42 CFR Part 2 and HIPAA: Substance Use Records in Small Clinics
How 42 CFR Part 2 protects substance use disorder treatment records, how it interacts with HIPAA, and which clinics are subject to it.
Short answer
42 CFR Part 2 is a separate federal regulation that gives substance use disorder treatment records stronger protections than HIPAA. Practices that operate or hold themselves out as SUD treatment programs need to understand both rules and how they interact.
42 CFR Part 2 is one of the most misunderstood rules in health information privacy. It is a separate federal regulation, not part of HIPAA, and it applies to a specific category of records: substance use disorder (SUD) treatment information held by federally assisted SUD treatment programs. For practices that operate an SUD service line, the consequences of getting it wrong are significant. For practices that do not, the question is whether Part 2 applies at all.
What is 42 CFR Part 2?
Part 2 was adopted decades ago to encourage people to seek SUD treatment without fear that their records would be used against them in employment, criminal proceedings, or family disputes. The regulation creates strict confidentiality protections for records of any patient who has applied for, received, or is otherwise identified as receiving SUD diagnosis, treatment, or referral from a covered program.
The rule is administered by the Substance Abuse and Mental Health Services Administration (SAMHSA), and it has been periodically updated, including reforms intended to align it more closely with HIPAA’s consent and disclosure framework.
How Part 2 differs from HIPAA
HIPAA permits a covered entity to use and disclose PHI for treatment, payment, and health care operations without a patient’s authorization. Part 2 has historically taken the opposite default. Most disclosures require a written patient consent that names the recipient, the purpose, and an expiration date or event.
Several other differences matter in day-to-day operations:
- Part 2 records generally cannot be disclosed in response to a subpoena, search warrant, or law enforcement request without a qualifying court order, with narrow exceptions.
- Re-disclosure restrictions follow Part 2 information when it leaves the program. The recipient is bound by Part 2’s restrictions, which is why standard “prohibition on re-disclosure” notices accompany Part 2 records.
- Protection of patient identifying information extends to the fact that a person has any relationship with an SUD program, not just to the clinical detail.
When both HIPAA and Part 2 apply to the same record, the more restrictive standard governs that specific disclosure.
Who is subject to Part 2?
This is the question most small practices need to answer first. Part 2 applies to a “program,” which the regulation defines to include individuals or entities, other than general medical facilities, that hold themselves out as providing and do provide SUD diagnosis, treatment, or referral. It also covers identified units within general medical facilities, and medical personnel within general medical facilities whose primary function is the provision of SUD diagnosis, treatment, or referral.
Practical implications:
- A general primary care practice that occasionally treats patients with SUD as part of overall care is usually outside Part 2.
- A primary care practice that runs a clearly identified medication-assisted treatment (MAT) program is more likely to fall under Part 2.
- A behavioral health group that markets SUD counseling, intensive outpatient programs, or detox services is almost certainly a Part 2 program.
Federal assistance is interpreted broadly and includes programs authorized, certified, licensed, or funded in whole or in part by any federal department or agency. That includes programs authorized to bill Medicare or Medicaid for SUD services and DEA-registered providers prescribing controlled substances for SUD.
Practical implications
If your practice is or may be a Part 2 program, three operational consequences usually need attention first:
- Consent forms must meet Part 2’s specific content requirements, not just HIPAA’s authorization requirements.
- EHR configuration needs to segregate Part 2 records or at least flag them so they are not auto-released through standard release of information workflows.
- Front-desk and billing staff need scripts for situations where a family member, employer, or law enforcement contact asks about a patient. Confirming that someone is a patient at a Part 2 program is itself a disclosure.
Recent regulatory changes
In recent years, regulators have moved Part 2 closer to HIPAA in several respects, including allowing a single patient consent to cover treatment, payment, and health care operations once consent is given, and aligning breach notification expectations. The substance of Part 2’s protections, including the consent requirement and the restrictions on disclosures to law enforcement, remains in place. Because the rules continue to evolve, verify the current text on eCFR and review SAMHSA guidance before designing or revising a Part 2 program’s policies.
Where to go next
For the underlying HIPAA rules that still apply to Part 2 records, see our HIPAA authorization vs. consent guide. The HIPAA basics hub collects the rest of the foundational topics. PHIGuard’s HIPAA compliance platform helps small clinics document the policies, training, and consents that Part 2 programs need to layer on top of HIPAA.