Introduction and Summary
HHS issued a final rule modernizing 42 CFR Part 2 to implement the CARES Act and more closely align with HIPAA's Privacy, Breach Notification, and Enforcement frameworks. The rule permits a single, prospective consent for Treatment, Payment, and Health Care Operations (TPO), expands HIPAA-consistent redisclosure permissions, amends notice of privacy practices requirements, and adopts HIPAA-style enforcement and breach notification for Part 2 programs. The rule also explicitly brings business associates within the confidentiality requirements set forth under 42 CFR Part 2 by adding "business associates" to the definition of "Qualified Service Organization" (QSO).
The final rule took effect on April 16, 2024. However, HHS established a general compliance deadline of February 16, 2026, providing approximately two years for regulated entities – covered entities, business associates, and Part 2 programs – to operationalize changes across policies, systems, and training. The new accounting of disclosures right under Part 2 is tolled until HHS finalizes the revised HIPAA accounting standard at 45 CFR 164.528. Entities will not need to include this right in their required Notice of Privacy Practices until that future compliance date.
Key Changes
Alignment with HIPAA for TPO, Redisclosure, and Notice
The rule authorizes Part 2 programs to utilize a single consent for all future TPO uses and disclosures, aligning the content of such consent with HIPAA authorization concepts. Covered entities, business associates, and Part 2 programs that receive records under a valid TPO consent may redisclose consistent with HIPAA, except for use or disclosure in civil, criminal, administrative, or legislative proceedings against the patient. The final rule confirms that Part 2 records and testimony relaying their content cannot be used or disclosed in civil, administrative, criminal, or legislative proceedings against the patient, absent the patient's consent or a court order, and that any court order authorizing disclosure must be accompanied by a subpoena or similar legal mandate to compel disclosure.
The rule clarifies that a Part 2 program, covered entity, or business associate receiving records based on a single TPO consent is not required to segregate or segment such records. HHS also revised the "Notice to Accompany Disclosure" to align with the CARES Act and now requires that each disclosure made with written consent include a copy of the consent or a clear explanation of its scope. An abbreviated 80-character notice remains permissible to support electronic exchange environments.
New and Clarified Patient Rights
Part 2 now incorporates HIPAA-aligned patient rights to request restrictions on TPO disclosures and to restrict disclosures to health plans where services are paid in full by the patient. The rule adopts a right to an accounting of disclosures made with consent for up to three years, with the compliance date tolled to match HIPAA's future accounting standard. Separate consent is required for SUD counseling notes, paralleling HIPAA's approach to psychotherapy notes.
The rule permits disclosure of de-identified records for public health purposes consistent with HIPAA's de-identification standard and clarifies guardrails for research, audit, and evaluation, ensuring Part 2 records cannot be used to investigate or prosecute patients.
HIPAA-Modeled Enforcement and Breach Notification
Enforcement of Part 2 will now mirror HIPAA. Previously, Part 2 focused only on criminal enforcement; now, HHS may pursue civil money penalties and related processes under the HIPAA Enforcement Rule. The rule also specifically applies HIPAA/HITECH breach notification requirements to Part 2 programs.
Practical Next Steps
Covered entities that receive Part 2 records, not just Part 2 programs, should revise their Notice of Privacy Practices and data-sharing procedures and agreements to reflect the updated (i) single TPO consent, (ii) attachment of the consent or scope explanation to each consent-based disclosure, (iii) HIPAA-consistent redisclosure permissions, and (iv) updated patient right to request restrictions on disclosure. Entities should implement consent and revocation documentation and monitoring, including mechanisms to identify consent scope and revocations, and confirm that systems and vendor agreements reflect no affirmative requirement to segment records received under a single TPO consent.
What This Means for You
The final rule enables more seamless care coordination by using a single patient consent for TPO and HIPAA-aligned redisclosure pathways, while preserving robust confidentiality by prohibiting the use of SUD records and related testimony against patients in legal proceedings without consent or a qualifying court order. Now is the time, though, for covered entities and business associates that may receive Part 2 records to update their Notice of Privacy Practices, relevant policies, business associate agreements, and training to address the changes discussed above ahead of the February 16, 2026, compliance deadline.
For more information or assistance with these topics, please contact Alisa L. Chestler, Layna Cook Rush, Katherine Denney, or any member of the Baker Donelson Health Law Team.