By Joe Wynn, CEO
5 must-knows about the federal enforcement that quietly began this month.
Beginning February 16, 2026, the HHS Office for Civil Rights (OCR) will actively enforce confidentiality protections for substance use disorder (SUD) patient records under 42 CFR Part 2.
For the first time, these protections carry HIPAA-level enforcement mechanisms, including OCR investigations, breach notification requirements, corrective action plans, and civil monetary penalties. Before the CARES Act, Part 2 violations carried only criminal penalties and were rarely prosecuted.
This shift does not create entirely new privacy obligations. Instead, it activates enforcement authority that existed in law but had not yet been applied with the consistency, visibility, or regulatory focus of HIPAA enforcement. As a result, organizations that previously viewed Part 2 as a regulatory nuance must now treat it as an active enforcement risk.
Here are the 5 things healthcare and health tech leaders need to know.
1. This is not a new law. It is newly enforced.
The legal foundation for this change was established several years ago, but enforcement is only now becoming operational.
- Congress established the legal authority for this change in Section 3221 of the CARES Act in 2020, which amended federal law to align substance use disorder privacy protections with HIPAA and authorize civil enforcement.
- HHS finalized the implementing rule in February 2024 and set a compliance date two years out to allow time for preparation.
- Executive Order 14379, signed January 29, 2026, elevated addiction recovery to a coordinated national priority and reinforced federal oversight across healthcare and technology organizations handling substance use disorder data.
- Executive orders do not create new statutory obligations, but they direct federal agencies to prioritize enforcement, allocate resources, and demonstrate measurable progress, which often results in increased regulatory scrutiny and enforcement activity.
- Active civil enforcement began February 16, 2026.
Organizations have had time to prepare. That preparation window is now closing, and enforcement expectations are becoming operational.
This delay reflects the normal federal rulemaking process. After Congress passed the law in 2020, HHS issued proposed and final regulations, gave the industry time to update policies and controls, and only then activated enforcement. The result is a transition from regulatory alignment on paper to active enforcement in practice.
2. Substance use disorder data was already protected, but enforcement has changed.
Many leaders assume this data was already fully covered under HIPAA. That is partially true, but incomplete.
- SUD data held by HIPAA covered entities and their business associates has long been protected as PHI under HIPAA
- Records from federally assisted SUD programs are also protected under a stricter federal regulation, 42 CFR Part 2, which adds patient consent and redisclosure restrictions that HIPAA alone does not impose
- Historically, Part 2 enforcement was less visible and less consistently applied
- The CARES Act aligned Part 2 enforcement with HIPAA
- OCR can now investigate violations, impose civil monetary penalties, and require corrective actions
This alignment gives regulators clearer authority and increases the likelihood that enforcement actions will occur.
3. Many organizations are exposed without realizing it.
This exposure extends beyond addiction treatment providers themselves. Many healthcare and technology organizations store, process, or transmit this data as part of normal operations, often without tagging or segregating it from other patient data. A practical first check is to inventory where Part 2 records enter, reside in, and leave your systems, because safeguards cannot be demonstrated for data you have not identified.
Organizations most at risk include:
- Substance use disorder treatment providers and behavioral health clinics
- Hospitals and health systems
- Telehealth and behavioral health platforms
- SaaS companies providing EHR, patient engagement, or clinical workflow tools
- Technology vendors supporting behavioral health providers
If your systems store, process, or transmit addiction treatment data, your regulatory exposure increases beginning February 16, 2026.
4. The primary risk is not intent. It is lack of security maturity.
Whether an enforcement action is opened rarely hinges on whether an organization intended to violate the law. Investigations focus on whether appropriate safeguards were in place. Intent matters only at the penalty stage, where HIPAA's civil penalty tiers scale with culpability, from lack of knowledge up to willful neglect that is not corrected.
Regulators expect organizations to demonstrate that risks are understood, documented, and actively managed.
Common areas of regulatory focus include:
- Access controls and least privilege enforcement
- Audit logging and monitoring
- Incident response readiness
- Risk assessments and risk management processes
- Governance and accountability
Organizations that cannot demonstrate these capabilities face significantly greater enforcement risk.
5. Mature security programs reduce both risk and uncertainty.
HIPAA's Security Rule requires administrative, technical, and physical safeguards to protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). A mature security management program provides the operational structure needed to implement and sustain those safeguards.
Security management frameworks such as ISO 27001 and independent control attestations such as SOC 2 are not substitutes for HIPAA compliance, but they give organizations a structured way to implement governance, risk management, access control, monitoring, incident response, and the other safeguards HIPAA requires, and to produce the evidence that those safeguards are operating.
These structured security programs help organizations:
- Identify and reduce security risk
- Implement appropriate access controls and monitoring
- Establish repeatable incident response processes
- Maintain documented risk management processes
- Demonstrate operational discipline during regulatory investigations
Organizations with mature, well-defined information security management systems are significantly better positioned to respond to OCR investigations, breach events, and regulatory scrutiny.
What enforcement will look like
OCR enforcement actions consistently originate from breach reports, patient complaints, and compliance reviews, all of which turn on whether an organization can demonstrate that required safeguards were properly implemented and maintained.
This enforcement model has been established through more than a decade of HIPAA enforcement and now applies directly to substance use disorder record protections under 42 CFR Part 2. The investigative authority, regulatory mechanisms, and enforcement tools are already in place and actively used.
OCR has explicitly opened complaint and breach reporting channels for substance use disorder record violations. Patients, employees, partners, and others can file complaints directly with OCR, and organizations must report qualifying breaches.
Complaints and breach reports have historically served as primary triggers for OCR investigations, meaning enforcement is driven directly by real-world incidents, patient concerns, and reported security failures.
Organizations that can demonstrate mature safeguards, documented risk management, and operational security discipline are positioned to respond effectively. Organizations that cannot demonstrate these safeguards face significantly greater regulatory exposure.
What healthcare and health tech leaders must do now to reduce enforcement risk
Healthcare and health tech organizations that store, process, or transmit regulated patient data must be able to demonstrate that required safeguards are implemented, documented, and operating effectively. Federal enforcement is now active, and regulators evaluate whether safeguards exist in practice, not just in policy.
Waiting until an investigation, audit, customer review, or breach occurs exposes the organization to unnecessary regulatory, operational, and reputational risk. Organizations should evaluate their security posture now and identify gaps before those gaps are exposed through enforcement, audit, or incident response.
Seiso has published a practical compliance checklist that helps organizations identify applicable regulatory requirements, assess security program maturity, and highlight areas that may require remediation or further evaluation.
Download the checklist here: https://www.seisollc.com/download-compliance-checklist?hsCtaAttrib=189069758021
Organizations that perform this assessment proactively gain clarity on their security program's maturity and are better positioned to prioritize remediation before regulatory scrutiny occurs.
Demonstrating safeguards requires more than documented policies. Organizations must ensure that safeguards are implemented and maintained, and that their effectiveness can be demonstrated through documentation and operational evidence.
You can learn more about how Seiso helps healthcare and health tech organizations design, implement, and maintain mature security and compliance programs here: https://www.seisollc.com/case-studies
My perspective
In my work with healthcare and health tech organizations, I consistently see that enforcement actions rarely stem from a single failure. They are typically the result of gaps that were never fully evaluated, documented, or addressed. The organizations that navigate regulatory scrutiny most effectively are those that treat security maturity as an operational priority rather than a compliance exercise.
References
- HHS OCR Announcement: Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records
https://www.hhs.gov/press-room/hhs-announce-civil-enforcement-program-sud-patient-records.html
- HHS OCR Part 2 Guidance and Resources
https://www.hhs.gov/hipaa/part-2/index.html
- Executive Order 14379: Addressing Addiction Through the Great American Recovery Initiative
https://www.federalregister.gov/documents/2026/02/03/2026-02249/addressing-addiction-through-the-great-american-recovery-initiative
- CARES Act, Section 3221 (Confidentiality of Substance Use Disorder Patient Records)
https://www.congress.gov/116/plaws/publ136/PLAW-116publ136.pdf
- HHS Final Rule Aligning 42 CFR Part 2 with HIPAA (2024)
https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records