Quick Hits
- Federal regulations generally require an entity covered by HIPAA to obtain a person’s express, written permission before disclosing personally identifiable records related to a substance use disorder.
- Health plans, healthcare providers, and treatment centers must revise their notices of privacy practices by February 16, 2026, to reflect this consent requirement.
To comply with the rule, HIPAA-regulated entities must:
- ensure that each disclosure of substance use disorder records is accompanied by a copy of the patient’s consent or a clear explanation of its scope;
- adopt HIPAA’s Breach Notification Rule for breaches of unsecured substance use disorder records; and
- give patients the right to opt out of fundraising communications.
HIPAA-regulated entities also may wish to consider:
- establishing a process for securing a single written consent for future substance use disorder treatment, payment, and healthcare operations disclosures, which the final rule permits;
- training staff to understand the Part 2 requirements and the risks of noncompliance; and
- assessing any agreements with medical providers and treatment centers to maintain appropriate confidentiality.
Background on the Regulation
On February 16, 2024, the U.S. Department of Health and Human Services (HHS) issued a final rule designed to update privacy protections for patient information related to substance use disorders. Substance-use information protections are often referred to as “Part 2” because of their location in the Code of Federal Regulations. The final rule modifies Part 2 to align with HIPAA requirements by modifying restrictions related to the use and disclosure of this information, including in civil, criminal, administrative, and legislative proceedings. The final rule took effect on April 16, 2024.
On April 22, 2024, HHS issued another final rule prohibiting HIPAA-regulated entities from disclosing reproductive healthcare information for certain purposes, and HHS incorporated certain modifications to HIPAA’s privacy rules to address the Part 2 rules. HIPAA-regulated entities have long been obligated to comply with Part 2 restrictions on use and disclosure of information protected by Part 2 that they received from Part 2 programs.
The final rule modified obligations related to notices of privacy practices, the documents that describe how HIPAA-regulated entities comply with HIPAA’s rules. The modifications focus on reliance on consent to use and disclose information, how these are applied, and the constraint on using or disclosing information subject to Part 2 in civil, criminal, administrative, and legislative proceedings without explicit consent or a court order.
On June 18, 2025, the U.S. District Court for the Northern District of Texas nullified the part of the rule related to reproductive healthcare information, but it left the Part 2 changes intact. Thus, health plans, healthcare providers, and treatment centers are still required to amend their notices of privacy practices by February 16, 2026, to comply with this regulation.
Patients have the right to file complaints with HHS and receive a list of disclosures made with their consent.
Substance use disorder, sometimes called addiction, occurs when the repeated, problematic use of alcohol or drugs causes clinically significant impairment in health or life functions, according to the National Institutes of Health. It can involve consuming alcohol, illegal drugs, prescription drugs, or some combination thereof. Treatments for substance use disorders may include psychotherapy, family counseling, twelve-step programs and mutual aid groups, and medications to reduce cravings and withdrawal symptoms.
Next Steps
HIPAA-regulated entities, including employer-sponsored group health plans, may want to prepare now to ensure compliance with the Part 2 regulation before the deadline.
Noncompliance with Part 2 may result in the HHS Office for Civil Rights imposing civil monetary penalties and issuing subpoenas requiring the attendance and testimony of witnesses and the production of evidence that relates to an investigation or compliance review.
Ogletree Deakins will continue to monitor developments and will provide updates on the Cybersecurity and Privacy, Employee Benefits and Executive Compensation, and Healthcare blogs as new information becomes available.
Jeremy W. Hays is of counsel in Ogletree Deakins’ Dallas office.
Stephen A. Riga is counsel in Ogletree Deakins’ Minneapolis and Indianapolis offices.
This article was co-authored by Leah J. Shepherd, who is a writer in Ogletree Deakins’ Washington, D.C., office.