OCR launches Part 2 civil enforcement program, new breach portal features

The HHS Office for Civil Rights announced new civil enforcement mechanisms to protect substance use disorder, or SUD, patient records. Effective Feb. 16, 2026, entities subject to 42 CFR Part 2 rules, commonly known as "Part 2," are required to comply with breach notification requirements or else face penalties aligned with those administered under HIPAA. Entities are now able to file breach reports under Part 2 using a new form on OCR's existing breach portal, and OCR will accept complaints of alleged violations. 

"At President Trump's direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative," HHS Secretary Robert F. Kennedy, Jr., said in the announcement. "Americans seeking treatment for substance use disorder deserve comprehensive care without sacrificing their privacy or legal protections." 

Since 1975, Part 2 regulations have protected the confidentiality of individuals experiencing SUD. Part 2 rules apply to any entity that is federally assisted. This can include SUD treatment programs, general hospitals with designated SUD units, private practices, third-party vendors and others receiving any type of federal grants or funds. 

The rules have undergone several revisions since they were first enacted. Most recently, in 2020, section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act required the HHS secretary to align certain aspects of Part 2 with HIPAA and the HITECH Act. 

HHS published a final rule in February 2024, solidifying this alignment and aiming to increase coordination among providers treating patients for SUDs.  

Among its provisions, the final rule permitted the use and disclosure of Part 2 records based on patient consent given once for all future uses and disclosures for treatment, payment and operations purposes. It also permitted the redisclosure of Part 2 records by HIPAA-covered entities and business associates as defined by the HIPAA Privacy Rule. 

Notably, the final rule said that SUD confidentiality regulations would be subject to the same requirements as the HIPAA Breach Notification Rule. 

Now that the rules are in effect, entities that experience breaches of SUD patient records will be subject to the same level of enforcement as other types of breaches, from resolution agreements to monetary settlements, civil money penalties and corrective actions. In August 2025, Kennedy delegated the authority of Part 2 to OCR, positioning it to issue enforcement actions and conduct compliance reviews once the February 2026 compliance deadline arrived.  

"OCR's civil enforcement program will instill confidence in patients and encourage them to seek SUD treatment from covered SUD providers. At the same time, compliance with the updated Part 2 regulation will improve care coordination and reduce administrative burdens," said OCR Director Paula M. Stannard.  

"OCR is uniquely positioned to enforce patient rights and the regulated community's obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA." 

OCR published a model Part 2 notice of privacy practices to aid entities in compliance efforts. Part 2 programs that are also HIPAA-covered entities are permitted to maintain a combined notice that meets the requirements of the Part 2 patient notice and the HIPAA notice of privacy practices. 

In the past, OCR has expressed to Congress that it needs more funding to support its HIPAA enforcement efforts. Between 2018 and 2022, OCR saw a 17% increase in HIPAA complaints and a 107% increase in large breaches reported. OCR also lost staff during the 2025 HHS layoffs efforts. With the additional Part 2 enforcement responsibilities, OCR will likely have to juggle a higher complaint volume in the coming year.

Jill Hughes has covered healthcare cybersecurity and privacy news since 2021.