The U.S. Department of Health and Human Services finalized updates to 42 CFR Part 2 aligning Substance Use Disorder (SUD) confidentiality requirements with HIPAA. For SUD programs and adjacent providers (pain management, HHA, DME, assisted living/SNF), this is a fundamental shift: broader consent options, redisclosure controls, HIPAA-style breach notification, and penalties. The compliance deadline—February 16, 2026—will arrive faster than most realize.
What changed
- One consent for TPO. Patients can grant a single, broad consent for Treatment, Payment, and Operations—reducing friction while preserving control.
- Redisclosure rules clarified. Disclosures must carry no-redisclosure notices; downstream recipients must respect Part 2 protections.
- HIPAA breach standards apply. Part 2 programs now follow HIPAA-style breach notification (timelines, content, and documentation).
- Counseling notes require separate consent. SUD counseling notes receive heightened protection.
- Penalties standardized. Enforcement and penalties are harmonized with HIPAA expectations.
What’s at stake
- Regulatory exposure: Failure to meet Part 2 obligations now carries HIPAA-level consequences.
- Insurance readiness: Underwriters are asking for evidence—policies, logs, breach drills, training.
- Patient trust: SUD carries stigma; strong privacy practices protect patients and your mission.
- Operational continuity: A breach or disclosure misstep stalls care, invites investigations, and strains finances.
What to do first (60-day starter plan)
Weeks 0–2: Policy, consent, and tracking
- Update privacy/consent templates: TPO consent + separate consent for counseling notes.
- Add redisclosure language to all outbound communications.
- Implement a disclosure tracking log (who, when, purpose, authority).
Weeks 3–6: Safeguards and training
- Enforce role-based access and encryption (at rest and in transit).
- Add application allowlisting (e.g., ThreatLocker) to reduce ransomware and unauthorized access.
- Deliver role-based training (front desk, clinicians, billing, IT, leadership). Track completion.
Weeks 7–8: Prove readiness
- Run a tabletop exercise that simulates a Part 2 breach, including patient notification and redisclosure checks.
- Capture artifacts: decision logs, notification drafts, recovery evidence, and a board summary.
Avoiding the four common pitfalls
- Treating Part 2 as “just HIPAA.” The rules align—but redisclosure and counseling notes add unique obligations.
- No central disclosure log. Regulators and insurers will expect reliable audit trails.
- Training only once. Annual refresh plus onboarding is the minimum; track it.
- Delaying the tabletop. A live drill reveals gaps quickly and gives your board confidence.
How Huntleigh helps
- Policy & Consent Pack (Part 2 + HIPAA updates)
- Disclosure Tracking tools and templates
- Breach Playbook + Tabletop with insurer-ready artifacts
- Technical safeguards (encryption, access control, allowlisting)
- Training & dashboards for board-level oversight
Don’t wait until 2026. Book a Part 2 Readiness Assessment and get your tailored plan in two weeks.