On February 19, 2026, the HHS Office for Civil Rights made a quiet announcement that should have every substance abuse treatment provider in the country paying attention.
A Milan, Illinois addiction treatment center called Top of the World Ranch Treatment Center just agreed to pay $103,000 and submit to two years of federal monitoring – all because an employee clicked the wrong email.
That’s not the scary part. The scary part is why this settlement hits differently than most.
What Happened at Top of the World Ranch
In November 2022, someone at Top of the World Ranch fell for a phishing email and handed over their login credentials. A hacker had access to that email account for a matter of hours – but that was enough. When investigators reviewed what was in that inbox, they found the protected health information of 1,980 patients. Names. Social Security numbers. Diagnoses. Treatment records. Insurance information.
The facility reported the breach in March 2023, OCR launched an investigation, and here’s what they found: Top of the World Ranch had never done a proper risk analysis.
Not “they did a bad one.” Not “it was outdated.” They hadn’t run one at all.
That single failure – not assessing where their vulnerabilities were, not identifying what needed protecting – turned a phishing incident into a six-figure settlement and a two-year corrective action plan.
This is OCR’s 11th enforcement action under its Risk Analysis Initiative. That initiative was launched specifically to go after covered entities that skip the risk analysis step. OCR has been extremely consistent: they will find you, they will investigate, and they will settle. The 2025 enforcement data shows risk analysis failures in 13 out of 20 cases – it’s the most common reason practices get fined.
The 42 CFR Part 2 Angle Changes Everything
Here’s what makes this settlement more than just another HIPAA fine story.
Top of the World Ranch is a substance use disorder (SUD) treatment provider. And on February 13, 2026 – six days before this settlement was announced – OCR officially launched its civil enforcement program for 42 CFR Part 2. Compliance became mandatory on February 16, 2026.
For those who aren’t familiar: 42 CFR Part 2 is a federal rule that has governed the confidentiality of substance use disorder patient records since the 1970s. It’s separate from HIPAA. It’s stricter than HIPAA. And until February 2026, it was enforced by the Substance Abuse and Mental Health Services Administration (SAMHSA), not OCR.
That changed. OCR now enforces both.
This matters enormously for behavioral health providers. The agency that aggressively pursues HIPAA breaches – the one with the Risk Analysis Initiative, the one that collected $6.6 million in fines in 2025 alone – now also has jurisdiction over your SUD patient records.
And the penalties? They align with HIPAA. That means fines can run from $145 to $73,011 per breach, with annual caps up to $2,190,294 for the same category of breach under the 2026 inflation-adjusted penalty schedule.
What 42 CFR Part 2 Actually Requires
The February 2026 rule update brought Part 2 closer to HIPAA, which sounds like simplification. In some ways it is. But compliance is still non-trivial.
The biggest practical change: patients can now give a single consent covering all future treatment, payment, and healthcare operations disclosures. Previously, you needed a new consent for each disclosure. That was genuinely burdensome, so this is a real improvement.
But the protections that make Part 2 strict are still fully in place:
SUD Counseling Notes Require Separate Consent
You cannot bundle a consent for counseling notes with consent for anything else. This is an absolute prohibition, not a best practice.
Consent Documentation Travels with the Record
When you disclose SUD records, a copy of the patient’s consent (or a clear explanation of its scope) must accompany those records. Every time.
Criminal Justice Protections Are Ironclad
A patient’s SUD records cannot be used to investigate or prosecute them without their written consent or a court order. Full stop. This applies even when law enforcement comes knocking.
Notice of Privacy Practices Must Be Updated
Your NPP needs to specifically inform patients that the use or disclosure of their Part 2 records for treatment, payment, and healthcare operations usually requires their written consent. If you haven’t updated your NPP since February 16, 2026, you’re already out of compliance. This is the kind of documentation requirement that OCR checks first – similar to the ‘addressable’ doesn’t mean ‘optional’ misunderstanding that trips up so many practices.
Who 42 CFR Part 2 Applies To
If your practice or organization qualifies as a “Part 2 Program,” you’re covered. That includes:
- Federally assisted substance abuse treatment programs
- Detox centers and residential treatment facilities
- Outpatient SUD counseling programs
- Methadone clinics and MAT (medication-assisted treatment) providers
- Employee assistance programs that provide SUD counseling
- Any provider that holds itself out as providing SUD diagnosis or treatment
If you’re a hospital, health system, or behavioral health network that also treats SUD patients, you likely have Part 2 duties even if SUD isn’t your primary focus.
4 Things You Need to Do Right Now
The Top of the World Ranch case is instructive because the fix is not complicated. The facility didn’t get fined for something exotic. They got fined for skipping the fundamentals.
1. Do a Risk Analysis – For Real
This isn’t a checkbox exercise. You need to identify every place ePHI lives in your organization (including SUD records), map how it moves, identify threats and vulnerabilities, and document your assessment of the risk level for each. If you’ve never done this, or if it’s been more than 12 months, do it now. The incoming HIPAA Security Rule update will likely require annual risk analyses – but even under current rules, OCR expects them to be current. Need a step-by-step walkthrough? The risk assessment guide covers what OCR actually looks for.
2. Update Your Notice of Privacy Practices
Your NPP needs to reflect both HIPAA and Part 2 rules. OCR released updated model notices in February 2026. Use them as a starting point. Patients need to understand what consent is required before their SUD records can be shared.
3. Train Your Staff on Phishing – Specifically
Top of the World Ranch’s breach started with one employee clicking one email. Security awareness training isn’t a one-time event. Your staff should know how to identify phishing attempts, what to do when they suspect one, and who to contact right away if they think they’ve been compromised. The UMMC ransomware case shows the same pattern at a larger scale – human error is consistently the entry point.
4. Lock Down Your Email with MFA
Email is the single most common entry point for healthcare data breaches. Multi-factor authentication on every email account is not optional if you’re handling SUD records. The incoming HIPAA Security Rule update will make MFA mandatory across the board – but for behavioral health providers under Part 2 scrutiny right now, waiting is a risk you can’t afford.
The Bottom Line for SUD Treatment Providers
OCR has made this very clear: they are actively pursuing risk analysis failures. They have a specific initiative for it. They’ve now executed 11 settlements under that initiative. And as of February 2026, they also own Part 2 enforcement.
If you run a substance abuse treatment program, a behavioral health practice, or any organization that touches SUD patient records, you are operating in the most scrutinized compliance environment in HIPAA history. The combination of HIPAA Security Rule enforcement and brand-new Part 2 authority means OCR has more tools and more jurisdiction than ever before.
Top of the World Ranch paid $103,000 and will spend two years under federal monitoring for a risk analysis they never did. That’s an avoidable outcome. Don’t make the same mistake.
Related Reading
- $6.6 Million in HIPAA Fines in 2025: Who Got Caught and Why
- How to Run a Risk Assessment That Won’t Get You Fined
- MFA Is About to Be Required for HIPAA
- HIPAA Fines Just Went Up – New Penalty Amounts for 2026
- The New HIPAA Security Rule Is Coming
Need help getting your practice in line with both HIPAA and 42 CFR Part 2? One Guy Consulting offers affordable HIPAA compliance packages. Explore HIPAA compliance services for behavioral health.