In February 2024, HHS finalized significant revisions to 42 CFR Part 2, the federal regulation governing the confidentiality of SUD treatment records. Part 2 has historically imposed stricter privacy protections than HIPAA, reflecting longstanding concerns about stigma and discrimination associated with SUD treatment.
The final rule modernizes Part 2 by aligning many of its provisions with HIPAA, particularly with respect to disclosures for treatment, payment, and healthcare operations. Importantly, however, Part 2 continues to impose additional restrictions on the use and disclosure of SUD records, including in circumstances where HIPAA would otherwise permit uses or disclosures without patient authorization. At the same time, it preserves heightened protections for SUD-related information and emphasizes transparency through updated patient notices. HHS has confirmed that covered entities must comply with the rule’s notice-related requirements by February 16, 2026.
The Part 2 final rule requires covered entities processing Part 2 records to make targeted updates to their NPP. This obligation is not limited to traditional SUD treatment programs. Covered entities may be subject to the NPP update requirement simply because Part 2 records are shared within integrated care models, care coordination arrangements, digital health platforms, or health plan operations. As a result, organizations that have not historically viewed themselves as “Part 2 entities” may still need to revise their privacy notices.
In general, the NPP must (i) place individuals on notice of the uses and disclosures of Part 2 records, (ii) describe rights and legal duties specific to Part 2 records, (iii) reflect Part 2’s more stringent limits where they differ from HIPAA, and (iv) contain a statement explaining certain limitations on the use of SUD records in civil, criminal, administrative, or legislative proceedings against an individual. In reflecting Part 2’s more stringent limits, covered entities will need to explain that, unlike other protected health information, use or disclosure of Part 2 records for treatment, payment, and health care operations requires the patient’s written consent (subject to the Part 2 rule’s aligned provisions and permitted redisclosures).
While Part 2 programs historically provided a separate Part 2 patient notice under 42 CFR 2.22, HHS commentary accompanying the new rule confirms the Part 2 notice requirements may be combined with an NPP so long as the NPP contains all the information required by 42 CFR 2.22. This is an important drafting and operational point. Covered entities should confirm whether they process Part 2 records and whether they intend to rely on a combined notice approach.
If the permissible uses or disclosures described in the NPP are limited by other laws more restrictive than HIPAA (for example, Part 2), the description of such uses or disclosures must reflect the more stringent law. Similarly, if another law permits or requires disclosures of the information, the description of uses and disclosures in the NPP must include sufficient detail to place the individual on notice of uses and disclosures permitted or required by HIPAA and other applicable law, including Part 2.
Under the new regulations, if a covered entity processing Part 2 records intends to use or disclose such records to fundraise for its own benefit, the covered entity must first provide individuals with a clear and conspicuous opportunity to elect not to receive any fundraising communications.
An NPP update, standing alone, does not itself create a separate legal obligation to amend business associate agreements (BAAs). However, if a business associate (or subcontractor) will process Part 2 records in connection with performing services for the covered entity, the covered entity should update BAAs and applicable vendor terms to contractually bind the business associate to comply with Part 2 requirements applicable to those records. This language may provide, for example:
Business Associate acknowledges and agrees that records subject to 42 CFR Part 2 (“Part 2”) may be used and disclosed only in compliance with Part 2, including limitations on disclosures for law enforcement purposes and requirements for any court-ordered disclosure. Business Associate shall use and disclose such records only as permitted by Part 2 and any applicable patient consent and shall include any required prohibition on redisclosure notice with permitted disclosures.
Updating an NPP is rarely a simple drafting exercise, often requiring coordination across legal, compliance, privacy, IT, and operational teams to ensure notice language aligns with real-world data use and disclosure practices. In some cases, updating the NPP may also necessitate changes to internal policies, consent workflows, training materials, or vendor arrangements.
Regulators continue to focus on transparency and accuracy in privacy disclosures, particularly where sensitive health information is involved. Early planning may help organizations avoid compressed timelines and reduce compliance risk as the deadline approaches.
Covered entities should also anticipate that Part 2 notice updates may affect downstream operational activities, including (i) subpoena response and litigation holds; (ii) fundraising; (iii) consent management and electronic capture; and (iv) vendor onboarding and contracting. These issues are frequently cross-functional and may benefit from early alignment.
As a starting point, covered entities should determine whether they receive or maintain Part 2-protected information in any part of their operations. Organizations should then assess whether their current NPP adequately describes the handling of SUD records under the revised Part 2 framework and identify any targeted updates needed to meet the new requirements.
In parallel, covered entities should inventory vendors and business associates that may handle Part 2 records and determine whether BAAs, service agreements, and subcontractor terms need targeted Part 2 updates to support compliant handling and redisclosure.
The HHS Part 2 final rule represents a significant shift in how SUD records are regulated and communicated to patients. Updating HIPAA NPP by February 16, 2026, is a critical component of compliance and one that may affect a broader range of organizations than expected. Beginning this process now may help ensure smoother implementation and reduce regulatory risk under the revised Part 2 and HIPAA landscape.
Because Part 2 operates as a “more stringent” law in key areas, covered entities should not assume that an existing HIPAA-compliant NPP adequately covers Part 2 requirements. Targeted drafting, operational readiness, and vendor alignment may be necessary.
Any HIPAA covered entity processing SUD records protected under 42 CFR Part 2, even if it is not an SUD treatment program, must update their NPP. Covered entities that receive or maintain Part 2 records should also review their NPP and operational practices to ensure their use and disclosure descriptions reflect Part 2’s more stringent rules.
Any HIPAA covered entity processing SUD records protected under 42 CFR Part 2, even if it is not an SUD treatment program, must update their NPP. Covered entities that receive or maintain Part 2 records should also review their NPP and operational practices to ensure their use and disclosure descriptions reflect Part 2’s more stringent rules.
Covered entities must update their NPP by February 16, 2026.
Covered entities must update their NPP by February 16, 2026.
The rule aligns key aspects of 42 CFR Part 2 with HIPAA and requires covered entities to clearly describe how Part 2-protected records may be used and disclosed and to provide notice of individual rights and covered entity duties regarding Part 2 records, including limitations on use and disclosure for proceedings and other Part 2-specific restrictions.
The rule aligns key aspects of 42 CFR Part 2 with HIPAA and requires covered entities to clearly describe how Part 2-protected records may be used and disclosed and to provide notice of individual rights and covered entity duties regarding Part 2 records, including limitations on use and disclosure for proceedings and other Part 2-specific restrictions.
An updated NPP must accurately describe the use and disclosure of Part 2-protected SUD records and reflect applicable patient rights and disclosure limitations. It must also include a separate statement regarding limits on use or disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings against the individual, unless based on written consent or a qualifying court order.
An updated NPP must accurately describe the use and disclosure of Part 2-protected SUD records and reflect applicable patient rights and disclosure limitations. It must also include a separate statement regarding limits on use or disclosure of Part 2 records in civil, criminal, administrative, or legislative proceedings against the individual, unless based on written consent or a qualifying court order.
Yes. Many HIPAA-compliant notices do not address Part 2’s protections and targeted updates may be required.
Yes. Many HIPAA-compliant notices do not address Part 2’s protections and targeted updates may be required.
BAAs do not need to be updated solely because the NPP is updated. However, if business associates or subcontractors handle Part 2 records, covered entities should update BAAs and related vendor terms to contractually bind those parties to comply with applicable Part 2 requirements for those records.
BAAs do not need to be updated solely because the NPP is updated. However, if business associates or subcontractors handle Part 2 records, covered entities should update BAAs and related vendor terms to contractually bind those parties to comply with applicable Part 2 requirements for those records.
Covered entities should confirm whether Part 2 records are present in their operations and begin reviewing and planning updates to their NPP well before the February 2026 deadline. They should also identify vendors and business associates that handle Part 2 records and assess whether contract updates, consent workflows, training, and subpoena response procedures need adjustment to align with the new Part 2 framework.
Covered entities should confirm whether Part 2 records are present in their operations and begin reviewing and planning updates to their NPP well before the February 2026 deadline. They should also identify vendors and business associates that handle Part 2 records and assess whether contract updates, consent workflows, training, and subpoena response procedures need adjustment to align with the new Part 2 framework.