New rules under 42 CFR Part 2 change how Substance Use Disorder (SUD) records can be shared and protected. Most organizations must comply with these changes by February 16, 2026.
These updates affect consent forms, EHR workflows, staff training, and vendor agreements. This article explains what has changed, who it applies to, and what steps you should take to prepare.
Final Rule Compliance Deadline: February 16, 2026
Authority: CARES Act §3221; 42 CFR Part 2 Final Rule (Jan. 3, 2024)
I. GOVERNANCE & APPLICABILITY DETERMINATION
☐ Confirm whether the organization meets the definition of a Part 2 Program (§ 2.11)
☐ Confirm whether the organization acts as a Lawful Holder of Part 2 records
☐ Identify all lines of service generating or receiving SUD records
☐ Inventory all systems and data environments containing Part 2 data, including:
- EHR / EMR
- Health Information Exchanges (HIEs)
- Care coordination platforms
- Billing / RCM systems
- Analytics / reporting tools
- Telehealth platforms
- Data warehouses / AI tools
☐ Assign accountable ownership for Part 2 compliance across:
- Compliance / Privacy
- Legal
- Health IT / Security
- Clinical leadership
☐ Document applicability determination in governance records
II. CONSENT MANAGEMENT (STRUCTURAL CHANGE)
A. General TPO Consent (§ 2.31)
☐ Replace legacy single-recipient / single-purpose consent forms
☐ Implement single patient consent authorizing Treatment, Payment, and Health Care Operations (TPO)
☐ Ensure consent permits future uses and disclosures unless expressly revoked
☐ Ensure consent language meets revised requirements:
- Name of patient
- Name or general designation of recipients
- Purpose: TPO
- Statement of right to revoke
- Date / signature
☐ Confirm no expiration date is required unless patient elects one
☐ Validate electronic consent capture and storage workflows
B. Consent Revocation (§ 2.31(d))
☐ Update revocation policy to reflect:
- Prospective effect only
- No impact on prior lawful disclosures
☐ Ensure revocation processes are:
- Documented
- Patient-accessible
- Staff-trained
☐ Confirm EMR functionality supports revocation tracking
III. REDISCLOSURE & USE OF PART 2 DATA
☐ Update policies to permit redisclosure under HIPAA rules after valid TPO disclosure
☐ Remove internal policies that improperly prohibit redisclosure where no longer required
☐ Confirm redisclosure remains prohibited for:
- Use in criminal, civil, or administrative proceedings against the patient
- Law enforcement access not otherwise authorized by Part 2
☐ Update workforce training on lawful redisclosure scope
☐ Validate that minimum necessary standards are applied
IV. SUD COUNSELING NOTES (HEIGHTENED PROTECTION)
☐ Define SUD Counseling Notes distinctly from general psychotherapy or progress notes
☐ Ensure counseling notes:
- Are excluded from TPO disclosures
- Require separate, explicit patient consent
☐ Confirm counseling notes are:
- Segmented logically or technically
- Access-restricted within the EHR
☐ Train clinicians on documentation distinctions
☐ Audit documentation practices periodically
V. NOTICE OF PRIVACY PRACTICES (NPP)
☐ Update NPP to explicitly describe:
- Uses and disclosures under Part 2
- Patient rights under Part 2 and HIPAA
- Redisclosure limitations
- Complaint mechanisms
☐ Ensure NPP alignment with HIPAA-harmonized Part 2 language
☐ Confirm NPP is:
- Posted publicly
- Provided at intake
- Acknowledged by patients
☐ Retain documentation of NPP distribution
VI. PATIENT RIGHTS ALIGNMENT (HIPAA-EQUIVALENT)
☐ Update policies to reflect Part 2 alignment with HIPAA rights, including:
- Right of access
- Right to request amendments
- Right to an accounting of disclosures
☐ Ensure timelines align with HIPAA requirements
☐ Train staff on patient request handling
☐ Confirm EMR workflows support these rights
VII. BREACH NOTIFICATION & SECURITY INCIDENT RESPONSE
☐ Update breach response policies to apply HIPAA Breach Notification Rule to Part 2 records
☐ Ensure risk assessment procedures include:
- Nature and extent of the data involved
- The unauthorized person who used the data or to whom it was disclosed
- Whether the data was actually acquired or viewed
- Extent to which the risk has been mitigated
☐ Confirm notification timelines comply with HIPAA standards
☐ Include Part 2 data explicitly in incident response plans
☐ Train workforce on breach identification and escalation
VIII. ENFORCEMENT & PENALTIES
☐ Update compliance policies to reflect OCR enforcement authority over Part 2
☐ Align sanction policies with HIPAA-level civil and criminal penalties
☐ Ensure workforce disciplinary procedures reference Part 2 violations
☐ Document escalation and corrective action procedures
IX. BUSINESS ASSOCIATES & QUALIFIED SERVICE ORGANIZATIONS
☐ Inventory all vendors and partners with Part 2 data access
☐ Review and update:
- Business Associate Agreements (BAAs)
- Qualified Service Organization Agreements (QSOAs)
☐ Ensure agreements include:
- Part 2 confidentiality obligations
- Redisclosure limitations
- Breach notification requirements
☐ Confirm vendors are trained on Part 2 handling
☐ Maintain executed agreement records
X. DATA SEGREGATION & SYSTEM CONFIGURATION
☐ Remove unnecessary data segmentation for general Part 2 records
☐ Maintain segregation only where required (e.g., SUD counseling notes)
☐ Validate system role-based access controls
☐ Ensure audit logging is enabled for Part 2 data access
☐ Confirm interoperability workflows comply with revised rules
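One way to make the consent, counseling-note segmentation and audit-logging items in sections II, IV and X concrete, as an added example that is not part of the original checklist and is not any EHR vendor's code: a small Python policy check that encodes a general TPO consent, prospective-only revocation, the separate explicit consent required before SUD counseling notes are disclosed, and an audit entry for every access decision. All patient IDs, recipient names, dates and the `Consent`/`Record` structures are constructed for illustration, and the rule encoding is a simplification of the regulation, not a substitute for legal review.

```python
# Added example (not from the original checklist): a policy check modelling the
# consent, counseling-note segmentation and audit-logging rules it describes.
# Patient IDs, recipients and dates below are constructed sample data.
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Set, Tuple

TPO_PURPOSES = {"treatment", "payment", "health_care_operations"}
# Purposes the checklist says stay prohibited regardless of any TPO disclosure
PROHIBITED_PURPOSES = {"proceeding_against_patient", "law_enforcement"}


@dataclass
class Consent:
    patient_id: str
    recipients: Set[str]          # names or general designations of recipients
    purposes: Set[str]            # subset of TPO_PURPOSES
    signed_on: date
    covers_counseling_notes: bool = False   # only a separate, explicit consent sets this
    revoked_on: Optional[date] = None

    def active_on(self, when: date) -> bool:
        """Revocation is prospective only: dates before revoked_on remain covered."""
        if when < self.signed_on:
            return False
        return self.revoked_on is None or when < self.revoked_on


@dataclass
class Record:
    record_id: str
    patient_id: str
    kind: str                     # "general" or "counseling_note"


@dataclass
class AuditEntry:
    when: date
    actor: str
    record_id: str
    recipient: str
    purpose: str
    allowed: bool
    reason: str


AUDIT_LOG: List[AuditEntry] = []   # every decision, allowed or denied, lands here


def _evaluate(record: Record, consents: List[Consent], recipient: str,
              purpose: str, when: date) -> Tuple[bool, str]:
    if purpose in PROHIBITED_PURPOSES:
        return False, "purpose is prohibited for Part 2 records regardless of consent"
    if purpose not in TPO_PURPOSES:
        return False, "purpose outside TPO is not covered by the general consent"
    matching = [c for c in consents
                if c.patient_id == record.patient_id and c.active_on(when)
                and recipient in c.recipients and purpose in c.purposes]
    if not matching:
        return False, "no active consent for this recipient and purpose"
    if record.kind == "counseling_note":
        # A general TPO consent never reaches counseling notes (section IV)
        if not any(c.covers_counseling_notes for c in matching):
            return False, "counseling notes require separate explicit consent"
        return True, "separate counseling-note consent on file"
    return True, "general TPO consent on file"


def authorize_disclosure(record: Record, consents: List[Consent], actor: str,
                         recipient: str, purpose: str, when: date) -> Tuple[bool, str]:
    """Decide the disclosure and write an audit entry whatever the outcome."""
    allowed, reason = _evaluate(record, consents, recipient, purpose, when)
    AUDIT_LOG.append(AuditEntry(when, actor, record.record_id, recipient,
                                purpose, allowed, reason))
    return allowed, reason


def demo() -> dict:
    """Run the checklist scenarios on constructed data and return the decisions."""
    clinic, billing = "Riverside Clinic", "Riverside Billing"   # constructed names
    consents = [
        # General TPO consent, later revoked (prospective effect only)
        Consent("P-001", {clinic, billing}, set(TPO_PURPOSES), date(2026, 3, 1),
                revoked_on=date(2026, 6, 1)),
        # Separate, explicit consent limited to counseling notes for treatment
        Consent("P-001", {clinic}, {"treatment"}, date(2026, 3, 1),
                covers_counseling_notes=True),
    ]
    general = Record("R-1", "P-001", "general")
    note = Record("R-2", "P-001", "counseling_note")
    before, after = date(2026, 4, 1), date(2026, 7, 1)
    return {
        "general_tpo": authorize_disclosure(general, consents, "dr.lee", billing, "payment", before)[0],
        "general_after_revocation": authorize_disclosure(general, consents, "dr.lee", billing, "payment", after)[0],
        "note_under_general_consent": authorize_disclosure(note, consents, "dr.lee", billing, "payment", before)[0],
        "note_with_separate_consent": authorize_disclosure(note, consents, "dr.lee", clinic, "treatment", before)[0],
        "proceeding_against_patient": authorize_disclosure(general, consents, "dr.lee", clinic, "proceeding_against_patient", before)[0],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
    for entry in AUDIT_LOG:
        print(entry)
```

The design choice worth noting is that the audit entry is written in `authorize_disclosure` before the result is returned, so denials are logged as well as grants; a log that only records successful access cannot support the accounting-of-disclosures and breach-investigation items in sections VI and VII.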
XI. WORKFORCE TRAINING & CHANGE MANAGEMENT
☐ Update training curricula to reflect:
- New consent structure
- Redisclosure rules
- Counseling note protections
- Breach response alignment
☐ Train all affected workforce members prior to compliance deadline
☐ Retain training completion records
☐ Incorporate Part 2 into annual compliance training
XII. AUDIT, MONITORING & ATTESTATION
☐ Conduct gap assessment against revised Part 2 requirements
☐ Perform mock audit or tracer review
☐ Document corrective actions and remediation
☐ Prepare executive compliance attestation
☐ Maintain evidence for licensing, accreditation, and OCR review