HIPAA and Part 2 Under One Roof: OCR Inherits Expanded Enforcement Role Amid HHS Restructuring

September 2, 2025
Roger Baits, Contributing Editor

In a sweeping realignment of federal regulatory oversight, the U.S. Department of Health and Human Services (HHS) has transferred enforcement authority for 42 CFR Part 2, the regulation protecting the confidentiality of substance use disorder (SUD) treatment records, to the Office for Civil Rights (OCR), the same office responsible for HIPAA compliance. While the move aims to harmonize privacy frameworks and streamline complaint resolution, it places a significantly increased burden on an already under-resourced agency.

The structural change comes as part of a broader departmental overhaul that dissolved or consolidated several legacy agencies into the newly formed Administration for a Healthy America (AHA), including the once-autonomous Substance Abuse and Mental Health Services Administration (SAMHSA), which had historically overseen Part 2 compliance. The implications are both operational and philosophical: the same agency tasked with protecting general protected health information (PHI) now must also interpret and enforce stricter, more nuanced SUD confidentiality rules—amid mounting backlogs and staff attrition.

Streamlining Compliance or Stretching Resources?

The move is the result of mandates laid out in the 2020 CARES Act, which required greater alignment between HIPAA and Part 2. That alignment materialized in the 2024 final rule, jointly developed by SAMHSA and OCR, which made it easier for HIPAA-covered entities to incorporate Part 2-compliant records into broader care coordination workflows.

Among the rule’s key reforms:

  • Revised consent standards allowing for dual HIPAA-Part 2 compliance
  • Breach notification requirements specific to Part 2 records
  • New civil enforcement mechanisms enabling OCR to investigate, subpoena, and penalize violations

These developments address longstanding barriers to care continuity, particularly for patients with co-occurring behavioral and physical health conditions. However, the absorption of Part 2 oversight into OCR also means the agency must now manage a dual-track enforcement model with divergent legal standards and stakeholder expectations.

That’s a tall order for a unit that, according to its former director, once operated with just 120 to 150 federal staff and 90 contractors, and has since lost five regional offices due to budget cuts.

Regulatory Consolidation, Operational Fragmentation

Experts across privacy and compliance sectors are raising concerns about the downstream effects of this consolidation. While the merger of HIPAA and Part 2 enforcement under one roof may reduce policy fragmentation, it risks widening the gap between regulation and execution.

As of August 2025, OCR is managing over 780 open HIPAA breach investigations, according to its own Breach Reporting Tool. Critics, including former senior OCR advisors, argue that layering Part 2 onto this caseload without proportional funding will result in delayed investigations, prolonged patient risk, and growing uncertainty for covered entities.

The concern is not hypothetical. A 2024 OIG report criticized OCR’s stagnant audit program and persistent backlog of unresolved complaints. Despite the financial support provisions of the HITECH Act, which allow OCR to reinvest collected fines into enforcement activities, Congress has repeatedly declined to increase its appropriations.

This places provider organizations, payers, and health IT vendors in an increasingly precarious position. They must now maintain compliance programs for two interwoven but non-identical privacy frameworks, enforced by an agency lacking the human capital to provide timely resolution.

Operational Gray Zones Remain

The alignment of HIPAA and Part 2 was meant to simplify a regulatory landscape that many providers found burdensome and opaque. Yet even after the 2024 rule changes, operational ambiguities persist.

For example, while HIPAA-regulated entities receiving SUD records with patient consent can generally treat them as standard PHI, some language in the rule suggests that this equivalency holds only when consent is granted for treatment, payment, and healthcare operations, not for just one or two of those elements.

This technical distinction carries significant operational weight. If the consent scope determines how a record must be handled downstream, then EHR systems, compliance policies, and even workforce training may need to segment patient data far more granularly than anticipated. That segmentation not only raises costs but also introduces new risks of misclassification and breach.

Additionally, organizations may face a compliance limbo: unclear whether a given SUD record should follow HIPAA, Part 2, or both, especially as OCR’s dual-enforcement role evolves.

Strategic Tradeoffs for Leadership

CIOs, compliance officers, and health system privacy leads should not interpret this policy shift as merely procedural. It reflects a broader federal trend toward centralizing health data governance, reducing institutional silos, and expanding patient access, all of which require stronger enterprise-level agility.

Health systems with decentralized behavioral health operations or those relying on legacy EHR platforms will need to re-evaluate how SUD records are flagged, consented, and audited. Legal teams must revisit internal interpretations of “use and disclosure” under both HIPAA and Part 2. And as OCR’s caseload expands, regulated entities should expect longer timelines for complaint resolution, elevating the risk of operational uncertainty and reputational exposure.

Moreover, the elimination of SAMHSA’s enforcement authority could have unintended consequences for provider trust. While OCR has deeper enforcement tools, SAMHSA offered technical expertise rooted in the clinical realities of addiction treatment. The shift to OCR may narrow that lens unless steps are taken to integrate clinical advisory input into privacy determinations.

A Future of Dual Compliance

The practical reality for healthcare organizations is clear: HIPAA compliance alone is no longer sufficient for organizations that treat, or even receive data from, federally assisted SUD programs. OCR’s expanded authority demands that entities bolster documentation, refine consent protocols, and invest in technology capable of nuanced data segmentation.

Whether OCR will be granted the resources to enforce these obligations remains an open question. But the responsibility has already shifted. The regulatory expectation is in place. For patients, providers, and privacy leaders alike, the stakes now lie not in alignment, but in execution.