Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records

HIPAA confidentiality under the new SUD requirements

Landmark Enforcement Program for Substance Use Disorder (SUD) Records

The U.S. Department of Health and Human Services Office for Civil Rights announced a new enforcement program. This program protects the confidentiality of substance use disorder patient records. OCR will enforce statutory and regulatory requirements under federal law.

This program introduces civil enforcement for covered substance use disorder programs for the first time. HHS will enforce safeguards to protect substance use disorder patient records. Patients deserve treatment without sacrificing privacy or legal protections.

The program enforces confidentiality provisions under section 3221 of the CARES Act. The regulation appears at 42 CFR Part 2.
Covered entities must comply with all requirements beginning February 16, 2026.

  • OCR may investigate entities that fail to protect substance use disorder patient records.
  • Penalties applied will be consistent with HIPAA Privacy, Security, and Breach Notification Rules.
  • Resolution agreements may be implemented to resolve violations.
  • Civil monetary penalties for noncompliance may be applied.
  • Corrective action commitments may also be applied.
  • HIPAA Notice of Privacy Practices may need to be updated.

Compliance will improve care coordination among providers and strengthen patient confidence in substance use disorder treatment providers.

Beginning February 16, 2026, OCR will accept complaints alleging confidentiality violations. Entities may access resources at the HHS OCR Part 2 webpage.

This program supports national policy objectives under Executive Order 14379.
The initiative addresses addiction through treatment, recovery, and self-sufficiency.

Section 3221 of the CARES Act aligns substance use disorder privacy standards with HIPAA standards.
It also aligns standards with the HITECH Act. This rule updated confidentiality protections under 42 CFR Part 2. It improves coordination among treating providers and strengthens confidentiality protections through civil enforcement.
It also improves integration of behavioral health information and improves patient health outcomes.

Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk – step by step.

Our HIPAA Keeper was designed to help organizations:

  • Understand where they stand
  • Organize required documentation
  • Maintain compliance over time
  • Be prepared if questions ever arise

Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.

To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.

About Suze Shaffer

Suze Shaffer is the owner and president of Aris Medical Solutions. She specializes in HIPAA compliance, risk management, and cyber security. She believes that clients have a better outcome when they understand what needs to be done to protect their practice, and why.

Suze has been instrumental in helping clients nationwide with risk management, implementing privacy and security rule policies and procedures, and ultimately protecting patient data. She includes state and federal regulatory requirements to ensure clients are protected in all areas.

She has spoken at numerous conferences and functions. She continues to educate organizations on how to minimize the risks of data breaches. HIPAA compliance is not an option; it is mandatory for every organization that comes in contact with protected health information to have reasonable and appropriate security measures in place. Unfortunately, most organizations don’t realize they are not compliant until they suffer a data breach or are faced with an audit or investigation.

Did you know that the Office for Civil Rights (OCR) is the agency that investigates data breaches? Have you seen the heavy fines that have been imposed for non-compliance?

All 50 states now have their own set of privacy laws and the State's Attorney General may also investigate privacy violations!


February 10, 2026