42 CFR Part 2 Updated Rules: What Clinics Treating Substance Use Disorders Must Know
The 2024 amendments to 42 CFR Part 2 change the consent model for SUD records, add breach notification requirements, and align more closely with HIPAA — but Part 2 remains stricter in critical areas. What clinics treating substance use disorder patients must know.
Short answer
The 2024 amendments to 42 CFR Part 2 (effective February 2024, compliance date February 2026) allow patients to consent to broader future disclosures for treatment, payment, and healthcare operations — aligning more closely with HIPAA. But Part 2's prohibition on use of SUD records in criminal proceedings and the prohibition on re-disclosure without consent remain stricter than HIPAA. Clinics treating SUD patients must update consent forms and policies.
If your clinic provides diagnosis, treatment, or referral for substance use disorders, it operates under 42 CFR Part 2 — a federal confidentiality regulation stricter than HIPAA in most respects. The 2024 amendments (Federal Register Vol. 89 No. 26, February 8, 2024) changed how Part 2 programs handle patient consent and breach notification, but the core protections that make Part 2 stricter than HIPAA remain intact. The compliance date is February 16, 2026.
This article covers who Part 2 applies to, what the 2024 amendments changed, what stayed the same, and the practical steps Part 2 programs must take by February 2026.
What Is 42 CFR Part 2?
History and purpose
42 CFR Part 2 was promulgated under 42 U.S.C. § 290dd-2, which directs SAMHSA to protect the confidentiality of records of patients receiving treatment for substance use disorders at federally assisted programs. The regulation was designed to address a specific barrier to SUD treatment: patients avoiding care because they feared their treatment records could be used against them in criminal or civil proceedings. By imposing confidentiality protections stricter than HIPAA, Part 2 was intended to reduce that deterrence.
Who is a Part 2 program
A Part 2 program is any individual or entity that is federally assisted and holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. Federally assisted means:
- Conducted directly by a federal agency;
- Authorized to conduct business by any federal department or agency;
- Receiving any federal funds in any amount even indirectly (through Medicare, Medicaid, or federal block grants);
- Assisted by the United States to obtain a DEA registration to dispense controlled substances.
Because Medicare and Medicaid qualification counts as federal assistance, most clinics that bill these programs and provide any SUD services are Part 2 programs for those services. A primary care clinic that includes substance use disorder treatment in its services and bills Medicare is a Part 2 program for its SUD services.
What the 2024 Amendments Changed
SAMHSA published the Final Rule amending 42 CFR Part 2 on February 8, 2024, in the Federal Register (Vol. 89 No. 26, pages 8487-8556). The compliance date is February 16, 2026. The amendments make several important changes.
New consent model: disclosures for treatment, payment, and healthcare operations
The old model. Before the 2024 amendments, 42 CFR Part 2 required consent for each individual disclosure of SUD records. A patient needed to consent separately to each provider who would receive records, each insurer who would process claims, and each other entity who would receive SUD information. This was significantly more burdensome than HIPAA, which permits covered entities to use and disclose PHI for treatment, payment, and healthcare operations without authorization.
The new model. Under the 2024 amendments, a patient can sign a consent form that authorizes disclosures to identified entities (or classes of entities, such as “all treating providers” or “health insurers”) for the purposes of treatment, payment, and healthcare operations. This does not fully align Part 2 with HIPAA — the patient still must consent, and the consent must identify specific types of recipients — but it eliminates the requirement for a separate consent for every individual disclosure.
What this means in practice. A Part 2 program can now give patients a consent form at intake that covers future disclosures to:
- Other healthcare providers involved in the patient’s care;
- Health insurers for claims processing;
- Parties supporting the patient’s healthcare operations needs (such as quality improvement and care coordination).
The consent form must still identify: the specific name or general designation of the recipients, what information may be disclosed, the purposes of the disclosure, and the patient’s right to revoke consent. A blank authorization covering “anyone” does not satisfy Part 2, even after the 2024 amendments.
New breach notification requirements
The 2024 amendments add breach notification requirements to Part 2 that mirror HIPAA’s Breach Notification Rule (45 CFR Part 164, Subpart D):
Individual notification. When a Part 2 program discovers a breach of unsecured Part 2 records, it must notify affected individuals in writing within 60 days of discovering the breach. The notice must include a description of what happened, the types of information involved, what the program is doing to investigate and protect against further harm, and contact information.
HHS/SAMHSA notification. Part 2 programs must notify HHS of breaches. For breaches affecting 500 or more individuals in a state, notification must be made immediately (within 60 days of discovery). For smaller breaches, the program must maintain a log and submit the log to HHS annually. This mirrors HIPAA’s breach reporting structure.
Media notification. For breaches affecting 500 or more individuals in a state, Part 2 programs must also notify prominent local media, consistent with HIPAA’s media notification requirement.
The breach notification framework is new to Part 2. Before the 2024 amendments, Part 2 did not have an explicit breach notification requirement — programs relied on HIPAA’s Breach Notification Rule where applicable. Now Part 2 has its own parallel obligation.
Important: The breach notification requirements for Part 2 programs create a dual obligation — programs must notify under both Part 2 and HIPAA (if they are covered entities). The standards are similar but the programs must ensure both sets of requirements are met. See HIPAA breach notification templates for a template that can be adapted to include Part 2 elements.
Clarified patient rights
The 2024 amendments clarify and strengthen patient rights under Part 2, aligning them more closely with HIPAA’s patient rights provisions:
Right of access. Patients have the right to access their own Part 2 records. The access right follows HIPAA’s framework — records must be provided within 30 days of a request, with a 30-day extension available.
Right to request restrictions. Patients may request restrictions on certain uses and disclosures of their Part 2 records. Programs must accommodate reasonable requests.
Accounting of disclosures. Patients have the right to receive an accounting of disclosures of their Part 2 records for purposes other than treatment, payment, and healthcare operations.
What Did NOT Change: Part 2 Remains Stricter Than HIPAA
The 2024 amendments brought Part 2 closer to HIPAA in the consent model and added HIPAA-parallel breach notification requirements. But the core protections that make Part 2 fundamentally different from HIPAA are unchanged.
Prohibition on use in legal proceedings
42 CFR § 2.12(d) prohibits the use of Part 2 records in any civil, criminal, administrative, or legislative proceeding without the patient’s written consent or a court order meeting specific requirements. This prohibition covers:
- Criminal prosecutions;
- Civil lawsuits;
- Employment proceedings;
- Child custody and child welfare proceedings;
- Administrative proceedings.
HIPAA’s Privacy Rule has broad law enforcement exceptions that allow disclosure of PHI for many law enforcement purposes without patient authorization. Part 2 has no equivalent general law enforcement exception. A law enforcement officer investigating a crime cannot obtain Part 2 records without a court order — even for serious crimes where HIPAA would allow disclosure.
This protection is foundational to Part 2’s policy objective: ensuring that seeking SUD treatment does not expose the patient to criminal prosecution based on their own treatment records.
Anti-re-disclosure requirement
Under 42 CFR § 2.32, a recipient of Part 2 records may not re-disclose those records without the patient’s consent or a court order. Every disclosure of Part 2 records must include a notice to the recipient that the information cannot be re-disclosed except as permitted by Part 2.
HIPAA’s re-disclosure rules are less restrictive — a covered entity that receives PHI for treatment purposes may use it for treatment, and business associates may re-disclose within the limits of their BAAs. Part 2’s no-re-disclosure rule is stricter and must be communicated with every disclosure.
Prohibition on use for central registries
Part 2 prohibits disclosures to central registries established for the purpose of identifying patients receiving SUD treatment. This addresses the specific concern that SUD patients could be tracked or identified through database aggregation.
Interplay with HIPAA for Mixed Programs
Many clinics treat patients for both SUD and non-SUD conditions. These mixed programs must maintain two parallel compliance frameworks.
Which records are subject to Part 2?
Part 2 applies to records that would identify a patient as having or having had a substance use disorder or as being referred for SUD treatment. This includes:
- Clinical notes specifically addressing substance use diagnosis or treatment;
- Medication records for medications used primarily in SUD treatment (buprenorphine, naltrexone, methadone);
- Lab results ordered specifically to monitor SUD treatment;
- Referral records for SUD specialty services.
Records of non-SUD treatment at the same facility are generally PHI under HIPAA but are not Part 2 records — unless the record itself would reveal the patient’s SUD status.
EHR configuration
For clinics with integrated EHR systems treating both SUD and non-SUD patients, EHR configuration must ensure that Part 2 records are:
- Segregated from general medical records;
- Not accessible through standard records release workflows;
- Flagged for the enhanced consent process before any disclosure;
- Subject to the no-re-disclosure notice whenever released.
Configure your EHR to enforce Part 2 consent verification before releasing SUD-related records. Confirm with your EHR vendor that the system supports Part 2 compliance as a discrete feature — not all EHR systems do.
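A minimal sketch of the consent-verification gate described above, as an added example rather than code from any EHR product or from this article's publisher. The field names, the `release` function, and the notice placeholder are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Placeholder only: the required notice wording is not given on this page.
REDISCLOSURE_NOTICE = "[Part 2 no-re-disclosure notice text goes here]"
BLANKET = frozenset({"anyone", "*"})  # blank authorizations never match

@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    part2: bool       # True if the record would reveal SUD status
    info_type: str    # e.g. "medication", "clinical_note"

@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipients: frozenset   # names or general designations
    info_types: frozenset   # what information may be disclosed
    purposes: frozenset     # e.g. {"treatment", "payment"}
    revoked_on: Optional[date] = None

class ReleaseDenied(Exception):
    """Raised when no valid Part 2 consent covers the requested release."""

def covers(c, rec, recipient, designation, purpose, today):
    named = c.recipients - BLANKET  # drop "anyone"-style entries
    return (c.patient_id == rec.patient_id
            # Assumption: a revocation takes effect on its recorded date.
            and (c.revoked_on is None or today < c.revoked_on)
            and bool(named & {recipient, designation})
            and rec.info_type in c.info_types
            and purpose in c.purposes)

def release(rec, recipient, designation, purpose, consents, today):
    """Gate a release: returns the disclosure package or raises ReleaseDenied."""
    if not rec.part2:
        # Non-Part 2 records stay on the standard release workflow.
        return {"record_id": rec.record_id, "workflow": "standard", "notice": None}
    if not any(covers(c, rec, recipient, designation, purpose, today) for c in consents):
        raise ReleaseDenied(f"no valid consent for {rec.record_id} -> {recipient}")
    # Every Part 2 disclosure carries the no-re-disclosure notice.
    return {"record_id": rec.record_id, "workflow": "part2", "notice": REDISCLOSURE_NOTICE}
```

The gate fails closed: a flagged record with no matching, unrevoked consent raises instead of falling through to the standard release path.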
BAAs and Part 2 Qualified Service Organizations
Under 42 CFR Part 2, a business receiving Part 2 records to perform services on behalf of a Part 2 program must enter into a Qualified Service Organization (QSO) agreement — not merely a standard HIPAA BAA. The QSO agreement requires the business to acknowledge that it is bound by Part 2 and to implement appropriate safeguards. Review all existing BAAs with vendors who handle SUD records to determine whether they need to be converted to QSO agreements.
See how small clinics track vendor BAAs for the general BAA management framework and note that Part 2 vendors require the additional QSO agreement step.
Compliance Deadlines
| Requirement | Compliance Date |
|---|---|
| New consent model for TPO disclosures | February 16, 2026 |
| Breach notification (individual, HHS, media) | February 16, 2026 |
| Updated patient rights (access, restrictions, accounting) | February 16, 2026 |
| No-re-disclosure notice requirement | February 16, 2026 |
Programs must update consent forms, patient rights notices, breach notification procedures, and QSO agreements by February 16, 2026.
Action Items for Part 2 Programs
1. Update consent forms. Revise patient consent forms to use the new Part 2 consent model, allowing patients to authorize future disclosures for treatment, payment, and healthcare operations. Confirm that consent forms identify recipient categories, purposes, and the patient’s right to revoke.
2. Implement breach notification procedures for Part 2. Create a breach notification procedure that covers both HIPAA Breach Notification Rule requirements and Part 2’s parallel breach notification obligations. Identify who is responsible for Part 2 breach assessment and notification.
3. Audit EHR configuration for Part 2 segregation. Confirm that your EHR segregates Part 2 records from general medical records and enforces the Part 2 consent workflow before releasing SUD-related records. If the EHR does not support this, consult with your EHR vendor.
4. Convert applicable BAAs to QSO agreements. Identify all vendors who receive Part 2 records (billing companies, EHR vendors, care coordination platforms). Confirm they have QSO agreements in place, not just standard HIPAA BAAs.
5. Train staff on the 2024 amendments. Ensure all staff who handle Part 2 records understand the new consent model, the no-re-disclosure requirement, and the prohibition on use in legal proceedings. Document the training.
6. Document risk analysis including Part 2 risks. Use the HIPAA risk analysis worksheet and add Part 2-specific risk factors: consent adequacy, EHR segregation, QSO agreement coverage, and legal proceeding disclosure safeguards.
Sources
- 42 CFR Part 2 (2024 amendments) — Confidentiality of Substance Use Disorder Patient Records · eCFR
- Federal Register Vol. 89 No. 26, February 8, 2024 — Confidentiality of SUD Patient Records Final Rule · Federal Register / SAMHSA
- SAMHSA 42 CFR Part 2 Guidance · SAMHSA
- 45 CFR Parts 160 and 164 — HIPAA Privacy and Security Rules · eCFR