In 90 days, one of your intake coordinators will sit across from a patient seeking substance use treatment. The patient will ask a straightforward question: “Who can see my records?” Your coordinator’s answer, and the consent form they present, could determine whether your organization faces federal enforcement action.
Starting February 2026, 42 CFR Part 2 compliance shifts from recommended practice to enforceable federal law (HHS, 2024). The Office for Civil Rights now has authority to investigate, levy penalties, and mandate corrective action plans. This isn’t an IT project or a compliance checkbox. This is a fundamental change to how your frontline staff work every day.
The organizations that adapt quickly won’t just avoid penalties. They’ll build stronger patient trust and cleaner operational workflows. Here’s what needs to change in the next 90 days.
Check-In Protocols Change
If your organization provides federally assisted substance use services (and “federally-assisted” includes Medicare and Medicaid reimbursement), whether directly or embedded within broader behavioral health programs, you’re covered (SAMHSA, 2024). This includes identified units within general medical facilities and any personnel whose primary function involves SUD diagnosis, treatment, or referral.
Your front desk needs new language. At check-in, staff must clearly explain what information is protected under Part 2, when consent is required, and who can access records under what circumstances.
Here’s the operational shift: general HIPAA release forms won’t cut it anymore. The updated Part 2 rules permit a single consent form for all future uses related to treatment, payment, and healthcare operations, which simplifies the patient experience. But separate consent is still required if records might be used in civil, criminal, administrative, or legislative proceedings against the patient.
Your intake clinicians and care coordinators need updated scripts and new forms. Most haven’t been trained on this distinction yet. When a patient asks “Can my records be subpoenaed?”, the answer requires more nuance than your HIPAA training provided.
Consent Capture Requires Precision
With OCR enforcement active, consent management becomes high stakes. Your system must ensure consent specifies what information can be disclosed and limits it to what’s necessary (SAMHSA, 2023). You need to log consent accurately in your EHR and provide patients with copies or clear explanations of what they’ve authorized.
This is where EHR configuration becomes critical. Most legacy systems weren’t built for this level of granularity. You need workflows that automatically flag when consent is needed and actively restrict access when it’s not. If your EHR can’t do this reliably, you have a problem that won’t solve itself.
Data Segmentation Gets More Complex
The 2024 rule clarifies that you don’t need to segregate all Part 2 records when working under a single TPO consent. That’s the good news. The challenging news: a new category called SUD Counseling Notes must be maintained completely separately from the rest of the patient record and requires its own patient consent, similar to how HIPAA treats psychotherapy notes (HHS, 2024).
Even without mandatory segregation for routine Part 2 records, you’re encouraged to implement access controls that accommodate patient requests to limit who sees what.
Practical steps to take now:
- Create specific note types or templates for SUD-related entries
- Ensure SUD Counseling Notes are physically or electronically separated from main patient records
- Train clinical staff to distinguish between routine SUD documentation and counseling notes requiring enhanced protection
The cost of accidental overdisclosure just went up significantly. Documentation clarity is your first line of defense.
Release of Information Workflows Must Be Airtight
Your ROI team needs to treat Part 2 requests as fundamentally different from standard HIPAA requests. Three distinctions matter most:
Redisclosure has limits. Even when you share Part 2 records with another covered entity under a TPO consent, those records still can’t be used in legal proceedings against the patient without meeting stricter requirements.
Subpoenas alone don’t suffice. You need either explicit patient consent or a court order that meets Part 2’s specific criteria. A standard subpoena that would satisfy HIPAA doesn’t meet the bar here. When your ROI staff receive a subpoena for substance use treatment records, they need to know to escalate immediately—not process it as routine.
Breach reporting is now mandatory. Part 2 programs must comply with HIPAA’s Breach Notification Rule.
Every release involving Part 2 data should be reviewed, logged, and escalated when there’s any ambiguity. Your ROI staff need decision trees, not general guidance.
Staff Training Is Your Best Risk Mitigation
Policy changes accomplish nothing without operational readiness. Everyone from front office to clinicians to IT needs to understand what qualifies as Part 2 data, how to handle consent and disclosure, and when to escalate concerns.
The compliance deadline is February 16, 2026. Organizations that treat training as a one-time event will struggle. Organizations that build ongoing fluency will thrive.
Your 90-Day Action Plan
Review intake forms and scripts. Update language to reflect the new single TPO consent option and Part 2’s stricter requirements for legal proceedings. Script the exact language your front desk and intake coordinators should use when patients ask about record access. Test these scripts with actual staff before going live.
Audit your EHR configuration. Convene your IT, compliance, and clinical leadership in one room. Walk through your EHR’s consent management module. Verify that access controls actually work—not just in theory, but in practice. Test whether you can technically segregate SUD Counseling Notes. Document gaps and assign owners for each fix.
Map your ROI process. Find the gaps where staff might miss the distinction between a HIPAA subpoena and a Part 2-compliant court order. These gaps represent your highest risk. Create a one-page decision tree: When does ROI staff release records? When do they escalate? Who do they escalate to? Make sure every member of your ROI team can explain the difference between responding to a subpoena under HIPAA versus Part 2.
Run mock disclosure scenarios. Walk through real cases from check-in to ROI. Use actual patient scenarios your staff encounter. What happens when a parent requests their adult child’s SUD records? What happens when law enforcement presents a subpoena? What happens when a patient consents to TPO but later revokes it? Document where processes break down. Fix them before February.
Build organizational fluency. Create regular opportunities for staff to discuss changes, ask questions, and build confidence in new workflows. Monthly check-ins with front-line staff will surface confusion before it becomes a violation.
Patient Trust Depends on Getting This Right
Part 2 exists because patients seeking substance use treatment deserve protection. When patients trust that their sensitive information is secure, they engage more honestly in treatment (42 CFR Part 2). The regulatory requirements serve a clinical purpose.
Organizations that move decisively now will be positioned for competitive advantage through operational excellence and earned patient confidence. The rules have changed. Your workflows need to change with them.
Need help mapping your current workflows, configuring your EHR for Part 2 compliance, or building a practical training program? We specialize in translating regulatory requirements into operational reality. Contact us to make sure your frontline staff have the tools and confidence they need.
References
- U.S. Department of Health and Human Services (HHS). Confidentiality of Substance Use Disorder (SUD) Patient Records. Federal Register. 2024. https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records
- Substance Abuse and Mental Health Services Administration (SAMHSA). 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records. SAMHSA. 2024. https://www.samhsa.gov/about/laws-regulations/confidentiality-regulations-42-cfr-part-2
- Substance Abuse and Mental Health Services Administration (SAMHSA). Substance Use Confidentiality Regulations. SAMHSA. 2023. https://www.samhsa.gov/about/faqs/confidentiality-regulations
- 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records. Electronic Code of Federal Regulations. https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
