Key Takeaways:
- 42 CFR Part 2 (Part 2) Final Rule: The U.S. Department of Health and Human Services (HHS) issued a final rule updating privacy protections for substance use disorder (SUD) records created by an SUD program that is subject to Part 2 (SUD Records), to strengthen patient consent, redisclosure, and enforcement provisions.
- Broad Applicability: While the rule primarily applies to SUD programs that are subject to Part 2, certain changes apply to all HIPAA Covered Entities, including those that are not Part 2 programs, since many receive SUD Records from Part 2 programs for treatment and care coordination purposes.
- The Mandate: All HIPAA Covered Entities must update their Notice of Privacy Practices (NPP) by February 16, 2026, to address certain uses and disclosures of Part 2 Records. Additionally, all Part 2 programs (including those that are not HIPAA Covered Entities) must make comprehensive changes to their privacy notices by February 16, 2026, to include additional statements.
Background:
In 2024, HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and the Office for Civil Rights (OCR), finalized amendments to 42 C.F.R. Part 2, to better align confidentiality rules for SUD Records with HIPAA. The rule implements Section 3221 of the CARES Act (2020), and HHS intends to simplify compliance and improve care coordination for SUD providers regulated by both Part 2 and HIPAA. Additionally, HHS finalized SUD-related changes to the HIPAA regulations as part of OCR’s final rule, published on April 26, 2024, which was primarily, but not exclusively, related to the privacy of reproductive health information. While a Texas court vacated the changes to the HIPAA regulations related to reproductive health information, the changes related to SUD Records remain in effect. All HIPAA Covered Entities and Part 2 Programs must comply with the applicable changes by February 16, 2026.
Major Changes:
All HIPAA Covered Entities (healthcare providers who utilize HIPAA transactions, health plans, and healthcare clearinghouses) must revise their NPPs by February 16, 2026, whether or not such entities provide SUD treatment or are a Part 2 program.
The NPP revisions must address:
- Uses and Disclosures Descriptions: A description of how the HIPAA Covered Entity may use and disclose SUD Records.
- Legal Proceedings Prohibition: A description of the prohibition on using or disclosing SUD Records subject to Part 2, or testimony relaying the content of such records, in any civil, criminal, administrative, or legislative proceedings against the patient without specific written consent or a court order.
- Fundraising Communications: The right of a patient to opt out prior to receiving a communication if the Covered Entity intends to use or disclose SUD Records subject to Part 2 for fundraising for the benefit of the Covered Entity.
In addition to the NPP revisions that all HIPAA Covered Entities must make, as above, the notice obligations of a Part 2 Program (as set forth in the Part 2 regulations at 42 C.F.R. § 2.22), either in conjunction with its HIPAA NPP or in a separate notice for Part 2 Programs not covered by HIPAA, were significantly expanded by the Part 2 Final Rule to include:
- Required Headings: The final rule sets out specific language to be included in the NPP going forward.
- Other Uses and Disclosures Descriptions: A statement that a patient may provide a single consent for all future uses or disclosures for treatment, payment, and health care operations purposes (TPO) and the patient’s rights with regard to revoking such consent.
- Other Specific Statements: Statements, when relevant, related to the potential re-disclosure of Part 2 Records by recipients of such records pursuant to a general consent to disclose for TPO and use of such records for fundraising purposes, as well as statements related to the Part 2 Program’s duties, contact information, and the effective date of the notice.
- Patient Rights: Statements related to a patient’s rights with respect to their Part 2 Records, which include the right to request restrictions, file complaints, and the right to an accounting of disclosures.
Other Changes Impact Part 2 Programs
The Part 2 Final Rule included other changes that are relevant specifically to Part 2 Programs. Such changes include, but are not limited to:
- Permitting a Part 2 Program to obtain a global consent for the use, disclosure, and redisclosure of SUD Records for TPO purposes, along with requirements related to including such global consent with all disclosures for TPO that are made in reliance on such consent;
- Extending the HIPAA Breach Notification Rule requirements to a Part 2 Program, whether or not the Part 2 Program is a HIPAA Covered Entity; and
- Requiring that the Part 2 Program permits a patient to request restrictions on the use and disclosure of their Part 2 Record, including when the patient has signed a global consent for TPO uses and disclosures.
Enforcement Risks
Failure to comply with Part 2 and the HIPAA regulations may result in civil monetary penalties or other enforcement actions by HHS OCR, which has authority to issue subpoenas requiring attendance, testimony, and the production of documents related to an investigation or compliance review.
Organizations should review and update their NPPs, policies and procedures, staff training, and compliance protocols well before the 2026 deadline. Proactive engagement with counsel can help ensure alignment with both HIPAA and Part 2 requirements and mitigate potential enforcement risks.
