Legal Bulletins

As of February 16, 2026, all covered entities (“Providers”) under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”)  that receive and maintain substance use disorder (“SUD”) patient records were required to update their notice of privacy practices (“NPP”) to include information addressing the modified Confidentiality of SUD patient records regulations at 42 CFR part 2 (“Part 2”). Specifically, Providers must include the following statement in their NPP:

To the extent that we have your substance use disorder patient records, subject to 42 CFR part 2, we cannot use or share information in those records in civil, criminal, administrative, or legislative investigations or proceedings against you without (1) your consent or (2) a court order and a subpoena.

Providers must also give patients adequate notice about the potential for such records to no longer be protected by federal law upon redisclosure. To address this, Providers may consider incorporating the following language into their NPPs:

Please be aware that after we have shared your information in a permitted way, it is possible for the information to be redisclosed by the recipient, including substance use disorder treatment records. Upon redisclosure, this information will no longer be protected by the HIPAA Privacy Rule.

In February 2024, the U.S. Department of Health & Human Services (“HHS”) announced a final rule modifying Part 2. With this final rule, HHS aligned certain aspects of Part 2 with HIPAA by implementing the confidentiality provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security Act. Accordingly, entities subject to Part 2 requirements and HIPAA covered entities that maintain Part 2 records are required to update their notice of privacy practices to align with the final rule. 89 FR 12472.

Applicability 

Part 2 rules apply to any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment (“Part 2 programs”). The law provides safeguards and procedures for using and disclosing Part 2 records, including criteria for court orders to authorize disclosure of SUD records. See 42 CFR § 2. Some Part 2 requirements also apply to Qualified Service Organizations, HIPAA covered entities, business associates, intermediaries, and investigative agencies that may receive and maintain Part 2 records. In accordance with the final rule, these providers had until February 16, 2026, to include information about Part 2 records in their NPP as discussed above.  Additionally, Part 2 programs are required to provide a new patient notice that is aligned more closely with the HIPAA NPP. 

Specific Changes 

Part 2 previously restricted the redisclosure of SUD patient records from a Part 2 program absent a specific, separate authorization for each disclosure. Now, Part 2 allows a single consent for all future uses and disclosures for treatment, payment, and health care operations (“TPO”) purposes. This means Part 2 programs may revise patient consent forms to remove the previous prohibition on redisclosure, creating easier collaboration among providers.

Providers that are not Part 2 programs may now also receive records under the single TPO consent and redisclose Part 2 records in accordance with HIPAA regulations. However, authorization restrictions still apply to the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings against patients. Under these circumstances, Providers must receive explicit patient consent or a court order prior to disclosure. 42 CFR § 2.12(d)(1). A court order authorizing use or disclosure must be accompanied by a subpoena or other legal requirement compelling disclosure before the requested record is used or disclosed. 42 CFR §2.61. 

Providers who fail to comply with these updated changes risk facing additional enforcement measures from the Department of Health and Human Services.

To avoid any compliance concerns, Providers are encouraged to review and revise their current NPPs based on suggested options published by HHS here.

If you are a Provider who is unsure whether these changes apply to you or if you have any questions about proper implementation, please do not hesitate to contact our Health Care Team.

If you have any questions, please contact Kennedy Hagens or Darci M. Smith. 

Kennedy Hagens
410-576-4146 • khagens@gfrlaw.com 

Darci M. Smith
410-576-4153 • dsmith@gfrlaw.com