
Are You Ready for the New 42 CFR Part 2 Final Rule, effective February 16, 2026?

Robert Hess III, BSW, MPH, PMP, LEAN SSBB

If you work anywhere near substance use disorder (SUD) services, you likely know how strict 42 CFR Part 2 has been historically. Many of those restrictions are changing on February 16, 2026.

The new 42 CFR Part 2 final rule, first proposed in 2024, changes that landscape in a big way. It doesn’t weaken privacy—it modernizes it. Think of it as Part 2 finally moving into the same “house” as HIPAA, while keeping some extra locks on the doors that protect people from stigma, criminalization, and discrimination.

This post focuses on what is changing and what health and human service providers should actually do about it.

One Consent for Treatment, Payment, and Operations (TPO)

Previously, Part 2 data related to substance use diagnoses, treatment and referrals often required highly specific, one‑off consents naming each recipient. That made coordinated care clunky and sometimes impossible. Under the final rule, once a patient signs a valid consent, their Part 2 SUD information can be used and disclosed for treatment, payment, and health care operations (TPO) much more like HIPAA‑protected health information. 

What Providers Should Do

  1. Redesign consent forms to explicitly authorize use/disclosure of Part 2 information for TPO, and clearly explain what that means in plain language.
  2. Update intake workflows so staff consistently offer and explain this expanded consent and patients understand they can say “yes” to care coordination and still have strong protections against non‑TPO uses (e.g., legal proceedings, discrimination).
  3. Align with HIPAA language where possible so consents don’t feel like two competing documents.

Re-disclosure Rules Are Looser for TPO—But Not a Free‑For‑All
Under the old Part 2 approach, re-disclosure of SUD information was tightly restricted: “once Part 2, always Part 2,” often with “do not re-disclose” warnings attached. With the final rule, once a patient has consented to share their Part 2 information for TPO, that information can generally be re-disclosed within the HIPAA framework for those purposes. However, certain uses and disclosures (like legal proceedings or law enforcement) remain specially restricted and require additional protections or authorization.

What Providers Should Do

  1. Update your EHR tagging and segmentation. Specifically, (a) identify which SUD data is Part 2‑protected, and (b) configure rules so that once consent is on file, the info flows appropriately for TPO, but not beyond.
  2. Revise “do not redisclose” language. Replace older, absolute warnings with language reflecting the new rule: redisclosure may occur for TPO, but not for prohibited uses (e.g., legal proceedings) without proper authorization or court order.
  3. Train staff and partners. Clarify what can now be redisclosed under HIPAA‑style TPO. Emphasize that this is not permission to share Part 2 info with employers, law enforcement, or courts without meeting stricter standards.

HIPAA‑Style Patient Rights and Breach Response Now Apply
The CARES Act directed HHS to essentially “plug” Part 2 into the HIPAA/HITECH universe. The final rule does this by:

  • Applying HIPAA‑like patient rights to Part 2 data, including:
    • Right to access their records.
    • Right to request amendments.
    • Right to receive an accounting of certain disclosures.
  • Applying HIPAA/HITECH breach notification standards to Part 2 breaches.
  • Aligning civil and criminal penalties with HIPAA enforcement.

What Providers Should Do

  1. Integrate Part 2 into your HIPAA workflows. Treat Part 2 information as subject to the same access, amendment, and accounting processes you already have for PHI.
  2. Update your breach response plan. Ensure SUD‑related incidents trigger the same notification timelines and risk assessments as other PHI breaches.
  3. Educate leadership and compliance teams. Make sure your board, compliance committee, and executive leadership know that enforcement risk for Part 2 now looks and feels like HIPAA enforcement.

Stronger Protections Against Use in Legal Proceedings
The final rule reinforces and clarifies that Part 2 records generally cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings without the patient’s consent, a specific court order, or meeting narrow exceptions. Part 2 records are not open season for subpoenas, custody battles, or employment disputes. This is critical for building trust: people seeking SUD care need to know their treatment history won’t be weaponized against them.


What Providers Should Do

  1. Update policies for subpoenas and court orders. Require legal review for any request involving SUD records. Create clear checklists for staff: “If it’s SUD/Part 2 → stop, escalate to Privacy/Legal.”
  2. Train staff on “we don’t just hand this over”. Role‑play scenarios: custody cases, criminal investigations, employer requests. Reinforce that well‑meaning cooperation with a court or agency can still violate Part 2 if not handled correctly.

Anti‑Discrimination and Anti‑Stigma Provisions
The final rule operationalizes the CARES Act’s vision that SUD history should not be a life sentence. It adds or reinforces protections that prohibit:

  • Using Part 2 records to discriminate in housing, employment, access to services, or benefits.
  • Using SUD treatment history to deny people opportunities or punish them in settings like child welfare, criminal justice, or education.

What Providers Should Do

  • Review HR, housing, and eligibility policies. Ensure no screening tools or workflows use SUD treatment history as a negative factor.
  • Embed this in culture and training. Make it explicit: SUD treatment is a sign of recovery and resilience, not a reason to deny someone care, housing, or work.
  • Align messaging to patients. Build trust by proactively telling them their treatment history can’t be used against them in these ways.

Implementation Roadmap for Health & Human Service Providers
Here’s a practical, do‑this‑next list you can hand to your operations and compliance leads:

  1. Governance & Gap Assessment
    1. Map your current Part 2 practices against the final rule.
    2. Identify where policies, forms, and workflows are still built around the “old Part 2.”
  2. Policy & Procedure Overhaul
    1. Revise: Privacy, information sharing, legal/records requests, breach response, HR nondiscrimination, and data‑sharing agreements.
    2. Add clear sections on TPO‑based sharing with consent, redisclosure rules, use in legal proceedings, anti‑discrimination.
  3. Consent, Notices, and Forms
    1. Create updated Part 2/HIPAA‑aligned consent that: authorizes TPO, explains patient rights, clarifies what still can’t be done with their information.
    2. Refresh your Notice of Privacy Practices to reflect Part 2 integration.
  4. Technology & Data Segmentation
    1. Work with your EHR/HIE vendors to: (a) tag SUD/Part 2 data elements, (b) support appropriate sharing for TPO once consent is granted, (c) block or flag when a use would cross into legal proceedings or non‑permitted contexts.
  5. Contracts & Data‑Sharing Agreements
    1. Update Business Associate and Qualified Service Organization (QSO) agreements to (a) reflect the new Part 2/HIPAA alignment, (b) clarify obligations around redisclosure, breach notification, and legal requests.
  6. Training & Culture
    1. Build scenario‑based training: “day in the life” of a care coordinator, child welfare worker, probation officer, or housing navigator. Train on: (a) what changed, (b) what’s still absolutely protected, (c) how to talk about this with patients in trauma‑informed, stigma‑free language.
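
An added example (not from the original post or any EHR vendor) of the segmentation rule described in the re-disclosure section and in roadmap item 4: Part 2-tagged data flows for TPO once consent is on file, requests in a legal context are escalated, and anything else is denied. The record ids, purpose names, and decision labels are hypothetical, and the logic is a simplified reading of the post's description.

```python
from dataclasses import dataclass
from enum import Enum

class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    LEGAL_PROCEEDING = "legal_proceeding"
    LAW_ENFORCEMENT = "law_enforcement"
    EMPLOYER = "employer"

TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}
LEGAL = {Purpose.LEGAL_PROCEEDING, Purpose.LAW_ENFORCEMENT}

@dataclass(frozen=True)
class Request:
    record_id: str
    part2: bool                 # segmentation tag on the SUD data element
    purpose: Purpose
    tpo_consent_on_file: bool

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); anything not explicitly allowed is denied."""
    if not req.part2:
        return "defer", "not Part 2 tagged; existing PHI policy decides"
    if req.purpose in LEGAL:
        return "escalate", "Part 2 in a legal context: stop, route to Privacy/Legal"
    if req.purpose in TPO and req.tpo_consent_on_file:
        return "allow", "TPO use with patient consent on file"
    if req.purpose in TPO:
        return "deny", "TPO requested but no Part 2 consent on file"
    return "deny", "non-TPO purpose is outside the TPO consent"

def evaluate(requests: list[Request]) -> list[tuple]:
    """Decide each request; rows are (record, purpose, decision, reason) for review."""
    return [(r.record_id, r.purpose.value, *decide(r)) for r in requests]

# Constructed sample requests (hypothetical record ids).
SAMPLE = [
    Request("rec-001", True, Purpose.TREATMENT, True),
    Request("rec-001", True, Purpose.PAYMENT, False),
    Request("rec-001", True, Purpose.LEGAL_PROCEEDING, True),
    Request("rec-001", True, Purpose.EMPLOYER, True),
    Request("rec-002", False, Purpose.OPERATIONS, False),
]

if __name__ == "__main__":
    for row in evaluate(SAMPLE):
        print(row)
```

The legal-context check runs before the consent check, so a TPO consent on file never short-circuits the escalation to Privacy/Legal.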
