42 CFR Part 2 Final Rule: What Changed for SUD Programs on February 16, 2026
The final rule aligning 42 CFR Part 2 with HIPAA went into effect on February 16, 2026. For SUD treatment programs, this is the most significant change to patient record confidentiality rules in over 50 years. The rule replaces the fragmented, program-by-program consent model with a single consent for treatment, payment, and health care operations, brings SUD records under HIPAA breach notification requirements, and hands enforcement authority to OCR. This article breaks down exactly what changed, what still applies, what your compliance and billing teams need to do, and how your EHR configuration must adapt.
What Changed on February 16, 2026
- Single consent for TPO: Patients sign one consent form covering treatment, payment, and health care operations disclosures. No more program-by-program consent forms for each provider in the care network.
- HIPAA breach notification applies: SUD programs must now follow the same breach notification timelines and procedures as all HIPAA-covered entities.
- OCR enforcement begins: HHS Office for Civil Rights now accepts complaints and imposes civil monetary penalties for Part 2 violations.
- Simplified redisclosure notice: The prohibition-on-redisclosure notice is shorter and standardized, though still required on all disclosures.
- Criminal proceeding protection preserved: Part 2 records still cannot be used against patients in criminal, civil, or administrative proceedings. This key protection did not change.
Effective Date: February 16, 2026
This rule is now in effect. SUD treatment programs that have not updated consent forms, breach notification procedures, and EHR configurations are currently operating out of compliance. OCR is accepting complaints as of the effective date.
Background: Why 42 CFR Part 2 Existed Separately from HIPAA
42 CFR Part 2 was originally enacted in the 1970s to protect patients seeking treatment for substance use disorders from the stigma and legal consequences of having their treatment records disclosed. At the time, individuals entering federally assisted SUD programs faced real risk that their records could be subpoenaed for criminal prosecution, used to deny employment, or disclosed to insurance companies that would refuse coverage. The regulation created a consent framework far more restrictive than general medical records: every disclosure required patient-specific, program-specific written consent naming the exact recipient and purpose.
When HIPAA was enacted in 1996 and its Privacy Rule took effect in 2003, it created a general framework for health information privacy that allowed covered entities to use and disclose protected health information for treatment, payment, and health care operations without individual patient authorization. Part 2 was explicitly excluded from HIPAA alignment. SUD records remained under their own, stricter regime. This created a two-track system where a patient's therapy notes for depression could be shared under HIPAA for billing purposes, but that same patient's SUD counseling notes in the same facility required separate written consent before the billing department could include a SUD diagnosis on a claim.
For decades, the behavioral health industry, patient advocates, and policymakers debated whether Part 2's heightened protections helped or harmed patients. The consent burden made it difficult to coordinate care across providers, created billing delays when consent forms were missing or expired, and led to fragmented medical records where SUD treatment history was invisible to emergency departments, primary care physicians, and other providers making clinical decisions.
The CARES Act of 2020 directed HHS to align Part 2 with HIPAA while preserving the criminal proceeding protections. The proposed rule was published in November 2023, and the final rule was published in the Federal Register on February 16, 2024 (89 FR 12472), with an effective date of February 16, 2026, giving programs a two-year implementation window that has now closed.
What Changed: The Five Major Shifts
1. Single Consent for Treatment, Payment, and Health Care Operations
This is the change with the most immediate operational impact. Under the old Part 2 framework, a patient entering an SUD program had to sign consent forms for every entity that would receive their records: the referring physician, the lab running drug screens, the pharmacy dispensing MAT medications, the insurance company processing claims, the utilization review company conducting concurrent reviews, and any other provider involved in care coordination. Each consent had to name the specific recipient, the purpose, the types of information to be disclosed, and the expiration date.
Under the new rule, patients can sign a single written consent authorizing the Part 2 program to disclose their records for TPO, the same three categories that HIPAA uses. This one consent covers the entire care and billing network. The program no longer needs to obtain separate consents for each payer, each referring provider, or each care coordination partner, as long as the disclosure falls within TPO.
Critical details for implementation:
- Consent is still required: The rule does not eliminate consent. It simplifies it. Patients must still provide written consent before Part 2 records can be disclosed for TPO. The difference is that one consent now covers all TPO disclosures rather than requiring a separate form for each recipient.
- Non-TPO disclosures still require specific consent: Disclosures that fall outside TPO, such as disclosures to employers, for research purposes, or to family members, still require separate written consent with specific recipient and purpose identification.
- Existing consents remain valid: Programs do not need to re-obtain consent from current patients who have already signed program-specific consent forms. Those consents remain valid for the purposes they authorize. However, programs should transition new patients to the single TPO consent form going forward.
- Right to revoke: Patients retain the right to revoke consent at any time. Revocation must be in writing and applies prospectively, not retroactively. Programs must have a clear revocation process and must be able to halt disclosures promptly when consent is revoked.
2. HIPAA Breach Notification Requirements Now Apply
Before the final rule, Part 2 had no formal breach notification requirement. If a program improperly disclosed SUD records, the patient might never know. The new rule changes this by extending the HIPAA Breach Notification Rule (45 CFR Parts 160 and 164, Subpart D) to Part 2 records.
This means SUD programs must now:
- Conduct breach risk assessments: When an impermissible disclosure of Part 2 records occurs, the program must assess whether the disclosure constitutes a breach under HIPAA standards. An impermissible disclosure is presumed to be a breach unless the program can demonstrate a low probability that the information was compromised.
- Notify affected individuals within 60 days: If a breach is confirmed, the program must notify each affected individual by first-class mail or email (if the individual has agreed to electronic notice) within 60 calendar days of discovering the breach.
- Notify HHS: Breaches affecting 500 or more individuals require immediate notification to HHS and to prominent media outlets in the affected state or jurisdiction. Breaches affecting fewer than 500 individuals must be reported to HHS within 60 days of the end of the calendar year in which the breach was discovered.
- Maintain a breach log: Programs must maintain a log of all breaches affecting fewer than 500 individuals and submit it to HHS annually.
For many standalone SUD programs, particularly those that were not previously HIPAA-covered entities (because they did not conduct electronic transactions), this is entirely new infrastructure. These programs must now build breach detection processes, investigation procedures, notification letter templates, and HHS reporting workflows where none previously existed.
3. OCR Enforcement Authority
Under the old regime, Part 2 enforcement was handled by SAMHSA and the Department of Justice. Enforcement actions were rare. SAMHSA had limited investigative resources, and the enforcement mechanisms were primarily criminal referrals, which created a high bar for action.
The final rule transfers enforcement authority to OCR, which already enforces HIPAA. This is significant for three reasons:
- Complaint-driven investigations: OCR accepts and investigates individual complaints. Any patient, employee, or third party can file a complaint alleging a Part 2 violation, and OCR will investigate. This is a much lower bar than criminal referral.
- Civil monetary penalties: OCR can impose tiered civil monetary penalties consistent with the HIPAA penalty structure. For 2026, penalties range from $141 per violation for unknowing violations (capped at approximately $35,581 per year for identical violations) up to $2,134,831 per violation category per year for willful neglect not corrected within 30 days.
- Resolution agreements: OCR can enter into resolution agreements (settlements) that require programs to implement corrective action plans, submit to monitoring, and pay settlement amounts. HIPAA resolution agreements have ranged from tens of thousands to millions of dollars.
4. Simplified Redisclosure Notice
The old Part 2 redisclosure notice was a lengthy prohibition statement that had to accompany every disclosure and inform the recipient that they could not further disclose the information without separate patient consent. The language was specific and prescriptive, and failure to include the exact notice language was itself a Part 2 violation.
The final rule replaces this with a simplified notice that states the records are protected by federal law and that the recipient cannot use or disclose them in proceedings against the patient. The new notice is shorter, can be standardized across all communications, and can be embedded in electronic transmissions (including claim attachments and health information exchange messages) as a standard footer or header.
The key operational point: the redisclosure notice is still required. Programs that stop including it because they heard Part 2 was "aligned with HIPAA" will be in violation. The notice is simplified, not eliminated.
5. Anti-Discrimination Protections
The final rule adds an explicit prohibition against discrimination based on Part 2 records. Health plans, providers, and other entities that receive Part 2 records through the TPO consent cannot use that information to deny treatment, refuse to provide services, or impose different terms or conditions on the patient. This codifies protections that were implicit in the old Part 2 framework but were not explicitly stated.
For health plans, this means that receiving a patient's SUD treatment history through the TPO consent cannot be used to deny coverage, impose higher premiums, or limit benefits. For providers, it means that a patient's SUD history cannot be used as a basis for refusing to provide care.
What Did Not Change
Several core Part 2 protections remain unchanged, and these distinctions are important because they represent the ways in which Part 2 continues to provide stronger protections than HIPAA:
- Criminal proceeding prohibition: Part 2 records cannot be used to investigate or prosecute a patient in criminal, civil, or administrative proceedings. This is the foundational protection that has existed since the 1970s and is not affected by HIPAA alignment. HIPAA provides no equivalent protection.
- Consent requirement: Unlike HIPAA, which permits TPO disclosures without individual authorization, Part 2 still requires written consent for TPO disclosures. The consent is simplified (one form instead of many), but it is still required. A Part 2 program cannot disclose records for billing without a signed consent on file.
- Federally assisted program scope: Part 2 continues to apply to federally assisted programs, which includes any program that receives federal funding, is registered as an opioid treatment program, or is assisted by the federal government in any way. The scope of covered programs has not changed.
- Medical emergency exception: Part 2 continues to permit disclosure without consent in bona fide medical emergencies where the patient is unable to consent. The emergency must pose an immediate threat to health, and the disclosure must be limited to what is necessary for treatment.
What Your Billing Team Needs to Do
The Part 2 changes have direct operational implications for revenue cycle workflows. These are the specific action items for RCM teams:
- Update consent forms immediately. Replace program-specific, recipient-specific consent forms with the new single TPO consent form. The new form must clearly state that the patient is authorizing disclosure of Part 2 records for treatment, payment, and health care operations. Work with legal counsel to draft the new form and ensure it meets both Part 2 and any state-specific requirements. Deploy the new form at all intake points.
- Verify consent status before claim submission. Build a pre-claim verification step that checks whether the patient has a signed TPO consent on file before releasing claims containing SUD diagnosis codes or SUD-related procedure codes. Claims submitted without a valid consent are now subject to OCR enforcement and civil monetary penalties, not just payer denials.
- Update redisclosure notice on all outbound communications. Ensure the new simplified redisclosure notice text is embedded in claim attachments, clinical record transmissions, health information exchange messages, and any other electronic or paper disclosures of Part 2 records. Work with your clearinghouse to verify that the notice is included in electronic claim transactions where SUD-related information is present.
- Train billing staff on the new consent model. Billing staff who were accustomed to checking for recipient-specific consents need to understand the new TPO consent framework. Training should cover which disclosures are covered by the TPO consent, which disclosures still require specific consent, how to verify consent status in the EHR, and what to do when consent has been revoked.
- Update Business Associate Agreements (BAAs). Review and update BAAs with clearinghouses, billing services, practice management vendors, and any other business associates that handle Part 2 records. BAAs must now explicitly include Part 2 obligations, including the breach notification requirements and the prohibition on using Part 2 records in proceedings against patients.
- Designate a breach response team and build a response plan. If your organization does not already have a HIPAA breach response plan, you need one now. If you do, it needs to be updated to explicitly include Part 2 records. The response plan should identify who conducts breach risk assessments, who authorizes notifications, what the notification letter templates say, and how HHS reporting is handled.
- Audit current consent inventory. For existing patients, audit consent forms currently on file. Determine whether existing consents are sufficient to cover ongoing TPO disclosures or whether new TPO consents should be obtained at the next encounter. While existing consents remain technically valid, transitioning all patients to the new form reduces compliance risk and simplifies consent management.
Revenue and Financial Impact
The financial impact of the Part 2 final rule is mixed. The single TPO consent eliminates one of the most common causes of billing delays in SUD treatment: missing or expired consent forms.
Revenue Impact Estimates
Industry data from SAMHSA-funded analyses estimates that the old Part 2 consent requirements contributed to 8% to 12% of SUD claim denials, primarily due to missing consent documentation. For a mid-size SUD program billing $3 million annually, that translates to $240,000 to $360,000 in preventable denials per year. The single TPO consent should significantly reduce these denials, though the exact improvement depends on how quickly programs implement the new consent workflow.
On the positive side:
- Fewer claim denials from missing consents: The single TPO consent eliminates the scenario where a claim is denied because the program had consent for the payer but not for the specific utilization review company the payer uses. One consent covers the entire TPO chain.
- Faster claims submission: Billing teams no longer need to verify that a consent exists for each specific recipient in the billing chain. This reduces the pre-claim verification workload and accelerates the claim-to-submission timeline.
- Improved care coordination revenue: Behavioral health integration and collaborative care models (such as CoCM billing under CPT 99492-99494) require information sharing between the SUD program, psychiatric consultant, and primary care provider. The single TPO consent makes these billing models more practical for SUD programs.
On the cost side:
- Breach notification infrastructure: Programs that did not previously have HIPAA breach notification processes will incur costs to build them. Estimated implementation costs for a standalone SUD program range from $15,000 to $50,000 for policy development, staff training, template creation, and technical implementation.
- EHR configuration updates: Programs may incur costs for EHR configuration changes to support granular consent tracking, updated audit trails, and breach notification workflows. Vendor costs vary; some EHR vendors have included Part 2 compliance features at no additional charge, while others are pricing them as add-on modules.
- Penalty exposure: The shift to OCR enforcement introduces financial penalty exposure that did not practically exist before. Programs that delay compliance are now at risk of civil monetary penalties, not just theoretical criminal referral.
EHR and Technology Implications
Your EHR system is the operational backbone for Part 2 compliance. The following capabilities are now essential, not optional, for any EHR serving SUD programs. For a comprehensive technical implementation guide, see our 42 CFR Part 2 Compliance Guide for EHR Systems.
- Granular consent management: The EHR must track the patient's TPO consent status, the date of consent, and any revocations. It should prevent claim submission for patients without an active TPO consent. For non-TPO disclosures, the system must support specific-purpose consent forms with named recipients, purposes, and expiration dates. EHR platforms like AZZLY Rize include built-in Part 2 consent tracking that maps consent status to the billing workflow, preventing claims from being released when consent is missing or expired.
- Audit trail for Part 2 records: The EHR must maintain a comprehensive audit trail of every access to and disclosure of Part 2 records, including who accessed the record, when, and for what purpose. This audit trail is critical for breach investigations and for responding to OCR complaints. The trail must be tamper-evident and retained for at least six years.
- Breach detection and notification workflow: The EHR should support breach incident logging, risk assessment documentation, affected individual identification, notification letter generation, and HHS reporting. Some EHR platforms integrate breach management into their compliance module; others require a separate tool.
- Record segmentation: For patients who have not consented to TPO disclosure, or who have revoked consent, the EHR must be able to segment SUD records so they are not visible to users or systems that do not have a permissible basis for access. This is technically challenging but required.
- Redisclosure notice automation: The EHR should automatically append the simplified redisclosure notice to all electronic disclosures of Part 2 records, including outbound clinical documents, claims attachments, and health information exchange transactions.
- Business associate tracking: The EHR vendor itself is a business associate handling Part 2 records. Programs should verify that their EHR vendor's BAA has been updated to reflect Part 2 obligations and that the vendor's security practices meet HIPAA standards for Part 2 data.
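As an added example (not the article's own code and not any EHR vendor's), here is the pre-claim consent gate the billing section calls for, combined with the consent tracking, redisclosure-notice automation and tamper-evident audit trail listed above: one TPO consent covers payment disclosures, non-TPO purposes need a consent naming the recipient, revocation applies prospectively, and every decision is written to a hash-chained log. Assumed: ICD-10 codes F10-F19 identify SUD content, the notice text is a placeholder for the regulatory wording, and all consents and claims are constructed in-memory samples.

```python
"""Consent-gated release of Part 2 records with a tamper-evident audit trail.

Added illustration, not code from the original article or any EHR vendor.
Assumptions: consents and claims are small in-memory records, SUD content is
recognised by ICD-10 F10-F19 codes, and the notice text is a placeholder.
"""
import hashlib
import json
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

TPO_PURPOSES = {"treatment", "payment", "health care operations"}
# Placeholder; the program's counsel supplies the actual notice language.
REDISCLOSURE_NOTICE = "[Simplified 42 CFR Part 2 redisclosure notice goes here]"


@dataclass
class Consent:
    purpose: str                      # "TPO" or a specific non-TPO purpose
    signed: date
    recipient: Optional[str] = None   # required for non-TPO consents
    expires: Optional[date] = None
    revoked: Optional[date] = None    # revocation applies prospectively

    def covers(self, purpose: str, recipient: str, on: date) -> bool:
        if on < self.signed or (self.expires and on > self.expires):
            return False
        if self.revoked and on >= self.revoked:   # blocked from the revocation day on
            return False
        if self.purpose == "TPO":                 # one consent covers the whole TPO chain
            return purpose in TPO_PURPOSES
        return purpose == self.purpose and recipient == self.recipient


def is_sud_code(icd10: str) -> bool:
    """ICD-10 F10-F19: disorders due to psychoactive substance use."""
    return icd10[:1] == "F" and icd10[1:3].isdigit() and 10 <= int(icd10[1:3]) <= 19


def check_disclosure(consents, diagnoses, purpose, recipient, on):
    """Return (allowed, reason). Records without SUD content need no Part 2 consent."""
    if not any(is_sud_code(c) for c in diagnoses):
        return True, "no Part 2 content"
    for c in consents:
        if c.covers(purpose, recipient, on):
            return True, f"covered by {c.purpose} consent signed {c.signed}"
    return False, f"no active consent for {purpose} to {recipient}"


@dataclass
class AuditTrail:
    """Hash-chained log: editing or deleting any entry makes verify() fail."""
    entries: list = field(default_factory=list)

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def record(self, **body) -> str:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        digest = self._digest(prev, body)
        self.entries.append({**body, "prev": prev, "hash": digest})
        return digest

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, body):
                return False
            prev = e["hash"]
        return True


def release_claim(claim, consents, trail, on):
    """Pre-claim gate: log the decision, block unconsented SUD claims, append the notice."""
    allowed, reason = check_disclosure(consents, claim["diagnoses"], "payment", claim["payer"], on)
    trail.record(patient=claim["patient"], purpose="payment", recipient=claim["payer"],
                 on=on.isoformat(), allowed=allowed, reason=reason)
    if not allowed:
        return None
    released = dict(claim)
    if any(is_sud_code(c) for c in claim["diagnoses"]):
        released["notice"] = REDISCLOSURE_NOTICE
    return released
```

The blocked claim is still logged, so a later OCR complaint or breach investigation can show that the gate fired rather than only that nothing went out.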
State-Level Considerations
The final rule establishes a federal floor, but several states have enacted or are considering additional protections for SUD records that exceed the federal requirements. Programs must comply with whichever standard is more protective of the patient.
- California: The California Confidentiality of Medical Information Act (CMIA) imposes additional consent requirements that may exceed the new Part 2 TPO consent in some circumstances. California SUD programs should review whether the federal TPO consent satisfies CMIA requirements or whether a state-specific supplement is needed.
- New York: New York Mental Hygiene Law Section 33.13 provides additional protections for SUD records that require careful analysis against the new Part 2 framework.
- Connecticut: Connecticut has historically maintained heightened confidentiality protections for SUD and mental health records. Programs operating in Connecticut should verify compliance with both Part 2 and state confidentiality statutes.
- Multi-state programs: Organizations operating SUD programs across multiple states must analyze state-by-state requirements and implement consent forms and workflows that satisfy the most restrictive applicable standard in each state.
Frequently Asked Questions
What is the single consent for TPO under the new 42 CFR Part 2 rule?
Under the final rule effective February 16, 2026, patients in SUD treatment programs can sign a single consent form that authorizes disclosure of their Part 2 records for treatment, payment, and health care operations. Previously, Part 2 required separate, program-specific consent for each entity that would receive the records. The new single consent mirrors HIPAA consent standards and eliminates the need for patients to sign dozens of individual consent forms. Programs must still obtain written consent, but one consent now covers all TPO disclosures.
Do SUD programs now have to follow HIPAA breach notification rules?
Yes. Effective February 16, 2026, Part 2 programs must comply with the HIPAA Breach Notification Rule. Breaches affecting 500 or more individuals require notification to HHS, affected individuals, and prominent media outlets within 60 days. Breaches affecting fewer than 500 individuals require individual notification within 60 days and annual reporting to HHS. Programs that were not previously HIPAA-covered entities may need to build breach notification infrastructure from scratch.
Can SUD treatment records still be used against patients in criminal proceedings?
No. The prohibition on using Part 2 records in criminal, civil, or administrative proceedings against the patient remains fully intact. This is a critical distinction from HIPAA, which does not provide this protection. Even though Part 2 is now aligned with HIPAA for consent and breach notification, the criminal proceeding protections continue unchanged. Courts cannot subpoena Part 2 records to use against a patient.
What does the new redisclosure notice requirement look like?
The final rule simplifies the redisclosure notice. The new notice states that the records are protected by federal law and that the recipient is prohibited from using or disclosing the information in proceedings against the patient without specific consent or a court order. The notice must still accompany all disclosures, but it is shorter and can be standardized across all Part 2 communications. Programs should not stop including the notice; it is simplified, not eliminated.
How does OCR enforcement of Part 2 work now?
As of February 16, 2026, the HHS Office for Civil Rights has enforcement authority over Part 2 violations. OCR accepts complaints from any individual, investigates allegations, and can impose civil monetary penalties ranging from $141 per violation for unknowing violations up to approximately $2.13 million per violation category per year for willful neglect not corrected. OCR can also enter into resolution agreements requiring corrective action plans and monitoring. This represents a dramatic increase in enforcement capacity compared to the previous SAMHSA-led regime.
What EHR changes do SUD programs need to make before the compliance deadline?
SUD programs need their EHR systems to support granular consent tracking (recording the single TPO consent and any specific-purpose consents), comprehensive audit trails for Part 2 records, breach detection and notification workflows, updated redisclosure notice templates, and record segmentation for patients without active consent. Programs should also verify that their EHR vendor's business associate agreements include Part 2 obligations. For detailed EHR configuration guidance, see our 42 CFR Part 2 Compliance Guide for EHR Systems.
Editorial Standards
Methodology
- Final rule text (89 FR 12472) reviewed in full and compared against pre-existing 42 CFR Part 2 regulatory text
- SAMHSA Part 2 technical assistance resources and FAQ documents reviewed for implementation guidance
- HHS OCR enforcement guidance and penalty adjustment notices reviewed for current penalty amounts
- State confidentiality statutes cross-referenced for multi-state compliance considerations