To protect patients seeking addiction treatment, the federal government passed strict regulations limiting the disclosure of substance abuse patient records. Substance abuse treatment programs must not only comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) but also Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 CFR Part 2.
In February 2024, the U.S. Department of Health & Human Services (HHS) finalized major changes to Part 2 that significantly align it with HIPAA while maintaining critical protections for substance use disorder patients. Healthcare providers subject to Part 2 must fully comply with these new requirements by February 2026.
Is Your Substance Abuse or Mental Health Facility in Compliance With 42 CFR Part 2?
While nearly every healthcare professional receives HIPAA training, they often move practices and facilities, and you cannot assume their previous practice provided compliance training for 42 CFR Part 2 – especially the significant changes implemented in the 2024 Final Rule.
If you are involved in substance-use disorder treatment, ask yourself the following questions:
- Are you confident that your facility follows the 42 CFR Part 2 Final Rule published in February 2024?
- Have you updated your consent forms to reflect the new single-consent option for treatment, payment, and operations?
- Are you confident that your staff is aware of the stricter standard and the new provisions around SUD counseling notes?
- Have you implemented the new breach notification procedures aligned with HIPAA?
- Do you have policies in place for the new patient rights, including direct complaint filing with HHS?
If the answer to either of these questions is no, you need to take steps to keep your facility and your staff into compliance before the February 2026 deadline.
What Is 42 CFR Part 2?
Title 42 of the Code of Federal Regulations Part 2 (42 CFR Part 2) is a federal law that protects the privacy rights of people seeking treatment for substance abuse disorders. The law is designed to reassure patients that sharing information about past or current drug use will not result in adverse consequences related to criminal proceedings or domestic proceedings, such as those related to child custody, divorce, or employment.
How Do I Know If 42 CFR Part 2 Applies to My Facility or Program?
Part 2 only applies to federally assisted substance use programs, known as “Part 2 programs.”
“Federally assisted”, as defined by § 2.12 (b), generally encompasses any program that receives federal funding, is conducted by the federal government, is considered tax exempt by the IRS, is registered with the DEA to dispense controlled substances for the treatment of substance abuse, or receives Medicaid or Medicare reimbursement.
A “program” is defined as
- An individual/entity other than general medical facility which holds itself out as providing and provides alcohol/drug diagnosis, treatment, or referral for treatment; or
- An identified unit within a general medical facility which holds itself out as providing and provides alcohol/drug diagnosis, treatment, or referral for treatment; or
- Medical personnel or other staff in a general medical care facility whose primary function is the provision of alcohol/drug diagnosis, treatment, or referral for treatment and who are identified as such.
What Are the Requirements for Providers Under 42 CFR Part 2?
Under 42 CFR Part 2, substance use treatment providers may not share a substance abuse disorder patient’s record, nor disclose any information within those records, without express written permission from the patient.
Exceptions: Subject to certain considerations outlined in Part 2, providers can disclose patient information without written consent in:
- Internal communications
- Medical emergencies
- Reports of crimes on the provider's premises or against provider personnel
- Allegations of child abuse or neglect (when required by state law)
- Qualified audits or evaluations
- Research
- Communication with qualified service organizations (that provide services to the provider)
- NEW: De-identified disclosures to public health authorities (when de-identified according to HIPAA Privacy Rule standards)
Critical Restriction: Providers CANNOT share records with law enforcement without patient consent or a special court order that meets Part 2's stringent requirements – even if officers have a general court order or subpoena. Part 2's court order requirements are more demanding than those under HIPAA.
Major Changes in the 2024 Final Rule
The February 2024 Final Rule implements the confidentiality provisions of the Coronavirus Aid, Relief, and Economic Security (CARES) Act (enacted March 27, 2020), which required HHS to align certain aspects of Part 2 with HIPAA.
Key changes include:
1. Single Consent for Treatment, Payment, and Health Care Operations (TPO)
Under the 2024 Final Rule, patient consent can now be given once for all future uses and disclosures for treatment, payment, and healthcare operations. This represents a significant change to better align Part 2 with HIPAA and reduce the administrative burden.
Once this broad consent is obtained, HIPAA-covered entities and business associates that receive records under this consent can redisclose the records in accordance with the HIPAA Privacy Rule, until the patient revokes the consent.
Important Limitations:
- SUD Counseling Notes (similar to HIPAA's psychotherapy notes protection) require separate, specific consent and cannot be disclosed based on broad TPO consent alone
- Uses and disclosures for civil, criminal, administrative, or legislative proceedings must use a separate consent form and cannot be combined with TPO consent
- Each disclosure made with patient consent must include a copy of the consent or a clear explanation of the scope of the consent
Patient consent must always be written and can include explicit information about the records to be shared and list the names of individuals or entities who will receive the information.
2. SUD Counseling Notes Protection
The 2024 Final Rule creates a new definition for SUD counseling notes – a clinician's notes analyzing the conversation in an SUD counseling session that the clinician voluntarily maintains separately from the rest of the patient's SUD treatment and medical record.
These notes receive extra protection similar to HIPAA's psychotherapy notes:
- They require specific patient consent
- They cannot be used or disclosed based on a broad TPO consent
- They must be kept separate from the patient's regular medical record
This provision recognizes the particularly sensitive nature of detailed counseling session notes and provides an additional layer of privacy protection.
3. Aligned Breach Notification Requirements
The Final Rule applies the same requirements as the HIPAA Breach Notification Rule when covered records are breached. This means Part 2 programs must:
- Provide notification of breaches to affected individuals
- Notify the Secretary of the Department of Health and Human Services
- In certain circumstances, notify the media
- If you're a business associate, notify covered entities when a breach occurs at or by your organization
4. Updated Penalties and Enforcement
The 2024 Final Rule aligns Part 2 penalties with HIPAA enforcement by replacing the previous criminal-only penalties (under Title 18 of the United States Code) with both civil and criminal enforcement authorities that also apply to HIPAA violations.
This change allows for graduated penalties based on the level of culpability:
- Penalties now align with HIPAA's tiered structure
- Both civil monetary penalties and criminal penalties may apply
- Enforcement follows the same framework as HIPAA violations
5. New Patient Rights
The February 2024 Final Rule introduced several important new protections and rights for patients:
- Right to File Complaints Directly with HHS. Patients now have the right to file complaints directly with the Secretary of HHS for alleged Part 2 violations. Patients may also concurrently file a complaint with the Part 2 program itself.
- Fundraising Opt-Out Right. Patients have the right to opt out of receiving fundraising communications from Part 2 programs, similar to HIPAA protections.
- Aligned Patient Notice Requirements. Part 2 Patient Notice requirements now align with the requirements of the HIPAA Notice of Privacy Practices, streamlining compliance for dual-covered entities.
6. Safe Harbor for Investigative Agencies
The 2024 Final Rule creates a safe harbor provision that limits civil or criminal liability for investigative agencies that act with reasonable diligence before requesting records.
To qualify for this protection, investigative agencies must:
- Check SAMHSA's online treatment facility locator to determine if a provider is a Part 2 program
- Review the provider's Patient Notice or HIPAA Notice of Privacy Practices
- Take specific remedial steps if they discover they received Part 2 records without first obtaining the requisite court order
This provision clarifies expectations for law enforcement while maintaining robust patient protections.
What Has NOT Changed in Part 2?
Certain core protections remain unchanged since the publication of the February 2024 Final Rule:
- Protection against use in legal proceedings: Patients' SUD treatment records still cannot be used to investigate or prosecute the patient without written patient consent or a court order that meets Part 2's strict requirements
- Audit protections: Records obtained in an audit or evaluation of a Part 2 program cannot be used to investigate or prosecute patients, absent written consent or a qualifying court order
How Does 42 CFR Part 2 Differ From HIPAA?
The Federal CARES Act required HHS to align 42 CFR Part 2 more closely with HIPAA. However, distinct and important differences remain:
- Law enforcement cannot access treatment records covered by 42 CFR Part 2 without a special court order that depends on the satisfaction of higher standards. HIPAA generally allows law enforcement to access medical and treatment records.
- Part 2’s privacy protections follow the records after they are disclosed. A notice prohibiting re-disclosure must accompany the records and the recipient of the disclosed records must also abide by 42 CFR Part 2 (though under the 2024 rule, HIPAA-covered entities receiving records under a TPO consent may redisclose according to HIPAA rules).
- HIPAA applies to most types of patient information, while 42 CFR Part 2 only protects substance use disorder information.
- SUD counseling notes receive heightened protection under Part 2. Psychotherapy notes receive similar heightened protection under HIPAA, but the definitions and requirements differ slightly.
Beware: Just because something is allowed under HIPAA does not mean it is allowed under 42 CFR Part 2. When in conflict, the more restrictive law always prevails.
IMPORTANT: Compliance Deadline
Healthcare providers subject to Part 2 must comply with the new Final Rule requirements by February 2026 (two years after publication in the Federal Register). This includes updating consent forms, patient notices, policies and procedures, and staff training.
How Can I Learn More About Compliance with 42 CFR Part 2?
Hendershot Cowart P.C. helps federally assisted substance abuse treatment facilities, providers treating opioid use disorders or prescribing opioid addiction treatment medications, primary care physicians, family doctors, mental health therapists, psychiatrists, and medical labs comply with 42 CFR Part 2.
Whether you want to ensure your practice is compliant with the updated 42 CFR Part 2 requirements before the February 2026 deadline, need assistance updating consent forms and policies, or require defense against enforcement actions, we strive to exceed your expectations.