What Changed in 42 CFR Part 2 Under the 2024 Final Rule?

The 2024 Final Rule for 42 CFR Part 2, published in the Federal Register on February 16, 2024 and fully enforceable from February 16, 2026, made the most significant changes to the federal substance use disorder confidentiality regulations since their original enactment. It aligned several aspects of Part 2 with the HIPAA Privacy Rule, expanded disclosure permissions for treatment and care coordination, applied the HIPAA Breach Notification Rule to Part 2 records, and added civil monetary penalties alongside the existing criminal penalty structure. The rule was issued jointly by the Substance Abuse and Mental Health Services Administration and the HHS Office for Civil Rights, implementing the confidentiality provisions of Section 3221 of the CARES Act, which had directed SAMHSA to harmonize Part 2 with HIPAA. Organizations subject to Part 2 that built their policies and training programs around the prior version of the regulation must update both to reflect requirements that differ materially from the framework their workforces were trained on.

Expanded Permissions for Treatment, Payment, and Healthcare Operations

Prior to the 2024 Final Rule, disclosures of Part 2 patient records for treatment, payment, and healthcare operations required a specific patient consent for each disclosure, placing the administrative burden on Part 2 programs well above what HIPAA covered entities faced for general medical records. The 2024 Final Rule permits patients to provide a single written consent that authorizes future uses and disclosures for treatment, payment, and healthcare operations, removing the requirement to obtain a separate consent each time a covered purpose arises. This change brings Part 2 closer to the HIPAA standard for these routine disclosures while preserving the requirement that a valid consent document must still be obtained before the first disclosure occurs. Workforce members who previously applied the per-disclosure consent model must understand that a single consent can now authorize an ongoing category of disclosures, and that this consent must still meet Part 2’s formal requirements to be valid.

Breach Notification Requirements Now Apply to Part 2 Records

The 2024 Final Rule extended the HIPAA Breach Notification Rule to breaches that affect Part 2 protected records, creating a notification obligation that did not exist under the prior regulatory framework. Part 2 programs that experience an unauthorized acquisition, access, use, or disclosure of substance use disorder patient records must now assess whether a breach has occurred using the same four-factor risk assessment that HIPAA covered entities apply, notify affected patients, and report the breach to HHS on the same timelines the HIPAA Breach Notification Rule specifies. For programs that are also HIPAA covered entities, this creates a unified breach response obligation that applies to both their general medical records and their Part 2 records. For Part 2 programs that are not HIPAA covered entities, this notification obligation was entirely new and required the development of breach response policies and workforce training that had not previously been necessary.

Civil Monetary Penalties Added to Enforcement Framework

Before the 2024 Final Rule, violations of 42 CFR Part 2 were subject only to criminal penalties under 42 U.S.C. §290dd-2. The 2024 Final Rule added civil monetary penalties to the enforcement framework, applying the HIPAA civil penalty structure to Part 2 violations. HHS OCR received enforcement authority for Part 2 alongside its existing HIPAA enforcement role, creating a unified regulatory authority for both frameworks. This change increases the practical enforcement risk for Part 2 programs, since civil monetary penalties can be assessed at scale for systemic compliance failures without the threshold requirements that criminal prosecution demands. Workforce members and compliance officers at Part 2 programs must understand that non-compliance with consent, disclosure, and redisclosure requirements now carries civil financial exposure that the prior framework did not attach to these violations.

Complaint Rights and Anti-Retaliation Protections

The 2024 Final Rule extended the HIPAA Privacy Rule’s complaint and anti-retaliation provisions to Part 2 programs. Patients now have the right to file a complaint about a Part 2 violation directly with HHS, in addition to any complaint they make to the program itself. Programs may not retaliate against a patient for filing a complaint. Part 2 programs that are also HIPAA covered entities already had policies addressing these rights under HIPAA and needed to confirm their existing procedures extended to Part 2 complaints. Programs subject to Part 2 but not to HIPAA had no prior complaint intake or anti-retaliation requirement and needed to develop new policies, procedures, and staff training to meet this obligation before the February 2026 enforcement date.

Training on the Updated Framework

The HIPAA Journal’s HIPAA and 42 CFR Part 2 Training reflects the regulatory framework as amended by the 2024 Final Rule, covering the updated consent requirements, expanded treatment and healthcare operations permissions, breach notification obligations, civil enforcement mechanisms, and complaint rights that now apply to substance use disorder patient records. Workforce members at Part 2 programs, qualified service organizations, and lawful holders of Part 2 records who completed training before the 2024 amendments took effect received instruction on a version of the regulation that no longer reflects current requirements, and their training must be updated to address the changes that became enforceable in February 2026. The course covers both Part 2 as amended and the HIPAA Privacy Rule obligations that apply in parallel, equipping workforce members to identify which framework governs each situation and how the 2024 changes altered the practical decisions they face when handling substance use disorder patient information.

Author: PJ Murray

PJ Murray founded and is the publisher of The HIPAA Journal. He is committed to advancing the publication’s goal of promoting HIPAA compliance and safeguarding patient privacy by helping organizations and their employees better understand the regulations, as well as the importance of securing patient information and maintaining data security. PJ has experience in software development, has earned an engineering degree, and specialises in the cybersecurity aspects of protecting medical records and training healthcare staff on HIPAA.