Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations

Posted by Steve Alder

On August 26, 2025, Robert F. Kennedy Jr., Secretary of the U.S. Department of Health and Human Services (HHS), delegated the authority to administer and enforce the Confidentiality of Substance Use Disorder (SUD) Patient Records” regulations at 42 CFR part 2 (Part 2) to the HHS’ Office for Civil Rights (OCR).

OCR is the primary enforcer of the Health Insurance Portability and Accountability Act (HIPAA), which, among other things, ensures the confidentiality, integrity, and availability of personally identifiable health information collected, stored, maintained, or transmitted by HIPAA-regulated entities. The HIPAA Rules have provisions concerning data security and uses and disclosures of personally identifiable information related to past, present, and future health; however, due to the high level of sensitivity of SUD records, they are afforded greater protection under the Part 2 regulations.

The Part 2 regulations were promulgated in 1975 to ensure that patients receiving treatment for a SUD in a Part 2 Program do not face adverse consequences related to criminal proceedings and domestic proceedings such as child custody, divorce, or employment. The Part 2 regulations restrict uses and disclosures of SUD records, which are kept separate from other health records, such as those regulated by HIPAA. Generally, Part 2 Programs are prohibited from disclosing any information that could identify a person as having or having had a SUD without written consent.

While there are important reasons for greater protections for SUD records, having two sets of regulations for different types of health information creates compliance challenges. The two sets of regulations hamper care coordination, stifle information sharing, and may put patients at risk. For instance, the separation of SUD records from general health records could result in a physician making a treatment decision based on incomplete information, such as prescribing opioids to a patient recovering from opioid addiction.

There have been growing calls for the Part 2 regulations to be more closely aligned with HIPAA to improve care coordination and address some of the current compliance challenges. In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act was enacted, which directed the HHS to engage in further rulemaking to better align the Part 2 regulations with HIPAA. The HHS, through the Substance Abuse and Mental Health Services Administration (SAMHSA) and OCR, issued a Final Rule in 2024 implementing changes to better align the two sets of regulations to improve care coordination, strengthen confidentiality protections through civil enforcement, and align certain requirements of the Part 2 regulations with HIPAA. The compliance deadline for the Final Rule is February 16, 2026.

Two of the changes relate to privacy violations and data breaches. The Final Rule gives individuals the right to file complaints about violations of the Part 2 regulations, and the subject of SUD records must be notified about breaches of their Part 2 records, as is the case for violations of HIPAA and breaches of HIPAA-covered data. RFK Jr. has now delegated the administration and enforcement responsibilities of the Part 2 regulations to OCR. The Director of OCR has the authority to redelegate those responsibilities.

Specifically, per the Secretary’s Statement of Delegation of Authority published in the Federal Register on August 27, 2025, OCR will be able to:

  • Enter into resolution agreements, monetary settlements, and corrective action plans, or impose civil money penalties for failures to comply with the requirements of Part 2 regulations, as amended by the Final Rule
  • Issue subpoenas requiring the attendance and testimony of witnesses and the production of any evidence that relates to any matter under investigation or compliance review for failure to comply with the Part 2 regulations, as amended by the Final Rule
  • Make decisions regarding the interpretation, implementation, and enforcement of the Part 2 regulations, as amended by the Final Rule

The post Office for Civil Rights Authorized to Administer and Enforce the Part 2 Regulations appeared first on The HIPAA Journal.

CISA Seeks Feedback on Updated Software Bill of Materials Guidance

Posted by Steve Alder

One of the biggest security headaches in healthcare is managing third-party risk. Healthcare organizations can implement extensive security measures to protect their internal networks and sensitive data, only for a security flaw in a medical device or third-party software solution to be exploited, circumventing their security protections.

While patches can be applied to address known vulnerabilities, software and firmware may contain third-party components and dependencies. Since there may be little visibility into those components and dependencies, risks are impossible to mitigate effectively.

To improve visibility and help with risk management, all medical devices should be provided with a Software Bill of Materials (SBOM), which is a formal, machine-readable inventory of all software components and dependencies used in a medical device. The Food and Drug Administration (FDA) now requires SBOMs to be provided with premarket submissions of medical devices, to help ensure cybersecurity for the whole lifecycle of the device.

The Cybersecurity and Infrastructure Security Agency (CISA) is pushing for SBOMs to be included with software to improve transparency and supply chain security. CISA has previously published SBOM guidance, which has now been updated to reflect the current state of maturity in software transparency.

“SBOMs provide a detailed inventory of software components, enabling organizations to identify vulnerabilities, assess risk, and make informed decisions about the software they use and deploy,” explained CISA. “As adoption of SBOMs has grown across the public and private sectors, so too has the need for machine-processable formats that support scalable implementation and integration into broader cybersecurity practices.”

While the guidance  – 2025 Minimum Elements for a Software Bill of Materials (SBOM) – is primarily intended for federal agencies, CISA is encouraging other entities to use the guidance to help them understand what they can expect from vendors’ SBOMs. The update includes new SBOM data fields, the name of the tool used to create the SBOM, the software’s cryptographic hash, and several revisions. Public comment is sought on the new draft guidance until October 3, 2025, allowing individuals to share their knowledge for incorporation into the guidance ahead of the release of the final version.

The post CISA Seeks Feedback on Updated Software Bill of Materials Guidance appeared first on The HIPAA Journal.