'We're Open for Business': OCR Enforcing Part 2 SUD Records; NPP Updates Required

Summary

The HHS Office for Civil Rights (OCR) has assumed enforcement authority over 42 CFR Part 2 (confidentiality of substance use disorder records) from the Department of Justice, effective Feb. 16, 2026. OCR Director Paula Stannard stated the agency is 'open for business' for Part 2 violations. Both covered entities (CEs) and Part 2 providers were required to update privacy notices by the compliance date, with Part 2 providers adopting HIPAA-like standards and CEs updating their Notice of Privacy Practices (NPPs) to address Part 2 records.

What changed

OCR has officially taken over enforcement of 42 CFR Part 2 confidentiality requirements from the DOJ. The 2020 CARES Act gave HHS/OCR authority to investigate and impose penalties for Part 2 violations, previously restricted to criminal referrals by DOJ. Part 2 providers must now comply with OCR's Breach Notification Rule, with breaches affecting 500+ individuals posted to OCR's public website via a dedicated Part 2 portal.

Covered entities that work with Part 2 providers should verify their NPPs address Part 2 records as required by the Feb. 16, 2026 compliance date. Part 2 providers face streamlined consent requirements under the new rule. As OCR signals active enforcement, entities subject to Part 2 should ensure compliance with the updated privacy standards to avoid potential investigation.

What to do next

  1. Verify NPPs address Part 2 records if your entity works with SUD providers
  2. Conduct compliance audits for Part 2 privacy and breach notification requirements
  3. Monitor OCR Part 2 breach portal for reportable incidents

Archived snapshot

Apr 15, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

April 15, 2026

‘We’re Open for Business’: OCR Assumes Part 2 Records Enforcement; Is Your NPP Updated?

Theresa Defino, Health Care Compliance Association (HCCA)

Report on Patient Privacy 26, no. 4 (April, 2026)

Time’s up! Covered entities (CEs) and substance use disorder (SUD) providers who accept federal assistance have had two years to comply with a rule updating privacy policies, as well as implement breach notification requirements related to SUD records under 42 CFR Part 2, typically referred to simply as Part 2.

But in reality, they’ve had six years since Congress passed the CARES Act (hint: the “C” stands for Covid) to get ready. Meanwhile, the HHS Office for Civil Rights (OCR), in the words of Director Paula Stannard, is now “open for business if people believe that there’s been a violation” by Part 2 providers.

The 2020 CARES Act gave HHS the authority to investigate and impose penalties for violations of Part 2 confidentiality safeguards, authority previously held only by the Department of Justice (DOJ) and restricted to criminal violations. Any enforcement actions DOJ took against Part 2 providers haven’t been made public.

Part 2 Gets Own “Wall of Shame”

That’s expected to change, as OCR routinely publicizes HIPAA scofflaws (alleged, in cases of settlements vs. the imposition of fines). And now, Part 2 providers will also have to comply with the Breach Notification Rule, so their reportable breaches (like CEs, those affecting 500 or more individuals) will be posted to OCR’s public website, also known as the HIPAA Wall of Shame. Interestingly, OCR established a separate portal for Part 2 programs; as of RPP’s deadline, no such breaches had been reported (see https://ocrportal.hhs.gov/ocr/breach/breachreportpart2.jsf).

HHS issued an updated Part 2 proposed rule on Dec. 2, 2022, followed by a final rule on Feb. 16, 2024. [i] The rule had an effective date of April 16, 2024, and a compliance date of Feb. 16 of this year. On Aug. 25, the HHS secretary specifically delegated OCR authority to administer and enforce Part 2. Stannard previously told RPP that it made the most sense for OCR, of all HHS agencies, to get this authority and that she had requested it. [ii]

The heaviest compliance lift fell to Part 2 providers, who were required to adopt HIPAA-like privacy standards, including a new Patient Notice, similar to the oft-maligned Notice of Privacy Practices (NPP) that CEs have contended with for decades.

But CEs weren’t totally off the hook. By the same date, they were required to update their NPPs to address Part 2 records, though in a fairly minor way. Three days before the compliance date, OCR announced that enforcement would soon begin and issued resources to help Part 2 providers and CEs—after they probably had already made the bulk of required changes. These included a model Patient Notice for Part 2 and revised NPPs for health care providers and health plans.

Desire to Encourage Treatment

Later that week, Stannard discussed Part 2 changes and its enforcement with reporters. As Stannard explained, a Part 2 provider “will now obtain a single prior consent that will be signed by the patient for all future uses and disclosures of that information for treatment, payment and health care operations.”

This streamlined consent “will increase the opportunity for collaboration and coordination of care among our Part 2 providers and other providers that may be treating a patient that has a substance use disorder,” Stannard said.

She added that the rule “allows HIPAA covered entities and business associates that receive records under this consent to release those records in accordance with the HIPAA regulations.”

OCR’s announcement that it was beginning enforcement of the final rule “is an important first step to making sure that there is strong enforcement and protection of the information of patients who are seeking treatment for the substance use disorder, and to encourage [a] pathway [to] treatment,” Stannard said.

Complaint Volume Expected to Increase

RPP asked Stannard how many SUD-related complaints OCR expects to receive.

Stannard noted that OCR had already begun to receive complaints but that it has to abide by timelines; specifically, the agency can’t act on anything that happened prior to Feb. 16, “the date that compliance is required with the new Part 2 provisions.”

Moreover, moving forward, the six-month time frame for OCR to act—the same as it has with alleged HIPAA violations—applies. Specifically, as the complaint portal itself states, “Please note that under our regulations, OCR normally can accept only complaints that are filed within 180 days of when a complainant knew or should have known that the alleged violation occurred.” It does provide the opportunity to submit a complaint older than 180 days, but requires an explanation to be included.

“We are anticipating that, similar to HIPAA, the volume will probably start out slow and grow over time as people become more aware of the ability to file a complaint,” Stannard said. OCR, she added, is hoping “to get the word out that Part 2 has been strengthened” and that “we’re open for business if people believe that there’s been a violation.”

The final rule doesn’t indicate how many complaints OCR expects to receive yearly based on the expanded complaint options for Part 2 patients, but it did state that Part 2 programs themselves may receive 1,864 complaints annually, an estimate “derived under the assumption that one in every thousand patients would file a complaint.”

“The complaint is also assumed to be received by a [Part 2] manager and take 10 minutes to address,” the rule states, at an estimated cost in year one of $32,238.

Questions About OCR’s Capacity

It’s safe to assume it will take OCR investigators many more minutes. Is the agency up to the task, given its recent history of losing (and then regaining) staff? Stannard said it is.

“We have been working within the department to make sure we have ample support for this new responsibility,” Stannard told reporters. “We anticipate that the number of complaints in this first year will be moderate and will grow as people become more aware of the authority. We think we have adequate resources to pursue investigations.”

According to the analysis in the final rule, Part 2 programs and HHS are expected to spend $26.1 million for first-year costs—estimated in 2022 dollars.

First-year costs to HHS for Part 2 enforcement and compliance were estimated at $2.3 million; “federal costs will be approximately $12,038,112 million over 5 years,” the rule states.

The rule also estimated that “it will take [federal] workers 1.5 hours to summarize each breach and that there will be 267 breaches requiring summaries per year, equaling a labor cost of approximately $32,107 per year” related to Part 2 programs whose breaches are posted online.

The largest nongovernmental expenditure was attributed to Part 2 programs’ “training workforce members on the revised requirements ($13.3 million),” followed by “capital expenses ($0.9 million); compliance with breach notification requirements ($1.6 million); updating Patient Notices ($2.6 million); attaching consent forms for disclosures (2.9 million); updating consent forms ($1.7 million) [and] updating the notice to accompany disclosures ($0.7 million).” The rule describes as “nominal” costs for “responding to requests for privacy protection [and] providing accounting of disclosures,” two requirements that are new for Part 2 providers but not HIPAA CEs.

One aspect of compliance that Part 2 plans should be aware of: the final rule added a requirement that the new Patient Notice inform patients of their rights to complain about violations to OCR. “The intent of the enforcement provisions in § 2.4 was to create a process that mirrors that for HIPAA violations, but the Department inadvertently omitted from its proposed changes to this section an express right to complain to the Secretary,” the rule states.

OCR Expects Savings From Consent Changes

According to the analysis, Part 2 providers and HIPAA CEs (and business associates) will experience savings. For example, HHS estimated “first year costs would be partially offset by $13,421,556 of first year cost savings, attributable to reductions in the need for part 2 programs to obtain written patient consent for disclosures for treatment, payment, or health care operations (TPO) ($10.3 million); reductions in the need for covered entities, business associates, and part 2 programs to obtain written patient consent for redisclosures ($2.6 million); and reductions in capital expenses for printing consent forms ($0.5 million).”

Six days after OCR’s SUD enforcement announcement, the agency issued word of its first HIPAA enforcement action of 2026. Although it is with Top of the World Treatment Ranch, a SUD provider, the settlement is unrelated to this initiative and was hammered out in June of last year. [iii]

Referencing that settlement, Stannard clarified that “some substance use treatment providers and Part 2 providers are also HIPAA covered entities,” of which Top of the World is an example.

Conceivably, OCR could pursue privacy/security violations by Part 2 providers under both Part 2 and HIPAA. “Nothing in the CARES Act states that an entity that is subject to both regulatory schemes shall be subject to only one regulation or one regulation’s penalties. Therefore, an entity potentially remains subject to both regulations, including their provisions on penalties for violations,” according to the final rule.

Model NPPs Show Little Change

Although, as noted, it might have been helpful if OCR had released its model notices more than three days before the compliance date, the documents it issued don’t show a lot of changes from historic ones.

OCR’s model NPPs for providers and health plans include two new mentions of Part 2, indicating, perhaps, that they don’t need to make too many changes to their old ones, as follows with bolded references to Part 2 (emphasis added): [iv]

How else can we use or share your health information?

We are allowed or required to share your information in other ways – usually in ways that contribute to the public good, such as public health and research. We have to meet many conditions in the law before we can share your information for these purposes. **And in all cases, if we have substance use disorder patient records about you, subject to 42 CFR part 2, we cannot use or share information in those records in civil, criminal, administrative, or legislative investigations or proceedings against you without (1) your consent or (2) a court order and a subpoena.**

A second reference in both model NPPs states:

To the extent that we have your substance use disorder patient records, subject to 42 CFR part 2, we will not share that information for investigations or legal proceedings against you without (1) your written consent or (2) a court order and a subpoena.

For providers’ NPP, there’s also a third addition related to fundraising, as follows with bolded references to Part 2 (emphasis added):

In the case of fundraising:

We may contact you for fundraising efforts, but you can tell us not to contact you again.

If we have your substance use disorder patient records, subject to 42 CFR part 2, we will give you clear and obvious notice in advance and a choice about whether to receive fundraising communications that use your Part 2 information.

[i] Confidentiality of Substance Use Disorder (SUD) Patient Records, 89 Fed. Reg. 12,472 (Feb. 16, 2024), https://bit.ly/3PR3p6T.

[ii] Theresa Defino, “OCR Director Stannard: Enforcement Widening To Encompass Risk Management, Parents’ Access,” Report on Patient Privacy 26, no. 1 (January 2026): 1.

[iii] Theresa Defino, “Pen Testing, Password Safeguards: CAP Has Seemingly New Requirements” Report on Patient Privacy 26, no. 4 (April 2026): 4.

[iv] U.S. Department of Health and Human Services, “Model Notices of Privacy Practices,” content last reviewed February 20, 2026, https://bit.ly/4sRziuR.

Learn more: https://www.hcca-info.org/publications/newsletters/report-patient-privacy

© Health Care Compliance Association (HCCA)

About this page

What's from the agency?

Source document text, dates, docket IDs, and authority are extracted directly from HCCA.

What's AI-generated?

The summary, classification, recommended actions, deadlines, and penalty information are AI-generated from the original text and may contain errors. Always verify against the source document.

Classification

Agency: HCCA
Published: April 15th, 2026
Compliance deadline: February 16th, 2026 (58 days ago)
Instrument: Notice
Legal weight: Non-binding
Stage: Final
Change scope: Minor

Who this affects

Applies to: Healthcare providers, Patients
Industry sector: 6211 Healthcare Providers
Activity scope: Privacy notice compliance, SUD record confidentiality, Breach notification
Geographic scope: United States (US)

Taxonomy

Primary area: Healthcare
Operational domain: Compliance
Compliance frameworks: HIPAA
Topics: Data Privacy
