Careers
Contact Us

Preparing for the Part 2 Compliance Deadline: What Organizations Need to Know Before February 16, 2026

By: Catherin F. Bertrand MJur., CIPP/US, CIPP/E, CHPC, CHC

I’m Catherin “Catie” Bertrand, a privacy and compliance professional with over 15 years of experience helping healthcare and digital health organizations navigate complex data privacy laws and regulations. My background includes serving as a HIPAA Privacy Officer, consultant, and privacy board member, with deep experience across HIPAA, the Confidentiality of Substance Use Disorder (SUD) Records (commonly referred to as Part 2), U.S. state privacy laws, and GDPR for organizations with European data considerations.

I specialize in building practical, defensible privacy programs-helping organizations translate complex regulations into clear, operational steps, guiding audits, and preparing workforces to apply the rules in real-world settings.

Today, we’re talking about the upcoming Part 2 compliance deadline of February 16, 2026. If your organization is a Part 2 program, a HIPAA covered entity, or a lawful holder of Part 2 records, this conversation is for you.

What’s happening on February 16, 2026, that organizations need to prepare for?

February 16, 2026 marks the enforcement compliance deadline for the updated Part 2 regulations. By February 16, organizations are expected to have their policies, procedures, notices, and training fully implemented-not just drafted.

From an enforcement perspective, regulators expect Part 2 programs, HIPAA covered entities, and lawful holders to be able to demonstrate compliance if reviewed or investigated after that date. This includes updated privacy notices, consent forms, disclosure workflows, and workforce training.

A Part 2 program is an organization that receives federal financial assistance and provides diagnosis, treatment, or referral for substance use disorder services. Lawful holders-sometimes referred to as non-Part 2 programs-do not meet the definition of a Part 2 program but may still receive and hold Part 2-protected SUD records, triggering specific compliance obligations.

What are the top priorities for Part 2 programs?

For Part 2 programs, the compliance lift can be significant. Several HIPAA concepts have now been incorporated into Part 2, including de-identification standards, accounting of disclosures, and the HIPAA Breach Notification Rule in its entirety.

Key priorities include:

  • Updating notices and posting requirements so patients are properly informed at registration or admission
  • Revising consent forms (aligned more closely with HIPAA authorizations) and ensuring required redisclosure language is included
  • Implementing the new ability to obtain consent for future treatment, payment, and healthcare operations disclosures, rather than re-consenting at every encounter
  • Updating policies and procedures to address breach notification, complaint handling, and disclosure tracking
  • Training the workforce so staff understand what healthcare operations mean under Part 2 and how to explain these changes to patients

Additionally, enforcement authority for Part 2 now sits with the Office for Civil Rights (OCR). That’s a meaningful shift. OCR investigations typically begin with requests for policies, procedures, and proof of workforce training-so documentation and operational follow-through are critical.

How about lawful holders or non-Part 2 programs-what’s expected of them?

Lawful holders include organizations such as HIPAA covered entities, vendors, or even law firms that receive Part 2 records but are not themselves Part 2 programs.

Their primary obligations focus on:

  • Identifying and properly labeling Part 2-protected SUD records
  • Ensuring those records are disclosed correctly-especially in response to subpoenas, court orders, or other judicial proceedings, where Part 2 imposes stricter rules than HIPAA
  • Tracking disclosures in a manner consistent with Part 2 requirements

This is where Part 2 often surprises organizations. The regulations can extend into non-healthcare spaces, such as legal services or other support functions, creating compliance obligations many organizations are not expecting.

What immediate steps should organizations take right now?

With the compliance deadline approaching quickly, organizations should focus on three parallel workstreams:

  1. Audit and update documentation Notices of Privacy Practices and posting materials Consent forms and redisclosure statements Policies and procedures related to Part 2, litigation responses, and breach notification
  2. Operational readiness Ensure electronic health records can identify, flag, and track SUD records Review litigation and judicial response workflows Confirm registration and admissions staff understand updated notice requirements
  3. Workforce training Develop role-based training for providers, HIM/medical records staff, registration teams, and leadership Roll training out as early as possible-January is a critical window for most organizations

Even if organizations are just starting now, it is still possible to meet the deadline, but January will be busy. The key is focusing on what must be operational by February 16, not just what must be written.

Why is workforce training emphasized so much?

Interestingly, Part 2 does not explicitly mandate workforce training the way HIPAA does-but enforcement reality makes training essential.

Regulators do not just look for policies on paper. They look for evidence that the workforce understands how to apply those policies in practice. Training ensures that staff know:

  • How to identify Part 2-protected SUD records
  • What disclosures are permitted and which are prohibited
  • How to apply redisclosure language
  • How to respond to patient complaints and potential breaches

Training should be role-specific. What providers need to know differs from what registration staff or HIM teams need to know-and that’s okay. Tailored training reduces risk and helps prevent impermissible disclosures, which can lead to enforcement action.

February 16, 2026 may feel close, and it is. Organizations should be auditing documents, updating processes, and training their workforce now to ensure compliance and reduce enforcement risk.

For organizations that need support navigating these changes, First Health Advisory can help.