the new patient rights, disclosure/distribution obligations, consent‑copy requirement, and how patients can complain or request restrictions/accounting of disclosures.


  4. Update Policies & Procedures — Revise organizational workflows for SUD record use, redisclosure, public health disclosures, legal requests/subpoenas, vendor and business‑associate agreements, data‑segregation or tagging procedures (if used), and incident response/breach notification plans.


  5. Train Staff and Stakeholders — Ensure that everyone (clinical and non‑clinical) understands the nuances of the amended Part 2: what can be shared under TPO consent, what needs separate consent, how to handle SUD counseling notes, what triggers breach notification, and when redisclosure is allowed.


  6. Review Vendor / BAA / Contract Agreements — Make sure business associates and vendors that handle Part 2 records comply with the updated requirements and that their agreements include Part 2 obligations (e.g., redisclosure limits, breach response, consent‑copy requirements, restrictions on legal‑proceeding disclosures).


Keeping an Eye Out


  • Enforcement is real now. As of summer 2025, enforcement authority was clearly delegated to OCR.  If audits, complaints, or breach reports arise post‑February 2026, entities may face civil monetary penalties, resolution agreements, subpoenas, or other corrective actions.


  • Part 2 vs HIPAA alignment — but not total unification. While many aspects are now aligned (consent, redisclosure under consent, breach notification), some unique protections remain — especially around counseling notes, legal‑proceeding disclosures, and separate consent for certain disclosures. Entities must treat Part 2 records as subject to dual regimes when applicable.


  • Patient understanding matters. Because the rule allows bundling of future TPO disclosures under a single consent, patients may unknowingly authorize broad sharing. Compliance teams should ensure that patients are educated — in clear, accessible language — about what they are consenting to and the potential for redisclosure under HIPAA.


  • Vendor / Business‑Associate risk is elevated. Once redistributed, Part 2 records may flow widely across providers, payers, care‐management vendors, analytics firms, etc. Organizations need to ensure downstream safeguards are in place, and that consent copies/information about scope accompany disclosures.


Why This Update Matters

From my vantage as a compliance professional, these changes to Part 2 strike a delicate — but sensible — balance between patient privacy and practical realities of modern, integrated care. The ability to use a single TPO consent can significantly ease administrative burdens and improve care coordination, while the separation of counseling notes and the continuing restrictions around redisclosure in legal proceedings preserve strong privacy protections for the most sensitive SUD data.


The enforced alignment with HIPAA standards — including breach notification and consistent enforcement mechanisms — brings Part 2 into a clearer, more enforceable regime. That clarity may finally make compliance less of a gray‑area gamble and more of a structured program for many providers.


But the window closes soon. February 16, 2026 isn’t far away. For many organizations, now is the moment for final policy edits, training, contract updates, patient‑notice rollouts, and compliance sign‑offs.


If you haven’t already launched your implementation project — now’s the time.


Do you have questions about this blog? Please contact jessicazeff@simplycomplianceconsulting.com

 

Comments

bottom of page