5 Days Until the 42 CFR Part 2 Deadline: Your Last-Minute SUD Compliance Checklist

  • kaylarojas
  • Feb 18
  • 5 min read

Update: The February 16, 2026 deadline has passed. If your organization hasn't updated its Notice of Privacy Practices (NPP) to comply with the integrated 42 CFR Part 2 and HIPAA rules, you're now operating in violation, and the Office for Civil Rights (OCR) has had enforcement authority as of two days ago.

This isn't a drill. OCR can now investigate complaints, require breach reporting for Part 2 records, and impose civil monetary penalties. But if you're reading this in panic mode, take a breath. We've worked with dozens of SUD programs through regulatory transitions, and there's a clear path forward, even if you're behind.

Here's what you need to do right now to minimize exposure and get compliant fast.

Why This Deadline Matters More Than Most

The 42 CFR Part 2 and HIPAA alignment has been years in the making, but February 16, 2026 marked the hard cutoff. Any HIPAA-covered entity that creates, receives, maintains, or transmits substance use disorder records (even one that is not technically a "Part 2 program") was required to revise its NPP by that date.


Here's what changed:

  • Part 2 records are now subject to some HIPAA flexibilities (like treatment, payment, and operations disclosures)

  • But Part 2's stricter protections still override HIPAA in key areas

  • Your NPP must clearly explain these differences to patients

  • You now report Part 2 breaches to OCR, not just SAMHSA

  • OCR has full enforcement power over Part 2 violations

If your organization receives SUD records from external providers (hospitals, MAT clinics, telehealth platforms), you're covered by this rule even if you don't consider yourself a "Part 2 program." That has caught many behavioral health organizations off guard.

Your Immediate Compliance Checklist

Step 1: Audit Your Current NPP (Do This Today)

Pull your existing Notice of Privacy Practices. Check whether it includes:

  • Part 2-specific language about SUD record protections

  • Explicit disclosure rules for Part 2 vs. HIPAA scenarios

  • Patient rights under both frameworks

  • Legal proceeding restrictions for SUD records

If your NPP reads like a standard HIPAA-only document, you're not compliant. Period.

👉 Action: Assign someone on your compliance team to flag every gap between your current NPP and Part 2 requirements. This becomes your revision roadmap.

Step 2: Prioritize the NPP Revision (This Week)

You can combine your HIPAA Privacy Rule NPP with Part 2 disclosures into a single document; most organizations find this cleaner than maintaining two separate notices. But the combined version must include:

Required Part 2 Elements:

  • Uses and disclosures specific to Part 2 records (treatment coordination, payment, research, etc.)

  • Explanation of when Part 2's stricter limits apply over HIPAA

  • Patient consent requirements for non-TPO disclosures

  • Statement about limits on using SUD records in civil, criminal, administrative, or legislative proceedings

  • Notice that Part 2 records can't be re-disclosed without authorization


Don't overcomplicate it. Your NPP should be readable by a layperson: think 8th-grade reading level, plain language, clear headers. If your legal team drafts something that reads like a regulatory textbook, push back.

👉 Action: If you don't have in-house expertise, reach out to KBBG Systems or another compliance consultant who specializes in behavioral health. We've standardized NPP templates for SUD programs across multiple states, and we can accelerate your revision timeline significantly.

Step 3: Distribute the Revised NPP to Patients

Once your updated NPP is finalized, you need to:

  • Post it prominently in your facility (waiting rooms, intake areas)

  • Publish it on your website

  • Provide a copy to every current patient

  • Include it in new patient intake packets going forward

For existing patients: You're required to make a "good faith effort" to provide the updated NPP. That typically means:

  • Mailing it to active patients with a cover letter explaining the update

  • Posting it to your patient portal (if you use one)

  • Handing out copies at the next scheduled appointment

Document your distribution efforts. If OCR investigates, you'll need proof that you attempted reasonable notification.

Step 4: Train Your Staff on Part 2 Disclosure Rules

An updated NPP means nothing if your front desk, billing team, and clinical staff don't understand the new rules. The biggest risk post-deadline? Inadvertent disclosures by well-meaning staff who don't know Part 2 limits.

Key training points:

  • Treatment coordination: You can now share SUD records for TPO purposes without individual consent, but only within your organization or with HIPAA business associates. External disclosures still require patient authorization unless a specific exception applies.

  • Billing and insurance: You can disclose Part 2 records to payors for payment purposes, but you must track what's disclosed and to whom.

  • Legal requests: Part 2 records cannot be used in most criminal or civil proceedings without a court order that meets strict criteria. Law enforcement requests don't automatically override Part 2.


👉 Action: Schedule a mandatory 60-minute training for all staff who handle patient information. Use case studies and real scenarios; abstract policy review doesn't stick.

Step 5: Update Your Breach Response Plan

As of February 16, you now report breaches of unsecured Part 2 records to OCR, just like HIPAA breaches. That means:

  • Any unauthorized access, use, or disclosure of Part 2 records triggers the same breach analysis as HIPAA

  • If the breach affects 500+ individuals, you report to OCR within 60 days and notify the media

  • Smaller breaches get reported annually

Review your current breach response plan and add Part 2-specific workflows:

  • How do you identify whether a breach involves Part 2 records?

  • Who's responsible for conducting the risk assessment?

  • What's your timeline for notifying OCR vs. SAMHSA?

If you haven't updated your breach response plan since 2024, you're operating with outdated protocols.

Step 6: Document Everything

OCR investigations hinge on documentation. If you're scrambling to get compliant post-deadline, keep records of:

  • When you finalized your revised NPP

  • How and when you distributed it to patients

  • Staff training attendance and materials

  • Any breach risk assessments related to Part 2 records

  • Communications with business associates about Part 2 obligations

This paper trail demonstrates good faith effort to comply, which can mitigate penalties if OCR comes knocking.

What If You're Already Non-Compliant?

Let's be direct: if you missed the February 16 deadline and haven't started remediation, you're at risk. But voluntary disclosure and rapid correction go a long way with OCR.

Consider this approach:

  1. Conduct an internal compliance assessment immediately. Identify every gap.

  2. Prioritize the NPP revision and distribution. Get it done within 30 days max.

  3. Self-report to OCR if you've had any Part 2-related breaches or complaints. Proactive disclosure typically results in lower penalties than reactive enforcement.

  4. Engage a compliance consultant who can help you navigate OCR communication and develop a corrective action plan.

We've helped SUD programs manage post-deadline compliance more times than we can count. OCR isn't interested in shutting down well-meaning organizations; it wants to see corrective action and systems that prevent future violations.


Payor-Specific Considerations

Medicare and Medicaid programs should note that CMS has its own reporting expectations for Part 2 compliance. If you're a Medicare-certified or Medicaid-enrolled provider, your state Medicaid agency may require additional documentation of your NPP updates during your next audit.

Commercial payor contracts may also include clauses about regulatory compliance. Review your contracts to determine whether you need to notify payors of your NPP revision or provide proof of Part 2 compliance.

The Bottom Line

The 42 CFR Part 2 deadline wasn't optional, and OCR enforcement is live. If you're behind, the worst thing you can do is delay further. Every day of non-compliance increases your exposure.

We specialize in helping behavioral health organizations navigate exactly this type of regulatory crunch. Our team has worked with SUD programs in New York, Florida, Pennsylvania, Arizona, and nationwide to streamline compliance, update policies, and implement training protocols, fast.

If you need support getting compliant or preparing for an OCR investigation, reach out to us at KBBG Systems. We'll help you cut through the chaos and build a defensible compliance framework that protects your program and your patients.

You're not in this alone. Let's get you back on track.
