On February 8, 2024, the Department of Health & Human Services (HHS) published its final rule updating the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations under 42 C.F.R. Part 2 (Part 2), bringing Part 2 requirements closer to the requirements of the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH). The changes take effect on February 16, 2026, and will materially impact how SUD programs and healthcare providers structure privacy compliance around SUD records.
Part 2 Overview
Part 2 was created to provide strong confidentiality protection for individuals seeking treatment for SUDs. The requirements were designed to restrict the disclosure of records related to the identity, diagnosis, prognosis, or treatment of patients involved in federally assisted SUD programs. By tightly controlling access to this information, Part 2 aimed to address concerns that stigma, discrimination, or possible legal consequences could discourage individuals from seeking necessary care related to substance use. This heightened level of privacy was intended to foster greater access to treatment and protect patient trust in one of the more sensitive areas of behavioral health.
However, the inconsistency between confidentiality requirements of Part 2 and HIPAA/HITECH has created operational challenges for providers subject to both regulatory frameworks. Part 2 requires patient consent for each use or disclosure of SUD records, while HIPAA generally permits covered entities to share protected health information for treatment, payment, and health care operations without separate written consent. When a hospital provided both general medical and SUD services and attempted to use a single electronic health record system for all patients, it often had to either silo SUD treatment data or require multiple consents for routine information sharing. This could complicate workflows and potentially delay coordinated patient care.
Consent, Redisclosure, and New Protections
The final rule will now allow patients to grant blanket consent for future use or disclosure of their SUD records for treatment, payment, and health care operations. For instance, an inpatient behavioral health facility can now obtain a single patient consent at intake, rather than requiring repeated authorizations each time a record must be shared for follow-up care or insurance purposes. HIPAA-covered entities and their business associates may subsequently redisclose these records in accordance with HIPAA standards. This change removes obstacles for care coordination and simplifies data sharing within integrated health systems.
Providers may also now disclose de-identified SUD data to public health authorities without patient consent, provided the data meets HIPAA’s de-identification requirements. That means a clinic participating in an opioid use surveillance program could submit aggregated, de-identified data to state public health officials to monitor trends without obtaining an individual consent from each patient whose de-identified information is disclosed.
Additionally, the rule introduces new protections and definitions for SUD counseling notes, modeled after HIPAA’s approach to psychotherapy notes. If a clinician keeps separate reflective notes on a counseling session, disclosure or use of these notes outside the individual’s care team will now require a distinct, standalone consent. Consent forms for legal proceedings cannot be combined with any other consent, and whenever SUD records are disclosed with patient consent, a copy of that consent or a clear explanation must accompany them.
Use of SUD records and patient testimony in legal or administrative proceedings remains prohibited without patient consent or a court order, preserving some of the traditional safeguards unique to Part 2.
Enforcement, Notice, and Record Management
The rule updates Part 2’s enforcement framework to match HIPAA’s approach. For example, a hospital network that suffers a breach of SUD records is now subject to HIPAA’s civil penalties and breach notification process, including notice to HHS, direct notice to affected individuals, and media notice where applicable under HIPAA.
The final rule also synchronizes patient notice requirements with HIPAA’s Notice of Privacy Practices (NOPP). SUD program providers can now deliver a single privacy notice containing substantially the same information required of other health care providers under HIPAA’s NOPP requirement. As a result, organizations can provide one standardized notice to all patients, rather than keeping separate disclosures for SUD and general health records.
Part 2 programs are also no longer required to physically or electronically segment protected SUD records from other types of medical data in their systems. This is especially relevant for electronic health records (EHR) administrators, as it removes the need to silo SUD records within multi-specialty healthcare environments.
Provisions Remaining Unchanged
SUD treatment records still cannot be used in criminal or civil proceedings, investigations, or prosecutions without written patient consent or a qualifying court order. Records accessed through audits or program evaluations remain shielded from law enforcement use unless all statutory requirements are met. These enduring rules continue to set SUD confidentiality apart from general medical records.
Compliance Timeline and Next Steps
Covered entities have until February 16, 2026, to bring their policies, forms, and internal processes into alignment with the new rule. For many organizations with Part 2 programs, this will mean revising patient intake forms to use a single consent model, updating privacy notices, reviewing data segmentation protocols in their EHRs, and training staff on the enhanced breach notification standards. Healthcare organizations should understand and prepare for these changes not just as a compliance exercise, but as an opportunity to update legacy workflows, strengthen patient trust, and support coordinated care across the behavioral health landscape.
