Stricter Than HIPAA: Is Your Substance Abuse Or Mental Health Program In Compliance With 42 CFR Part 2?

To protect patients seeking addiction treatment, the federal government passed strict regulations limiting the disclosure of substance abuse patient records. Substance abuse treatment programs must comply not only with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but also with the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2.

Is Your Substance Abuse Or Mental Health Facility In Compliance With 42 CFR Part 2?

While nearly every healthcare professional receives HIPAA training, they often move practices and facilities, and you cannot assume their previous practice provided compliance training for 42 CFR Part 2.

If you are involved in substance-use disorder treatment, ask yourself the following questions:

  • Are you confident that your facility is in compliance with 42 CFR Part 2?
  • Are you confident that your staff is aware of the stricter standard?

If the answer to either of these questions is no, you need to take steps to keep your facility and your staff compliant today.

What Is 42 CFR Part 2?

Title 42 of the Code of Federal Regulations Part 2 (42 CFR Part 2) is a federal law that protects the privacy rights of people seeking treatment for substance abuse disorders. The law is designed to reassure patients that sharing information about past or current drug use will not result in adverse consequences related to criminal proceedings or domestic proceedings, such as those related to child custody, divorce, or employment.

How Do I Know If 42 CFR Part 2 Applies To Me?

Part 2 only applies to federally assisted substance use programs, known as “Part 2 programs.”

  • “Federally assisted”, as defined by § 2.12 (b), generally encompasses any program that receives federal funding, is conducted by the federal government, is considered tax exempt by the IRS, is registered with the DEA to dispense controlled substances for the treatment of substance abuse, or receives Medicaid or Medicare reimbursement.
  • A “program” is defined as
    • An individual/entity other than a general medical facility which holds itself out as providing and provides alcohol/drug diagnosis, treatment, or referral for treatment; or
    • An identified unit within a general medical facility which holds itself out as providing and provides alcohol/drug diagnosis, treatment, or referral for treatment; or
    • Medical personnel or other staff in a general medical care facility whose primary function is the provision of alcohol/drug diagnosis, treatment, or referral for treatment and who are identified as such.

What Are the Requirements for Providers Under 42 CFR Part 2?

Under 42 CFR Part 2, substance use treatment providers may not share a substance abuse disorder patient’s record, nor disclose any information within those records, without express written permission from the patient.

Patient consent must always be written and can include explicit information about the records to be shared and list the names of individuals or entities who will receive the information.

Patient consent can also be given once for all future uses and disclosures. HIPAA-covered entities and business associates that receive records under this consent can redisclose the records in accordance with the HIPAA Privacy Rule, until the patient revokes the consent. 

Of course, some exceptions apply. Subject to certain considerations outlined in Part 2, providers can disclose patient information without written consent in:

  • Internal communications
  • Medical emergencies
  • Reports of crimes on the provider’s premises or against provider personnel
  • Allegations of child abuse or neglect (when required by state law)
  • Qualified audits or evaluations
  • Research
  • Communication with qualified service organizations (that provide services to the provider)

Keep in mind that providers CANNOT share records with law enforcement without patient consent or a special court order – even if officers have a general court order or a subpoena.

Privacy Breaches Under 42 CFR Part 2

42 CFR Part 2 applies the same requirements as the HIPAA Breach Notification Rule when covered records are breached. The HIPAA Breach Notification Rule requires HIPAA-covered entities and their business associates to provide notification following a breach of unsecured protected health information.

According to the Rule, “covered entities must provide notification of the breach to affected individuals, the Secretary [of Department of Health and Human Services], and, in certain circumstances, to the media. In addition, business associates must notify covered entities if a breach occurs at or by the business associate.”

How Does 42 CFR Part 2 Differ From HIPAA?

The Federal Coronavirus Aid, Relief, and Economic Security (CARES) Act signed March 27, 2020, required the Department of Health and Human Services (HHS) to align 42 CFR Part 2 more closely with HIPAA. These changes were finalized in February 2023.

However, distinct and important differences remain:

  • Law enforcement cannot access treatment records covered by 42 CFR Part 2 without a special court order that depends on the satisfaction of higher standards. HIPAA generally allows law enforcement to access medical and treatment records.
  • Part 2’s privacy protections follow the records after they are disclosed. A notice prohibiting re-disclosure must accompany the records and the recipient of the disclosed records must also abide by 42 CFR Part 2.
  • HIPAA applies to most types of patient information, while 42 CFR Part 2 only protects substance use disorder information.

Beware: Just because something is allowed under HIPAA does not mean it is allowed under 42 CFR Part 2. When in conflict, the more restrictive law always prevails.

What Are The Penalties For Violating 42 CFR Part 2?

Violating 42 CFR Part 2 has historically resulted in exposure to criminal fines under Title 18 of the United States Code. Pursuant to the CARES Act, penalties for violations of Part 2 now align with penalties for violations of HIPAA.

Fines are outlined in Title 18 of the U.S. Code.

How Can I Learn More About Compliance with 42 CFR Part 2?

Hendershot Cowart P.C. helps federally assisted substance abuse treatment facilities, providers treating opioid use disorders or prescribing opioid addiction treatment medications, primary care physicians, family doctors, mental health therapists, psychiatrists, and medical labs comply with 42 CFR Part 2. 

We have more than 100 years of combined experience helping healthcare providers with regulatory compliance. Our health and medical law practice is highly respected, and we have a strong record of results. We aim to be the go-to law firm for our healthcare clients, building relationships that serve a practice from entity formation and governance to compliance and litigation or investigation counsel.

Whether you want to double-check that your practice is compliant with 42 CFR Part 2 or fight fines under federal law, we strive to exceed your expectations.
