MLMIC Dental

< Back to Publications & Resources

Open Bar: New Federal Privacy Rules Start February 16, 2026

Cityscape backdrop with a blue briefcase and gavel in the forefront

Question:  What do healthcare providers need to know about the new Federal Privacy Rules?

Answer: The U.S. Department of Health and Human Services has issued a final rule updating the federal regulations protecting the confidentiality of substance use disorder (SUD) treatment records to better align with HIPAA’s privacy standards. The goal of these changes is to maintain strong privacy protections for patients in SUD treatment while easing coordination of care by more closely harmonizing Part 2 with HIPAA[1]. All affected providers must comply by February 16, 2026.

This update applies to any “Part 2 program,” which generally means any federally assisted individual or organization that holds itself out as providing SUD diagnosis, treatment, or referral services[2]. In a hospital or larger medical facility, this usually only includes the specific unit or staff dedicated to SUD treatment (i.e., inpatient drug/alcohol rehabilitation unit). Other departments and clinicians in the same hospital not involved in SUD are not directly subject to Part 2[3]. In addition, any provider or entity that receives SUD treatment records from a Part 2 program becomes what the rule calls a “lawful holder” of these records. For example, if a primary doctor lawfully obtains a patient’s records from an addiction treatment clinic, that doctor is a lawful holder of SUD records. Lawful holders must keep the received SUD information confidential under Part 2’s rules, even though they may not be full-fledged “Part 2 programs” themselves[4].

To comply with the new Part 2 rule, any provider that offers SUD treatment or receives SUD records from another provider must take a few key steps. First, update HIPAA Notice of Privacy to explain that SUD records are subject to extra protection, including stricter rules around sharing and special rights for patients[5]. Part 2 programs will all need to revise the separate SUD confidentiality notice to reflect updates including a new header and updated description of permissible disclosures with and without consent[6]. Practices should adopt the new consent option that lets patients give broad, one-time permission to share their SUD records for treatment, payment, or healthcare operations[7]. It is also important for practices to update their breach response process since SUD records will now be subject to HIPAA’s breach notification rules.

Additionally, practices will need to review any contracts with vendors that handle SUD information (i.e., billing companies or cloud services) to ensure they’re required to follow the same confidentiality standards. Finally, staff should be trained so they know how to recognize and properly handle SUD records.

Practices and providers who handle SUD records must ensure their notices, consent processes, and staff training are updated to meet the new federal requirements. Compliance is mandatory as of February 16, 2026, and failure to follow the updated rules may result in enforcement action.

MLMIC policyholders can reach out to our healthcare attorneys for questions about the new federal privacy rules or any other healthcare law inquiries by calling (877) 426-9555 Monday-Friday, 8 a.m. to 6 p.m. or by email here.

 Our 24/7 hotline is also available for urgent matters after hours at (877) 426-9555 or by emailing hotline@tmglawny.com.

 Follow us on Facebook, LinkedIn, Instagram or Twitter to stay in the loop about the medical professional liability industry.

 If you are not already a MLMIC insured, learn more about us here.

This document is for general purposes only and should not be construed as medical, dental or legal advice. This document is not comprehensive and does not cover all possible factual circumstances. Because the facts applicable to your situation may vary, or the laws applicable in your jurisdiction may differ, please contact your attorney or other professional advisors for any questions related to legal, medical, dental or professional obligations, the applicable state or federal laws or other professional questions.

  1. https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html ↩︎
  2. 42 CFR §2.11 ↩︎
  3. https://www.samhsa.gov/about/faqs/confidentiality-regulations ↩︎
  4. 42 § CFR 2.11 ↩︎
  5. 45 C.F.R. § 164.520(b)(1)(ii)(E) ↩︎
  6. 42 C.F.R. § 2.22 ↩︎
  7. 42 C.F.R. section 2.31 ↩︎