
On February 17, 2026, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) published an updated System of Records Notice (SORN) in the Federal Register under the Privacy Act of 1974.
While this may sound procedural, it represents a meaningful shift in how complaint investigations, compliance reviews, and breach reports under HIPAA and 42 CFR Part 2 are collected, shared, and potentially disclosed.
For healthcare executives, compliance officers, and digital health leaders, this is not just an administrative update. It changes the external visibility, enforcement alignment, and data-sharing landscape.
Federal Register Posting (SORN):
https://www.federalregister.gov/documents/2026/02/17/2026-03003/privacy-act-of-1974-system-of-records
What Changed?
1. Expanded Routine Uses of OCR Records
OCR’s updated SORN clarifies and expands its authority to share complaint, compliance review, and breach information with:
- Other federal agencies
- Contractors supporting OCR investigations and enforcement
- Entities consistent with authorized oversight and enforcement functions
Think of this like widening the distribution list on an investigation email thread. The scope of who may access certain records—under defined legal authorities—has increased.
Operational takeaway: Organizations should assume that complaint and breach documentation may be reviewed by a broader set of federal actors than previously understood.
2. Public Posting of Certain Part 2 Breaches
Historically, OCR has publicly posted HIPAA breaches affecting more than 500 individuals. Under this updated framework, breach information involving 42 CFR Part 2 substance use disorder (SUD) records may also be publicly posted, consistent with FOIA disclosure limitations.
This is significant.
Part 2 has long been treated as a heightened confidentiality regime. Aligning breach transparency practices more closely with HIPAA enforcement signals a maturation of Part 2 oversight into a parallel enforcement model.
Analogy: If HIPAA breaches have lived on a public dashboard, Part 2 breaches are now entering that same arena under defined thresholds.
Operational takeaway: Covered entities, business associates, and Part 2 programs must evaluate incident response processes with the expectation of potential public visibility for large-scale events.
3. Formal Alignment of Part 2 and HIPAA Enforcement
The SORN reflects OCR’s authority to investigate and enforce Part 2 complaints and breaches using structured, OMB-approved complaint and breach reporting forms and portals.
This formalizes what many compliance professionals anticipated:
Part 2 enforcement now operates with procedural symmetry to HIPAA enforcement.
Implication:
If your compliance program treats HIPAA risk management as “enterprise critical” but handles Part 2 as a siloed or niche function, that approach is no longer defensible.
Why This Matters Strategically
1. Increased Regulatory Surface Area
Complaint intake, breach documentation, and internal investigation records may now be shared more broadly within federal systems. Documentation discipline matters.
If it’s written, assume it may be reviewed.
That means:
- Clear risk analysis documentation
- Defined mitigation decisions
- Evidence of timely remediation
- Structured governance oversight
2. Heightened Public Accountability Risk
Large breaches involving SUD data now carry potential reputational exposure in addition to enforcement risk.
This shifts the calculus from:
“Will OCR investigate?”
to:
“Will this event become public-facing?”
That distinction affects executive oversight, board reporting, and crisis communications planning.
3. Convergence of Privacy & Security Programs
The alignment of HIPAA and Part 2 enforcement signals a continued trend:
Regulators are no longer tolerating fragmented privacy governance.
Organizations should ensure:
- Integrated HIPAA + Part 2 risk assessments
- Unified breach determination frameworks
- Updated Notices of Privacy Practices reflecting 2024–2026 changes
- Business Associate Agreements and Qualified Service Organization Agreements that reflect current enforcement authority
Practical Actions for Compliance Leaders
- Reassess Incident Response Playbooks
  Confirm your workflow explicitly addresses Part 2 breach analysis and potential OCR posting thresholds.
- Review Complaint Intake Policies
  Ensure documentation standards assume possible federal review.
- Update Contract Language
  Confirm BAAs and service agreements reflect current enforcement and data-sharing realities.
- Align Executive Reporting
  Elevate SUD data risk to the same governance tier as broader HIPAA enterprise risk.
- Conduct Targeted Training
  Particularly for compliance, privacy, and security teams handling SUD-related workflows.
Pros and Cons of the Shift
Pros
- Greater enforcement clarity
- Alignment between HIPAA and Part 2 reduces ambiguity
- More predictable regulatory process
Cons
- Increased reputational exposure for SUD-related breaches
- Broader sharing of investigation records
- Higher expectations for documentation rigor
The Bigger Picture
This SORN update is part of a broader pattern: regulators are emphasizing execution over intent.
Policies alone are insufficient.
Demonstrable controls, audit trails, and structured governance are the new baseline.
Organizations that treat compliance as a strategic risk discipline—not a documentation exercise—will be positioned to manage this shift effectively.
Final Thoughts
The February 17, 2026 OCR SORN does not create new statutory obligations. However, it materially expands the visibility and sharing environment surrounding complaints and breaches.
In risk management terms:
The likelihood of investigation may not change.
The impact of an incident—especially a large one—just did.
Healthcare organizations that proactively align HIPAA and Part 2 governance, strengthen documentation standards, and prepare for public-facing breach scenarios will navigate this transition with confidence.
If your organization would like an independent review of Part 2 alignment, breach governance maturity, or executive reporting structures, Hale Consulting Solutions can help.