42 CFR Part 2 vs. HIPAA: Key Differences and When Each Applies
Overview of 42 CFR Part 2
What it protects and who it covers
42 CFR Part 2 sets federal confidentiality rules for substance use disorder (SUD) records. It governs records that identify someone as having, or having had, a substance use disorder when those records are created or maintained by a “Part 2 program.” Part 2 programs are federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment; some requirements also extend to lawful holders and Qualified Service Organizations that receive such records. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
“Federally assisted” is defined broadly and includes, for example, programs that participate in Medicare, are registered to dispense controlled substances used for SUD treatment, or otherwise receive federal funding or authorization. These rules strictly limit identifying disclosures and apply regardless of record format. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
Core confidentiality baseline
By default, Part 2 programs may not disclose patient-identifying SUD information unless a Part 2 exception applies, the patient gives written consent, or a court issues a qualifying order under Subpart E. Limited emergency and de-identified public health disclosures are permitted, but Part 2 keeps a higher privacy bar than general medical privacy rules. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Overview of HIPAA
What HIPAA regulates
HIPAA establishes national privacy standards for protected health information (PHI) handled by covered entities—health plans, health care providers that conduct standard transactions, and health care clearinghouses—and by their business associates. It permits use and disclosure of PHI without patient authorization for treatment, payment, and health care operations (often called “TPO”). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
Operational guardrails
For most non-treatment purposes, HIPAA’s minimum necessary standard requires you to limit PHI to what’s reasonably needed. HIPAA also includes a Breach Notification Rule requiring notices to affected individuals (and, in some cases, HHS and the media) without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/minimum-necessary-requirement/index.html?utm_source=openai))
Consent Requirements Comparison
Part 2: written consent remains foundational
Part 2 has long required specific, written patient consent for most disclosures. Under the 2024 final rule, patients may now give a single consent for all future treatment, payment, and health care operations disclosures (“TPO consent”). Covered entities and business associates that receive Part 2 records under a TPO consent may redisclose in line with HIPAA, but records still cannot be used against the patient in legal proceedings without a Part 2–compliant court order or patient consent. SUD counseling notes are newly defined and require separate, specific consent. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
HIPAA: authorization generally not required for TPO
HIPAA allows health care operations disclosures, as well as treatment and payment uses, without obtaining a patient’s authorization, provided other HIPAA conditions are met. Uses and disclosures outside those core purposes (for example, most marketing) generally require an authorization. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.506?utm_source=openai))
How the two interact after alignment
When a HIPAA covered entity or business associate receives Part 2 records under a TPO consent, HIPAA rules govern most subsequent sharing, but Part 2’s litigation prohibition still applies. This alignment aims to reduce care-coordination friction while preserving heightened SUD protections. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
Use of Records in Legal Proceedings
Part 2’s Legal Proceedings Restrictions
Part 2 imposes strict limits: SUD records and testimony relaying their contents generally cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against a patient without patient consent or a qualifying court order under Subpart E. Orders for noncriminal matters (42 CFR § 2.64) require specific findings and procedural safeguards. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
HIPAA’s litigation pathway
HIPAA permits disclosures for judicial and administrative proceedings under 45 CFR 164.512(e) when process requirements are met (for example, a court order or subpoena with satisfactory assurances). HIPAA also outlines limited, conditional disclosures to law enforcement under 45 CFR 164.512(f). Compared to Part 2, HIPAA is more permissive in the litigation context. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/judicial-and-administrative-proceedings/index.html?utm_source=openai))
Recent Regulatory Changes
Part 2 modernization and alignment
- Final rule effective April 16, 2024; compliance required by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
- Enables single TPO consent; allows redisclosure under HIPAA; adds a prohibition on using records against patients absent consent or court order. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Aligns Civil and Criminal Penalties with HIPAA; applies the HIPAA Breach Notification framework to Part 2 records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Clarifies that segregation/segmentation of Part 2 data is not required and introduces SUD counseling notes protections; creates a safe harbor for investigative agencies acting with reasonable diligence. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- OCR was delegated authority to administer and enforce Part 2 on August 25, 2025. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))
HIPAA reproductive health privacy rule litigation
HHS finalized Privacy Rule amendments on April 26, 2024 to strengthen reproductive health privacy, but on June 18, 2025, the U.S. District Court for the Northern District of Texas vacated most of that rule nationwide. NPP updates unrelated to the vacated provisions remain, with a compliance date of February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/final-rule-fact-sheet/index.html))
Applicability and Scope
When Part 2 applies
Part 2 applies to SUD records from Federally Assisted Programs that provide SUD diagnosis, treatment, or referral and “hold themselves out” as providing those services. It also binds lawful holders and certain intermediaries that receive Part 2 records. A provider that is not a Part 2 program may document SUD information in the medical record without converting that record into a Part 2 record. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
When HIPAA applies
HIPAA governs PHI maintained or transmitted by covered entities and their business associates. If your organization is a HIPAA covered entity that also qualifies as a Part 2 program, both frameworks apply; the stricter Part 2 provisions control for SUD-identifying information, while HIPAA governs other PHI and overall privacy, security, and breach duties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
Penalties and Enforcement
Civil and Criminal Penalties
HIPAA violations are enforced under the HIPAA Enforcement Rule (45 CFR Part 160, Subparts C–E) with civil money penalties that vary by culpability tier, and certain violations may trigger criminal exposure under 42 U.S.C. § 1320d‑6. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/enforcement-rule/index.html?utm_source=openai))
Part 2 now aligns its enforcement with HIPAA: OCR investigates complaints, conducts reviews, and may impose civil money penalties; the HIPAA Breach Notification obligations also apply to breaches of Part 2 records. Beginning February 16, 2026, individuals may file Part 2 complaints with OCR. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Under HIPAA’s Breach Notification Rule, covered entities must notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach of unsecured PHI; media and HHS notification may also be required depending on impact. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
FAQs
What types of programs does 42 CFR Part 2 apply to?
Part 2 covers Federally Assisted Programs that provide SUD diagnosis, treatment, or referral—such as specialty SUD clinics, identified SUD units within general hospitals, school‑based programs, and private practitioners that hold themselves out as SUD providers. Federal assistance can include Medicare participation, DEA registration to dispense SUD medications, or other federal authorizations or funding. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
How does HIPAA handle disclosures without patient consent?
HIPAA generally permits disclosures for treatment, payment, and health care operations without an authorization, and it allows certain additional disclosures (for example, specific law enforcement or oversight needs) when detailed conditions are met. Uses outside these pathways typically require an authorization. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.506?utm_source=openai))
When are SUD records allowed in legal proceedings?
Part 2 tightly limits litigation use. A Part 2 record or testimony relaying its contents may be used or disclosed only with the patient’s consent or via a Part 2 court order that meets Subpart E standards (for example, good‑cause findings under § 2.64). Even when HIPAA would otherwise allow disclosure, Part 2’s litigation bar controls for SUD‑identifying records. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12))
What are the penalties for violating 42 CFR Part 2?
As of February 16, 2026, OCR enforces Part 2 using HIPAA’s civil money penalty framework and may also refer appropriate matters for criminal enforcement under 42 U.S.C. § 1320d‑6. Part 2 programs must also follow HIPAA Breach Notification requirements when unsecured SUD records are breached. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))