HHS Civil Enforcement Program for Part 2 Has Arrived

On February 16, 2026, in conjunction with the effective date of various updates to 42 CFR Part 2, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) launched its new enforcement program pertaining to the confidentiality of substance use disorder (SUD) records.  Specifically, OCR is implementing various civil enforcement mechanisms as required under the Coronavirus Aid, Relief, and Economic Security (CARES) Act and its implementing regulations under 42 CFR Part 2.

Per its announcement on February 13, 2026, OCR’s enforcement program will:

1. Investigate compliance with 42 CFR Part 2 including required updates to Notice of Privacy Practices (NPPs) (see Model Notice templates here) and the new breach notification requirements;
2. Accept complaints of alleged Part 2 confidentiality violations;
3. Accept breach notification, as specified under the Health Insurance Portability and Accountability Act (HIPAA), for breaches of confidentiality of SUD records; and
4. Resolve noncompliance findings through various civil enforcement mechanisms including resolution agreements, monetary settlements, corrective actions, or civil monetary penalties.

Given that the changes to 42 CFR Part 2 were intended to align Part 2 with HIPAA, we would not be surprised to see Part 2 enforcement trends track the HIPAA enforcement activity immediately after the introduction of the Health Information Technology for Economic and Clinical Health Act (HITECH).  For example, several early enforcement cases involved the failure to safeguard ePHI, resulting in settlements ranging from $150,000 to $1.7 million.  In another case, a provider agreed to a settlement of $275,000 for the disclosure of PHI without patient consent.  To date, OCR has settled around 150 enforcement actions, totaling approximately $150 million in penalties.  Now that OCR has a new enforcement mechanism, we fully expect it to begin investigating any suspected violations.