It is official; Part 2 is now included within the Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule and the Department of Health and Human Services (HHS) Office for Civil Rights’ (OCR’s) publicly available breach reporting portal. The portal has been updated to receive reports of Part 2 substance use disorder records, in addition to traditional HIPAA breaches. HHS is now officially receiving reports of, and investigating, breaches of unsecured Part 2 records.
As a reminder, Part 2 refers to a federal law (42 U.S.C. 290dd-2 and 42 CFR Part 2) that protects the confidentiality of patient records regarding the diagnosis, treatment, or referral for substance use disorder. Other health care providers, such as HIPAA covered entities and business associates, may also receive Part 2 records. This means covered entities and business associates may have additional breach reporting obligations if a breach involves both traditional protected health information (PHI) and Part 2 information/records.
The OCR portal now clarifies that a Part 2 breach is “generally, the acquisition, access, use, or disclosure of a Part 2 record in a manner not permitted under 42 CFR part 2 which compromises the security or privacy of the Part 2 record.”
What You Need to Know
- The OCR has updated its data breach notification portal.
- The portal now contains separate links for reporting a HIPAA breach and a Part 2 breach.
- The portal specifies that “a breach of health information that is both PHI and a Part 2 record should be reported separately as a HIPAA breach and a Part 2 breach”, and the Part 2 form for reporting a breach also contains this reminder:
- The portal includes a publicly available section listing reported Part 2 breaches, whether under investigation or archived:
- The OCR provides a downloadable sample Part 2 breach reporting form.
- According to the OCR, Part 2 breaches affecting fewer than 500 individuals may be investigated, depending on resources and enforcement priorities.
- Beginning February 16, 2026, individuals may file Part 2 complaints with the OCR if they believe a person or organization disclosed substance use disorder patient records in violation of Part 2.
It is a new day for covered entities and business associates, especially those who handle or receive information that is governed by Part 2 substance use regulations. If we can assist you with analyzing potential breaches under HIPAA’s Breach Notification Rule—including potential Part 2 information and records—please let us know.
AlstonHealth State Law Hub
Alston & Bird’s Health Care team highlights state legislation and regulatory actions with direct implications for operations, reimbursement, privacy, and enforcement risk. Designed for in-house counsel, the tracker supports legal teams in proactively managing risk and aligning business strategy with a rapidly evolving state regulatory environment.
Learn more on the AlstonHealth State Law Hub.
If you have any questions, or would like additional information, please contact one of the attorneys on our Health Care team.
You can subscribe to future advisories and other Alston & Bird publications by completing our publications subscription form.