HIPAA 42 CFR Part 2 – New Updates about the Confidentiality of Substance Use Disorder (SUD) Patient Records

HIPAA 42 CFR Part 2 – New Updates about the Confidentiality of Substance Use Disorder (SUD) Patient Records:   What You Need to Know

42 CFR Part 2 Final Rule:  What You Need to Know

On February 8, 2024, both the U.S. Department of Health & Human Services (HHS) with the Substance Abuse and Mental Health Services Administration (SAMHSA) along with the Office for Civil Rights announced a final rule in the Code of Federal Regulations changing the HIPAA confidentiality of medical and mental health records for Substance Use Disorder (SUD) records regulations.

The implementation date of February 16, 2026, has come and gone with a compliance deadline creating immediate enforcement exposure.

This new law is now at 42 CFR part 2.  With this final rule now firmly in place, the HHS is implementing the confidentiality provisions originating with section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which was enacted March 27, 2020, and which require the Department to align certain aspects of Part 2 with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Rules and other applicable federal law in the Health Information Technology for Economic and Clinical Health Act (HITECH).

The Part 2 statute (42 U.S.C. 290dd-2) protects the following:  “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance of any program or activity relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”

These defined confidentiality protections now help address concerns that discrimination and fear of criminal prosecution deter people from entering treatment for SUD.

The updates, changes, and modifications in this final rule reflect the proposals published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM) and public comments received from many interested parties.

These included substance use disorder and other advocacy groups; trade and professional associations; behavioral and other health providers; health information technology vendors and health information exchanges; state, local, tribal and territorial governments; health plans; academic institutions, including academic health centers; and unaffiliated or anonymous individuals.

Following the usual and customary 60-day comment period, HHS analyzed and carefully considered all comments submitted from the public on the NPRM and made appropriate modifications before finalizing this updated law. This is an intermediate webinar.

The areas covered in this session include these learning objectives:

• Basics of HIPAA privacy and security.
• What makes mental health and substance use disorder records different from other medical records.
• A review of the federal administrative regulations process – all about notice and comment rulemaking.
• Examination of updates to this new federal law.
• Explain what changed under the 2024 Part 2 Final Rule and why the February 16, 2026 compliance deadline now creates immediate enforcement exposure.
• Clarify how OCR’s new Civil Enforcement Program affects Part 2 programs, covered entities, business associates, health plans, behavioral health providers, and organizations handling SUD records.
• Break down practical requirements for SUD record consent, redisclosure, breach notification, patient complaints, and Notice of Privacy Practices updates.
• Identify common operational risk areas involving EHR workflows, HIE data sharing, vendor access, staff training, documentation gaps, and improper disclosures.
• Provide an audit-ready compliance roadmap to help attendees update policies, consent forms, breach response procedures, vendor controls, workforce training, and enforcement documentation.
• Patient consent and other uses and disclosures.
• Penalties and breach notifications.
• Patient notice and safe harbor provisions.
• Best practices for obtaining this protected information.
• Basic tips and techniques to defend yourself from liability.

HIPAA medical records confidentiality and confidentiality of substance use disorder; mental health records confidentiality.

This webinar examines the new Code of Federal Regulations governing HIPAA privacy for Substance Use Disorder records in mental health.

This new federal law is only a few months old, but has had a huge impact on the rights of patients and persons availing themselves of mental health treatment for substance use disorder.

Erase the uncertainty and doubt about what the new law does – and doesn’t – do to protect patient confidentiality.

• HIPAA privacy officers
• Medical records workers
• Health care attorneys.