By: Christopher Parrella, Esq., CPC, CHC, CPCO
Parrella Health Law, Boston, MA.
A Health Care Provider Defense and Compliance Firm.

A major regulatory shift for behavioral health and addiction treatment providers officially began on February 16, 2026. For the first time in the history of the federal confidentiality rules governing substance use disorder treatment records, the U.S. Department of Health and Human Services Office for Civil Rights will begin civil enforcement of 42 CFR Part 2.

For decades, Part 2 has protected the confidentiality of substance use disorder patient records but enforcement has been limited and largely administrative. That is about to change. Under a new enforcement program announced by OCR, violations of the SUD confidentiality rules will now be subject to civil enforcement mechanisms similar to those used under HIPAA. That means investigations monetary settlements corrective action plans and civil monetary penalties are now firmly on the table.

Beginning February 16, OCR will accept both complaints alleging violations of Part 2 and breach notifications involving SUD patient records. Once a complaint or breach report is filed, OCR will have the authority to open an investigation just as it does with HIPAA cases. The possible outcomes include resolution agreements, financial settlements, corrective action plans or civil monetary penalties.

For providers, this creates both opportunities and risks. The updated framework allows better integration of behavioral health information into broader medical records, which can improve treatment outcomes and coordination across care teams. But it also means providers must ensure their privacy practices meet a more complex regulatory structure that blends elements of HIPAA with the stricter confidentiality protections unique to Part 2.

Many providers mistakenly believe that compliance with HIPAA automatically satisfies Part 2. That assumption is dangerous. Part 2 still contains unique requirements around patient consent, redisclosure limitations and protections related to law enforcement and legal proceedings. Those provisions are now enforceable with the same seriousness regulators bring to HIPAA cases.

This change also places additional responsibility on organizations that share SUD patient data with business associates, care coordination networks, electronic health record vendors and other providers. Improper disclosures or failures to follow consent requirements can now trigger investigations and financial penalties.

Call to Action for SUD and Behavioral Health Providers: Substance use disorder treatment providers should immediately review their compliance programs to ensure they align with the updated Part 2 framework before enforcement begins. Organizations should confirm that privacy policies properly address Part 2 requirements update Notices of Privacy Practices using OCR’s model guidance review consent forms and evaluate how SUD records are integrated within electronic health records.

Providers should also assess breach response procedures, workforce training and vendor relationships to ensure staff understand when SUD information may be shared and when additional consent is required. The bottom line is that Part 2 is no longer just a confidentiality rule. It is now an enforceable regulatory regime. Behavioral health providers who prepare now will be far better positioned than those who wait until a complaint or breach report lands on OCR’s desk.

If you have any questions or comments about the subject of this blog or want assistance evaluating your organization’s compliance with 42 CFR Part 2, please contact Parrella Health Law at 857.328.0382 or Chris directly at cparrellahealthlaw.com.