bar_chart

The HIPAA Update Most Independent Practices Missed: 42 CFR Part 2

Newsletter | By Michael Yablonowitz | May 19, 2026



A quiet but significant alignment between SUD records and the HIPAA rules took effect February 16, 2026. If you ever receive records from a substance use treatment program, this affects you.

If you run an independent practice, your team has probably heard of HIPAA a thousand times. You’ve probably never heard of 42 CFR Part 2.

That changed this year.

On February 8, 2024, HHS finalized a rule modifying 42 CFR Part 2, the regulation that protects records from federally-assisted substance use disorder (SUD) treatment programs. The compliance date was February 16, 2026. For most of our clients in PT, ophthalmology, DPC, and audiology, the changes don’t fundamentally rewrite what you do every day, but they do touch your Notice of Privacy Practices, your breach response plan, and how you handle records that come in from a SUD program.

Here’s what you need to know.

What is 42 CFR Part 2?

Part 2 is the federal confidentiality rule for SUD treatment records. It’s been around for decades and has historically been stricter than HIPAA. Patients had to give specific written consent for nearly every disclosure, and records received from a Part 2 program couldn’t be freely redisclosed even by HIPAA-covered entities. The original logic: people avoid SUD treatment when they fear their records will follow them into a courtroom, a custody dispute, or an employer’s hands.

That protection isn’t going away. It’s getting modernized.

What actually changed

The Final Rule, driven by Section 3221 of the CARES Act, aligns Part 2 more closely with HIPAA in several practical ways:

1. Single consent for treatment, payment, and operations. Patients can now sign one consent covering all future TPO uses and disclosures, instead of consenting to each disclosure separately. This is the biggest practical change for most providers.

2. Redisclosure is now permitted under HIPAA rules. A HIPAA-covered entity or business associate that receives Part 2 records under that consent can redisclose them in accordance with HIPAA. For practices that receive referral records from a SUD program, this removes a long-standing friction point. Important caveat: those records still can’t be used against the patient in legal proceedings without a specific consent or court order.

3. Breach Notification Rule now applies to Part 2 records. Same standard, same timelines, same obligations. If you have a breach involving Part 2 records, you follow the HIPAA Breach Notification Rule.

4. Penalties aligned with HIPAA. Civil and criminal enforcement authorities mirror the HIPAA framework.

5. Patient Notice aligned with the HIPAA NPP. Part 2 programs now have a Patient Notice structure that parallels HIPAA’s Notice of Privacy Practices. If your NPP references Part 2 records in any way, this is the section to review.

6. New patient rights. Right to an accounting of disclosures, right to request restrictions, and a new right to opt out of fundraising communications.

7. SUD counseling notes get psychotherapy-note-style protection. A clinician’s analytical notes from an SUD counseling session, kept separately from the rest of the record, now require a specific separate consent — similar to how HIPAA treats psychotherapy notes.

Does this apply to my practice?

If you’re a Part 2 program (a federally-assisted SUD treatment provider), yes, directly and substantially. You should already be compliant.

If you’re a HIPAA-covered entity that receives Part 2 records (referrals from a treatment program, records via an HIE, anything that touches an SUD record), the relevant pieces are:

  • Your NPP language around Part 2 records, if any
  • Your redisclosure practices for records you receive from a Part 2 program
  • Your breach response procedures (now uniform with HIPAA)

If you never see Part 2 records, the practical impact is minimal. But you should still have a defensible answer if a patient or auditor asks how your practice handles them.

Practical next steps

Three things to do this quarter if you haven’t already:

  1. Review your NPP. Confirm it doesn’t conflict with the updated Part 2 framework. If you currently flag Part 2 records under separate redisclosure language, that section may need refreshing.
  2. Brief your front desk and intake staff. The single-consent change is the one most likely to come up in real workflows.
  3. Confirm your breach playbook is unified. No more separate Part 2 breach protocol. One rule, one process.

The big picture: this is a sensible alignment. It removes friction for legitimate care coordination while keeping the strong protections that brought patients into treatment in the first place. We told you a long time ago — you cannot take the human out of healthcare. Part 2 has always been a rule that exists because of how human this work is. The new framework honors that and lets practices do their jobs.

If you want to read the source material:

  • HHS Fact Sheet: hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule
  • The regulation itself: ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
  • HIPAA baseline: 45 CFR Parts 160 and 164

Questions on what this means for your practice? That’s a good conversation to have with your compliance partner or your Snapscale team.

Book an Appointment

Recent Posts

Archives

BBC Global is now snapscale!

BBC Global is now snapscale!
© 2025 snapscale

Twitter/X Linkedin Facebook/Meta Instagram

Services

Resources

About