You probably haven't touched your intake packet since you set up your practice. Neither had I — not the version sitting in the Vault that I built, the one I tell practitioners to use as their starting point. That changed this weekend.

In February of last year, the federal government changed the rules. Not loudly. Not with a media cycle. Just a quiet Final Rule in the Federal Register that said: starting February 16, 2026, the language in your substance use disclosure forms needs to look different. Then February 16th came and went. And then May came. And here we are.

If your intake forms predate February 2024, they're missing language the federal government started requiring three months ago. Most independent practitioners don't know. Their forms still work — patients still sign them — but the legal status of those signatures has shifted.

I ran the audit on my own templates this weekend. I found gaps. Here's what changed, what I found, and the same audit you can run on yours.

What changed

The regulation is 42 CFR Part 2. It's the federal rule that governs disclosure of substance use disorder records. For decades, Part 2 was more stringent than HIPAA — SUD records required separate, granular consent for every disclosure, with limited exceptions for medical emergencies.

In February 2024, the Department of Health and Human Services published a Final Rule [1] substantially aligning Part 2 with HIPAA's Privacy Rule. The rule's compliance deadline was February 16, 2026.

Three big changes you need to know about.

First, single patient consent now covers all future uses for treatment, payment, and healthcare operations — what HIPAA calls TPO. Before this rule, you needed separate, narrowly scoped consent for each disclosure. After this rule, one well-drafted consent can cover routine TPO disclosures going forward, just like HIPAA.

Second, Notice of Privacy Practices requirements changed. If your practice touches SUD records — even adjacent, even just because your intake form asks about substance use — your NPP must include specific Part 2 language. Most pre-2024 NPP templates don't have it. The federal government considers this a deficiency starting February 16th.

Third, breach notification for SUD records now follows the HIPAA Breach Notification Rule under 45 CFR Part 164 Subpart D [3]. Before this rule, Part 2 had its own breach pathway with different timelines. Now it's the same as HIPAA. Cleaner — but only if your breach response runbook says so.

Why most practices missed it

The reason this rule slipped past most independent practitioners is that the headline framing was "alignment with HIPAA." That sounds like a simplification. It sounds like good news. Most practitioners read the headline and assumed it meant less work, not more.

It does, eventually, mean less work. The single-consent-covers-TPO change is genuinely simpler than the old multi-consent regime.

But "less work going forward" requires "work right now" to get there. Your existing intake forms are calibrated for the old consent regime. They use the old language. They reference the old disclosure pathways. They're not wrong — they're outdated. And after February 16, 2026, outdated is the same as deficient when OCR or a state AG comes looking.

Here's the gap in plain language: if a patient signed your old intake form last year, and you used that signature to disclose SUD-adjacent information to a referring provider this month, the disclosure may not be covered by valid current-rule consent. Your old form predates the rule. Your patient signed a document that no longer matches the operational reality you're working in.

This is not theoretical. It's the structural problem the Final Rule created — even practitioners acting in good faith with their existing forms now have a consent-validity question they didn't have six months ago.

What I found when I audited my own templates

I want to be transparent about this because it's the actual story.

I built the Vault templates over a year ago. They were HIPAA-current then. They were calibrated for independent practice, with the layered structure I've written about before — patient-facing policies separate from operational runbooks, intake forms separate from billing authorizations, every document doing one job clearly.

This weekend I read them against the 42 CFR Part 2 Final Rule. Five gaps in the NPP. Five gaps in the intake consent. No separate Authorization to Disclose Substance Use Disorder Records document at all. The Vault templates I tell practitioners to use are calibrated for HIPAA. They are not calibrated for the post-2024 Part 2 alignment.

The gaps in my NPP:

The gaps in my intake consent:

This is the work I'm doing this weekend. Adding Part 2 language to the NPP. Adding a separate Authorization to Disclose Substance Use Disorder Records form. Adding the missing consent elements. Updating the breach response runbook to flag the Subpart D alignment. Adding an addendum to the annual risk assessment template noting the 2026 change.

By Tuesday morning, the updated documents will be in the Vault. If you already own the Vault, the update arrives in your inbox. If you don't, the updated version is what new buyers download.

What 42 CFR Part 2 actually says now

Whether you're using the Vault templates or your own, the operational pieces for an independent practice come down to the same four documents.

Your Notice of Privacy Practices. Must now include Part 2 language describing how SUD records are handled. The language is specific — generic HIPAA NPPs don't satisfy it. If a patient asks where this language is and it's missing, you have a documented deficiency.

Your intake consent forms. The single-TPO-consent model needs explicit language to be valid. "I consent to the use of my records for treatment, payment, and healthcare operations" is the start, but the federal rule specifies additional elements — including the patient's right to revoke, the duration of consent, and a description of redisclosure handling.

Your breach response runbook. Has to reflect the Subpart D timeline — 60 days for individual notification, 60 days for HHS notification on smaller breaches, immediate notice on breaches of 500 or more records. If your runbook still references the old Part 2-specific timeline, it's pointing your future self at the wrong protocol during the worst week of your year.

Your annual risk assessment. Should flag this as a 2026 compliance change. If your last assessment predates February 2024, it doesn't reflect current regulatory reality.

What to do this week

This weekend, before Tuesday morning's first new patient.

One. Pull your current Notice of Privacy Practices. Look for any mention of substance use disorder records or 42 CFR Part 2. If there's no Part 2 language, your NPP predates February 2024 and needs to be updated. This is the deficiency OCR and state AGs will find first if they audit.

Two. Pull your intake consent forms. Look at the consent language for disclosure of records. If it references "each disclosure" or requires separate consent for each routine TPO use, it's calibrated for the pre-2024 rule. Update it to the single-TPO-consent model with the four required elements — right to revoke, duration, redisclosure handling, and patient identification.

Three. Pull your annual risk assessment. If it predates February 2024, it does not flag this change. Add a brief addendum noting the 42 CFR Part 2 alignment and the document updates you made this weekend. Date it. File it.

Ninety minutes total if you have the templates. Memorial Day weekend gives you the runway. Mine will be updated and in the Vault by Tuesday morning. Yours can be too.

The independent practitioners who get audited in 2026 are not getting audited because they're doing something wrong with their patients. They're getting audited because the federal government changed the rules in February of 2024, gave everyone two years to update their forms, and now the deadline has come and gone. Most practices missed it. I missed it. The audit finds the forms that nobody updated.

By Tuesday morning, mine will be. Yours can be too.

The templates I'm updating this weekend.
The Encrypted Chart Vault includes Notice of Privacy Practices templates, patient intake and consent forms, the breach response runbook, and the annual risk assessment template — calibrated for independent practice. The 42 CFR Part 2 update ships by Tuesday morning to all current and new Vault holders. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
Footnotes
  1. Confidentiality of Substance Use Disorder (SUD) Patient Records, Final Rule, 89 Fed. Reg. 12472 (Feb. 16, 2024). federalregister.gov
  2. 42 CFR Part 2. ecfr.gov
  3. 45 CFR § 164 Subpart D (HIPAA Breach Notification Rule). ecfr.gov