4.2 42 CFR Part 2 - SUD Confidentiality
Key Takeaways
- 42 CFR Part 2 is the federal confidentiality regulation that applies to federally assisted substance use disorder (SUD) treatment programs and is generally stricter than HIPAA.
- Patient records may not be disclosed without a written consent that contains the elements specified in the rule, with narrow exceptions for medical emergencies, audits, qualified court orders, mandated child abuse reports, and crimes on program premises or against program staff.
- Under the February 2024 final rule, a single patient consent may now authorize use and disclosure for all future treatment, payment, and health care operations (TPO), aligning Part 2 closer to HIPAA.
- The 2024 rule also bars the use of Part 2 records or testimony derived from them in civil, criminal, administrative, or legislative proceedings against the patient without specific patient consent or a qualified court order.
- Redisclosure is prohibited unless the recipient has independent authority; a written prohibition-on-redisclosure notice must accompany every disclosure.
42 CFR Part 2: The Federal SUD Confidentiality Rule
42 CFR Part 2 ("Confidentiality of Substance Use Disorder Patient Records") is a federal regulation issued by the U.S. Department of Health and Human Services (HHS) and administered by the Substance Abuse and Mental Health Services Administration (SAMHSA). It was originally written in 1975 because Congress recognized that the stigma and criminal exposure associated with SUD made standard medical privacy inadequate. Part 2 is stricter than HIPAA in most respects, and when both apply the counselor follows the stricter rule.
This section reflects the February 8, 2024 final rule (published February 16, 2024; effective April 16, 2024) with a compliance date of February 16, 2026 for most provisions. As of February 16, 2026 the HHS Office for Civil Rights (OCR) accepts complaints and enforces Part 2 alongside HIPAA. The ADC exam expects you to know this post-2024 framework, not the pre-2017 version still found in older study guides.
Who Is Covered
Part 2 applies to a Part 2 program, defined as a federally assisted program (or part of a program) that holds itself out as providing, and does provide, SUD diagnosis, treatment, or referral for treatment. "Federally assisted" is broad: it includes federal funding of any portion, federal tax-exempt status, federal certification (such as opioid treatment programs), Medicare/Medicaid participation, and other federal authorization.
The rule attaches to patient identifying information that, alone or in combination, would identify a person as someone with a current or past SUD. It applies whether or not the patient is still in treatment, and even after the patient dies. A solo physician's general medical practice is generally NOT a Part 2 program unless it holds itself out as providing SUD services.
The General Rule
Part 2 records may not be disclosed to any third party without the patient's written consent, except in narrowly defined situations. "Disclosed" is broad: it includes verbal confirmation, written or electronic records, faxes, and even acknowledging that a specific named person is or was a patient. A receptionist who tells a caller "yes, she has an appointment here" has already made an unlawful disclosure if the program is a Part 2 program.
Required Elements of a Valid Written Consent
A Part 2 consent is more specific than a HIPAA authorization. The required elements include:
- The name or general designation of the program(s) making the disclosure.
- The name(s) of the individual(s) or entity(ies) to whom disclosure will be made.
- The name of the patient.
- The purpose of the disclosure.
- How much and what kind of information will be disclosed.
- A statement that the consent is revocable, with the revocation procedure.
- A date, event, or condition on which the consent expires if not revoked.
- The signature of the patient (and, when required, of a parent, guardian, or authorized representative).
- The date the consent is signed.
- A statement that the recipient is prohibited from redisclosing the information without further consent or other legal authority.
Under the 2024 final rule a single consent may authorize all future uses and disclosures for treatment, payment, and health care operations (TPO), similar to a HIPAA authorization. The patient may revoke that consent at any time, in writing.
Exceptions to the Consent Requirement
Disclosure without consent is permitted only in a small number of situations:
| Exception | What It Permits |
|---|---|
| Medical emergency | Disclosure to medical personnel needed to address an immediate threat to health. Document the disclosure. |
| Audit and evaluation | Disclosure to qualified auditors or evaluators under written assurances. |
| Research | Disclosure to qualified researchers under an IRB and written assurances. |
| Qualified court order | Disclosure under a court order issued after a hearing meeting Part 2's specific findings (a routine subpoena is NOT enough). |
| Crime on premises or against staff | Reporting a crime by a patient on program premises or against program staff. |
| Mandated child abuse reporting | State child-abuse and neglect reports are permitted; Part 2 does NOT preempt these laws. |
| Internal program communications | Disclosures among program staff with a legitimate need to know. |
| Qualified Service Organizations (QSOs) | Disclosures to QSOs under a written agreement barring redisclosure. |
The 2024 Final Rule Highlights
The ADC exam reflects the post-2024 framework. Key changes you should be ready to recognize:
- Single TPO consent is permitted for all future treatment, payment, and operations disclosures.
- HIPAA Notice of Privacy Practices (NPP) alignment: Part 2 programs follow HIPAA NPP requirements rather than the older Part 2 patient-notice rule.
- Breach notification under the HIPAA Breach Notification Rule now applies to Part 2 records.
- Proceedings against the patient: Part 2 records and any testimony derived from them cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without specific patient consent or a qualified court order. This is broader than prior law.
- Penalties: violations are now subject to the same civil and criminal penalties as HIPAA, replacing the old criminal-fine-only scheme.
- Segregation/segmentation of Part 2 data is no longer required for recipients who received it under a proper TPO consent.
Redisclosure
A recipient of Part 2 information may not redisclose it without further patient consent or other legal authority. Every disclosure must carry the prohibition-on-redisclosure notice. The reasoning "I received this from the SUD program, so I can pass it along to the referral clinic" is a violation unless the original consent authorized that downstream disclosure or the recipient has independent authority (for example, the receiving provider obtains its own consent for its own purposes). When in doubt, the safe default is: do not confirm, do not disclose, and obtain a valid consent first.
A defense attorney sends a subpoena asking the SUD treatment program to release a patient's records. The patient has not signed a consent. What is the program's CORRECT response?
Which change was introduced by the February 2024 42 CFR Part 2 final rule (compliance date February 16, 2026)?
A counselor at a federally assisted methadone program sees a child being struck in the waiting room by the patient's partner. State law requires reporting suspected child abuse. What does 42 CFR Part 2 require?