The Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) has begun civil enforcement of confidentiality protections for substance use disorder (SUD) patient records, marking the first time such enforcement mechanisms are being implemented.

The action is part of President Donald Trump's Great American Recovery Initiative, established by executive order on Jan. 15, a federal effort aimed at expanding treatment access and ensuring patients can seek help without fear of discrimination. The initiative positions substance use disorder as a chronic, treatable disease and creates a multi‑agency task force to align federal programs, set measurable goals, and partner with states, communities, and the private sector to improve treatment access and support recovery.

The enforcement effort builds on Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which aligns federal privacy standards for SUD records with HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. These measures strengthen protections for patients, improve coordination among providers and modernize electronic health record use. In February 2024, HHS published a final rule modifying 42 CFR Part 2, the federal regulations that govern SUD treatment records. The rule limits who can access these records without patient consent, enhances civil enforcement, improves care coordination and integrates behavioral health information with other medical records to support better patient outcomes.

SUD records include any information identifying a patient as receiving treatment for substance use disorder, such as medical records, billing or referrals to treatment programs. Employers and health plans that administer benefits, manage wellness programs or process claims for covered SUD services must ensure these records remain confidential, sharing them only as allowed by patient consent or federal law. Common compliance pitfalls include sharing SUD-related billing information with payroll or benefits staff, storing treatment details in general HR files or using claims data for wellness incentives without proper patient consent.

Under the new program, covered entities that fail to protect SUD patient records may face penalties, including monetary settlements or corrective actions, as outlined in HIPAA privacy, security and breach notification rules. OCR began accepting complaints February 16 for alleged violations and is actively notifying entities of SUD record breaches.

To assist providers and regulated entities, OCR has released updated HIPAA Notices of Privacy Practices and a model patient notice explaining how federal law protects the confidentiality of SUD patient records. These resources are available on OCR's Part 2 webpage.
