Tick Tock: The 42 CFR Part 2 Compliance Clock is Counting Down!

by | Feb 16, 2025 | 42 CFR Part 2, Privacy & Consent, Tools & Resources

One year. That’s all the time left before the February 16, 2026 compliance deadline for the 42 CFR Part 2 Final Rule officially arrives. If you haven’t started preparing yet, now is the perfect time to get things in motion.

For years, enforcement of Part 2 has been more myth than reality, with DOJ action practically nonexistent. But starting in 2026, that all changes. A new HIPAA-like enforcement structure means the introduction of civil monetary penalties (CMPs), making noncompliance a costly risk rather than an overlooked afterthought.

What Should You Be Doing Right Now?

Organizations subject to Part 2 should be actively:

• Updating policies and procedures

• Revising Notices of Privacy Practices

• Overhauling consent forms

One of the most challenging aspects of Part 2 implementation is the new consent structure. While the new consent for treatment, payment, and health care operations (“TPO consent”) introduces opportunities for improved data sharing and alignment with HIPAA, it is also complex and requires careful implementation.

To help navigate these changes, I have included our Legal HIE Compliance Library checklist of key elements required in Part 2 consents. You can download a copy of our Part 2 Consent Checklist tool here. I have also summarized the elements for you below. [Note: the downloadable checklist tool has a lot more detail AND legal citations (for us legal nerds who need those ;)] Happy Part 2 consenting!

Part 2 “Standard Consent” (i.e., required elements for ALL Part 2 consents)

When to Use: A Part 2 Standard Consent must be obtained before any uses or disclosures of Part 2 Records that are not otherwise permitted under a Part 2 exception or de-identified. This includes any disclosure for treatment, payment, or health care operations.

  • Patient’s Name
  • Discloser Name or Description (Who is authorized to make the disclosure)
  • Description of the Information (Specific and meaningful description of data to be disclosed)
  • Recipient Name or Description (Who will receive the disclosed information)
  • Purpose(s) (Why the disclosure is occurring)
    • Example: “At the request of the patient”
    • If for fundraising, must include a patient opt-out statement
    • If for TPO, additional requirements apply (see below)
  • Right to Revoke + Instructions (How a patient can revoke consent)
  • Expiration Date or Event (Must be clearly defined)
    • Example: “End of the research study” or “none” (but CAUTION if the consent also has to serve as a HIPAA Authorization (when one is required) because “none” is not allowed under HIPAA except in the research context).

  • Signature (Patient or legally authorized representative)
  • Date (Date of signature)

Also, don’t forget about the new Disclosure Notices that are now required. Each disclosure must be accompanied by:

  1. At least this statement: “42 C.F.R. Part 2 prohibits unauthorized use or disclosure of these records.”
  2. A copy of the consent or a clear explanation of its scope.

NOTE: the required statement and consent copy or explanation are not required to be contained in the Part 2 Standard Consent. However, depending on the implementation approach, including these required notices within the consent form might be the most practical approach.

 

Part 2 TPO Consent

When to Use: When disclosing Part 2 Records for treatment, payment, and/or health care operations.

  • Must include all elements of the Part 2 Standard Consent

Additionally, include the following (as applicable):

  • Purpose may be described as “For treatment, payment, and health care operations.”
  • Recipient may be described as “My treating providers, health plans, third-party payers, and people helping to operate this program.”
  • HIPAA Covered Entity & Business Associate Statement: If the Recipient is (or could be) a HIPAA Covered Entity or Business Associate of a HIPAA Covered Entity, the Part 2 TPO Consent must contain the following statement:

“Your Part 2 Record (or information contained in your Part 2 Record) may be redisclosed in accordance with the permissions contained in the HIPAA regulations, except for uses and disclosures for any civil, criminal, administrative, and legislative proceedings against you.”

  • Required TPO Statements. All Part 2 TPO Consents must contain the following statements:
    • “These Part 2 Records may be subject to redisclosure by the Recipient and no longer protected by 42 C.F.R. Part 2.”
    • “If you refuse to sign this consent, [insert consequences].”

Sample Language: “You have the right to refuse to sign this consent form. However, if you choose not to sign, we may not be able to bill your health plan, meaning you would be responsible for full payment at the time of service. Additionally, we may not be able to coordinate treatment referrals with other providers, which could affect your continuity of care. If you have paid in full and wish to restrict disclosures to your health plan, you must notify us in writing.”

  • Expiration Date/Event may be described as “end of the treatment.” Additionally, a description of “none” is allowed where the consent is for treatment, payment or health care operations. Note, although HIPAA generally does not permit “none” as a compliant expiration date or event, since HIPAA does not require a signed HIPAA Authorization for TPO disclosures, that restriction does not apply here. In contrast, although Part 2 requires a signed consent for TPO, it expressly permits listing “none” as the expiration date/event.

Part 2 Intermediary Consent

When to Use: To disclose Part 2 Records to an Intermediary (i.e., an entity that is neither a Part 2 Program nor a HIPAA Covered Entity/Business Associate) under a general designation for further disclosure to treating providers.

What kinds of organizations might be an Intermediary? Here are a few examples HHS provided: (1) a health information exchange (HIE) that facilitates exchange of Part 2 information from a Part 2 Program that is NOT also a HIPAA covered entity (e.g., a private pay or state-run Part 2 Program could qualify here); (2) a research institution that is providing treatment; (3) an accountable care organization; or (4) a care management organization.

  • Must include all elements of the Part 2 Standard Consent

Additionally, include the following (as applicable):

Recipient Name or Description:

  • Intermediary Name (required)
  • Names of all member participants of the Intermediary OR general designation of a participant(s) or class of participants, which must be limited to a participant(s) who has a treating provider relationship with the patient whose information is being used or disclosed.

_________________________

If you found this checklist helpful, we have even more tools, checklists, sample policies, and forms to assist with every aspect of updating your compliance program for the new 42 CFR Part 2 requirements. See the Table of Contents for our Part 2 Helper.

Don’t wait until the last minute—February 16, 2026 will be here before you know it. Start preparing today and ensure your organization is ready to meet the new standards (and avoid the new penalties).

Need help? We’re just a click away at legalhie.com/membership

 


If you are not a subscriber to our backend Legal HIE compliance library, download our Table of Contents here to check out all of the tools, checklists, whitepapers, sample policies we make available to our members to help their organizations comply with Information Blocking, HIPAA, 42 CFR Part 2, Data Breaches and more. Ready to subscribe now? Click here to review our subscription options.
