HHS Aligns Part 2 Rules with the HIPAA Privacy Rules – Effects on Self-Insured Plan Sponsors

In a December 2023 blog post, we discussed the HHS proposed revisions to the Part 2 regulations and noted that finalization of those regulations was imminent.  On February 8, 2024, HHS, through the Substance Abuse and Mental Health Services Administration (“SAMHSA”) and the Office for Civil Rights (“OCR”), announced final regulations modifying the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2 (commonly referred to as “Part 2”).  The updated Part 2 rules align certain aspects of Part 2 with the HIPAA privacy rules. 

HIPAA and Part 2 Regulations

Some health plan sponsors may not have heard of the Part 2 regulations.  Part 2 imposes confidentiality requirements on substance use disorder (“SUD”) patient treatment records that are created or maintained by the programs it covers (“Part 2 programs”).  Most of the entities that create or maintain SUD treatment records are also HIPAA covered entities or business associates of HIPAA covered entities.  Thus, both regulatory schemes apply at once, creating dual obligations and compliance challenges for HIPAA covered entities and business associates. 


The Part 2 regulations typically come into play with employee assistance programs (“EAPs”), as well as with the mental health and substance use disorder vendors for a medical plan.  For self-insured health plan sponsors, this usually means that Part 2 is addressed in the EAP business associate agreement (“BAA”) and in the BAA for the medical plan’s SUD vendor.  A self-insured health plan sponsor will contract with an EAP or SUD vendor, sign a BAA, and require the vendor to comply with Part 2 and the HIPAA privacy rules.  Even so, under the HIPAA privacy rules the self-insured health plan itself remains responsible for HIPAA privacy compliance.  As a result, self-insured health plan sponsors will need to determine how the revised Part 2 regulations affect their overall privacy compliance strategy.


Revisions to the Part 2 Regulations

The final Part 2 regulations make a number of revisions that align with the HIPAA rules, including the following:  

·       Breach of Unsecured Part 2 Records.  The final Part 2 regulations incorporate HIPAA's breach notification requirements into Part 2.  Part 2 programs are now required to comply with the HIPAA breach notification rule with respect to breaches of unsecured Part 2 records. 

·       Notice of Part 2 Privacy Practices.  The final Part 2 regulations revise the Part 2 patient confidentiality notice requirements.  However, an entity that is subject to both Part 2 and HIPAA would still be required to provide two separate notices. 

·       Accounting of Disclosures.  Similar to the HIPAA rules, the final Part 2 regulations require that a patient, upon request, receive an accounting of all disclosures made with the patient's consent for the three years prior to the date of the request. 

·       Right to Request Privacy Protection for Part 2 Records.  Similar to the HIPAA rules, the final Part 2 regulations permit a patient to request that the Part 2 program restrict uses and disclosures of the patient's SUD records.  However, a Part 2 program is not required to agree to a restriction unless all of the following apply: the request is to restrict disclosure to a health plan; the disclosure is for the purpose of carrying out payment or healthcare operations and is not otherwise required by law; and the SUD record pertains solely to a healthcare item or service for which the patient (or a person other than the health plan acting on the patient's behalf) has paid the Part 2 program in full.  This too follows the HIPAA rules.

The compliance date for all Part 2 regulation revisions is February 16, 2026 – two years after publication in the Federal Register. 


Key Takeaways for Self-Insured Plan Sponsors

Depending on the existing wording of a self-insured plan sponsor’s HIPAA privacy documentation, minor or perhaps major changes may be needed.  Key takeaways are as follows: 

·       Vendor Contracts.  Plan sponsors as well as EAPs and SUD vendors should review their agreements to determine if changes are necessary.

·       Business Associate Agreements.  For vendors that are subject to both Part 2 and HIPAA, plan sponsors should review their business associate agreements to determine if revisions are necessary.

·       HIPAA Policies and Procedures Manual.  As noted above, a self-insured health plan sponsor remains legally responsible for HIPAA compliance even though sponsors delegate most administration to vendors, including EAPs and SUD vendors.  These delegations should be set forth in the vendor contracts and BAAs, as well as in the health plan’s policies and procedures manual.  In addition, it may be necessary to state in the manual that Part 2 records are maintained solely by the health plan’s vendors. 

·       HIPAA Health Plan Document Provisions.  Under HIPAA, a plan sponsor technically could obtain Part 2 records as part of its plan administration functions for the health plan, which would then implicate the Part 2 regulations.  Therefore, a health plan sponsor should consider adding language to the health plan document stating that the plan sponsor does not create or maintain any records that are subject to Part 2.  This should be sufficient to indicate that Part 2 does not apply to a self-insured sponsor in its HIPAA plan administration role.

·       HIPAA Notice of Privacy Practices.  A self-insured health plan should review its privacy notice to determine if Part 2 records need to be addressed.

