You've got your SUD program up and running. Your clinicians are credentialed, your census is growing, and you're finally billing insurance. Then someone on your team forwards a patient's treatment records to a referring provider without the right consent form. Or your biller sends detailed substance use information to a third-party administrator for a claim dispute. Or a court subpoena lands on your desk and you respond without understanding what 42 CFR Part 2 actually requires.
These aren't hypothetical scenarios. They're compliance violations that happen every day in IOPs, PHPs, and residential programs across the country. And unlike garden-variety HIPAA missteps, 42 CFR Part 2 violations carry serious consequences: SAMHSA enforcement actions, civil liability, payer audits, and in some cases, loss of federal funding.
If you're operating a substance use treatment program, understanding 42 CFR Part 2 compliance isn't optional. It's foundational. This article breaks down what Part 2 actually is, how it differs from HIPAA, what changed in 2024, and what compliance looks like operationally in your program.
What Is 42 CFR Part 2?
42 CFR Part 2 is a federal regulation that protects the confidentiality of substance use disorder patient records. It was originally enacted in the 1970s to address stigma and encourage people to seek SUD treatment without fear that their records would be used against them in criminal or civil proceedings.
Part 2 is separate from HIPAA. It's stricter. And it applies specifically to programs that provide SUD diagnosis, treatment, or referral for treatment.
Where HIPAA allows covered entities to use and disclose protected health information (PHI) for treatment, payment, and healthcare operations (TPO) without patient authorization, Part 2 historically required written patient consent for nearly every disclosure, even within your own care team. That changed significantly in 2024, but the core principle remains: the requirements SUD treatment programs must follow under 42 CFR Part 2 are more restrictive than HIPAA alone.
Which Programs Does 42 CFR Part 2 Apply To?
Part 2 applies to any "federally assisted" program that specializes in providing SUD diagnosis, treatment, or referral. The term "federally assisted" is broader than most operators realize.
You're federally assisted if your program:
- Receives federal funding (grants, contracts, Medicaid, Medicare)
- Is authorized or licensed by the federal government (DEA registration for MAT, for example)
- Is a nonprofit with federal tax-exempt status under 501(c)(3)
- Operates under federal oversight in any capacity
In practice, this covers nearly every SUD treatment program in the United States. If you're billing Medicaid or Medicare, you're in. If you're a licensed outpatient treatment provider with DEA authority to prescribe buprenorphine, you're in. If you're a 501(c)(3) sober living operator providing any level of SUD counseling or referral services, you're likely in.
The key qualifier is that your program must "hold itself out" as providing SUD services. A general medical practice that occasionally treats patients with SUD isn't covered. A dedicated IOP that markets itself as an addiction treatment program absolutely is.
How 42 CFR Part 2 Differs from HIPAA
This is where operators get tripped up. HIPAA and Part 2 overlap, but they're not the same. And when both apply, you have to follow the stricter standard.
Here's the operational difference: under HIPAA, you can share PHI for treatment, payment, and healthcare operations without patient authorization. You can send a patient's chart to a consulting psychiatrist, submit claims to insurance, or conduct internal quality reviews without asking permission every time.
Under Part 2, historically, you couldn't. Every disclosure required specific written consent or a qualifying court order. That made care coordination, billing, and even internal case conferencing a paperwork nightmare.
The other major distinction: Part 2, the federal law governing the confidentiality of substance use records, prohibits redisclosure. If you share Part 2 records with a third party (with proper consent), that recipient can't turn around and share those records with someone else unless the original consent explicitly allows it. HIPAA doesn't impose the same redisclosure restriction.
Part 2 also applies stricter standards around court orders, criminal justice disclosures, and what information can be shared in legal proceedings. Even with a subpoena, you generally can't disclose Part 2 records without patient consent or a court order that meets specific Part 2 criteria.
What the 2024 Amendments Changed
On February 8, 2024, SAMHSA and HHS published a final rule that significantly revised 42 CFR Part 2. The changes were driven by the CARES Act and aimed to align Part 2 more closely with HIPAA while maintaining core confidentiality protections.
The 2024 final rule introduced several major updates:
Single Consent for TPO: Programs can now obtain a single, general consent that covers future uses and disclosures for treatment, payment, and healthcare operations. This is a huge operational shift. You no longer need a separate consent every time you want to coordinate care with another provider or submit a claim to insurance.
SUD Counseling Notes Protection: The rule created a new category of protected records called "SUD counseling notes," analogous to HIPAA psychotherapy notes. These require separate, specific consent for disclosure and can't be included in general TPO consent.
Alignment with HIPAA Penalties and Breach Notification: Part 2 penalties and breach notification requirements now align with HIPAA standards. If you have a Part 2 breach, you follow the same notification protocols you would for a HIPAA breach.
Restrictions on Use in Legal Proceedings: The rule tightened restrictions on using Part 2 records in civil, criminal, administrative, and legislative proceedings. Even with a subpoena, disclosure generally requires patient consent or a specific court order that meets Part 2 criteria.
Patient Rights: Patients now have the right to opt out of fundraising communications, similar to HIPAA rules.
The final rule was effective April 16, 2024, but compliance isn't required until February 16, 2026. That gives programs time to update consent forms, train staff, and reconfigure workflows. But it's not optional. If you're operating a SUD program, you need to be ready.
Practical Compliance Requirements for SUD Programs
So what does behavioral health compliance under 42 CFR Part 2, as opposed to HIPAA alone, actually look like day-to-day in an IOP, PHP, or residential program?
Consent Forms
Your Part 2 consent forms need to be specific. They must identify the patient, the program making the disclosure, the recipient of the information, the purpose of the disclosure, how much information will be shared, the expiration date or event, and the patient's right to revoke consent.
Post-2024, you can use a general consent for TPO, but you still need separate, specific consent for disclosures outside TPO (like sharing records with a lawyer, employer, or family member) and for SUD counseling notes.
Your forms also need to include the Part 2 prohibition on redisclosure statement, which tells recipients they can't share the information further without authorization.
Staff Training
Every staff member who touches patient records needs to understand Part 2. That includes clinicians, billing staff, front desk coordinators, and case managers. They need to know what records are covered, when consent is required, what disclosures are prohibited, and how to respond to subpoenas or requests for information.
If you're operating in California, this overlaps with DHCS required training for SUD facilities, which mandates specific compliance education for licensed programs.
EHR Configuration
Your EHR needs to support Part 2 compliance. That means flagging SUD records, tracking consents, restricting access to SUD counseling notes, and generating compliant disclosure forms. Not all EHRs handle this well. When you're evaluating EHR systems for your treatment center, Part 2 functionality should be a non-negotiable requirement.
Billing and Claims Submission
Under the 2024 rule, you can share Part 2 records with payers for payment purposes using a general TPO consent. But you still need to be careful about what information you're disclosing and whether your consent actually covers the disclosure you're making.
When you're submitting claims to commercial payers like Elevance Health for addiction treatment coverage, make sure your billing staff understands that the rules on patient consent for disclosure of SUD treatment records still apply, even if you're just trying to get paid. Understanding behavioral health billing compliance requirements is essential to avoiding inadvertent Part 2 violations during the claims process.
Breach Response
If you have a Part 2 breach (unauthorized disclosure, lost records, EHR hack), you follow HIPAA breach notification protocols. That means notifying affected patients, HHS, and in some cases, the media. But you also need to document the breach, assess harm, and implement corrective action to prevent future violations.
Common 42 CFR Part 2 Violations Operators Don't Realize They're Making
Even well-intentioned programs make Part 2 mistakes. Here are the most common ones:
Billing Disclosures Without Proper Consent: Sending detailed treatment notes or progress summaries to a payer or third-party administrator without a consent that specifically covers that disclosure. Under the old rule, this was a clear violation. Under the 2024 rule, it's allowed if you have a valid TPO consent, but many programs still don't have one.
Responding to Subpoenas Without a Court Order: A subpoena isn't enough to compel disclosure of Part 2 records. You need patient consent or a court order that meets Part 2's specific criteria. Many programs don't understand this and hand over records when served.
Sharing Information with Referral Sources: Sending patient updates to a referring provider, case manager, or probation officer without proper consent. Even if the referral source originally connected the patient to your program, you can't share information back without authorization.
Improper Redisclosure: Sharing Part 2 records with a third party (like a consulting psychiatrist) who then shares those records with someone else (like a primary care physician) without the patient's original consent covering that secondary disclosure.
Failure to Train Staff: Assuming your team understands Part 2 because they understand HIPAA. They're not the same, and untrained staff will make mistakes.
How Non-Compliance Gets Flagged and What Happens Next
Part 2 violations typically surface in a few ways: patient complaints, payer audits, SAMHSA investigations, or civil litigation.
If a patient believes their Part 2 rights were violated, they can file a complaint with SAMHSA. SAMHSA investigates, and if it finds a violation, it can impose corrective action plans, fines, or in extreme cases, recommend termination of federal funding.
Payer audits can also uncover Part 2 issues. If an insurer reviews your claims and discovers you've been disclosing SUD records without proper consent, they can deny claims, demand repayment, or terminate your contract.
Civil liability is another risk. Patients can sue for unauthorized disclosure of Part 2 records, and damages can be significant, especially if the disclosure caused harm (job loss, custody issues, criminal exposure).
The consequences aren't just financial. Part 2 violations damage your program's reputation, erode patient trust, and create operational chaos while you scramble to implement corrective action.
Frequently Asked Questions About 42 CFR Part 2
Does Part 2 apply to telehealth SUD services?
Yes. If you're providing SUD treatment via telehealth and you meet the definition of a federally assisted program, Part 2 applies. The mode of service delivery doesn't change your obligations.
Can I share Part 2 records with a patient's primary care physician?
Only with proper patient consent. Under the 2024 rule, a general TPO consent can cover this if the disclosure is for treatment purposes, but you still need that consent on file.
What if a patient is a minor?
Part 2 generally allows minors to consent to disclosure of their own records if they have legal capacity to consent to SUD treatment under state law. This varies by state, so check your local regulations.
Do I need separate Part 2 policies or can I integrate them into my HIPAA policies?
You can integrate them, but your policies need to clearly distinguish Part 2 requirements from HIPAA requirements and specify when the stricter Part 2 rules apply.
What happens if I'm opening a new SUD program and don't have Part 2 compliance in place yet?
You need to build it from day one. If you're opening a drug rehab or launching any SUD program, Part 2 compliance should be part of your initial infrastructure, not an afterthought.
Building Part 2 Compliance Into Your Program
If you're launching a new SUD program or scaling an existing one, Part 2 compliance needs to be baked into your operations from the start. That means the right consent forms, staff training protocols, EHR configuration, billing workflows, and breach response plans.
It also means understanding how Part 2 intersects with payer requirements, state licensing standards, and your broader compliance obligations. When you're managing utilization review requirements or navigating credentialing with commercial payers, Part 2 considerations are always in play.
The 2024 amendments made Part 2 more workable, but they didn't eliminate the complexity. And with the February 2026 compliance deadline approaching, now is the time to get your house in order.
Need help building Part 2 compliance infrastructure for your SUD program? ForwardCare works with behavioral health operators to implement compliant billing, credentialing, and operational systems that actually work in the real world. Whether you're launching a new program or cleaning up compliance gaps in an existing one, we can help. Reach out and let's talk about what you're building.
