We Don’t Treat Addiction, Why Are We Talking About Part 2?

We Don’t Treat Addiction, Why Are We Talking About Part 2?

If this question has crossed your mind, you are certainly not alone. In light of Friday’s announcement regarding a new enforcement initiative from the OCR, Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records | HHS.gov coupled with the February 16^th Part 2 compliance deadline, it’s a really good question to be asking!

To begin, Part 2 refers to Substance Use Disorder (SUD) Programs or, historically known as AODA (Alcohol and Other Drug Abuse) Programs – meaning health care providers whose primary focus is the treatment of drug and alcohol addiction. It may seem, at first glance, that organizations not providing SUD services (Non‑Part 2 Providers) are unaffected. However, this is where the confusion often begins and is rooted in how the regulations are actually written. While all the Part 2 regulations apply to certified Part 2 Programs, some of the regulations do apply to Non-Part 2 Providers.

This article explains what Non‑Part 2 Providers need to know.

1. Are you a Part 2 Program?

Most Part 2 requirements only apply to organizations that meet very specific criteria involving programs that are federally funded to provide SUD Services. If you are unsure whether you are a Part 2 Program – you likely are not. (If you are genuinely not sure, feel free to give me a call and I’ll help sort it out!) For purposes of this explanation, we will assume you are not a Part 2 Program.

2. Do you receive Part 2 Records?

Even if you are not a Part 2 Provider, as a health care organization you likely may receive medical records originating from a Part 2 Program at some point. The intent of the regulations is to ensure that Part 2 Records maintain their confidentiality protections even after they leave the originating program.

For this reason, certain requirements apply to any provider who receives Part 2 Records, or what the regulations refer to as Lawful Holders. The term is cumbersome, but the concept is simple: if you receive Part 2 Records at any point, you must comply with certain sections of the Part 2 regulations that apply to Lawful Holders. Therefore, if follows, for explanations sake, that if you could guarantee that for your organization never received Part 2 Records, you would not have to comply with any portion of these regulations. In reality, that is rarely possible, so therefore, most all of us are Lawful Holders.

3. As a Lawful Holder, what parts of the regulations apply?

Once a Lawful Holder that is also a HIPAA Covered Entity (CE) (the majority of us fall in this category) receives Part 2 Records, the HIPAA Rule governs these records, with a few exceptions. Therefore, you must integrate the management of Part 2 Records into your existing HIPAA operations.

4. As a HIPAA CE, what am I supposed to do?

First, recognize when you receive Part 2 Records.

One of the critical aspects of compliance is understanding that a Part 2 Program is responsible for providing a very specific written consent—commonly called a Part 2 Consent or a TPO Consent—along with a required Notification Statement before they can disclose these records. This Part 2 Consent and Notification must accompany the records permanently. Non‑Part 2 Providers are not responsible for obtaining the consent but once you receive a Part 2 Record, you must ensure it remains linked to the records and that the records are correctly identified and protected within your system.

(HIPAA COW has a sample Part 2 or TPO Consent and Notification available on their website for your reference.)

Second, revise relevant HIPAA policies and procedures.

Because Part 2 Records are now governed by the HIPAA Privacy regulations and because of the unique protections afforded to Part 2 Records and patients, a few, but not all, HIPAA policies and procedures (p&p) must be updated. For example, one of the unique protections Part 2 Records have is that they cannot be disclosed to law enforcement in the same way other PHI can be, and, crucially, your p&ps must reflect this. For a list of p&ps and a brief description of required revisions click the link. https://wildconsultinginc.net/wp-content/uploads/2026/02/Part-2-for-Non-Part-2-Providers-Policy-and-Procedure-Revisions.pdf

Third, update your Notice of Privacy Practices (NPP)

Any changes to how PHI is used or disclosed, i.e., HIPAA p&p changes, must be reflected in your Notice of Privacy Practices (NPP). In Friday’s enforcement announcement, OCR also provided an updated NPP template for HIPAA Covered Entities that are not Part 2 Providers.

 Fourth, update workforce training

Operations and policy changes require updated training for all workforce members affected by the changes or who may encounter Part 2 Records. Carefully consider who must receive updated education – not just HIM staff but most likely Case Management, providers and other clinical staff, Quality, Risk Management, and others whose roles involve handling or disclosing PHI.

The good news is that most of what needs to be done already fits into your existing HIPAA framework – we just now have a few more twists. And remember, you don’t have to navigate it alone—when in doubt, take a deep breath, pour another cup of coffee, and reach out to us for help at kirsten@wildconsultininc.net  or www.wildconsultinginc.net   You’ve got this!