42 CFR Part 2 Explained: What It Is, Who It Applies To, and Key Requirements
Purpose of 42 CFR Part 2
42 CFR Part 2 implements federal substance use disorder (SUD) confidentiality protections for records that identify someone as receiving SUD diagnosis, treatment, or referral. Its core aim is to specify when and how SUD patient records may be used and disclosed so people can seek care without fear of stigma, discrimination, or legal exposure. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
HHS finalized major updates to Part 2 in 2024 to implement the CARES Act. The final rule took effect on April 16, 2024, with a compliance date of February 16, 2026, modernizing privacy rules while preserving heightened protections for SUD information. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Applicability of the Regulation
Part 2 applies to “Part 2 programs”—any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment. Some requirements also extend to people and organizations that receive Part 2 records, including HIPAA covered entities and business associates, Qualified Service Organizations (QSOs), intermediaries, and other lawful holders. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
“Federally assisted” captures a wide range of support, such as Medicare participation, federal funding, federal licensing/registration (including authority to dispense controlled substances for SUD treatment), or IRS tax-exempt status. If a program holds itself out as providing SUD services and receives federal assistance, it is covered; if it is not federally assisted, Part 2 generally does not apply. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
Part 2’s restrictions also bind recipients. Notably, when Part 2 records are received under a valid single consent for treatment, payment, and health care operations (TPO), the recipient is not required to segregate or segment those records solely because they are Part 2 records. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
Key Requirements for Compliance
Patient Consent for Record Disclosure
In general, disclosure requires the patient’s written consent. Under the 2024 rule, a patient may give a single, durable TPO consent authorizing all future uses and disclosures for treatment, payment, and health care operations until revoked in writing. When a HIPAA-regulated recipient receives Part 2 records with a TPO consent, it may redisclose as HIPAA allows—except that Part 2 information may not be used or disclosed in legal proceedings against the patient. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Each consented disclosure must be accompanied by required notice language, and the consent itself must include specified elements (for example, what is being disclosed, to whom, purpose, expiration, and revocation rights). When the recipient is a HIPAA covered entity or business associate and the purpose is TPO, the consent notice must explain that HIPAA redisclosure is permitted except for use in civil, criminal, administrative, or legislative proceedings against the patient. ([old.govregs.com](https://old.govregs.com/regulations/expand/title42_chapterI_part2_subpartC_section2.32?utm_source=openai))
Disclosures Allowed Without Consent
- Medical emergencies (to medical personnel to meet a bona fide emergency).
- Qualified research, audit, or program evaluation activities that meet Part 2 conditions.
- Court-ordered disclosures that satisfy strict Part 2 procedures (see below).
- Reports of crimes on program premises or against program personnel, and suspected child abuse/neglect reports to appropriate authorities (original SUD records remain protected). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
Outside these limited exceptions, programs generally may not share information that would identify a person as having or having had an SUD without patient consent. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Court-Ordered Disclosure Procedures
Courts may authorize disclosures only under narrow, procedurally protective standards. For noncriminal matters, a judge must find “good cause,” including that other ways of obtaining the information are unavailable or ineffective and that the public interest outweighs potential harm. Orders must be no broader than necessary and include protective measures (for example, sealing records). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.64))
For criminal investigations or prosecutions of a patient, the court must find the alleged crime is extremely serious (e.g., homicide, serious bodily injury offenses), the records are likely to provide information of substantial value, alternatives are not available or effective, and the public interest outweighs potential harm, among other safeguards. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.65))
SUD Record Security Measures and Breach Notification
Part 2 requires policies and safeguards to protect records and aligns breach notification with HIPAA. Specifically, 45 CFR part 160 and subpart D of 45 CFR part 164 apply to breaches of unsecured Part 2 records, triggering individual and HHS notifications consistent with the HIPAA Breach Notification Rule framework. ([ecfr.io](https://ecfr.io/Title-42/Section-2.16?utm_source=openai))
OCR provides a centralized breach reporting portal and guidance to help organizations meet their Health and Human Services compliance obligations for Part 2 breaches. ([ocrportal.hhs.gov](https://ocrportal.hhs.gov/ocr/breach/breach_frontpage.jsf?faces-redirect=true&utm_source=openai))
Relationship to HIPAA and Other Laws
Part 2 now harmonizes many concepts with HIPAA while retaining unique protections. With a single TPO consent, HIPAA rules generally govern subsequent sharing by HIPAA-regulated recipients; however, Part 2’s bar on using SUD records in civil, criminal, administrative, or legislative proceedings against the patient still applies. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Part 2 sets a stringent federal baseline for SUD confidentiality. Providers must also follow other applicable laws and professional obligations; where state law is more protective than federal rules, organizations should apply the stricter standard to avoid impermissible disclosures.
Enforcement and Penalties
The HHS Office for Civil Rights (OCR) administers and enforces Part 2. OCR’s authorities mirror HIPAA’s enforcement framework, including complaint investigations, compliance reviews, and the ability to impose civil money penalties for confidentiality violations. OCR began accepting complaints and breach reports for Part 2 on February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
The 2024 updates align Part 2 with HIPAA’s penalty structure and breach-notification standards, meaning civil penalties for confidentiality violations are assessed under the HIPAA Enforcement Rule (45 CFR part 160, subparts C–E). OCR has announced a dedicated civil enforcement program for Part 2 to support consistent nationwide compliance. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Conclusion
In short, 42 CFR Part 2 protects SUD information more strictly than general health data, applies broadly to federally assisted substance use programs and their record recipients, and requires clear patient consent for record disclosure or a tightly controlled legal process. The 2024 rule modernizes operations (single TPO consent, HIPAA-aligned breach rules) while preserving robust court-ordered disclosure procedures and prohibiting use of SUD records against patients in legal proceedings. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
FAQs
What types of programs does 42 CFR Part 2 apply to?
Part 2 applies to any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment—including clinics, hospital units, OTPs, and private practices that hold themselves out as providing SUD services and receive federal assistance. Certain requirements also apply to recipients of Part 2 records (e.g., HIPAA covered entities, business associates, QSOs, intermediaries, and other lawful holders). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
How does 42 CFR Part 2 differ from HIPAA?
HIPAA generally permits TPO disclosures without patient authorization, while Part 2 requires written consent for most disclosures of SUD records. The 2024 rule lets patients give a single TPO consent so HIPAA rules can govern most subsequent sharing—yet Part 2 still forbids using those records in legal proceedings against the patient without consent or a compliant court order. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
When can SUD records be disclosed without patient consent?
Only in narrow circumstances, such as bona fide medical emergencies, qualifying research or audits/evaluations, and disclosures authorized by a Part 2 court order. Programs may also communicate limited information about crimes on the premises or against staff and make mandated child abuse/neglect reports, but the underlying SUD records remain protected. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
What are the penalties for violating 42 CFR Part 2?
OCR enforces Part 2 using HIPAA’s enforcement framework. Violations can result in civil money penalties, and OCR may conduct investigations or compliance reviews. As of February 16, 2026, OCR accepts Part 2 complaints and breach reports through its established processes. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))