The ADA revised its sample HIPAA Notice of Privacy Practices to address Part 2 records related to substance use disorders. Here’s a review of what matters for dental practices.
Print & Go GuidanceBy Genni Burkhart
Substance use disorder treatment records don’t appear in every patient’s chart, but when they do, federal law sets specific rules for their handling. Beginning February 16, 2026, HIPAA (Health Insurance Portability and Accountability Act)-covered practices must include information in their Notice of Privacy Practices describing how records protected under 42 CFR Part 2 may be used and disclosed. The ADA also updated its sample HIPAA Notice of Privacy Practices to reflect those federal requirements.
At first glance, this may seem like a routine document update. However, it directly affects how sensitive patient information moves through your practice, how your team responds to record requests, and how clearly you communicate privacy protections to patients.
If your office receives records connected to a federally assisted substance use disorder (SUD) treatment program, this update is directly relevant.
Let’s dive in.
What Part 2 Means in a Dental Setting
Part 2 is a federal law and regulation (42 U.S.C. 290dd-2 and 42 CFR part 2) that places heightened confidentiality protections on certain substance use disorder treatment records, especially those connected to federally assisted programs.
Essentially, those protections don’t stop at the treatment facility. When the record enters your practice, the same standards apply.
Although Part 2 primarily governs SUD programs, it also applies to anyone who lawfully receives those records. That means when this information enters a dental practice through a health history, referral, or care coordination, the same confidentiality requirements apply. Once it becomes part of the patient's record, the practice assumes responsibility for handling it correctly.
The reason for these heightened protections is fairly straightforward. Lawmakers understood that concerns about discrimination or legal consequences could prevent individuals from seeking treatment. Part 2 was therefore designed to reduce that fear by strengthening confidentiality safeguards.
Federal updates made parts of Part 2 operate more like HIPAA, but they didn't weaken the underlying confidentiality protections. Substance use disorder treatment records still carry stricter limits.
Where the Distinctions Matter Most
Most dental teams are comfortable navigating HIPAA. However, Part 2 introduces nuances that require additional attention, particularly around consent, legal proceedings, and internal safeguards.
-
Consent is more precise.
Part 2 records often come with consent terms that dictate how they may be used or disclosed. A general consent permits use and disclosure for treatment, payment, and health care operations, consistent with the HIPAA Privacy Rule and as described in your Notice of Privacy Practices. By contrast, a specific consent limits disclosure strictly to what the patient expressly authorizes.
Furthermore, each disclosure made with patient consent must include a copy of that consent or a clear explanation of its scope. In a busy practice, it can be easy to treat all medical information the same. However, when Part 2 information is involved, the scope of consent cannot be assumed. It must be verified.
-
Legal proceedings require added caution.
Part 2 is also more restrictive than HIPAA regarding legal proceedings. In general, Part 2 records and testimony describing the information in those records may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against a patient unless the patient provides specific consent or a court issues a qualifying order that meets Part 2 requirements.
While HIPAA allows certain disclosures in response to legal processes, Part 2 sets a higher standard. As a result, practices should review how subpoenas and other record requests are evaluated, particularly when the chart contains information tied to a Part 2 program.
-
Policies must reflect the added protections.
Beyond consent and legal requirements, practices that maintain Part 2 records require clear, formal policies. Those policies should address unauthorized uses and disclosures and protect against foreseeable security risks.
These protections apply to paper and electronic records. That means secure storage, controlled access, proper destruction, and safeguards for the creation, maintenance, and transmission of electronic information. Records should also be de-identified in accordance with HIPAA standards. While you don’t have to separate Part 2 records, your overall privacy and security process should include the added level of protection required.
Updating the Notice of Privacy Practices
Because of these distinctions, the ADA updated its sample Notice of Privacy Practices to include a section specifically addressing substance use disorder treatment information governed by Part 2.
The revised language explains how records received under a general consent may be used and disclosed for treatment, payment, and health care operations. It also clarifies that records received under a specific consent may only be used and disclosed as "expressly permitted." In addition, it makes clear that Part 2 records generally may not be used or disclosed in legal proceedings against a patient without proper authorization or a qualifying court order.
Practices must ensure that their current Notice of Privacy Practices reflects this language and that the version provided to patients is the updated one. The notice should be provided to new patients at intake, made available upon request, posted in a prominent location in the office, and posted on the practice website if one exists. Electronic distribution remains acceptable when patients have agreed to receive notices electronically.
It's also important to note that the HIPAA Notice of Privacy Practices doesn't need to include reproductive health language, as provisions requiring those modifications were vacated by a federal court decision on June 18, 2025.
Where to Focus
Now that the compliance date has passed, the focus shifts to something practical: Does your current privacy notice reflect the update, and does your team actually know what it means?
Start with the basics. Make sure your Notice of Privacy Practices includes the required Part 2 language and that the version in your reception area matches what’s on your website. Then look at how record requests are handled. If a subpoena (while rare) were to come in, would someone pause to check whether the chart contains Part 2 information? Would they know that general and specific consent are not the same?
This is also a good moment to ask a simple question: If Part 2 information appears in a chart, would your team recognize it? And more importantly, would they know it carries added protections?
Essentially, this HIPAA update is about ensuring your written notice and daily routines align. When everyone understands the difference, the process becomes steady and consistent. Following through completely protects your practice and the patients who trust you with their private health information.
Part 2 is detailed and technical, and this overview covers only federal requirements. If questions come up, especially around subpoenas or other legal requests for records, it makes sense to speak with qualified legal counsel familiar with your jurisdiction.
Author: With over 16 years as a published journalist, editor, and writer, Genni Burkhart's career has spanned politics, healthcare, law, business finance, technology, and news. She resides in Northern Colorado, where she works as the editor-in-chief of the Incisor at DOCS Education.
