New Processes Under Federal Rule Intended to Protect Behavioral Health Records

Changes to a federal regulation alter how organizations must handle patient records involving substance use disorders and create a new process for enforcement. 

New changes to a federal rule that protects the privacy of behavioral health records will enhance care coordination among providers and simplify how organizations navigate data releases, according to federal officials.

Earlier this year, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) and the Substance Abuse and Mental Health Services Administration (SAMHSA) finalized modifications to the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR part 2 (Part 2). The Part 2 statute protects the privacy of patient records created by federally assisted programs for the treatment of substance use disorders (SUD).

The modifications aim to strengthen confidentiality protections through civil enforcement and improve patient outcomes by better integrating behavioral health information with other medical records.

“People who misuse drugs often have other health conditions that need to be addressed,” Miriam Delphin-Rittmon, PhD, SAMHSA Assistant Secretary for Mental Health and Substance Use said during an April 16 webinar. “To do this, care must be coordinated among various primary and specialty providers, healthcare systems, testing facilities, and others … The new changes to 42 CFR part 2 will help with care coordination and reduce the respective fears among patients with SUD, as well as their respective healthcare providers. Namely, the closer alignment of 42 CFR part 2 with the more widely known HIPAA (Health Insurance Portability and Accountability Act of 1996) regulation will help to demystify the regulation for providers, healthcare systems, and others who handle patient records.”

Federal leaders described the key changes to Part 2, and what organizations can expect if breaches or violations occur.

A top difference will be the new consent process for uses and disclosures of Part 2 records, said Timothy Noonan, deputy director for health information privacy, data, and cyber security for OCR. The final rule creates a new option for patients to provide a single consent for all future uses and disclosures of Part 2 records for treatment, payment, and healthcare operations.  

“This should be beneficial to Part 2 regulated entities as it will facilitate greater efficiencies for treatment, payment, and healthcare operations, and patients still have the ability to revoke their consent,” Noonan said during the webinar.  

The modifications also alter redisclosures of Part 2 records for certain purposes beyond treatment, payment, and healthcare operations. Redisclosure of Part 2 records is permitted by HIPAA-covered entities and HIPAA business associates if the exchange is in accordance with the HIPAA Privacy Rule, Noonan noted. 

Depending on the patient’s consent, for example, a Part 2 program could disclose Part 2 records to a patient's HIPAA-covered primary physician, and that physician could redisclose the records if the sharing aligns with the HIPAA Privacy Rule.

Changes Create New Breach, Violation Processes

During the webinar, public officials explained how breach notifications and penalties for violations will also change.

Part 2 programs will be required to report breaches to the HHS secretary in the same manner detailed in the Health Information Technology for Economic and Clinical Health (HITECH) Act for breaches of protected health information by HIPAA-covered entities, according to Noonan. In the event of a breach, Part 2 programs will be required to notify the secretary, affected patients, and in some cases, the media. Upon discovery of the breach, a Part 2 program will have no more than 60 days to report the breach to the individuals affected, and whether the breach affected 500 or more individuals to HHS.

The new changes also create a civil enforcement process for violations of the confidentiality provisions under Part 2. Previously, enforcement of the confidentiality provisions of Part 2 was limited to criminal sanctions, Noonan said. Now, in addition to potential criminal penalties, a Part 2 program could also be subject to civil money penalties for violations of the Part 2 confidentiality provisions.

More specifically, the civil money penalty structure used in HIPAA will now be applicable to Part 2 programs.

“Civil enforcement of the Part 2 regulations under the HITECH-tiered civil money penalty structure should create a significant financial deterrent to violations of the Part 2 regulations that doesn't currently exist,” Noonan said.

In addition, Part 2 programs will be required to provide notice to patients about their rights in the use and disclosure of Part 2 records. Patient notice is now aligned with the required elements of the HIPAA notice of privacy practices, but retains the provisions unique to Part 2, Noonan explained.

The HIPAA Privacy Rule requires that notice be provided to individuals about how a covered entity may use and disclose the individual's protected health information, as well as the individual's rights and the covered entity's obligations with respect to the individual's protected health information, he said. Similarly, the final rule requires Part 2 programs to provide notice to patients regarding Part 2 records, including patient's rights and uses and disclosures permitted without the patient's consent.

What Do the Changes Mean for HI Professionals?

For health information (HI) professionals, the changes to 42 CFR Part 2 could significantly impact day-to-day operations, from policy revisions and technology upgrades, to training and compliance monitoring, says Mike Bonnes, DCS, MS, a Poulsbo, WA-based healthcare information security privacy specialist and owner of CyberX Today, a cyber security consulting firm.

The final rule intensifies the need for HI professionals to increase the care of SUD patient records within healthcare settings, Bonnes says.

“First and foremost, they will be tasked with updating or creating new policies and procedures that align with the heightened confidentiality protections the rule mandates,” he says. “42 CFR Part 2 will include refining data access protocols, redesigning consent forms, and revising information disclosure policies to ensure they meet the new standards. The updated policies and procedures will require an additional approach to ensure full compliance while maintaining the practicality of medical and administrative workflows.”

Training and education are critical components of 42 CFR Part 2, he adds. Ensuring all medical and administrative staff are fully informed about the new requirements is crucial, he says. For HI professionals, this could include the development of training materials and sessions that clearly articulate changes in consent and disclosure practices. 

In collaboration with IT departments, Bonnes says HI professionals also will want to ensure that electronic health records (EHRs) and other data management systems are equipped with advanced security features like encryption, and robust access controls tailored to protect SUD records.

Overall, Bonnes believes the final rule will require a thoughtful, informed response from HI professionals. 

“By understanding the rule's implications, preparing for its challenges, and implementing strategic mitigation measures, we can ensure that our organizations comply with the new requirements and advance our overall approach to patient privacy and data security,” he says. “The successful implementation of this rule depends significantly on our proactive engagement in adapting and overseeing our organizations' information management practices.”

The final rule went into effect on April 16. Affected providers and organizations have until Feb. 16, 2026, to come into compliance.

Alicia Gallegos is a freelance healthcare journalist based in the Midwest.