Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations

Posted by Steve Alder

On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 implementing changes to better align the two sets of regulations to improve care coordination, strengthen confidentiality protections through civil enforcement, and align certain requirements of the Part 2 regulations with HIPAA. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
  • Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule

The post Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations appeared first on The HIPAA Journal.

CISA Seeks Feedback on Updated Software Bill of Materials Guidance

Posted by Steve Alder

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there may be little visibility into those components and dependencies, risks are impossible to mitigate effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance  – 2025 Minimum Elements for a Software Bill of Materials (SBOM) – is primarily intended for federal agencies, CISA is encouraging other entities to use the guidance to help them understand what they can expect from vendors’ SBOMs. The update includes new SBOM data fields, the name of the tool used to create the SBOM, the software’s cryptographic hash, and several revisions. Public comment is sought on the new draft guidance until October 3, 2025, allowing individuals to share their knowledge for incorporation into the guidance ahead of the release of the final version.

The post CISA Seeks Feedback on Updated Software Bill of Materials Guidance appeared first on The HIPAA Journal.

Legacy Treatment Services Data Breach Affects 42,000 Individuals

Posted by Steve Alder

Data breaches have recently been confirmed by Legacy Treatment Services/Community Treatment Solutions in New Jersey, Washington Gastroenterology, Woodlawn Hospital in Indiana, and Children’s Home & Aid (Brightpoint) in Illinois.

Legacy Treatment Services

Legacy Treatment Services, a New Jersey provider of behavioral health and addiction treatment services, has notified the Maine Attorney General about an October 2024 cybersecurity incident involving the personal and protected health information of 41,826 individuals. Some of the affected individuals had received services from Community Treatment Solutions (CTS) in Moorestown, New Jersey.

The incident was identified on or around October 11, 2024, when connectivity to its network was disrupted. The forensic investigation confirmed unauthorized access to its network between October 6, 2024, and October 11, 2024. A file review was initiated, and on July 18, 2025, confirmation was received that employee and patient data were accessed and acquired in the incident.

The data involved varied from individual to individual and included first and last names along with one or more of the following: addresses, phone numbers, email addresses, Social Security numbers, birth dates, driver’s license numbers/state ID numbers, passport numbers, financial account numbers, routing numbers, bank names, credit/debit card numbers/CVV/expiration dates/PIN or security codes, login information, diagnoses, clinical information, treatment/procedure Information, treatment types/locations, treatment cost information, doctors’ names, medical record numbers, patient account numbers, health insurance information, prescription information, and/or biometric information.

While no evidence has been found to indicate any misuse of that information, the affected individuals have been offered complimentary credit monitoring and identity theft protection services.

Washington Gastroenterology

Washington Gastroenterology has recently started notifying patients about a cybersecurity incident detected on or around March 10, 2025. The exact nature of the incident was not disclosed in its substitute breach notice, only that certain data was accessed by an unknown third party. The affected data was reviewed, and it was confirmed that the breach was limited to a legacy system, which contained names, Social Security numbers, and medical information. No current networks or affiliate systems were involved.

Individual notification letters started to be mailed to the affected individuals on May 23, 2025; however, it later emerged that further individuals were affected, and notification letters are now being mailed to those individuals. Complimentary credit monitoring and identity theft protection services are being offered to the affected individuals. The data breach has been reported to regulators, but the incident is not currently shown on the OCR data breach portal or the Washington Attorney General website, so it is currently unclear how many individuals have been affected.

Woodlawn Hospital

Woodlawn Hospital in Rochester, Indiana, has identified unauthorized access to its computer network. The intrusion was identified on June 30, 2025, and the forensic investigation confirmed unauthorized access between June 25, 2025, and June 30, 2025. During that time, files containing patient data were copied from its network.

The files are currently being reviewed, but it has been confirmed that they contain names, addresses, dates of birth, Social Security numbers, driver’s license numbers/state identification numbers, medical information, and health insurance information. Notification letters will be mailed to the affected individuals when the file review is concluded. The incident is not yet shown on the HHS’ Office for Civil Rights website, so it is currently unclear how many individuals have been affected.

Children’s Home & Aid (Brightpoint)

Children’s Home & Aid, doing business as Brightpoint in Illinois, has identified unauthorized access to an employee’s email account. The security incident was detected on or around February 27, 2025, and the forensic investigation confirmed unauthorized access to the account between January 12, 2025, and February 27, 2025. Following a programmatic and manual review of the account, it was determined on June 16, 2025, that the account contained the personal and protected health information of 1,051 individuals.

The data involved varied from individual to individual and may have included names, Social Security numbers, driver’s license numbers/ government-issued identification numbers, financial account information, health insurance information, and/or medical information.  Brightpoint has reviewed its security policies and procedures and has taken steps to reduce the risk of similar incidents in the future.

The post Legacy Treatment Services Data Breach Affects 42,000 Individuals appeared first on The HIPAA Journal.

Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach

Posted by Steve Alder

Healthcare Services Group, Inc. (HSG), a Bensalem, PA-based provider of environmental, dining, and nutritional support services to healthcare facilities, has recently notified the Maine Attorney General about a major data breach involving unauthorized access to systems containing the personal and protected health information of 624,496 individuals, including 3,871 Maine residents.

HCSG provides its services to more than 3,000 healthcare facilities in 48 U.S. states and employs more than 45,000 individuals. HSG first disclosed the security incident on October 16, 2024, in a FORM 8-K filing with the U.S. Securities and Exchange Commission (SEC), explaining that a cybersecurity incident was identified on October 9, 2024, when unauthorized activity was identified within some of its systems.

HSG initiated its cybersecurity incident response process, and an investigation was launched to determine the cause of the activity, with assistance provided by third-party cybersecurity specialists. At the time, the full nature of the incident was unknown, although it was not expected to have a material impact on its financial condition or the results of operations. The breach report indicates initial access to its network occurred on September 27, 2024, twelve days before the intrusion was detected. HSG has been reviewing the exposed files and determined on June 3, 2025, that personal and protected health information was potentially stolen.

Notification letters started to be mailed to the affected individuals on August 25, 2025, and complimentary credit monitoring and identity theft protection services have been offered to the affected individuals, in Maine at least. While the Maine Attorney General has published a copy of the breach notification letter, a website error means it is not currently viewable, and there is currently no substitute breach notice on the HSG website, so the types of information exposed in the incident and the nature of the cyberattack are currently unknown.

This post will be updated when further information becomes available.

The post Healthcare Services Group Confirms 624,500 Individuals Affected by Data Breach appeared first on The HIPAA Journal.