42 CFR Part 2 vs. HIPAA: SUD Records Explained
How 42 CFR Part 2 creates stricter protections for substance use disorder treatment records than HIPAA, what disclosures require patient consent, and what clinics offering SUD services must do beyond their HIPAA compliance program.
Short answer
42 CFR Part 2 imposes stricter consent requirements on records related to substance use disorder treatment at federally assisted programs. It operates alongside HIPAA and, in most cases, is more restrictive. The 2024 amendments aligned Part 2 more closely with HIPAA's treatment, payment, and healthcare operations exceptions, but the patient consent requirement for most disclosures remains stricter than HIPAA's authorization standard.
42 CFR Part 2 is the federal regulation that governs the confidentiality of records related to patients receiving substance use disorder (SUD) treatment at federally assisted programs. It exists alongside HIPAA and, in almost every situation where both apply, imposes more restrictive requirements.
A clinic that provides SUD treatment or is part of a federally assisted program offering SUD services needs a Part 2 compliance program that operates in addition to — not instead of — its HIPAA compliance program.
Scope: which programs and records Part 2 covers
Part 2 applies to records of patients diagnosed, treated, or referred for treatment of a substance use disorder at a program that is federally assisted. Federal assistance is defined broadly and includes programs that receive Medicare or Medicaid funding, are conducted by a federal agency such as the VA, or are authorized by a federal DEA registration to dispense controlled substances. Most SUD treatment facilities that bill federal health programs fall within scope.
Part 2 covers any information — whether recorded or not — that would identify a patient as having or having had a substance use disorder, as receiving or having received SUD treatment, or as participating in a Part 2 program. This is broader than the definition of a medical record. A receptionist who verbally confirms a patient’s enrollment is subject to Part 2 for that oral statement.
The consent requirement
HIPAA permits disclosures for treatment, payment, and healthcare operations without individual patient authorization. Part 2 does not. Before the 2024 amendments, a Part 2 program generally had to obtain written patient consent before disclosing records to any external party, including other treating providers.
The 2024 SAMHSA final rule (published February 8, 2024; most provisions effective April 2024 with a phased compliance timeline for program-level changes) created a more workable consent model for treatment purposes. A patient may now sign a general consent that allows the Part 2 program to disclose records to any of the patient’s treating providers for purposes of treatment, payment, and healthcare operations. This removes the requirement for a separate consent for each disclosure to each provider.
However, several requirements remain stricter than HIPAA:
- Consent must include specific elements that Part 2 mandates in the written document.
- Recipient providers must be notified that they have received Part 2-protected information.
- Those recipients generally cannot redisclose the records without the patient’s further consent, with limited exceptions.
- Disclosure without consent for public health, law enforcement, or research purposes follows narrower Part 2 exceptions rather than the HIPAA exception framework.
Penalties
HIPAA violations result in civil monetary penalties imposed by OCR, with a tiered structure based on culpability. Part 2 violations carry federal criminal penalties under 42 U.S.C. 290dd-2 for knowing and intentional violations. This is a meaningful difference: a clinical staff member who improperly discloses Part 2 records faces potential criminal exposure, not just a regulatory fine against the organization.
What SUD-treating clinics must do beyond their HIPAA program
- Identify which programs within the clinic qualify as federally assisted programs under Part 2.
- Maintain separate Part 2 consent forms with required elements distinct from a standard HIPAA authorization.
- Train staff specifically on Part 2’s disclosure restrictions, including the prohibition on redisclosure.
- Implement procedures to flag Part 2 records in the clinic’s EHR or record-keeping system so that staff handling those records are aware of the additional restrictions.
- Review the 2024 SAMHSA final rule to understand which treatment-purpose disclosures are now permitted under the general consent model.