On February 13th, 2026, the U.S. Department of Health and Human Services’ (HHS’s) Office for Civil Rights (OCR) announced a new program involving substance use disorder information. Specifically, the program implements and enforces statutory and regulatory requirements that protect the confidentiality of substance use disorder patient records. In conjunction with the latest announcement, under the Health Insurance Portability and Accountability Act (HIPAA), covered entities must develop and distribute a Notice of Privacy Practices that provides a clear, user-friendly explanation of individuals' rights. Specifically, these rights are governed by the HIPAA Privacy Rule and pertain to personal health information and the privacy practices of health plans and health care providers. Last week, the OCR reminded all health plans and most health care providers to update their Notices of Privacy Practices (NPPs). These updates include information on substance use disorder patient record confidentiality. HHS now wants employers to know that an enforcement program is in place to ensure patient record confidentiality.
What Is the HIPAA Privacy Rule?
HIPAA is a federal law that establishes national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. In turn, the HHS issued the HIPAA Privacy Rule to implement HIPAA requirements. Standards under the HIPAA Privacy Rule address the use and disclosure of protected health information (PHI) by covered entities. Additionally, it protects an individual’s rights to understand and control how covered entities use their health information.
Overview of the Enforcement Program
In general, the new program implements the substance use disorder confidentiality provisions of an already established law. Specifically, that provision is section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act. The program also addresses the CARES Act's implementing regulation at 42 CFR part 2 (Part 2).
Beginning February 16th, 2026, entities and persons subject to the regulation protecting the confidentiality of substance use disorder patient records must comply with all applicable requirements. Chiefly, the penalties for noncompliance align with those under HIPAA’s Privacy, Security, and Breach Notification Rules.
Thereafter, any OCR investigations conducted under the new program may be resolved through a range of civil enforcement mechanisms. These include the OCR:
- entering into resolution agreements,
- securing monetary settlements,
- obtaining commitments for corrective action, or
- imposing civil money penalties for the failure to comply.
Also starting on February 16, the OCR began accepting:
- Complaints alleging violations of the regulation that protects the confidentiality of substance use disorder patient records.
- Notification of breaches of substance use disorder patient records.
Employer Takeaways
Employers should also recognize that the HIPAA Privacy Rule protects an employee’s substance use disorder information from unlawful disclosure related to employment. Possible instances include offering reasonable accommodations, interviewing, and hiring. In addition to complying with the latest patient confidentiality rule, employers must update their Notices of Privacy Practices if they haven’t done so by February 16. To assist employers in creating a compliant NPP, the HHS released model templates to follow. In light of the latest civil enforcement measures, the templates provide patients with notice of how federal law now protects the confidentiality of substance use disorder patient records.