Table of Contents
Ready to See Results?
From strategy through execution, Atlantic Health Strategies integrates compliance, operations, and growth into durable, measurable results. Let’s put our expertise to work for your organization.
The 60-Day Clock Starts at Discovery, Not at Cleanup
A behavioral health provider that discovers a PHI breach has 60 calendar days from the date of discovery to notify affected individuals, and, if the breach affects 500 or more people, to also notify HHS and prominent media in the affected state. That is not aspirational. It is the outer limit written into 45 CFR 164.404, which requires notification without unreasonable delay and no later than 60 calendar days after discovery.
The volume behind that rule is not theoretical. OCR’s 2024 Report to Congress documented 663 large breaches occurring in calendar year 2024, exposing the protected health information of 242,908,056 individuals, plus another 74,299 smaller breaches. Behavioral health operators sit inside that statistic, now with the added weight of 42 CFR Part 2.
On February 13, 2026, OCR announced a civil enforcement program for the confidentiality of SUD patient records, effective February 16, 2026. The operators who survive the OCR follow-up a year later are the ones who treated hour one like a regulator was already watching. Because, effectively, one is. OCR investigates every breach affecting 500 or more individuals, and its portal now has separate submission paths for PHI and Part 2 records.
Hour One Through Day Three: Facts First, Notifications Later
The first questions are not about notification. They are about facts. What systems were accessed. Whether PHI was viewed, exported, or modified. How far the compromise reached.
AHS opens every engagement the same way: evidence preservation, log review, network activity analysis, and isolation of compromised endpoints. Guesswork at this stage is what blows up the OCR submission later.
While forensics runs, a second team maps the data elements affected. Names. Addresses. Clinical notes. SUD records. Diagnoses. Treatment details. Financial information. That mapping determines the reporting path. OCR’s portal has one submission path for PHI and, since February 16, 2026, a separate path for unsecured SUD records under Part 2, which means a single incident can generate two federal reports.
This is the failure point for operators without dedicated support. Their leaders try to manage IT remediation, patient notifications, OCR reporting, insurer communication, and legal review at the same time, with limited documentation and unclear sequencing. AHS coordinators stage the work so attorneys receive precise timelines, access details, and confirmation of exposed elements in a format they can actually use to advise the board.
The timing pressure is not abstract. IBM’s 2025 Cost of a Data Breach Report put the average healthcare incident at $7.42 million, with a mean 279 days to identify and contain, the most expensive industry for the 14th year running.
Part 2 Changed the Math for SUD Programs in February 2026
Behavioral health operators who treat substance use disorders should understand what changed this year. In 2024, HHS published a final rule updating 42 CFR part 2 as required by the CARES Act; the rule has been effective since April 16, 2024, and compliance was required by February 16, 2026. On August 25, 2025, the HHS Secretary delegated to the Director of OCR the authority to administer and enforce Part 2. Enforcement previously lived with SAMHSA and DOJ and was almost never used in practice. That regime is over.
Beginning February 16, 2026, OCR began accepting complaints alleging Part 2 violations and notifications of breaches of SUD patient records, and the HIPAA enforcement framework, including civil monetary penalties, resolution agreements, and corrective action plans, now applies to Part 2 violations.
The penalty exposure now mirrors HIPAA. Financial penalties moved from $500 for a first offense and $5,000 for subsequent offenses to the current HIPAA range, which in 2025 runs from $141 to $2.1 million per violation category per year, with criminal penalties also possible.
For a residential SUD program in Florida or an opioid treatment program in Ohio, this means the breach response plan has to explicitly address Part 2 records. Every AHS client we have walked through Part 2 readiness in the last twelve months has needed three things rebuilt: EHR audit logging, breach risk-assessment template, and notification letter templates. Old HIPAA-only playbooks miss the Part 2 reporting path entirely.
OCR Director Paula M. Stannard framed the point directly in the enforcement announcement: “OCR is uniquely positioned to enforce patient rights and the regulated community’s obligations given our extensive experience administering compliance and enforcement programs for health information privacy, security, and breach notification under HIPAA.”
What Counsel and OCR Actually Want to See
Once the facts are clear, the work shifts to containment, remediation, and operational recovery. AHS coordinates the standard remediation set: securing compromised accounts and devices, resetting authentication, repairing vulnerabilities, restoring clean backups, activating encrypted internal communication channels, and verifying system integrity before returning to normal operations.
Notification documents are the next pressure point. Many covered entities notify HHS, state attorneys general, and affected patients but skip the media notice. Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are required to provide notice to prominent media outlets serving that state, and the media notice is itself a Breach Notification Rule requirement.
The penalties for getting the rest wrong are not abstract. In January 2025, Solara Medical Supplies paid $3,000,000 to OCR to resolve alleged violations of the HIPAA Security Rule and Breach Notification Rule tied to a 2019 phishing incident that exposed the ePHI of 114,007 individuals. OCR’s own findings in that case are the checklist behind every enforcement action: Solara failed to conduct a compliant risk analysis, failed to implement security measures sufficient to reduce the risks, and failed to provide timely breach notification to individuals, HHS, and the media.
Months after the immediate work ends, the regulatory follow-up arrives: audits, corrective action plans, documentation requests, and inquiries about security practices before the breach. AHS prepares clients for that second wave by building integrated corrective action plans that pair technical fixes with policy updates, workforce training, and governance reinforcement.
Preparation Is the Only Real Defense
The strongest breach response starts long before the breach. In its 2024 Report to Congress, OCR specifically cited incomplete risk analyses, excessive user privileges enabling lateral movement, and weak authentication, including default passwords and single-factor remote access, as the most consistently identified failures across breach investigations. Those are the same items OCR keeps writing into resolution agreements.
For behavioral health operators specifically, AHS recommends five concrete pre-breach actions:
- A documented breach response plan that explicitly addresses Part 2 records
- An annual risk analysis, dated and signed
- Tabletop exercises with IT and clinical leadership
- Business associate agreement audits with every EHR and billing vendor
- Workforce training tracked at the individual level
HHS requires entities to retain breach documentation for at least six years. None of this is about avoiding scrutiny. Operators need to be able to show, on the day an OCR investigator or a Florida AHCA surveyor or an Ohio Department of Mental Health and Addiction Services reviewer asks, that they understood the risk, mitigated it, and acted within the timelines the regulation requires.
That is the work AHS does as the operational anchor when a breach happens, and the planning work AHS does before it does.
Frequently asked questions
How quickly does a behavioral health provider have to report a PHI breach to OCR?
For breaches affecting 500 or more individuals, providers must notify affected individuals, HHS OCR, and prominent media in the affected state without unreasonable delay and no later than 60 calendar days from the date of discovery, per 45 CFR 164.404. For breaches affecting fewer than 500 individuals, providers log the incident and submit to OCR no later than 60 days after the end of the calendar year in which the breach was discovered. The clock starts on the discovery date, not the date the investigation concludes.
Do SUD records require a separate breach report under 42 CFR Part 2?
Yes. Beginning February 16, 2026, OCR began accepting breach notifications involving SUD patient records under Part 2 alongside its existing PHI breach reporting. A single incident at a Part 2 program that exposes both PHI and SUD records can generate two federal reports, and civil monetary penalty exposure now mirrors the HIPAA tiered schedule, which in 2025 runs from $141 to roughly $2.1 million per violation category per year.
What are OCR’s most common findings in breach-related enforcement actions?
OCR’s 2024 Report to Congress identified incomplete risk analyses, excessive user privileges enabling lateral movement, and weak authentication practices such as default passwords and single-factor remote access as the most consistently identified failures across breach investigations. The Solara Medical Supplies settlement in January 2025, in which Solara paid $3,000,000 to OCR after a phishing incident exposed the ePHI of 114,007 individuals, cited the same pattern: failure to conduct a compliant risk analysis, failure to implement sufficient security measures, and failure to provide timely breach notification to individuals, HHS, and the media.
How much does a healthcare data breach actually cost?
IBM’s 2025 Cost of a Data Breach Report puts the average healthcare incident at $7.42 million, the highest of any industry for the 14th consecutive year, with a mean 279 days to identify and contain, roughly five weeks longer than the global average. For behavioral health operators, the cost stack also includes OCR civil monetary penalties, state attorney general fines, class action exposure, and business associate remediation obligations.
References
- 45 CFR 164.404. Notification to Individuals (eCFR)
- HHS OCR, Annual Report to Congress on Breaches of Unsecured Protected Health Information, Calendar Year 2024
- HHS Press Release: Office for Civil Rights Announces Civil Enforcement Program for Confidentiality of Substance Use Disorder Patient Records (February 13, 2026)
- HHS OCR, Solara Medical Supplies, LLC Resolution Agreement and Corrective Action Plan
- IBM, Cost of a Data Breach Report 2025
- HIPAA Journal: February 16, 2026 Compliance Deadline for Part 2 Final Rule
- HHS OCR Breach Reporting Portal