California Substance Abuse Record Privacy Laws: A Plain-English Guide for Patients and Providers

Confidentiality of Treatment Records

California Health and Safety Code § 11845.5 makes the identity, diagnosis, prognosis, and treatment information of patients in substance use disorder programs confidential. These Substance Use Disorder Treatment Records are protected by strong Substance Abuse Confidentiality rules and a patient privilege that limits when anyone may see or use them.

These protections sit on top of HIPAA and California’s broader medical privacy laws and work alongside 42 C.F.R. Part 2, the federal confidentiality regulation for SUD programs. When the rules differ, you generally follow the most protective requirement for the records at issue.

This overview is for education, not legal advice. Always confirm how the rules apply to your specific program, payer type, and patient population before disclosing any information.

Authorization and Patient Consent Requirements

Outside narrow exceptions, § 11845.5 and 42 C.F.R. Part 2 require a valid, written authorization before disclosing SUD records. As of 2026, a single patient consent may allow HIPAA-covered entities to use and redisclose Part 2 information for treatment, payment, and health care operations, but only within the limits specified by the consent and applicable law.

What a valid authorization should include

• Whose records are involved and what specific information may be shared.
• The purpose of the disclosure and who may receive the records.
• An expiration date or event, the patient’s signature and date, and a statement about revoking consent.
• Clear limits on further use and redisclosure consistent with Part 2 and state law.

Who may sign

• The adult patient.
• A minor who can legally consent to their own SUD care under California law.
• A parent, guardian, or court-appointed conservator when state law authorizes them to act, or when the patient lacks capacity.

Authorizations should be specific, time-limited, and no broader than necessary. Even with consent, disclose only what is reasonably needed for the stated purpose.

Exceptions to Consent for Disclosure

Both § 11845.5 and 42 C.F.R. Part 2 recognize limited scenarios where consent is not required. Apply the narrowest reading, document your reasoning, and disclose the minimum necessary.

• Medical Emergency Disclosure: When an immediate health threat requires information to diagnose or treat the patient, you may disclose essential details to medical personnel and must document the emergency and what was shared.
• Internal communications: Sharing within a program or among entities with a direct care relationship for coordination of care as permitted by law.
• Qualified service providers: Disclosures to vendors under written qualified service organization agreements for services like billing, EHR hosting, or lab work.
• Research, audit, and evaluation: Allowed under strict privacy safeguards and, where applicable, institutional or legal approvals.
• Mandatory reports: Required disclosures such as suspected child, elder, or dependent adult abuse or neglect, made only to the designated agencies.
• Crimes on program premises or against staff: Limited information may be reported to law enforcement about the incident and the suspect.
• De-identified or aggregate data: Information stripped of identifiers that cannot reasonably identify a patient.
• Court orders: Disclosures made only in accordance with a specific court order that meets Part 2 requirements (see below).

Court-Ordered Disclosure Procedures

For Court Orders for Health Records involving SUD information, a subpoena alone is not enough. Courts must issue a special order that meets 42 C.F.R. Part 2 standards and any California requirements before a program discloses protected records.

What courts must find

• Good cause: The court balances the public interest and need for the information against the patient’s privacy and the potential harm to treatment services.
• No alternative: The information cannot be obtained by other means.
• Narrow scope: The order must limit what is disclosed, who may see it, how long it may be used, and include protective measures (such as sealing and no-redisclosure terms).
• Notice and opportunity to be heard: The patient and program generally receive notice, unless the court finds good cause for an ex parte order consistent with the rules.

Extra limits in criminal matters

• Part 2 sharply restricts using patient records to investigate or prosecute a patient for a crime, allowing such use only under very limited, specified circumstances.

Practical steps for programs

• Verify that a proper Part 2-compliant order exists; do not rely on a subpoena alone.
• Consult counsel, disclose only the minimum ordered, and mark productions with required confidentiality notices.
• Maintain a disclosure log and retain the court order with the record.

Federal Confidentiality Regulations

42 C.F.R. Part 2 applies to most federally assisted SUD programs and protects patient identity and records beyond general HIPAA rules. It is designed to remove fears that treatment information could be used against a patient in court, employment, housing, or family life.

Under updates implemented by 2026, Part 2 is more closely aligned with HIPAA for treatment, payment, and health care operations when a patient gives a single, informed consent. HIPAA’s breach-notification and enforcement frameworks now generally apply to Part 2 violations, while core protections remain: tight limits on legal process, strong redisclosure controls, and continued emphasis on patient choice.

Programs should segment SUD data in their EHRs, train staff on Part 2 and state law, and ensure business associate or qualified service organization agreements reflect Part 2 duties.

Rights of Minors and Dependent Adults

California often allows minors aged 12 and older to consent to counseling and certain treatment for a drug or alcohol problem. When a minor can consent to care, they generally control disclosures of their SUD records; parents or guardians cannot access them without the minor’s written authorization unless an exception applies or state law specifically permits limited involvement for the patient’s best interest.

If a parent or guardian consented to the minor’s treatment, they may authorize disclosures consistent with California law and Part 2. In close calls, obtaining signatures from both the minor and the parent or guardian reduces risk.

For dependent adults or patients lacking capacity, a legally authorized representative (such as a court-appointed conservator or health care agent) may consent to disclosure within the scope of their authority. Mandatory reporting duties and emergency exceptions still apply.

Enforcement and Penalties for Violations

Federal enforcement of Part 2 now largely mirrors HIPAA. Civil monetary penalties can apply for wrongful uses or disclosures, with tiers based on the level of culpability, and criminal penalties are possible for knowing, intentional violations.

In California, improper disclosure of medical information—including SUD records—can trigger statutory damages, actual damages, attorney’s fees, administrative fines, and possible professional discipline. Courts may also sanction parties for violating protective orders and restrict how improperly obtained information may be used.

Key takeaways

• Treat SUD records as uniquely sensitive and default to non-disclosure unless a valid consent or clear exception applies.
• Use precise, time-limited authorizations and disclose only the minimum necessary.
• Do not release records on a subpoena alone; require a Part 2-compliant court order.
• Document emergencies, mandatory reports, and all disclosures to maintain compliance.

FAQs

When can substance abuse records be disclosed without patient consent?

Only in narrow situations such as a bona fide medical emergency, mandated reports of abuse or neglect, limited reports of crimes on program premises or against staff, qualified research/audit/evaluation, internal care coordination as permitted, and disclosures made under a valid Part 2-compliant court order. Even then, share the minimum necessary and document the basis.

What procedures must courts follow to access substance abuse records?

Courts must issue a specific order after finding good cause, determining the information cannot be obtained otherwise, and crafting narrow limits on scope, recipients, duration, and redisclosure. Patients and programs typically receive notice and a chance to be heard, and the records are often sealed with strict protective conditions.

How does California law protect minors’ treatment information?

When a minor (often age 12 or older) can consent to substance use disorder care, they generally control access to their records. Parents or guardians cannot receive those records without the minor’s written authorization unless an exception applies or limited involvement is permitted by state law for the minor’s best interest. Part 2 reinforces these confidentiality rights.

What are the penalties for unlawful disclosure of substance abuse records?

Violations can lead to federal civil monetary penalties and potential criminal liability under Part 2’s HIPAA-aligned framework. California law also permits statutory and actual damages, attorney’s fees, administrative fines, professional discipline, and court sanctions for violating protective orders or confidentiality requirements.