2026 Deadline Looms for Compliance with Updated Part 2 Regulations Regarding Patient Data Protections

We previously detailed the U.S. Department of Health and Human Services’ significant modifications to 42 C.F.R. Part 2 (Part 2) in Feb. 2024 applicable to organizations that handle substance use disorder (SUD) treatment records. The updates aimed to align Part 2’s confidentiality requirements with the Health Insurance Portability and Accountability Act (HIPAA) and ensure robust protection for sensitive patient information. While the rules took effect on April 16, 2024, a grace period allows entities until Feb. 16, 2026, to achieve full compliance. As the grace period’s end approaches, it is important for entities subject to Part 2 to prioritize finalizing preparations to ensure compliance.

As a reminder, Part 2 is applicable to records related to the identity, diagnosis, prognosis or treatment of any individual in a federally assisted substance use disorder program. The actions detailed below are critical for SUD treatment programs subject to Part 2 to assure smooth operations under the revised Part 2 regulations. As 2025 concludes, it is worthwhile to confirm that these key tasks were addressed or are scheduled for completion by the end of the grace period:

• Update Your Patient Notice to Align with Part 2 Standards. An entity subject to Part 2 must ensure that its Notice of Privacy Practices (NPP) is revised to satisfy Part 2’s unique rules. This includes clearly outlining patient rights, such as the ability to request restrictions on disclosures for treatment, payment, and healthcare operations (also called “TPO”), and a patient’s right to file complaints directly with the U.S. Secretary of Health and Human Services and the Substance Abuse and Mental Health Services Administration. An organization’s failure to update its NPP could result in noncompliance with Part 2, as the NPP serves as the primary tool for informing patients of their privacy protections.

• Train Employees on the Updated Part 2 Requirements. If your organization has not initiated compliance efforts, employee training should be a near-term objective. The 2024 Part 2 updates introduce changes such as permitting a single patient consent for all future TPO disclosures (until the consent is revoked) and applying HIPAA’s breach notification rule to unsecured Part 2 records. All staff that handles SUD records, from clinicians to administrative personnel, should be educated on the changes. Similarly, personnel should be familiar with the particular scenarios that require specific documentation (e.g., requests for information subject to Part 2 for use in civil, administrative, criminal or legislative proceedings). Early training not only mitigates risks but also fosters a culture of privacy awareness, especially as enforcement now includes civil penalties aligned with HIPAA.

• Revise Affected Policies, Procedures and Forms. Organizations subject to Part 2 would be well served to undertake a thorough review of internal policies, procedures and forms before expiration of the deadline to capture relevant changes. For example, policies should incorporate HIPAA-aligned breach notification protocols, detailing timelines for reporting unsecured breaches, and forms related to patient rights, such as restriction requests, should be updated as needed.

Proactively addressing these operational areas will give health care practitioners confidence in meeting the Feb. 16, 2026, deadline. If your organization needs guidance on understanding the Part 2 changes or implementing necessary updates, our healthcare practice group can assist.