PHIGuard for Addiction Medicine Practices

HIPAA and 42 CFR Part 2 together create a dual compliance burden for SUD practices. PHIGuard helps addiction medicine clinics manage both without enterprise complexity.

Practice summary

Addiction medicine practices carry a compliance burden most clinics do not: HIPAA plus the separate, stricter confidentiality requirements of 42 CFR Part 2. This page covers the specific regulatory landscape for SUD treatment settings and how PHIGuard addresses it.

Running an addiction medicine practice means working under two separate federal confidentiality frameworks at the same time. HIPAA covers the full scope of protected health information. 42 CFR Part 2, administered by SAMHSA, adds stricter consent and disclosure requirements for substance use disorder treatment records. Most compliance tools and checklists are built for HIPAA alone. If you treat patients for opioid use disorder, alcohol dependence, or any other SUD, that is not enough.

The regulatory landscape for addiction medicine

HIPAA sets the baseline privacy and security obligations that apply to nearly every medical practice. You have probably dealt with its requirements for years: Notice of Privacy Practices, workforce training, risk assessments, BAAs with vendors, breach response.

42 CFR Part 2 operates on top of HIPAA, and its disclosure rules are stricter. Under standard HIPAA, you can share PHI with other treating providers without patient authorization. Under 42 CFR Part 2, disclosure of SUD treatment records generally requires written patient consent even for treatment purposes, with narrow exceptions. The consent form must meet specific requirements that differ from a standard HIPAA authorization, and patients can revoke consent at any time.

SAMHSA updated the Part 2 regulations in 2024 to align more closely with HIPAA in certain areas, particularly around permitted disclosures for treatment, payment, and health care operations with patient consent. The core principle remains: SUD records carry heightened confidentiality protections, and your practice needs documented procedures for both frameworks.

Most small addiction medicine practices do not have a dedicated compliance officer. The office manager or a senior clinical staff member handles both frameworks while also managing scheduling, billing, and everything else. That is the reality of how these practices operate.

Where compliance breaks down in SUD settings

Staff training on disclosure rules. Your front desk staff, care coordinators, and billing team must understand what they can and cannot say about whether a patient is even being seen at your practice. Under 42 CFR Part 2, confirming a patient’s treatment status to an outside caller — including a family member — can violate federal law without proper consent on file. A generic HIPAA module does not cover this distinction.

Consent management. Tracking which patients have consent forms on file, what those consents authorize, and when they expire or are revoked is administrative work that grows with your patient volume. An expired or missing consent form discovered during an audit is a problem. So is a staff member who shares information based on an old consent that was later revoked.

BAA gaps with behavioral health and lab partners. Addiction medicine practices often refer patients to behavioral health providers, send specimens to specialty labs, and use telehealth platforms for medication-assisted treatment follow-up. Each of those vendors is a business associate under HIPAA. Getting BAAs executed and keeping them current is easy to let slip, especially with newer or smaller vendors.

Access controls for SUD records. Not every staff member with access to your EHR needs access to SUD treatment records. The principle of least privilege is a HIPAA Security Rule requirement, but in small practices it is often overlooked because everyone shares the same system access. When a breach or disclosure complaint surfaces, auditors ask who had access and when.

Incident response for accidental disclosures. Misdirected faxes, emailed records sent to the wrong address, and verbal disclosures to unauthorized callers all happen. In a standard HIPAA breach, you follow your breach notification procedures. In an SUD setting, an accidental disclosure of Part 2 records carries specific reporting and remediation obligations. Your staff needs to know the difference and whom to notify.

How PHIGuard addresses these challenges

PHIGuard is task management and compliance tracking built for clinic operations, not adapted from a generic project tool. Every compliance task has an owner, a due date, and a record of completion.

Workforce training tracking. PHIGuard lets you assign training tasks to individual staff members and track completion. You can build out a training curriculum that covers both HIPAA and 42 CFR Part 2 specifics: what records fall under Part 2, when patient consent is required before disclosure, and what to do if a disclosure request arrives without proper authorization. Completion records are stored and available if an auditor asks.

BAA management. Every vendor relationship that involves PHI needs a signed BAA. PHIGuard tracks the status of each BAA, flags missing agreements, and surfaces upcoming renewals. When you onboard a new telehealth vendor or change lab partnerships, you have a task queue that makes sure the BAA is executed before patient data moves.

Audit trail for every compliance action. Every task completion, document acknowledgment, and policy update in PHIGuard is logged with a timestamp and the user who completed it. If OCR or SAMHSA auditors ask what training your staff received and when, you have a documented record rather than a memory.

Incident response task templates. When a disclosure incident occurs, your team should follow a defined response process, not improvise under pressure. PHIGuard includes incident response task templates that walk your team through containment, documentation, notification determinations, and remediation steps. You can adapt these to reflect the Part 2-specific considerations relevant to SUD records.

Role-based access to compliance tasks. Not every staff member needs visibility into every compliance issue. PHIGuard lets you assign tasks to the right person at the right role level, keeping sensitive compliance matters within the appropriate scope.

PHIGuard does not replace qualified legal counsel or a compliance consultant for 42 CFR Part 2 interpretation. It ensures that the operational work of compliance — the training, the tracking, the documentation, the vendor management — runs consistently and on schedule instead of falling through the cracks.

Pricing and next steps

PHIGuard is priced per clinic, not per user. Your entire staff works in the same plan with no per-seat charges.

  • Essentials at $99/month covers core compliance task management, BAA tracking, and audit logging for smaller practices.
  • Clinic at $249/month adds policy management, incident response templates, and expanded workflow capacity.
  • Group at $499/month is built for multi-location addiction medicine groups running compliance programs across practices.

Every plan includes a BAA with PHIGuard. You should not use a compliance platform that will not sign a BAA with you.

If you want to see how PHIGuard fits your practice before committing, start a free trial or request a walkthrough. There are no implementation fees and no long-term contracts.

Start your free trial or review our HIPAA compliance self-assessment to see where your practice stands today.

Editorial details

Written by: Angel Campa

Reviewed by: PHIGuard Compliance Research

Updated: April 25, 2026

FAQ

Questions addiction medicine teams ask before switching

Does 42 CFR Part 2 apply to all addiction medicine practices?

42 CFR Part 2 applies to federally assisted programs that provide substance use disorder treatment, diagnosis, or referral. If your practice receives any federal funding or is lawfully authorized by a federal agency, you are likely covered. Review the SAMHSA FAQ and consult qualified legal counsel to confirm your program's status.

Can we share SUD patient records with a hospital if there's a medical emergency?

42 CFR Part 2 includes a narrow exception for bona fide medical emergencies. The disclosure must be limited to information necessary for the emergency. Document the disclosure in your audit log and review SAMHSA's guidance on the emergency exception for your specific situation.

Do we need a BAA with every vendor who accesses our patient records?

Yes. Under HIPAA, any vendor who handles PHI on your behalf is a business associate and requires a signed BAA before you share data. PHIGuard tracks BAA status for all your vendors and flags agreements that are missing or expired.

What's the difference between a HIPAA authorization and a 42 CFR Part 2 consent form?

They are separate documents with separate requirements. A HIPAA authorization does not satisfy 42 CFR Part 2, and a Part 2 consent form does not satisfy HIPAA authorization requirements for other disclosures. Your practice needs compliant versions of both. PHIGuard's compliance task library includes checklist items for both.

Operational assurance

Ready to put compliance on a proper foundation?

PHIGuard gives your clinic an audit trail, a signed BAA, and a task management system built for covered entities rather than adapted from generic collaboration software.

No credit card required. Add billing details later if you want service to continue after the trial.