U.S. Department of Health and Human Services: Feds Launch Portal to Report Substance Use Disorder Breaches

HHS Launches New Portal for Reporting Substance Use Disorder Data Breaches

The U.S. Department of Health and Human Services (HHS) has introduced a new enforcement program and web portal to strengthen protections for substance use disorder (SUD) patient records under 42 CFR Part 2 regulations. The initiative, launched by HHS’ Office for Civil Rights (OCR), went into effect on February 16, aligning Part 2 requirements more closely with HIPAA and the HITECH Act as mandated by the CARES Act of 2020.

The program grants OCR civil enforcement authority, including monetary penalties, resolution agreements, and corrective actions for noncompliance. Covered entities such as federally assisted SUD treatment programs, healthcare providers, and business associates must now report breaches of Part 2 records affecting 500 or more individuals within 60 days of discovery, similar to HIPAA breach reporting rules. Smaller breaches must be reported by March 1 of the following year.

A key change is the new breach reporting portal, which allows the public to submit and view reports of Part 2 record compromises. However, experts note confusion around compliance, including consent language requirements and scenarios where Part 2 records overlap with HIPAA-protected health information (PHI). Some breaches may require separate reports under both regulations, adding complexity.

While the program aims to improve care coordination and reduce administrative burdens, concerns persist about OCR’s capacity to enforce the new mandates alongside existing HIPAA obligations. Critics question whether the agency has sufficient resources to handle the additional workload, particularly given the nuances of Part 2 compliance.

The updated HIPAA breach reporting website now reflects OCR’s expanded authority to investigate both HIPAA and Part 2 breaches, though enforcement priorities will determine which smaller breaches are pursued. The changes mark a significant shift in how SUD patient confidentiality is regulated, with ongoing challenges in implementation.

Source: https://www.govinfosecurity.com/feds-launch-portal-to-report-substance-use-disorder-breaches-a-30769

U.S. Department of Health and Human Services TPRM report: https://www.rankiteo.com/company/hhsgov

"id": "hhs1771281140",
"linkid": "hhsgov",
"type": "Breach",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '500 or more individuals (for '
                                              'large breaches)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Federally assisted SUD treatment programs',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '500 or more individuals (for '
                                              'large breaches)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Healthcare providers',
                        'type': 'Healthcare Provider'},
                       {'customers_affected': '500 or more individuals (for '
                                              'large breaches)',
                        'industry': 'Healthcare',
                        'location': 'United States',
                        'name': 'Business associates',
                        'type': 'Service Provider'}],
 'customer_advisories': 'Public can submit and view reports of Part 2 record '
                        'compromises via the new portal.',
 'data_breach': {'number_of_records_exposed': '500 or more individuals (for '
                                              'large breaches)',
                 'personally_identifiable_information': 'Yes (SUD patient '
                                                        'records)',
                 'sensitivity_of_data': 'High (sensitive health information)',
                 'type_of_data_compromised': 'Substance use disorder (SUD) '
                                             'patient records'},
 'date_publicly_disclosed': '2024-02-16',
 'description': 'The U.S. Department of Health and Human Services (HHS) has '
                'introduced a new enforcement program and web portal to '
                'strengthen protections for substance use disorder (SUD) '
                'patient records under 42 CFR Part 2 regulations. The '
                'initiative grants OCR civil enforcement authority, including '
                'monetary penalties, resolution agreements, and corrective '
                'actions for noncompliance. Covered entities must now report '
                'breaches of Part 2 records affecting 500 or more individuals '
                'within 60 days of discovery, with smaller breaches reported '
                'annually. The new portal allows public submission and viewing '
                'of Part 2 record compromises, but compliance confusion '
                'persists around consent language and overlapping HIPAA-PHI '
                'scenarios.',
 'impact': {'brand_reputation_impact': 'Potential reputational harm for '
                                       'non-compliant entities',
            'data_compromised': 'Substance use disorder (SUD) patient records',
            'identity_theft_risk': 'Risk of exposure of sensitive SUD patient '
                                   'records',
            'legal_liabilities': 'Monetary penalties, resolution agreements, '
                                 'and corrective actions for noncompliance',
            'operational_impact': 'Increased administrative burden and '
                                  'compliance complexity for covered entities'},
 'investigation_status': 'Ongoing (enforcement priorities will determine which '
                         'breaches are pursued)',
 'lessons_learned': 'Need for clearer guidance on consent language and '
                    "overlapping HIPAA-PHI scenarios; challenges in OCR's "
                    'enforcement capacity for Part 2 alongside HIPAA.',
 'post_incident_analysis': {'corrective_actions': 'Launch of new enforcement '
                                                  'program and breach '
                                                  'reporting portal; expanded '
                                                  'OCR authority to '
                                                  'investigate Part 2 '
                                                  'breaches.',
                            'root_causes': 'Regulatory changes under the CARES '
                                           'Act of 2020 aligning Part 2 with '
                                           'HIPAA/HITECH; need for stronger '
                                           'protections for SUD patient '
                                           'records.'},
 'recommendations': 'Covered entities should review and update compliance '
                    'programs for Part 2, ensure proper consent language, and '
                    'prepare for potential dual reporting requirements under '
                    'HIPAA and Part 2.',
 'references': [{'source': 'U.S. Department of Health and Human Services '
                           '(HHS)'},
                {'source': 'CARES Act of 2020'},
                {'source': 'HIPAA and HITECH Act'}],
 'regulatory_compliance': {'fines_imposed': 'Monetary penalties possible',
                           'legal_actions': 'Resolution agreements and '
                                            'corrective actions',
                           'regulations_violated': '42 CFR Part 2 (potential '
                                                   'noncompliance)',
                           'regulatory_notifications': 'Breach reports '
                                                       'required within 60 '
                                                       'days (large breaches) '
                                                       'or annually (smaller '
                                                       'breaches)'},
 'response': {'communication_strategy': 'Public submission and viewing of Part '
                                        '2 record compromises',
              'remediation_measures': 'New breach reporting portal and '
                                      'enforcement program'},
 'stakeholder_advisories': 'Covered entities must report breaches of Part 2 '
                           'records affecting 500 or more individuals within '
                           '60 days; smaller breaches must be reported by '
                           'March 1 of the following year.',
 'title': 'HHS Launches New Portal for Reporting Substance Use Disorder Data '
          'Breaches',
 'type': 'Regulatory Enforcement Program Launch'}