By early 2026, substance use disorder (SUD) providers, health plans, clinicians, health information exchanges (HIEs), and vendors must meet new federal privacy standards for SUD treatment records or face Health Insurance Portability and Accountability Act (HIPAA)-level enforcement and penalties.
On this episode, Epstein Becker Green attorneys Lisa Pierce Reisz, David Shillcutt, and Laura DePonio join Nichole Sweeney, General Counsel and Chief Privacy Officer at CRISP, to break down the 42 CFR Part 2 final rule: what’s changing, what’s staying the same, and what organizations often miss.
The group explains how the final rule aligns with (but does not replace) HIPAA, why patient consent remains central, and what new operational risks are emerging.
Key Takeaways:
- Adoption of HIPAA Penalties: Part 2 now adopts HIPAA’s enforcement and penalty structure.
- Operational Readiness Challenges: Operational readiness, not technology, is the biggest challenge.
- Expanded Compliance Duties: Payors and HIEs face major shifts in data access and compliance duties.
Tune in to learn about the changes that matter most and the risks you can’t ignore.