Most behavioral health leaders know 42 CFR Part 2 exists. Far fewer know whether their organization is actually covered by it. And almost none have stress-tested their systems to see if they could survive an OCR audit. That gap is about to become expensive.
Starting February 16, 2026, the Office for Civil Rights (OCR) gains full enforcement authority over Part 2 (HHS, 2024). The agency now wields civil penalties, subpoena power, and corrective action mandates (HHS Office for Civil Rights, 2025). For organizations that assumed Part 2 was someone else’s problem, the clock just started.
The real question isn’t whether you’re compliant. It’s whether you even know if you’re covered.
The Coverage Question Nobody’s Asking
If your organization provides any federally-assisted substance use services (and “federally-assisted” includes Medicare and Medicaid reimbursement), you likely fall under Part 2 (SAMHSA, 2023; SAMHSA, 2024; Illinois Department of Human Services).
That’s broader than most leaders realize. Part 2 applies to any organization that holds itself out as providing, and provides, SUD diagnosis, treatment, or referral for treatment (SAMHSA, 2023). This includes identified units within general medical facilities and personnel whose primary function is SUD-related care (HHS, 2024).
The defining word is “primary function.” That’s where the ambiguity lives, and where regulators will focus.
Consider the integrated care model many organizations have adopted. A behavioral health clinic treating co-occurring disorders. A primary care practice screening for substance use and offering brief interventions. A mobile crisis team that regularly encounters SUD alongside mental health crises. Each scenario raises Part 2 questions that most compliance officers have never systematically answered.
Without clear workflows and technical controls, teams default to one of two extremes: over-disclosing protected information or under-sharing data needed for coordinated care. Both create exposure. One leads to patient harm and loss of trust. The other invites regulatory action.
The weakest link in your compliance chain is typically the person who doesn’t realize they’re handling Part 2 data.
Why This Matters More Than Your Board Thinks
Part 2 enforcement fundamentally reshapes governance risk in behavioral health.
The revised rule aligns Part 2, which protects substance use disorder (SUD) records, with HIPAA (HHS, 2024; SAMHSA, 2024). That sounds like simplification. In practice, it means your organization now faces coordinated federal oversight across two complex privacy frameworks, with penalties that mirror HIPAA’s tiered civil and criminal structure (HHS, 2024).
OCR can impose civil money penalties, negotiate resolution agreements, and compel document production through subpoenas (HHS Office for Civil Rights, 2025). Unlike SAMHSA’s historically educational approach, OCR operates with enforcement muscle honed through years of HIPAA investigations.
Here’s what most executives miss: while HIPAA risk assessments have become standard practice, virtually no behavioral health organizations have conducted comprehensive Part 2 risk mapping. That asymmetry creates blind spots, especially for organizations that never confirmed whether their programs trigger Part 2 coverage in the first place.
The compliance gaps aren’t in policy manuals. They’re in the space between what leadership assumes and what actually happens when a patient checks in, a clinician documents care, or a vendor accesses your systems.
The Strategic Readiness Framework
Compliance is built through disciplined preparation across four integrated domains.
Coverage and Risk Mapping
Start with the foundational question: which services, units, or personnel trigger Part 2 protections? Map where SUD-related data is created, stored, transmitted, and accessed. Document the rationale. This assessment drives every subsequent decision and provides your evidentiary foundation if OCR comes asking.
Programs pursuing CCBHC certification face heightened privacy expectations across federal funding relationships. Part 2 readiness becomes table stakes for competitive procurements and contract negotiations. Organizations with multi-site operations need location-specific coverage determinations—Part 2 may apply differently across your footprint.
Policy and Technology Integration
HIPAA-centric policies won’t suffice. The Final Rule introduces important flexibilities, including a single consent for all future treatment, payment, and operations (TPO) disclosures (HHS, 2024; SAMHSA, 2024), while maintaining critical restrictions on re-disclosure for legal proceedings. Your policies must reflect this hybrid framework precisely. Ambiguity in consent management becomes liability under enforcement.
Your EHR must operationalize Part 2 protections, not merely document them. This means functional consent management, granular access controls, audit logging that tracks Part 2-specific access, and breach notification protocols aligned with HIPAA standards (Illinois Department of Human Services). Break-glass procedures need clear governance. If your IT team hasn’t mapped these capabilities, that’s a Board-level risk.
Workforce Competency and Vendor Oversight
Part 2 literacy must extend beyond compliance staff. Clinicians, administrative personnel, and IT professionals all need role-specific understanding of when Part 2 applies, how consent functions, and when escalation is required (HHS, 2024). Your front desk staff, intake coordinators, and release of information teams are handling federal enforcement exposure every single day—most without realizing it.
Business Associate Agreements were designed for HIPAA, not Part 2’s more stringent framework. Every vendor relationship requires fresh scrutiny: Do they access, transmit, or store Part 2 records? Do they understand their obligations as lawful holders under the updated rule (HHS, 2024)? Can they demonstrate technical and administrative safeguards? Vendor risk is your risk.
Financial and Governance Planning
Budget for legal reviews, policy development, system configuration, training programs, and independent validation. Assign clear ownership for Part 2 compliance at the executive level. The penalty structure now matches HIPAA’s tiered framework (HHS, 2024). The cost of readiness is negligible compared to the cost of violation.
Beyond Compliance: The Competitive Advantage
Organizations that move early on Part 2 readiness build strategic assets while avoiding penalties.
Programs pursuing CCBHC certification, value-based contracts, and federal grants increasingly face heightened privacy expectations. Demonstrating mature Part 2 compliance signals operational sophistication to regulators, payers, and funding agencies. It differentiates your organization in competitive procurements. It provides leverage in contract negotiations.
More fundamentally, it builds trust. Patients entrust you with information that carries profound stigma and tangible risk. When your systems protect that information with precision and care (not merely policy language but actual technical and procedural rigor), that commitment becomes visible.
Early adopters help set the standard rather than chase it.
What Leadership Should Do This Week
The organizations that will struggle in 2026 are the ones still figuring out their exposure in 2025. The organizations that will thrive are the ones moving now.
Start with clarity. Convene your compliance, clinical, IT, and legal leadership. Ask the uncomfortable questions: Are we covered? Where’s our exposure? Who owns this? What would an OCR investigation find? Which of our staff are handling Part 2 data without knowing it?
Then build your readiness plan with precision and pace. Assign ownership. Set milestones. Track progress. Treat this as enterprise risk management, not a compliance project.
The February 16, 2026 compliance deadline is firm. Organizations that use the remaining time strategically will be prepared. Organizations that don’t will be scrambling when OCR arrives.
Regulatory enforcement creates two types of organizations: those caught off-guard, and those who saw it coming and prepared accordingly.
Xpio Health has spent years helping behavioral health organizations navigate precisely these kinds of transitions, where regulatory change meets operational reality, and where the difference between prepared and unprepared shows up in audit findings, patient trust, and board confidence.
If you’d like a clear-eyed assessment of where your organization stands (what’s solid, what’s vulnerable, and what a focused readiness effort would look like), contact us. This is the kind of work we do, and we’re good at it.
#Part2Compliance #OCREnforcement #BehavioralHealth #SubstanceUseDisorder #HIPAACompliance #PeopleFirst #HealthcareCompliance #RegulatoryCompliance #PatientPrivacy #HealthcareRiskManagement #BehavioralHealthCompliance #43CFRPart2 #XpioHealth
References
- Department of Health and Human Services (HHS). Confidentiality of Substance Use Disorder (SUD) Patient Records. Federal Register. 2024. https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records
- HHS Office for Civil Rights. Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations. HIPAA Journal. 2025. https://www.hipaajournal.com/ocr-authorized-administer-enforce-part-2-regulations/
- Substance Abuse and Mental Health Services Administration (SAMHSA). Frequently Asked Questions Applying the Substance Abuse Confidentiality Regulations to Health Information Exchange (HIE). SAMHSA. 2024. https://www.samhsa.gov/sites/default/files/faqs-applying-confidentiality-regulations-to-hie.pdf
- HHS/SAMHSA. Implementation Fact Sheet | Focus:PHI. CoE-PHI. 2024. https://coephi.org/resource/implementation-fact-sheet/
- Illinois Department of Human Services. 42 CFR Part 2 HHS Aligns Part 2 and HIPAA. Illinois Department of Human Services. https://www.dhs.state.il.us/page.aspx?item=163364
- Substance Abuse and Mental Health Services Administration (SAMHSA). FAQs About 42 CFR Part 2. ASAM. 2023. https://www.asam.org/docs/default-source/advocacy/coe-phi-faqs-about-42-cfr-part-2.pdf
