Time is Up! OCR Complaint Intake & Breach Reporting Go Live for 42 CFR Part 2

by | Feb 16, 2026 | 42 CFR Part 2, Government Enforcement

Download our complete Part 2 “to do” checklist here: Part 2 Checklist for Compliance (v.2026.01)

Time is up. As of today, February 16, 2026, OCR’s online complaint intake is officially open to 42 CFR Part 2. The pathway is live, the reporting channels are active, and HHS has made it straightforward for patients, families, workforce members, and third parties to file Part 2 complaints through the same web-based infrastructure long used for HIPAA. In this post, I explain why a live complaint portal, combined with Part 2 breach reporting, changes the risk profile immediately and puts Part 2 compliance squarely in OCR’s enforcement pipeline.

Part 2 Privacy Complaint Portal

HHS’s “Filing a Health Information Privacy Complaint” page now states plainly that you can file a complaint with the Office for Civil Rights (OCR) not only for HIPAA issues, but also when: “A substance use disorder (SUD) treatment program violated your confidentiality rights under 42 CFR part 2 (called ‘Part 2’).” That same complaint process guidance also confirms OCR can investigate Part 2 violations not only against a Part 2 program, but also against:

  • the program’s Qualified Service Organization (QSO), and
  • a Lawful Holder of Part 2 records, including a HIPAA covered entity or its business associate, or another person holding Part 2 records.

See: www.hhs.gov/hipaa/filing-a-complaint/index.html

In other words, this is not just about a standalone SUD treatment facility. It is also about the modern ecosystem where Part 2 data moves through vendors, platforms, health systems, and exchanges. The enforcement scope reflects that reality.

For years, Part 2 was often treated as narrower and less operationally real-time than HIPAA enforcement. This portal update is a direct countersignal. OCR has expanded the online Complaint Portal, historically used for HIPAA complaints, to accept Part 2 privacy complaints, and the intake pathway is now active. HHS directs the public to submit HIPAA or Part 2 complaints electronically through the OCR Complaint Portal here: https://ocrportal.hhs.gov/ocr/smartscreen/main.jsf. Inside the portal flow, one of the core pathways is now newly labeled as follows:

“Violation of Privacy or Security of Health Information (HIPAA and Substance Use Disorder Confidentiality).”

That framing matters. It tells the public, regulated entities, and OCR staff that Part 2 is now part of the same front-door intake machinery that has historically driven HIPAA investigations.

In addition, last week, in a February 13, 2026 press release, HHS announced a new civil enforcement program for the confidentiality of SUD patient records and made clear that the program begins February 16, 2026. There, HHS Secretary Robert F. Kennedy, Jr. stated:

“At President Trump’s direction, HHS is aggressively enforcing federal safeguards to protect substance use disorder patient records as part of the Great American Recovery Initiative.”

OCR Director Paula M. Stannard also emphasized both posture and capability, including:

“OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”

This is also impactful because complaints submitted through OCR’s portal are not just collected and archived. They are reviewed. If the facts alleged plausibly support a Part 2 violation, OCR can open an investigation and demand an explanation, backed by documentation.

Organizations should expect some version of the familiar OCR letter: “We have received a complaint. Please explain your practices, your legal basis, and your safeguards.” And the first thing you will need to produce is evidence of your Part 2 compliance program. That includes your written policies and procedures, your consent workflows, your training records, and your incident response and breach assessment documentation, among other items. In the HIPAA context, complaints can also become a feeder source for enforcement activity and civil monetary penalties (CMPs) in the right circumstances. While OCR often takes an “education first” approach, that posture tends to depend on whether an organization can show it made a real, good faith effort to comply. Organizations that have done nothing to operationalize Part 2 obligations should not assume they will be treated gently simply because Part 2 feels new to them.

OCR has built Part 2 into its core complaint intake mechanism. And remember, this is not just Part 2 programs. It also includes Qualified Service Organizations performing services for a Part 2 program, as well as most Lawful Holders of Part 2 records, with limited exceptions (for example, individuals who receive records purely in a personal capacity, such as certain family member situations).

Breach Notification

The key change is not just complaints. It is complaints + breach notification. The February 13, 2026 HHS press release is explicit that beginning February 16, 2026, OCR will begin accepting both:

  • Complaints alleging violations of the regulation that protects the confidentiality of SUD patient records

AND

  • Notification of breaches of SUD patient records

The updated breach reporting instructions page can be found here: www.hhs.gov/hipaa/for-professionals/breach-notification/breach-reporting/index.html

HHS has updated its breach reporting instructions to address Part 2, including a direct statement that “a Part 2 program must notify the Secretary” if it discovers a breach of unsecured Part 2 records, and that a QSO may submit a breach report on behalf of a Part 2 program.

This is a material shift in operational risk.

Breach reporting is a Part 2 program obligation. Starting today, February 16, 2026, if you experience a use or disclosure of Part 2 records that is unauthorized under 42 CFR Part 2, you must evaluate whether it constitutes a reportable breach under the breach notification framework that now applies in the Part 2 context. If reporting is required, it must be reported through the required channels. This is significant because, prior to this effective date, Part 2 programs did not have to treat every unauthorized Part 2 use or disclosure through a breach reporting lens the way HIPAA covered entities do under the HIPAA Breach Notification Rule. That has now changed. Part 2 programs must have a defensible, documented breach assessment process for Part 2 records. For a deeper dive on how Part 2 breaches are not all HIPAA breaches, read my prior blog post here:
www.legalhie.com/beware-new-breach-reporting-obligations-under-42-cfr-part-2-even-when-hipaa-wouldnt-require-it/

This also raises the stakes for enforcement. If a breach is reportable under Part 2 and an organization fails to report it, that failure can itself create additional exposure. At a minimum, it gives OCR a second issue to examine: not only the underlying incident, but also whether the organization followed required breach assessment and notification steps, and whether delays were justified and documented. Reporting can also invite scrutiny, which is exactly why it is so important for organizations to review their breach notification policies and procedures now, validate their internal decision-making process, and run tabletop exercises that include Part 2 scenarios.

Preparation is the Best Defense

Below is a plain English summary of the key workstreams from our Part 2 “to do” checklist. These are the areas that most often drive real compliance failures.

  1. Confirm applicability and scope. Identify whether you are a Part 2 program (whole entity, unit, or provider) and whether you are also a Part 2 lawful holder receiving Part 2 records from another Part 2 program. Document the designation and scope.
  2. Confirm HIPAA status and hybrid entity designations. Do not assume your HIPAA status, especially in integrated settings. Complete a covered entity and “hybrid entity” assessment where applicable.
  3. Map your Part 2 data. Inventory where Part 2 data is created, stored, and transmitted, then map how it moves downstream (EHR, BH platforms, e-prescribing, billing, HIE, TEFCA, portals, and apps). If you do not know where it flows, you cannot control it.
  4. Fix consents and disclosure mechanics. Update Part 2 consents (including TPO use cases), confirm segmentation controls when consent is absent, and implement a process to send a copy of the consent or a clear explanation of the consent scope with disclosures.
  5. Update privacy documentation and patient-facing notices. Update Part 2 privacy policies and your Notice of Privacy Practices for the Final Rule changes and operationalize acknowledgment processes where required.
  6. Update vendor contracts and governance. Update BAAs and incorporate QSOA language where Part 2 records are involved. Implement tracking so you can prove scope, authority, and ongoing compliance.
  7. Prepare for accounting and state law overlays. Operationalize accounting of disclosures requirements as applicable and identify any state law standards more stringent than Part 2.
  8. Strengthen security and incident response for Part 2. Assign responsible roles, complete a security risk analysis, and update security incident and breach response procedures to address Part 2.
  9. Train, document, and refresh. Train workforce members on updated Part 2 policies and workflows and document training. Run periodic refreshers and security reminders.
  10. Stand up complaint intake, investigations, and sanctions. Implement a Part 2 complaint process, document investigations and dispositions, and enforce sanctions for workforce violations.
  11. Ongoing oversight and documentation retention. Activate a compliance committee, re-run risk analysis when circumstances change, remediate gaps, and retain required documentation for at least six years.


What You Should Do ASAP

If you are a Part 2 program

Assume OCR will evaluate Part 2 compliance similarly to HIPAA compliance: operational controls, documentation, training, incident response maturity, and governance. Immediate priorities:
  • confirm program designation
  • map Part 2 flows
  • operationalize consent and segmentation
  • update policies and NPP
  • strengthen breach analysis and reporting workflows

If you are a vendor or a QSO supporting a Part 2 program

Assume your customers will demand stronger contract terms, clearer scope limitations, and better operational proof. Expect questions like:
  • How do you segregate or tag Part 2 data?
  • How do you prevent secondary use or unauthorized redisclosure?
  • How do you support audit logging and disclosure accounting needs?
  • What is your Part 2 incident response process?
  • How do you support customer breach notification obligations?

If you cannot answer these clearly and consistently, you will be a risk item in your customers’ compliance programs.

If you are a Lawful Holder, including a HIPAA covered entity or business associate receiving Part 2 records

If your organization receives Part 2 records from a Part 2 program, you may inherit Part 2-specific restrictions and duties tied to those records, even if you are otherwise operating under HIPAA. Many organizations in this category have not internalized what being a Lawful Holder means in day-to-day operations.

For example, even if you receive Part 2 records pursuant to the new TPO consent model that allows use and disclosure in many circumstances consistent with HIPAA, you are still operating under a Part 2 consent. That matters because if that consent is later revoked, you must stop using and disclosing the Part 2 information to the extent the revocation applies. Put differently, your ability to treat the information as usable and disclosable is not permanent. It depends on an active, valid consent. If the consent goes away, your use and disclosure permissions can narrow immediately.

In addition, Lawful Holders should not assume HIPAA alone governs how Part 2 data can be handled. Depending on the facts, Part 2 obligations that can still apply include:

Redisclosure limits. Part 2 continues to impose redisclosure restrictions, including constraints on using Part 2 records in civil, criminal, administrative, or legislative proceedings against the patient.

Consent scope and documentation. Part 2 disclosures made based on consent must remain within the scope of that consent, and organizations may need to be able to demonstrate what the consent permitted at the time of disclosure.

Segmentation and access controls. If your environment includes mixed data, you may need technical and workflow controls to ensure Part 2 records are not accessed or routed outside the permitted scope when consent is absent, restricted, or revoked.

Downstream recipients and vendors. If your vendors, HIE connections, or interoperability workflows touch Part 2 data, you need contract and operational controls that reflect Part 2 requirements, not just standard HIPAA terms.

Patient rights differences. Certain Part 2 patient rights and processes are not handled the same way as default HIPAA assumptions, and they need to be operationalized. For example, unlike HIPAA (which generally excludes TPO disclosures from accounting), Part 2 can require an accounting of TPO disclosures made through an electronic health record, which means you may need disclosure tracking capabilities your HIPAA program never had to build.

Bottom line: if your organization receives Part 2 records as a Lawful Holder, you cannot assume those records can be handled the same way you handle ordinary PHI in every respect. You need controls for the Part 2-specific requirements that follow the records, even inside an otherwise HIPAA-based compliance program.

Final Takeaway

Time is up. Enforcement is here, and reporting channels are live. Today’s portal update is not just about adding Part 2 words to a webpage. It is an operational shift: Part 2 complaints can now be submitted through OCR’s live intake pathway, and breach notifications for SUD patient records are part of the same enforcement environment.

If your organization is still aligning its Part 2 compliance program with the 2024 Final Rule changes, the best protection is preparation: document your status, map your data, fix consent workflows, update policies and agreements, modernize breach response, and implement a real complaint and sanctions process.
