HHS DELEGATES ENFORCEMENT OF SUBSTANCE USE DISORDER CONFIDENTIALITY RULES TO OCR

On August 26, 2025, U.S. Dept. of Health and Human Services (“HHS”) Secretary Robert F. Kennedy, Jr. announced a significant shift in enforcement authority for the confidentiality of substance use disorder (“SUD”) patient records regulations under 42 CFR Part 2 (“Part 2”). The delegation empowers the Office for Civil Rights (the “OCR”) to administer and enforce these privacy protections.

 

Background on Part 2 and HHS’ 2024 Final Rule

Part 2 regulations safeguard the privacy of individuals receiving SUD treatment by imposing strict limits on the disclosure and use of patient records. In February 2024, HHS issued a Final Rule implementing Section 3221 of the CARES Act, with dual goals of:

  • Increasing coordination among healthcare providers treating SUD patients; and
  • Strengthening confidentiality protections through civil enforcement mechanisms.

The 2024 Final Rule also aligned certain Part 2 requirements with the HIPAA Privacy, Security, and Breach Notification Rules, aiming to better integrate behavioral health and medical records while preserving robust privacy protections.

 

Key provisions of the 2024 Final Rule include:

  • A public complaint process for alleged Part 2 violations;
  • Breach notification requirements for SUD treatment programs;
  • Alignment of civil and criminal enforcement authorities under Part 2 with those that also apply to HIPAA;
  • New protections for SUD counseling notes, similar to HIPAA’s safeguards for psychotherapy notes, requiring specific patient consent before they can be used or disclosed; and
  • A requirement that patient consent for legal proceedings be separate from all other consent forms.

 

For more information on the 2024 Final Rule, HHS has published a Fact Sheet which can be accessed here.

 

OCR’s New Enforcement Powers

Under HHS’ delegation, the OCR now holds the authority to:

  • Negotiate resolution agreements, monetary settlements, and corrective action plans (CAPs), or impose civil money penalties for violations.
  • Issue subpoenas compelling testimony and production of evidence in investigations.
  • Interpret and implement Part 2 requirements during compliance reviews and enforcement actions.

This move parallels OCR’s existing role in enforcing HIPAA, potentially streamlining privacy oversight across different regulatory frameworks.

 

Compliance Timeline

Entities subject to Part 2 must ensure compliance with the 2024 Final Rule’s requirements by February 16, 2026. Failure to do so could result in significant enforcement actions, including civil penalties.

 

Practical Implications for Providers and Compliance Officers

Healthcare providers, behavioral health organizations, and other Part 2-covered entities should:

  1. Review internal policies and procedures for Part 2 compliance;
  2. Update breach response plans to address the new notification requirements;
  3. Conduct training to ensure staff understand the heightened enforcement risk; and
  4. Align Part 2 compliance programs with existing HIPAA frameworks where possible.

 

Given the OCR’s established track record in privacy enforcement, this delegation could signal an era of more aggressive and coordinated oversight in protecting SUD patient records. Providers should take action now to address any compliance gaps ahead of the 2026 deadline.

 

For more information on the issues relating to this article, please contact the Health Law Partners at (248) 996-8510 or by email to Abby Pendleton, Jessica Gustafson or Clinton Mikel.
