42 CFR Part 2 Final Rule Changes (2024): What’s New and How to Comply

The 2024 final rule modernizes confidentiality protections for Substance Use Disorder Patient Records by aligning key 42 CFR Part 2 requirements with HIPAA and HITECH while preserving Part 2’s heightened safeguards. The rule was published on February 16, 2024, became effective on April 16, 2024, and has a compliance date of February 16, 2026. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Below, you’ll find exactly what changed and how to operationalize compliance across consent, public health reporting, legal proceedings, enforcement, breach notification standards, patient rights, and accounting of disclosures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Patient Consent Requirements

The rule authorizes a single, durable patient consent for treatment, payment, and healthcare operations (often called “TPO” or healthcare operations consent). Once a patient grants this consent, HIPAA-covered entities and their business associates may use and redisclose Part 2 records in accordance with HIPAA—except that records cannot be used in legal proceedings against the patient without patient consent or a qualifying court order. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

• Single consent covers future TPO uses/disclosures; no new authorization is required per encounter. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
• Each disclosure made with consent must include a copy of the consent or a clear explanation of its scope. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
• Consent for use/disclosure in civil, criminal, administrative, or legislative proceedings cannot be combined with any other consent. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
• SUD counseling notes (analogous to psychotherapy notes) require a separate, specific consent and cannot be disclosed under a broad TPO consent. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Disclosure to Public Health Authorities

Part 2 programs and lawful holders may disclose to public health authorities without patient consent only when sharing de-identified health information that meets HIPAA de-identification standards. Build workflows that generate properly de-identified datasets and document requestor authority before releasing information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Legal Proceedings Restrictions

Part 2’s core protection remains: records and testimony may not be used in civil, criminal, administrative, or legislative proceedings against a patient without the patient’s consent or a court order that meets Part 2’s criteria. The final rule also establishes a targeted safe harbor limiting civil or criminal liability for investigative agencies that exercise reasonable diligence regarding Part 2 applicability and take corrective steps if they later discover they received Part 2 records without the required order. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Operationally, train staff to route subpoenas and discovery requests through legal counsel; verify that any court order satisfies Part 2 before disclosing; and never rely solely on HIPAA standards for litigation-related disclosures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Enforcement and Penalties

Civil and criminal enforcement for Part 2 now aligns with HIPAA. OCR can investigate complaints, pursue resolution agreements, require corrective action, and impose civil money penalties using the HIPAA Enforcement Rule framework, while criminal penalties track HIPAA’s statutory provisions. OCR’s civil enforcement program begins with the February 16, 2026 compliance date. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Breach Notification Obligations

The HIPAA Breach Notification Rule now applies to breaches of unsecured Part 2 records. Perform the HIPAA four-factor risk assessment and, when a breach is reportable, notify affected individuals without unreasonable delay and no later than 60 days after discovery. For incidents affecting 500 or more individuals in a state or jurisdiction, notify prominent media and the HHS Secretary within the same 60-day window; for fewer than 500 individuals, log and report to HHS within 60 days after the calendar year ends. Coordinate with business associates on delegated notifications, but maintain ultimate responsibility for meeting timelines and content requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

• Individuals: written notice (or email if elected) within 60 days, detailing the breach, data types, protective steps, mitigation, and contact information. ([abhw.org](https://abhw.org/wp-content/uploads/2024/03/ABHW-42-CFR-Part-2-Final-Rule-Summary_3.1.24_FINAL.pdf))
• Media: press notice for incidents impacting ≥500 residents of a state/jurisdiction within 60 days. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
• HHS Secretary: within 60 days for ≥500; annually for fewer than 500. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))

Patient Rights and Protections

The final rule adds or aligns several patient rights and related program duties with HIPAA while maintaining Part 2’s heightened confidentiality baseline. Patients may request restrictions on certain disclosures— and programs must agree when a patient pays in full and asks to restrict disclosure to a health plan—plus opt out of fundraising communications. Programs must also provide a Part 2-compliant patient notice aligned with HIPAA’s Notice of Privacy Practices. ([abhw.org](https://abhw.org/wp-content/uploads/2024/03/ABHW-42-CFR-Part-2-Final-Rule-Summary_3.1.24_FINAL.pdf))

On systems and data architecture, the rule clarifies that segregation of protected health information (data segmentation) is not required under federal law. Even so, you should still implement role-based access, consent capture, redisclosure controls, and tagging to honor patient-requested restrictions and applicable state laws. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Accounting of Disclosures

The rule establishes a right to obtain an accounting of disclosures for Part 2 records, but HHS tolled the effective and compliance dates for this specific provision (§ 2.25) until it finalizes a corresponding revision to HIPAA’s accounting rule at 45 CFR 164.528. In other words, you must be prepared, but you are not yet obligated to provide an accounting under Part 2 until HHS completes that HIPAA rulemaking. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

• Prepare by documenting disclosures now so you can fulfill requests once the HIPAA revision is finalized; the accounting “look-back” will start on the first day the accounting requirement becomes effective. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))
• Update Patient Notice language when HHS issues the HIPAA accounting revision and the Part 2 accounting obligation activates. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Conclusion

Treat February 16, 2026 as your operational deadline to finalize single-consent TPO workflows, litigation safeguards, HIPAA-aligned breach procedures, enhanced patient notices, restriction handling, and readiness for future accounting requests—while preserving Part 2’s bar on using SUD records against patients in legal proceedings. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

FAQs

What are the new consent requirements under 42 CFR Part 2?

You may obtain a single patient consent authorizing future uses and disclosures for treatment, payment, and healthcare operations. HIPAA-covered entities and business associates that receive records under this consent may redisclose in line with HIPAA, but records still cannot be used against the patient in legal proceedings without consent or a Part 2–compliant court order. Certain consents—like those for legal proceedings and SUD counseling notes—must be separate and specific. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

How does the final rule affect disclosures to public health authorities?

It permits disclosures without patient consent when sharing de-identified health information that meets HIPAA’s de-identification standard. Build processes to verify authority, apply de-identification, and document releases. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

What enforcement mechanisms apply to Part 2 violations?

Part 2 now uses HIPAA’s civil and criminal enforcement framework. OCR can investigate, require corrective action, enter resolution agreements, and impose civil money penalties. OCR’s civil enforcement program and the rule’s compliance obligations begin February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

How can patients request an accounting of disclosures?

The right exists under the final rule, but the accounting provision’s effective and compliance dates are tolled until HHS updates HIPAA’s accounting rule at 45 CFR 164.528. Once active, patients will submit requests to the Part 2 program per its Patient Notice; until then, programs should maintain disclosure logs to be ready to respond. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))