From HIPAA to Part 2: Preparing for OCR’s New Role in Substance Use Disorder Privacy

by | Sep 4, 2025 | Announcements, General Business, HIPAA and Security for Clinicians |

On August 26, 2025, the Office for Civil Rights (OCR) announced a significant update: it is now empowered to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations (42 CFR Part 2). This delegation of authority from HHS Secretary Robert F. Kennedy, Jr. means that OCR—the same agency that enforces HIPAA—is officially the regulator for Part 2 as well.

This change has important implications for behavioral health providers, private practices, and clinics. Here’s what you need to know.

 

What is Part 2, and How Does it Differ from HIPAA?

HIPAA protects the privacy of all protected health information (PHI), but Part 2 goes further when it comes to records related to substance use disorder treatment. The intent is to prevent stigma, discrimination, and potential misuse of SUD treatment information.

The difference:

  • HIPAA: Applies broadly to all PHI, with established pathways for treatment, payment, and operations (TPO) sharing.
  • Part 2: Historically had much stricter consent and redisclosure rules for SUD records, making coordination of care more challenging.

Who is Subject to Part 2?

Not every provider is automatically subject to Part 2. The rule applies to:

  • Part 2 Programs: Federally assisted individuals or entities that provide SUD diagnosis, treatment, or referral for treatment.

     

  • Specialized Practices/Clinics: Private practices that advertise, market, or license themselves as SUD-focused, or whose core services are primarily substance use treatment.

     

  • Hospital Units/Staff: Distinct SUD units within general facilities, or staff members whose primary role is SUD treatment.

     

  • Lawful Holders: Any provider or entity that receives SUD records from a Part 2 program with patient consent or under an allowed exception.

     

Who is Not Subject to Part 2?

  • General practices or clinicians who only incidentally treat substance use alongside other issues (e.g., trauma, anxiety, depression).

     

  • Providers who don’t advertise or license themselves as SUD programs.

     

  • General hospital staff outside of SUD units.

     

  • Peer support groups like AA/NA unless they are operated as federally assisted programs.

     

  • Non-clinical entities without diagnostic, treatment, or referral functions.

     

⚠️ Reminder: Even if you’re not a Part 2 program, you may still become a lawful holder if you receive SUD treatment records.

What is a Lawful Holder?

A lawful holder is any individual, practice, or organization that receives Part 2-protected records from a Part 2 program — typically with client consent or under a specific permitted exception.

How You Become a Lawful Holder

  • You are sent SUD treatment records from a Part 2 program as part of a care coordination, referral, or collaboration process.

  • You request and receive records for continuity of care or treatment planning.

  • You obtain records for payment or health care operations under a valid consent.

What This Means Under the Final Rule

  • Redisclosure Rules Aligned with HIPAA: Once you have valid client consent, you can redisclose those records in the same way you would other PHI under HIPAA’s Privacy Rule.

  • Notice of Redisclosure Required: Clients must be notified when their Part 2 records are redisclosed and that they are now protected under HIPAA instead of Part 2.

  • Compliance Responsibilities: Lawful holders must update policies, breach response procedures, and staff training to account for the new redisclosure rules.

For the majority of the Person Centered Tech (PCT) community, being a lawful holder is the most likely status. Most practices do not specialize in SUD treatment, but many will receive records that fall under Part 2. Understanding and applying the lawful holder rules is therefore a critical step in compliance.

What Changed in the 2024 Final Rule?

The 2024 Final Rule aligned Part 2 more closely with HIPAA while still keeping strong confidentiality protections. Key changes include:

  • One-Time Broad Consent: Clients can give a single written consent for their SUD records to be used/disclosed for TPO.

     

  • Redisclosure Under HIPAA: Once consent is given, HIPAA-covered entities and business associates may redisclose records in line with HIPAA’s Privacy Rule.

     

  • Notice of Redisclosure: Patients must be informed that redisclosed records are protected by HIPAA, not Part 2.

     

  • Legal Protections: Records remain barred from use in legal proceedings without patient consent or a court order.

     

  • Breach Notification: Part 2 programs must follow HIPAA’s breach notification requirements.

     

  • Civil Enforcement: OCR can now impose penalties, settlements, and corrective action plans for violations.

     

Compliance Deadline: Providers must comply by February 16, 2026.

 

What OCR Enforcement Means for Providers

With OCR now in charge:

  • Enforcement is real: Penalties and investigations are on the table for violations.

     

  • Compliance prep is urgent: Don’t wait until 2026—start updating now.

     

  • Operational updates: Providers should review and update consent forms, privacy notices, breach response plans, and staff training.

     

Reduced barriers: For lawful holders especially, the new redisclosure rules make it easier to manage SUD records consistently alongside HIPAA.

Key Takeaways for Practices

  1. Assess Your Status: Are you a Part 2 program, a lawful holder, or neither? Use the decision-tree checklist to clarify.

  2. Update Your Compliance Program: Consent forms, policies, breach plans, and training all need review.

  3. Know the Deadline: February 16, 2026, is the enforcement date.

  4. See the Opportunity: These changes simplify compliance and improve care coordination—while keeping client trust at the center.

The alignment of Part 2 with HIPAA and the delegation of enforcement to OCR mark a turning point. Instead of being a source of anxiety and barriers, these changes make confidentiality rules more manageable for providers — while still giving clients strong protections and clear complaint rights.

For most practices, the bottom line is: understand whether you’re a Part 2 program or a lawful holder, and update your compliance program accordingly.

Don’t miss our Part 2 Decision Tree Checklist for an easy way to determine your status and next steps.


v2.10.0

Continuing Education National Approvals

Person Centered Tech Incorporated has been approved by NBCC as an Approved Continuing Education Provider, ACEP No. 6582. Programs that do not qualify for NBCC credit are clearly identified. Person Centered Tech Incorporated is solely responsible for all aspects of the programs.

Person Centered Tech Incorporated is approved by the American Psychological Association to sponsor continuing education for psychologists. Person Centered Tech Incorporated maintains responsibility for this program and its content.

Continuing Education State Approvals

  • Person Centered Tech is an approved provider continuing education provider with the Florida Board of Clinical Social Work, Marriage and Family Therapy and Mental Health Counseling. CE Broker Provider #50-23706.
  • Ohio Counselor, Social Worker, and Marriage and Family Therapist Board accepts continuing education credits from providers approved by the Florida Board of Clinical Social Work, Marriage and Family Therapy and Mental Health.
  • Person-Centered Tech Incorporated is recognized by the New York State Education Department's State Board for Social Work as an approved provider of continuing education for licensed social workers #SW-0540 and the State Board for Mental Health Practitioners as an approved provider of continuing education for licensed marriage and family therapists #MFT-0092, licensed mental health counselors #MHC-0210 and licensed psychoanalysts #P-0050 and the State Board for Psychology as an approved provider of continuing education for licensed psychologists #PSY-0068.

Policies and Terms

Training Resources

About Us

Email: [email protected]

Customer Service Hours: M-F 9AM-3PM PST

Address:
Person Centered Tech Incorporated
PO Box 42494
Portland, OR 97242

Where's our phone number?

Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss

jQuery( document ).ready(function() { if (typeof Boxzilla !== 'undefined' && Boxzilla !== null) { Boxzilla.on('box.show', function(box) { window[ gtm4wp_datalayer_name ].push({ 'event': 'Boxzilla.show', }); }); Boxzilla.on('box.dismiss', function(box) { window[ gtm4wp_datalayer_name ].push({ 'event': 'Boxzilla.dismiss', }); }); Boxzilla.on('box.hide', function(box) { window[ gtm4wp_datalayer_name ].push({ 'event': 'Boxzilla.hide', }); }); Boxzilla.on('ready', function(box) { window[ gtm4wp_datalayer_name ].push({ 'event': 'Boxzilla.ready', }); }); } });