42 CFR Part 2: What Attorneys Must Know Now
CEO & Founder at LlamaLab
42 CFR Part 2 Enforcement Is Here: What Attorneys Need to Know
The HHS Office for Civil Rights (OCR) began civil enforcement of 42 CFR Part 2 on February 16, 2026, marking the first time the federal government can impose civil money penalties for mishandling substance use disorder (SUD) treatment records. Penalties now mirror HIPAA's tiered structure—ranging from thousands to millions of dollars per violation. For attorneys who request, receive, or store medical records involving addiction treatment, the compliance landscape changed overnight.
The enforcement program implements Section 3221 of the CARES Act, passed by Congress in 2020 to align Part 2 with HIPAA while preserving the stricter protections that SUD records have carried since 1975. OCR now accepts complaints from individuals alleging Part 2 violations, investigates breach notifications, and has the authority to pursue resolution agreements, corrective action plans, and monetary settlements.
Date OCR began civil enforcement of 42 CFR Part 2
Maximum civil money penalty per violation category under HIPAA-aligned tiers
Year Congress passed CARES Act Section 3221 authorizing Part 2 enforcement
What Is 42 CFR Part 2
42 CFR Part 2 is a set of federal regulations that provide heightened privacy protections for records generated by federally assisted programs treating substance use disorders. The rules have existed in some form since the 1970s, originally designed to encourage people to seek addiction treatment without fear that their records would be disclosed to employers, insurers, or law enforcement.
The distinction from HIPAA is significant. While HIPAA permits disclosure of protected health information for treatment, payment, and healthcare operations without patient authorization, Part 2 historically required specific written consent for each disclosure. A provider could share a patient's cardiology records with a referring physician under standard HIPAA rules. The same provider needed a separate, more restrictive consent to share that patient's SUD treatment records—even with another treating doctor.
Until February 16, 2026, violating Part 2 carried only criminal penalties, which were rarely pursued. Civil enforcement did not exist. That gap meant that improper disclosures of SUD records—while technically illegal—carried minimal practical risk for most organizations.
Part 2 vs. HIPAA: The Core Difference
What Changed on February 16
The enforcement shift is the headline, but several operational changes took effect alongside it. Each one has downstream implications for how attorneys request and handle SUD records.
Part 2: Before and After Enforcement
Before Feb 16, 2026
Criminal Penalties Only
Violations could theoretically trigger criminal prosecution, but enforcement was rare
Separate Consent Per Disclosure
Patients had to sign a new consent form for each entity receiving SUD records
No Breach Reporting Requirement
Part 2 programs had no obligation to report breaches to individuals or OCR
No OCR Complaint Mechanism
Individuals had no formal process to file Part 2 complaints with OCR
After Feb 16, 2026
Civil Money Penalties
HIPAA-aligned tiers from thousands to millions per violation, actively enforced by OCR
Single-Consent Rule
Patients can provide one consent covering all future uses for treatment, payment, and operations
Mandatory Breach Reporting
Part 2 programs must report breaches to affected individuals and OCR
OCR Accepts Complaints
Individuals can now file Part 2 complaints directly with OCR for investigation
Single-Consent Rule
The CARES Act alignment introduced a single-consent provision that simplifies the consent process. Patients can now sign one consent form authorizing all future uses and disclosures of their SUD records for treatment, payment, and healthcare operations. The prior model—requiring a separate consent for each recipient—created friction that slowed care coordination and complicated record retrieval.
Breach Reporting
Part 2 programs must now follow HIPAA-style breach notification rules. That means notifying affected individuals, reporting to OCR, and in some cases issuing public notice. Organizations were expected to have breach reporting protocols in place by the February 16 deadline.
Updated Compliance Infrastructure
Covered organizations needed to revise Notices of Privacy Practices, update business associate agreements, modify qualified service organization (QSO) agreements, and implement or update consent workflows—all by the enforcement date. Providers that have not yet completed these changes face compliance exposure on every SUD record they disclose.
When Attorneys Encounter Part 2 Records
Part 2 records surface in litigation more often than many firms expect. Any case where a party has a history of substance use treatment may involve records from a federally assisted SUD program—and those records carry Part 2 protections regardless of the type of case.
Personal injury with DUI history. A plaintiff's treatment records from an addiction counseling program after a DUI are Part 2 records. Requesting them with a standard HIPAA authorization may not be sufficient. The authorization may need Part 2-specific consent language, and the provider may refuse disclosure without it.
Mass tort with addiction history. Opioid litigation, GLP-1 cases involving addiction-adjacent conditions, and pharmaceutical injury claims frequently intersect with SUD treatment records. Firms handling these cases at scale face particular risk if intake processes do not flag Part 2 records early.
Workers' compensation. An employee's participation in an employer-mandated substance abuse program generates Part 2-protected records. Disclosure outside the narrow permitted purposes—even in the context of a workers' comp claim—now carries civil penalty risk.
Family law. Custody disputes involving allegations of substance abuse may require SUD records. Courts can issue orders compelling disclosure, but the Part 2 court-order standard requires specific findings that standard subpoenas do not satisfy.
State laws may impose additional restrictions on top of Part 2. Attorneys operating across jurisdictions should verify that their authorization forms and disclosure practices satisfy both federal and state requirements.
What Firms Should Do Now
Key Points
Essential takeaways from this article
The Bottom Line
The February 16 enforcement date transformed 42 CFR Part 2 from a regulation with theoretical consequences into one with real financial penalties. For attorneys, the change means that SUD records now require the same operational rigor as any HIPAA-sensitive disclosure—and in many cases, more.
The firms most likely to encounter problems are those that treat all medical records the same way at intake. Identifying Part 2 records early, using compliant authorization language, and protecting SUD records after receipt are no longer best practices. They are compliance requirements backed by civil money penalties.
Compliant Medical Record Retrieval
LlamaLab helps plaintiff firms retrieve records—including Part 2-protected SUD records—with built-in compliance checks and provider intelligence that flags special handling requirements before requests go out.
Sources: HHS announcement on Part 2 civil enforcement, HHS 42 CFR Part 2 overview, Foley Hoag: Part 2 Civil Enforcement Is Here, PrivaPlan: OCR Enforcement of SUD Privacy Rules, WCHSB: Federal Enforcement of Part 2 Begins.
This article is for informational purposes only and does not constitute legal or medical advice. Consult with qualified professionals for advice specific to your situation.
Stay Updated with Latest Insights
Get the latest articles about medical record retrieval and legal tech delivered to your inbox.
