Request a demo

Share your information and we'll be in touch shortly.

By submitting, you agree to our Privacy Policy

Thank you.

We'll be in touch.
Something went wrong while submitting the form
Compliance

42 CFR Part 2

42 CFR Part 2 is a federal regulation that provides heightened privacy protections for patient records created by federally assisted substance use disorder (SUD) treatment programs, restricting the disclosure of patient-identifying information beyond what HIPAA alone requires.
Ease Health Team
42 CFR Part 2
Table of contents
TOC Header

42 CFR Part 2 is a federal regulation that provides heightened privacy protections for patient records created by federally assisted substance use disorder (SUD) treatment programs, restricting the disclosure of patient-identifying information beyond what HIPAA alone requires. Originally enacted in the 1970s to encourage people to seek addiction treatment without fear of legal or social consequences, Part 2 remains one of the most significant compliance obligations for behavioral health organizations that treat substance use disorders.

How Part 2 Differs from HIPAA

The most critical difference between Part 2 and HIPAA involves consent requirements. HIPAA permits disclosure of PHI for treatment, payment, and healthcare operations (TPO) without specific patient authorization. Part 2 requires specific written consent from the patient for virtually any disclosure, including disclosures for treatment and payment purposes. This means that a behavioral health provider cannot share a patient's SUD treatment records with another treating provider, a pharmacy, or an insurance company without obtaining a Part 2-compliant consent form first.

Who Must Comply with Part 2

Part 2 applies to "federally assisted" programs that hold themselves out as providing, and do provide, substance use disorder diagnosis, treatment, or referral for treatment. "Federally assisted" has a broad definition that includes any program receiving federal funding (including Medicaid, Medicare, block grants, or tax-exempt status). In practice, this captures the vast majority of SUD treatment programs in the United States, including private facilities that accept Medicaid or hold 501(c)(3) status.

Part 2 Consent Requirements

A valid Part 2 consent form must include the name of the patient, the name of the program making the disclosure, the name of the recipient(s) of the information, the purpose of the disclosure, a description of how much and what kind of information will be disclosed, the patient's signature and date, a statement that the consent can be revoked, and the date, event, or condition upon which the consent expires. Unlike HIPAA authorizations, Part 2 consents cannot be bundled into general treatment consent forms — they must be separate, specific documents.

2024 Part 2 Updates

SAMHSA published final rules in 2024 that align Part 2 more closely with HIPAA in certain areas. Key changes include permitting disclosure of Part 2 records for treatment, payment, and healthcare operations with a single, general consent (rather than requiring separate consents for each recipient), expanding the definition of "treating provider" to facilitate care coordination, and maintaining the prohibition on using Part 2 records in criminal proceedings against the patient without a court order. These updates reduce some administrative burden while preserving core patient protections.

EHR Compliance with Part 2

Behavioral health EHR systems must support Part 2 compliance through segmented consent management that tracks which records require Part 2 consent before disclosure, role-based access controls that restrict SUD record access to authorized users, audit trails documenting all access to and disclosure of Part 2-protected information, consent form management tracking active consents, their scope, and expiration dates, and the ability to separate SUD treatment information from general behavioral health records in disclosures. Systems that do not support this level of granularity create compliance risk for organizations treating SUD.

FAQs

Does Part 2 apply if my practice treats both mental health and SUD?

Yes. If your practice holds itself out as providing SUD treatment and is federally assisted, Part 2 applies to the SUD treatment records. Mental health records that do not involve SUD treatment are governed by HIPAA alone. Managing both frameworks simultaneously is a core challenge for dual-diagnosis programs.

Can I share Part 2 records with another treating provider?

Under the 2024 updated rules, yes — with a valid Part 2 general consent signed by the patient. Without consent, Part 2 records cannot be shared even for treatment purposes, unlike HIPAA which permits treatment disclosures without specific authorization.

What are the penalties for Part 2 violations?

Criminal penalties for Part 2 violations include fines up to $500 for a first offense and up to $5,000 for subsequent offenses. The 2024 updates also align Part 2 enforcement with HIPAA's civil penalty structure, allowing HHS to impose civil monetary penalties for violations.

How does Part 2 affect care coordination?

Part 2 historically created barriers to care coordination because each disclosure required specific consent. The 2024 updates address this by allowing a single general consent to cover disclosures for treatment, payment, and healthcare operations, significantly simplifying coordination between SUD programs and other providers.

Learn More

EHR
Behavioral Health
Mental Health
Practice Management
Healthcare Technology