42 CFR Part 2, HIPAA

Many Covered Entities Must Update HIPAA NPPs to Address Part 2 Records

Posted on by Tracy Guarnieri

Due to 2024 changes to HIPAA, covered entities that receive or maintain substance use disorder (SUD) records from programs subject to 42 CFR Part 2 (Part 2 Programs) must update their Notice of Privacy Practices (NPP) to clearly explain how these records are handled.  This requirement applies even if the covered entity does not provide SUD services and is not itself a Part 2 program.

If the covered entity is also a Part 2 Program, it has much more extensive requirements for its patient notice, which are detailed in 2024 changes to 42 CFR Part 2 (Part 2 Final Rule).  Those changes seek to align more closely with the HIPAA NPP requirements.

The compliance date for both regulatory changes is February 16, 2026.

Required NPP Changes for Covered Entities that are Not Part 2 Programs

At a minimum, a covered entity’s updated NPP must clearly describe the following:

  1. Permitted uses and disclosures of SUD treatment records. The NPP must explain how the covered entity may use and disclose Part 2 Records it receives, consistent with 42 CFR Part 2 and HIPAA.
  2. Restrictions on legal proceedings. The NPP must describe the prohibition on using or disclosing Part 2 Records, or testimony describing their contents, in civil, criminal, administrative, or legislative proceedings against a patient, unless: (i) the patient provides specific written consent, or (ii) a court order meeting 42 CFR Part 2’s requirements authorizes the disclosure.
  3. Fundraising opt-out rights. If the covered entity engages in fundraising, the NPP must inform patients of their clear and conspicuous right to opt out of use for fundraising purposes.

These requirements apply even if Part 2 Records constitute only a small portion of the covered entity’s overall data.

Part 2 Programs: Updated Patient Notice Requirements

The Part 2 Final Rule makes notable changes to its required patient confidentiality notice to align its requirements more closely with the HIPAA NPP.  It provides the required language for the header and elements of the notice.  While the new requirements are like those in HIPAA, they are not identical due to some of the substantive differences between 42 CFR Part 2 and HIPAA.  Providers that are both Part 2 programs and HIPAA covered entities may satisfy both rules with one notice, but that notice must meet the requirements of both.

Questions?  Join Our Next HIPAA Helpline!

During our Next HIPAA Helpline on January 21, 2026, we will address changes to the NPP.  Register here.