Civil enforcement is live. Penalties up to $2.19 million per violation category. Here's what your SUD treatment facility needs to know — and what to do about it.
When an auditor from OCR, DEA, SAMHSA, OSHA, or your state licensing board walks in, they expect to find exactly what they need, exactly where they expect it.
SUD counseling notes aren't segregated. TPO consent forms are missing required elements under the 2024 Final Rule. Legal proceedings consents are combined with treatment consents — which the regulation explicitly prohibits.
Schedule II controlled substance records commingled with Schedule III–V. Biennial inventories missing or undated. DEA Form 222 records not reconciled against receiving logs.
OSHA bloodborne pathogen medical records require 30-year retention. HIPAA administrative records require 6 years. DEA records require 2. Most facilities apply one rule — or none — across every document type.
The 2024 Final Rule rewrote the confidentiality requirements for substance use disorder treatment records. Here's what your facility needs to have in place.
The 2024 amendments added new patient rights: accounting of disclosures, restriction requests, and fundraising opt-outs. If your notice still references the pre-2024 rules, it's non-compliant. Every patient must receive the updated notice at admission.
42 CFR §2.22 — Notice requirements
Part 2 now allows a single written consent for Treatment, Payment, and Health Care Operations — but the form must contain nine specific elements including patient name, recipient designation, purpose, expiration language, right to revoke, and re-disclosure notice. Missing any single element can invalidate the consent.
42 CFR §2.31 — Consent requirements (9 mandatory elements)
Consent authorizing disclosure for civil, criminal, administrative, or legislative proceedings against the patient cannot be combined with TPO consent or any other consent type. A combined form renders both consents potentially invalid.
42 CFR §2.31(d) — Separate consent required for legal proceedings
The 2024 Final Rule introduced "SUD Counseling Notes" — analogous to HIPAA psychotherapy notes. These require their own consent form, which can only be combined with another SUD Counseling Notes consent. This is new as of February 2026.
42 CFR §2.31(b)(2) — SUD Counseling Notes consent (NEW)
Patients now have the right to receive an accounting of disclosures for the three years prior to their request. Your facility must systematically track every disclosure: date, recipient, purpose, information disclosed, and the consent that authorized it.
42 CFR §2.24 — Accounting of disclosures right (NEW)
Part 2 now adopts the HIPAA Breach Notification Rule in its entirety. A breach of Part 2 records triggers individual notification within 60 days, HHS notification, and media notification for breaches affecting 500+ individuals.
42 CFR §2.16 — Breach notification (adopts 45 CFR 164.400-414)
Any entity that handles Part 2 records needs a Qualified Service Organization Agreement with Part 2 provisions — in addition to a standard HIPAA BAA. Your BA inventory must identify which entities touch SUD records and ensure dual coverage.
42 CFR Part 2 — QSOA requirements + HIPAA 45 CFR 164.504(e)
OCR enforces 42 CFR Part 2 with the same four-tier penalty structure as HIPAA: $141 to $2,134,831 per violation, with an annual cap of $2,134,831 per violation category. The enforcement program is live now.
This is not a checklist you run through once. These requirements need to be embedded in your facility's operating infrastructure — consent workflows, disclosure tracking, segregation rules, retention schedules, and breach response procedures that run continuously.
Get a 42 CFR Part 2 Readiness Assessment
If you operate a substance use disorder treatment facility, the compliance landscape shifted under your feet in February 2026.
OCR now enforces Part 2 with full HIPAA-tier penalties — up to $2.19 million per violation category. Facilities operating under pre-2024 rules are in violation today.
OCR collected $9.9 million in HIPAA fines in 2024 — a 37% increase over the prior year. In the first five months of 2025, every single resolution agreement targeted failure to conduct a thorough risk analysis.
A single patient complaint can now trigger dual investigation under both HIPAA and Part 2. DEA can suspend registration independently. SAMHSA can pull federal funding. State boards can revoke your operating license.