Breaking Point: Ohio's Behavioral Health Workforce Crisis

42 CFR Part 2 Changes Now In Effect – Resources on Enforcement

Changes to 42 C.F.R. Part 2 went into effect February 16th, 2026. These changes modify the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations to create better alignment with HIPAA. Our partners at Vorys, Sater, Seymour and Pease have shared the following information regarding anticipated launch of the HHS Civil Enforcement Program for Part 2 implementation:

In conjunction with the effective date of various updates to 42 CFR Part 2, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched its new enforcement program pertaining to the confidentiality of substance use disorder (SUD) records. Specifically, OCR is implementing various civil enforcement mechanisms as required under the Coronavirus Aid, Relief, and Economic Security (CARES) Act and its implementing regulations under 42 CFR Part 2.

Per its announcement on February 13, 2026, OCR’s enforcement program will:

Investigate compliance with 42 CFR Part 2 including required updates to Notice of Privacy Practices (NPPs) (see Model Notice templates here) and the new breach notification requirements;
Accept complaints of alleged Part 2 confidentiality violations;
Accept breach notification, as specified under the Health Insurance Portability and Accountability Act (HIPAA), for breaches of confidentiality of SUD records; and
Resolve noncompliance findings through various civil enforcement mechanisms including resolution agreements, monetary settlements, corrective actions, or civil monetary penalties.

Given that the changes to 42 CFR Part 2 were intended to align Part 2 with HIPAA, it is anticipated that we may begin to see Part 2 enforcement trends track the HIPAA enforcement activity immediately after the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH). For example, several early enforcement cases involved failure to safeguard ePHI, resulting in settlements ranging from $150,000 to $1.7 million. In another case, a provider agreed to a settlement of $275,000 for the disclosure of PHI without patient consent.

Now that OCR has a new enforcement mechanism in place, to date, OCR has settled around 150 enforcement actions, totaling approximately $150 million in penalties. For questions regarding these changes, please seek guidance from your organization’s legal counsel. The Ohio Council will continue monitoring implementation of the new 42 CFR Part 2 implementation and will keep Ohio Council members informed of any additional pertinent information.