HHS Launches SUD Data Privacy Enforcement Program and Breach Portal

The Department of Health and Human Services (HHS) has launched a new data privacy enforcement program for substance use disorder records (SUD) covered by the 42 CFR Part 2 regulations. The HHS Office for Civil Rights (OCR) has been tasked with enforcing the 42 CFR Part 2 regulations, which protect the confidentiality of SUD patient records maintained by federally assisted programs. In a February 13, 2026, announcement, the HHS confirmed that civil enforcement mechanisms for protecting Part 2-covered data have been established for the first time.

The Part 2 regulations were enacted in 1975 to afford greater protection for SUD records, due to their sensitivity and potential for discrimination against individuals who undergo treatment for SUDs. The Part 2 regulations required patient consent before most disclosures of SUD records, and those records had to be kept separate from other types of information. While the Part 2 regulations are important for privacy, they have hampered care coordination.

In 2020, section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act instructed the Secretary of the HHS to align certain requirements of the Part 2 regulations with HIPAA to improve coordination amongst providers treating patients for SUDs. Among the changes implemented by the HHS in a February 2024 final rule were the removal of the requirement to separate SUD treatment information from other healthcare data, allowing a single consent to be provided by a patient covering further disclosures of SUD records, permitting a joint notice of privacy practices for Part 2 Programs that are also HIPAA-covered entities, aligning the breach reporting requirements with HIPAA, and adopting the same penalty structure as HIPAA for Part 2 violations.

The HHS started accepting complaints alleging violations of the Part 2 confidentiality and breach notification provisions on February 16, 2026. OCR added a new section to its website that makes it easy for individuals to file complaints and view a summary of large breaches of SUD records, as is the case for breaches of protected health information and violations of HIPAA. “At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative,” HHS Secretary Robert F. Kennedy, Jr. “Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections.”

OCR Director Paula M. Stannard has previously confirmed that Part 2 violations will be an enforcement priority for OCR. “OCR’s civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers,” said Stannard. “At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens.”

While the HHS Secretary delegated responsibility for enforcement of the Part 2 regulations to OCR, OCR has yet to receive an increase in its budget. The agency was already struggling with limited resources due to the increase in complaints about HIPAA violations and a doubling of investigations of breaches of protected health information between 2018 and 2022. Data breaches have continued to be reported in similarly high numbers for the past five years, and adding investigations of Part 2 violations will require much better use of its resources to prevent the backlog of investigations from growing.

HIPAA
Compliance
Checklist

Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

Download Free Checklist

About Liam Johnson

Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/