Landmark Enforcement Program for Substance Use Disorder (SUD) Records
The U.S. Department of Health and Human Services Office for Civil Rights announced a new enforcement program. This program protects the confidentiality of substance use disorder patient records. OCR will enforce statutory and regulatory requirements under federal law.
This program introduces civil enforcement for covered substance use disorder programs for the first time. HHS will enforce safeguards to protect substance use disorder patient records. Patients deserve treatment without sacrificing privacy or legal protections.
The program enforces confidentiality provisions under section 3221 of the CARES Act. The regulation appears at 42 CFR Part 2.
Covered entities must comply with all requirements beginning February 16, 2026.
- OCR may investigate entities that fail to protect substance use disorder patient records.
- Penalties applied will be consistent with HIPAA Privacy, Security, and Breach Notification Rules.
- Resolution agreements may be implemented to resolve violations.
- Civil monetary penalties for noncompliance may be applied.
- Corrective action commitments may also be applied.
- HIPAA Notice of Privacy Practices may need to be updated.
Compliance will improve care coordination among providers and strengthen patient confidence in substance use disorder treatment providers.
Beginning February 16, 2026, OCR will accept complaints alleging confidentiality violations. Entities may access resources at the HHS OCR Part 2 webpage.
This program supports national policy objectives under Executive Order 14379.
The initiative addresses addiction through treatment, recovery, and self-sufficiency.
Section 3221 of the CARES Act aligns substance use disorder privacy standards with HIPAA standards.
It also aligns standards with the HITECH Act. This rule updated confidentiality protections under 42 CFR Part 2. This rule improves coordination among treating providers. Strengthens confidentiality protections through civil enforcement.
It also improves integration of behavioral health information and improved patient health outcomes.
Aris Medical Solutions helps medical practices and business associates understand HIPAA expectations and reduce risk – step by step.
Our HIPAA Keeper™ was designed to help organizations:
- Understand where they stand
- Organize required documentation
- Maintain compliance over time
- Be prepared if questions ever arise
Additionally, you will have a HIPAA security analyst to guide and assist you when you need help.
To find out where you stand with your compliance, schedule a free HIPAA checkup today at Aris Medical Solutions.