If you're billing CareSource Medicaid for addiction treatment services, you already know the drill: utilization review requests, claims documentation, care coordination calls. But here's where most providers get burned: CareSource PHI sharing policies for addiction treatment don't just follow standard HIPAA rules. The moment you're treating substance use disorder, 42 CFR Part 2 kicks in with stricter protections that override nearly everything you learned about routine healthcare disclosures.
I've watched compliance-savvy programs get hit with audit findings because they assumed their standard HIPAA authorization covered SUD record sharing with CareSource. It doesn't. And I've seen providers delay payments for weeks because they didn't have the right written consent in place before responding to UR requests. This isn't theoretical risk. It's operational reality for anyone running PHP, IOP, residential, or outpatient addiction programs across Ohio, Georgia, Indiana, Kentucky, and Michigan.
Let's break down exactly how CareSource's PHI disclosure requirements intersect with federal SUD protections, what you must have documented before sharing any client information, and how to build authorization workflows that keep you compliant without killing your cash flow.
Why CareSource PHI Sharing Policies Require More Than Standard HIPAA Compliance
Most behavioral health providers understand HIPAA's treatment, payment, and healthcare operations (TPO) exceptions. Under standard HIPAA rules, you can share protected health information with payers for billing and utilization review without patient authorization. That's how medical healthcare works.
But CareSource HIPAA compliance for behavioral health gets complicated the second substance use disorder treatment enters the picture. Federal law under 42 CFR Part 2 imposes stricter confidentiality protections on SUD records than HIPAA requires. These regulations apply to any program that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. If that describes your program, Part 2 governs your disclosures, period.
Here's the critical distinction: Part 2 does not recognize HIPAA's TPO exceptions for routine payer disclosures. You cannot share SUD records with CareSource for claims processing, utilization review, or care coordination without specific written patient consent that meets Part 2's requirements. SAMHSA's guidance makes this clear: the stricter law controls, and Part 2 is stricter than HIPAA when it comes to addiction treatment records.
This creates real operational friction. CareSource needs clinical documentation to approve continued stays, authorize services, and process claims. But you can't just fax over progress notes and treatment plans like you would for medical surgical care. Every disclosure requires authorization that specifically names CareSource, describes what information you're sharing, and explains the purpose.
What Written Authorizations CareSource Requires Before You Share Client Information
The 2024 updates to 42 CFR Part 2 streamlined some authorization requirements, but they didn't eliminate the need for written consent. If you're disclosing SUD records to CareSource for utilization review, claims, or care coordination, you need a compliant authorization on file before you share anything.
Here's what that authorization must include under current Part 2 requirements:
- The specific name of the program or person authorized to make the disclosure (your facility)
- The name or title of the individual or organization that will receive the disclosure (CareSource, by name)
- The patient's name
- The purpose or need for the disclosure (utilization review, claims processing, care coordination)
- How much and what kind of information will be disclosed
- A statement that the consent is subject to revocation at any time
- The date, event, or condition upon which the consent expires if not revoked earlier
- The signature of the patient and date signed
- If signed by someone other than the patient, their relationship and authority to act
Most providers stumble on specificity. You can't use a blanket authorization that says "my insurance company." You need to name CareSource explicitly. You can't say "for treatment purposes." You need to specify utilization review, claims processing, and care coordination if that's what you're doing. And you can't leave the expiration open-ended. The authorization needs a clear end date or event.
The good news from the 2024 updates: you can now use a single authorization that covers multiple disclosures to the same entity for the same purpose over time. You don't need a new consent every time CareSource requests a progress update during an authorization period. But that authorization must still meet all nine elements, and it must be in place before the first disclosure.
How the 2024 42 CFR Part 2 Updates Changed Disclosure Rules for CareSource Billing
The February 2024 final rule updating 42 CFR Part 2 brought the most significant changes to SUD record confidentiality in decades. If you're billing CareSource Medicaid plans, three updates directly impact your disclosure workflows.
First, the new rule allows single authorizations to cover multiple future disclosures to the same recipient for the same purpose. Previously, some providers interpreted Part 2 as requiring separate consent for each disclosure event. The 2024 updates clarified that one properly executed authorization can cover ongoing disclosures to CareSource throughout a treatment episode, as long as the authorization specifies this and includes an appropriate expiration.
Second, the rule aligned Part 2 more closely with HIPAA's breach notification requirements and enforcement mechanisms. This doesn't weaken Part 2's protections, but it does create more consistent compliance frameworks for programs already managing HIPAA obligations. For CareSource billing, this means your breach response protocols need to account for both regulatory schemes.
Third, and most operationally significant, the updates clarified that Part 2 applies to SUD records regardless of payer type. Some providers mistakenly believed Medicaid claims had different rules. They don't. Whether you're billing CareSource Medicaid, Medicare Advantage, or commercial plans, Part 2 governs SUD record disclosures the same way.
What didn't change: the fundamental prohibition on disclosing SUD records without consent. The 2024 updates streamlined processes, but they didn't create new TPO exceptions. You still need written authorization before sharing client information with CareSource, even for routine billing and UR.
CareSource Information Sharing Requirements During Utilization Review
Utilization review creates the highest-risk disclosure scenario for addiction treatment providers. CareSource needs clinical information to make medical necessity determinations. You need authorization approvals to keep revenue flowing. The pressure to respond quickly is intense. And that's exactly when providers make mistakes that create audit exposure.
Here's what you need to know about CareSource Medicaid PHI disclosure requirements during UR: you cannot submit clinical documentation in response to a utilization review request without a compliant Part 2 authorization on file. This includes progress notes, treatment plans, discharge summaries, assessment tools, drug screen results, and any other record that identifies the patient as having or being treated for a substance use disorder.
CMS guidance on SUD confidentiality reinforces that utilization review does not fall under HIPAA's TPO exceptions when Part 2 applies. The fact that CareSource is the payer and needs the information to authorize services doesn't override the consent requirement.
What can you disclose without consent? Practically nothing that's useful for UR. You can confirm that a patient is enrolled in your program and provide administrative information like admission and discharge dates, but you cannot discuss diagnosis, treatment modalities, progress, or clinical status without authorization.
This creates real operational challenges. CareSource UR timelines don't pause while you chase down missing authorizations. If you can't respond to a concurrent review request within their timeframe because you lack consent, you risk denial and payment recoupment. This is why authorization workflows must happen at intake, not when the first UR request arrives.
One common mistake: assuming that because CareSource approved initial authorization, you can freely share information throughout the episode. Initial authorization and ongoing UR are separate disclosure events that both require consent. If your intake authorization only covered initial claims submission, you need broader language that explicitly includes utilization review and care coordination.
Building HIPAA and 42 CFR Part 2 Compliant Authorization Workflows
Compliant authorization workflows start at intake and continue through discharge. Here's the operational framework that keeps you protected while maintaining revenue cycle efficiency.
Intake Stage: Your admissions team should obtain a comprehensive Part 2 authorization that names CareSource specifically and covers all anticipated disclosure purposes: claims submission, utilization review, care coordination, and discharge planning. Use clear, plain-language forms that patients can actually understand. Include specific expiration dates tied to treatment episode length plus a reasonable buffer for claims processing.
Documentation Stage: Train clinical staff to distinguish between SUD records protected by Part 2 and other health information that may only be covered by HIPAA. This matters for co-occurring disorder treatment. If you're treating both SUD and mental health conditions, some records may have different disclosure rules. Your authorization should address this clearly.
Response Stage: Before responding to any CareSource UR request, verification staff should confirm that a valid Part 2 authorization is on file. Build this into your workflow as a hard stop. No authorization, no disclosure. Period. If consent is missing or expired, pause the UR response and obtain updated authorization before proceeding.
Audit Stage: Maintain authorization documentation as part of the patient record. If CareSource or a regulatory auditor questions a disclosure, you need to produce the signed consent that authorized it. SAMHSA's confidentiality guide recommends keeping authorizations for at least six years after the last disclosure made under them.
Technology helps here. If you're using an EHR or practice management system, configure it to flag CareSource-covered patients and track authorization status. Some systems can block UR document submission if valid consent isn't documented. This prevents well-meaning staff from creating compliance violations while trying to move billing forward.
Just like providers managing insurance reimbursement challenges need systematic approaches to documentation and follow-up, authorization workflows require the same operational discipline.
Common PHI Disclosure Mistakes That Create Audit and Liability Exposure
I've reviewed authorization processes for dozens of addiction treatment programs billing CareSource, and the same mistakes appear repeatedly. Here are the violations that create the most audit and liability risk.
Using HIPAA-only authorizations for SUD record disclosures. Your standard HIPAA release form doesn't satisfy Part 2 requirements. Part 2 has specific elements that must be included, and HIPAA forms typically don't address them. Using the wrong form is the same as having no authorization at all.
Failing to name CareSource specifically. Authorizations that say "my insurance company" or "third-party payers" don't meet Part 2's specificity requirements. You need to list CareSource by name. If the patient has coverage in multiple states or through different CareSource products, specify which plan.
Disclosing information beyond what the authorization covers. If your consent form authorizes sharing "assessment and treatment plan" but you send progress notes and drug screen results, you've exceeded the scope of consent. This is an unauthorized disclosure, even if you have an authorization on file.
Continuing to disclose after authorization expires. Part 2 authorizations must have expiration dates. Once that date passes or the specified event occurs, the authorization is no longer valid. Continuing to respond to CareSource UR requests with expired consent is a violation.
Assuming verbal consent is sufficient. Part 2 requires written authorization with specific elements and a signature. A patient verbally agreeing that you can "share information with CareSource" doesn't meet the standard. Phone authorizations don't work here.
Failing to provide required notices. When you disclose SUD records under a Part 2 authorization, you must include a prohibition on redisclosure statement. This notice tells CareSource that the information is protected by federal law and cannot be redisclosed without patient consent. Most providers forget this step entirely.
These mistakes aren't just technical violations. They create real liability exposure. Patients can file complaints with SAMHSA. State licensing boards can cite you for confidentiality breaches. And in egregious cases, unauthorized disclosures can trigger civil liability. The risk isn't worth the convenience of sloppy authorization practices.
Programs that avoid these pitfalls often benefit from the same systematic approach needed to prevent common operational mistakes in PHP and IOP settings: documented processes, staff training, and regular audits.
CareSource State Medicaid Plan Variations: Ohio, Georgia, Indiana, Kentucky, Michigan
CareSource operates Medicaid managed care plans across five states, and while federal Part 2 requirements apply uniformly, each state's Medicaid program has specific documentation and authorization requirements that layer on top of federal rules.
Ohio: CareSource's largest market. Ohio Medicaid requires specific provider enrollment and credentialing for SUD treatment services. Your authorization workflows should account for Ohio's behavioral health redesign, which consolidated SUD services under managed care. CareSource Ohio has specific UR timelines and documentation requirements for residential and intensive outpatient services.
Georgia: CareSource Georgia covers members through the state's Medicaid and PeachCare programs. Georgia has specific requirements for SUD provider qualifications and treatment program certification. Your Part 2 authorizations should align with Georgia's care management and coordination requirements, which may involve multiple entities beyond CareSource.
Indiana: Indiana's Hoosier Healthwise and Healthy Indiana Plan (HIP) programs include CareSource as a managed care option. Indiana has specific prior authorization requirements for residential SUD treatment that go beyond standard UR. Make sure your authorizations cover both CareSource and any state-required utilization management entities.
Kentucky: CareSource Kentucky serves members through the state's Medicaid managed care program. Kentucky has invested heavily in SUD treatment access and has specific network adequacy requirements. Your authorization processes should account for care coordination with Kentucky's regional behavioral health entities.
Michigan: CareSource participates in Michigan's Healthy Michigan Plan. Michigan separates physical health and behavioral health managed care in some regions, which can create confusion about which entity needs to be named in authorizations. Confirm whether CareSource is managing the behavioral health benefit or if a separate PIHP is involved.
The key across all states: CareSource client information authorization for addiction treatment must meet federal Part 2 standards regardless of state-specific variations. State requirements add to federal protections, they don't replace them. Your authorization forms should satisfy both.
Similar to how providers navigate AHCCCS billing requirements in Arizona or MassHealth processes in Massachusetts, understanding CareSource's state-specific variations requires attention to both federal and state-level requirements.
Protecting Your Program While Maintaining Revenue Cycle Efficiency
Compliant PHI sharing doesn't have to slow down your billing or create operational bottlenecks. The programs that do this well treat authorization workflows as core operational infrastructure, not administrative afterthoughts.
Start with intake. Every CareSource-covered patient should leave their first day with a comprehensive Part 2 authorization in place that covers the full scope of anticipated disclosures. Train admissions staff to explain why the authorization matters and what information will be shared. Patients are generally willing to sign when they understand it enables their treatment to be covered.
Build verification checkpoints into your UR response workflow. Before anyone submits clinical documentation to CareSource, they should confirm valid authorization exists. This takes 30 seconds and prevents violations that can take months to remediate.
Audit your authorization files quarterly. Pull a random sample of CareSource patient records and verify that authorizations are on file, properly executed, not expired, and cover the disclosures you've actually made. Fix gaps before auditors find them.
Train your team on the distinction between HIPAA and Part 2. Most compliance violations happen because well-meaning staff don't understand that SUD records have different rules. Fifteen minutes of training at hire and annual refreshers prevent most problems.
Document your policies and procedures. When an auditor or licensing surveyor asks how you ensure compliant disclosures to payers, you should be able to hand them a written policy that describes your authorization workflow from intake through discharge. Having the policy matters almost as much as following it.
And remember: CareSource 42 CFR Part 2 SUD records requirements exist to protect your patients. Compliance isn't just about avoiding penalties. It's about maintaining the trust that makes treatment possible. Patients who know their confidentiality is protected are more likely to be honest about their substance use, engage in treatment, and achieve recovery outcomes.
Just as cybersecurity protections safeguard patient data from external threats, proper authorization workflows protect patients from inappropriate internal disclosures.
Get Your CareSource Authorization Workflows Right
If you're running an addiction treatment program that bills CareSource, you can't afford to get PHI sharing wrong. The compliance risk is too high, the operational friction is too costly, and the patient trust at stake is too important.
Review your current authorization forms against Part 2's nine required elements. Audit your last 20 CareSource UR responses to confirm you had valid consent before disclosure. Train your admissions and billing teams on the distinction between HIPAA and Part 2. And build verification checkpoints into your workflows that prevent unauthorized disclosures before they happen.
Need help building compliant authorization workflows that don't slow down your revenue cycle? We work with addiction treatment providers across Ohio, Georgia, Indiana, Kentucky, and Michigan to design intake processes, documentation systems, and compliance protocols that keep you protected while maintaining operational efficiency. Reach out today to discuss how we can help your program navigate CareSource PHI sharing requirements without creating billing bottlenecks or audit exposure.
