Starting February 16, 2026, Part 2 programs will be required to report unauthorized disclosures of Part 2 information – specifically, any “acquisition, access, use, or disclosure” that violates 42 CFR Part 2. This is a major change that will significantly impact Part 2 programs. Let me explain why.
Up until now, Part 2 programs did not have an independent obligation to report unauthorized disclosures of Part 2 information in violation of 42 CFR Part 2. For example, if a Part 2 program accidentally shared a patient’s Part 2 information with a third party without obtaining the required signed Part 2 consent, the Part 2 program had no legal duty under Part 2 itself to report that incident to anyone.
If the Part 2 program was also a HIPAA covered entity, its only responsibility was to evaluate whether the disclosure violated the HIPAA Privacy Rule. If it did, then the Part 2 program could be required to report the unauthorized disclosure as a HIPAA breach (subject to a “low probability PHI is compromised” determination). However, unless the disclosure actually violated HIPAA’s Privacy Rule, it would not be reportable – even if it violated Part 2.
Consider the following specific example, which illustrates how HIPAA and Part 2 reporting obligations can diverge:
- A Part 2 program, which is also a HIPAA covered entity, discloses a patient’s Part 2 information to a care coordinator through a health information exchange (HIE). The coordinator requested the information to help manage the patient’s care.
- The Part 2 program realizes that it never obtained a signed Part 2 consent broad enough to permit disclosure of the patient’s Part 2 information to the care coordinator. The consents on file only authorize disclosure to specific practitioners treating the patient. The Part 2 program now has to evaluate whether a “breach” has occurred.
- Under HIPAA, PHI may be disclosed for treatment purposes without a signed HIPAA authorization. “Treatment” is a broadly defined term and includes disclosures of PHI to care coordinators for purposes related to a patient’s health care. Therefore, under HIPAA, the disclosure is permitted. NO breach needs to be reported under HIPAA.
- However, Part 2 does NOT allow Part 2 information to be disclosed for treatment purposes without a signed Part 2 consent. For the Part 2 program to be permitted to disclose the patient’s Part 2 information to the care coordinator, a signed Part 2 consent is required. Because the Part 2 program did not collect a Part 2 consent that was broad enough to cover disclosures to care coordinators, the disclosure violated 42 CFR Part 2. Historically, though, there was NO independent obligation under 42 CFR Part 2 to report this incident to anyone.
That “free pass” ends on February 16, 2026.
The New Breach Reporting Obligation
The Final Rule that HHS published on February 16, 2024, amending 42 CFR Part 2, introduced a new reporting obligation at § 2.16(b):
§ 2.16 Security for records and notification of breaches.
[…]
(b) The provisions of 45 CFR part 160 and subpart D of 45 CFR part 164 shall apply to part 2 programs with respect to breaches of unsecured records in the same manner as those provisions apply to a covered entity with respect to breaches of unsecured protected health information.
This provision now incorporates into Part 2 the HIPAA breach notification framework. Section 290dd-2(k), added by the CARES Act, required HHS to adopt the HIPAA definition of “breach” for Part 2 purposes. Under 45 CFR 164.402, a breach is defined as “the acquisition, access, use, or disclosure of protected health information in a manner not permitted under subpart E which compromises the security or privacy of the protected health information.” HIPAA further explains that a breach is presumed to have occurred whenever PHI is acquired, accessed, used, or disclosed in a way not permitted by the Privacy Rule—unless a risk assessment shows there is a low probability the information was compromised. See 89 Fed. Reg. 12496 (Feb. 16, 2024).
At first glance, the wording of § 2.16(b) might appear confusing. One interpretation could be that HIPAA’s breach reporting obligations now apply directly to all Part 2 programs for unauthorized PHI disclosures. But for Part 2 programs that were already HIPAA covered entities, this adds little—they were already subject to HIPAA breach reporting requirements.
The correct interpretation, as clarified in the preamble to the Final Rule, is that breach reporting under HIPAA has been incorporated into the Part 2 regulatory scheme. That means that Part 2 programs must apply the HIPAA breach standard to unauthorized disclosures of Part 2 records, not just PHI. HHS explicitly explained:
“We believe the discussion above makes clear that the definition should be applied to records under part 2 instead of PHI under HIPAA, and we further clarify that breach includes use and disclosure of part 2 records in a manner that is not permitted by part 2.” (89 Fed. Reg. at 12496 (Feb. 16, 2024) (emphasis added)).
Enforcement
For enforcement purposes, OCR will apply this interpretation to Part 2 programs. On August 25, 2025, the Secretary of HHS officially announced the delegation of full Part 2 enforcement authority to the Office for Civil Rights (OCR), including the power to impose civil monetary penalties and to enter into resolution agreements and corrective action plans. This is consistent with OCR’s existing role as HIPAA’s enforcement agency.
While this delegation is significant, it is unlikely that we will see OCR publish a Part 2 resolution agreement for at least a year or two. OCR investigations take time. With HIPAA cases, years often pass between the start of an investigation and the public release of a resolution agreement.
Nevertheless, even though resolution agreements may take time, Part 2 programs and providers must begin preparing now for their new obligation to self-report breaches of Part 2 information. We can expect OCR to investigate Part 2 breaches, whether self-reported or brought to their attention through third parties.
HIPAA resolution agreements show that many OCR investigations begin with breach reports. The same dynamic will apply under Part 2. Considering skipping Part 2 breach reporting altogether to avoid an OCR investigation? Once reporting becomes legally required on February 16, 2026, failing to self-report breaches could increase penalty calculations. In other words, not a good strategy.
On the other hand, reporting a Part 2 breach when your organization is not legally required to do so is also unwise. As I have always said, making sure you get the breach assessment right is the best approach. (You can read my earlier article on the HIPAA breach overreporting vs. underreporting issue here: www.legalhie.com/dont-make-the-mistake-of-over-reporting-data-breaches-under-hipaa)
Next Steps for Part 2 Programs
Because Part 2 breach reporting will be legally required starting February 16, 2026, the stakes are high. It is more critical than ever for Part 2 programs to re-evaluate their processes for handling and reporting breaches. At a minimum, organizations should:
- Update Breach Policies and Procedures to reflect the new reporting obligation under Part 2.
- Establish a Process for Breach Evaluation, including risk assessments and documentation protocols.
Our 42 CFR Part 2 Helper™ documents are fully updated to reflect the new Part 2 breach reporting requirements. Subscribe as a member to access these turnkey tools, developed by experienced privacy attorneys, and get ahead of the Part 2 breach reporting curve.
Download a copy of the Table of Contents for our 42 CFR Part 2 Helper to see what is included. You can also download a copy of the Table of Contents for our entire back-end Compliance Library. These resources are available only to our paid subscribing members.
