
OCR Launches Civil Enforcement for 42 CFR Part 2 (SUD Records): What Covered Entities and “Part 2 Adjacent” Organizations Should Do Now

On February 13, 2026, the U.S. Department of Health and Human Services (“HHS”) Office for Civil Rights (“OCR”) announced a new civil enforcement program for the confidentiality of substance use disorder (“SUD”) patient records under 42 CFR Part 2 (“Part 2”). The program’s start date is February 16, 2026—and OCR is now accepting (i) complaints alleging Part 2 violations and (ii) breach notifications involving SUD patient records.

This is a meaningful shift for the regulated community because it operationalizes a core feature of the February 2024 Part 2 Final Rule (implementing CARES Act § 3221): Part 2 confidentiality is no longer “compliance-by-policy.” It is now a HIPAA-style civil enforcement regime with OCR’s familiar tools—investigations, corrective action commitments, resolution agreements, monetary settlements, and civil money penalties.

Why This Announcement Matters: Part 2 Now Looks (and Feels) Like HIPAA Enforcement

Historically, many providers treated Part 2 as a specialized behavioral-health rule that sat “next to” HIPAA. OCR’s announcement confirms that Part 2 is now part of the same practical enforcement ecosystem as HIPAA—particularly because OCR is accepting breach notifications for SUD patient records.

In other words: if your organization experiences an incident involving Part 2 data, the event is no longer just an internal risk-management exercise. It can become an OCR matter through the front door.

The Compliance Date Is Here (and OCR Can Enforce)

The February 2024 Final Rule modifying Part 2 became effective in April 2024 and set a February 16, 2026 compliance date for applicable requirements. OCR’s February 2026 announcement makes clear that civil enforcement is now live.

Who Needs to Pay Attention (Hint: It’s Not Only “Rehab Clinics”)

Part 2 compliance risk is not limited to standalone SUD treatment facilities.

Yes—Part 2 programs are the obvious stakeholders. But the more overlooked exposure is the “Part 2 adjacent” organization that touches Part 2 data through ordinary healthcare operations, such as referrals, record ingestion, care coordination, population health platforms, or health information exchange connectivity.

Practical example: if a primary care practice receives records containing SUD treatment information (from a Part 2 program or a hospital unit that qualifies as a Part 2 program), that practice may become a “lawful holder” of Part 2 records (for that information) and must handle those records consistent with Part 2/HIPAA-aligned requirements. Receipt alone does not make the provider a Part 2 program, and the 2024 Final Rule allows HIPAA covered entities and business associates (“BAs”) to use and redisclose Part 2 records for treatment, payment, and health care operations (“TPO”) consistent with HIPAA when received under a valid Part 2 TPO consent—subject to Part 2’s remaining limits. See https://www.federalregister.gov/d/2024-02544/p-80.

OCR Resources: Model Patient Notice + Updated Model NPPs

OCR has also published a Model Part 2 Patient Notice and updated model HIPAA Notices of Privacy Practices (“NPPs”) materials designed to reflect Part 2 confidentiality requirements. For organizations that have not yet updated patient-facing notices, OCR’s model language provides a useful starting point—but it must be operationalized and tailored to your workflows and state-law overlay.

Key Takeaway for Part 2 Clients: Optimize Data Privacy + HIPAA Compliance Now

This enforcement launch is a reminder that Part 2 compliance is inseparable from modern data privacy and HIPAA compliance fundamentals.

OCR is now accepting breach notifications involving SUD patient records. That single fact should drive Part 2 clients to pressure-test the core building blocks of their privacy/security program (the same blocks OCR expects under HIPAA): risk analysis discipline, access controls, audit logging, incident response, vendor oversight, and workforce training.

If your HIPAA program is dated or under-resourced, Part 2 enforcement risk increases—because breaches and complaint intake are often what converts “theoretical compliance gaps” into OCR investigations.

A Practical “Do This Now” Checklist (30–60 Day Sprint)

Below is a short list of high-yield actions for Part 2 programs and organizations that receive or maintain Part 2 records:

  1. Map where Part 2 data lives. Identify every system that stores, receives, transmits, or replicates Part 2 records (EHR modules, document management, interface engines, analytics platforms, ticketing systems, cloud repositories).
  2. Validate access controls. Confirm role-based access is real (not aspirational), termination workflows work, and privileged access is governed and logged.
  3. Confirm audit logging and retention. Ensure audit logs are enabled for systems holding Part 2 data and that logs are retained in accordance with your investigation and security needs.
  4. Update incident response for Part 2. Run a tabletop exercise assuming a Part 2 breach; confirm decisioning, documentation, and escalation pathways.
  5. Update notices. Deploy updated NPP / Part 2 patient notice language and document version control, effective dates, and distribution method.
  6. Review consent workflows. Ensure Part 2 consent capture and downstream honoring of consent are consistent across clinical and administrative workflows (not just “the form”).
  7. Review vendor relationships. Confirm that vendors touching Part 2 data are contractually and operationally aligned with your confidentiality, security, and incident response obligations.
  8. Train your workforce. Staff must be able to recognize Part 2 data, understand re-disclosure sensitivity, and escalate incidents quickly.

Bottom Line

OCR’s civil enforcement program for Part 2 is now operational, and OCR is accepting both complaints and breach notifications involving SUD patient records. For Part 2 programs—and organizations that are “Part 2 adjacent”—this is the moment to modernize privacy, tighten HIPAA security fundamentals, and treat Part 2 readiness as an enterprise risk issue rather than a niche behavioral-health requirement.

For more information regarding Part 2 compliance, HIPAA alignment, incident response readiness, or updating your notices and workflows, please contact Clinton Mikel (cmikel@thehlp.com) from The Health Law Partners, P.C.