Select language
Select language
Beginning February 16, 2026, substance use disorder treatment (SUD) providers are required to be in full compliance with the updated 42 CFR Part 2 regulations published on February 16, 2024.
These regulations require SUD providers to notify members of any data breach involving their records. Providers are responsible for communicating the breach to both their members and the Office for Civil Rights. Violations, such as failure to notify members of a breach, could result in civil and criminal penalties in accordance with HIPAA and can be applied to the individual and/or entity. Providers are responsible for covering any costs incurred by a data breach.
Additionally, providers have the option to implement a single consent process, allowing members to provide one consent that covers all future uses and disclosures of SUD records for treatment, payment and healthcare operations.
This change affects SUD providers who receive federal funds and provide SUD treatment services.
This change is being made to align with direction from Health and Human Services (HHS) and the HIPAA Privacy and Security Regulation. Effective February 16, 2024, Health and Human Services published the Final Rule to implement section 3221 of the CARES Act.
For other changes listed in the 42 CFR Part 2 regulations, please review the links below:
Website feedback
Help us improve our website
Having trouble finding what you’re looking for? Want to tell us about your website experience? Take our feedback survey and let us know!
