Colorado Substance Abuse Record Privacy Laws Explained: Confidentiality, 42 CFR Part 2, and Your Rights

Overview of 42 CFR Part 2

42 CFR Part 2 is the federal confidentiality rule that specifically protects substance use disorder (SUD) treatment records. It applies to federally assisted SUD programs—such as clinics, hospitals, and individual practitioners that receive federal funds, participate in federal assistance programs, or hold a federal DEA registration—and to their contractors performing services on their behalf.

The rule safeguards any information that could identify you as seeking, being diagnosed with, or receiving SUD services. Compared with HIPAA, 42 CFR Part 2 sets stricter limits on when your records can be disclosed and tightly controls any re-disclosure by recipients.

What records are covered

• Intake, screening, diagnosis, treatment notes, counseling summaries, and medication records (e.g., MOUD).
• Billing, scheduling, referral, and care coordination documents that reveal a SUD diagnosis or treatment.
• Electronic health records and paper files maintained by a Part 2 program or its contractors.

De-identified information that cannot reasonably identify you may be used for analytics or research data anonymization. When records are identifiable, Part 2 controls unless an exception applies or you give valid consent.

How Part 2 relates to HIPAA

HIPAA sets a broad privacy baseline for health information. 42 CFR Part 2 adds extra protections for SUD information and generally prevails when it is more protective. Recent federal changes emphasize HIPAA-HITECH alignment, including breach notification and stronger patient access and transparency requirements.

Patient Consent Requirements

Outside narrow exceptions, a Part 2 program needs your written permission to disclose SUD records. Consent must be specific, informed, and revocable.

Elements of a valid consent

• Your name and a meaningful description of the information to be disclosed.
• The name of the individual, organization, or a defined class of recipients authorized to receive the information.
• The purpose of the disclosure (for example, care coordination, payment, or a specific service).
• A statement that you may revoke consent at any time, and the date, event, or condition when consent expires.
• Your signature and date; electronic signatures may be used if valid under applicable law.

Re-disclosure rules after consent

Part 2 includes a “prohibition on re-disclosure,” meaning recipients generally cannot share your SUD information further unless you consent again or an exception allows it. Under more recent rules, if you authorize disclosure for treatment, payment, and health care operations, HIPAA-covered recipients and their business associates may re-disclose as HIPAA permits for those purposes—but not for law enforcement or other uses that Part 2 forbids.

Revoking consent and expiration

You can revoke your consent at any time, in writing. Revocation stops new disclosures but does not undo disclosures already made while the consent was valid. Consents also expire on the stated date, event, or condition.

State Law Alignment

Colorado law complements federal protections. Colorado Revised Statutes Section 27-82-109 emphasizes patient confidentiality for behavioral health records and restricts disclosures without proper authorization or a legal basis. When state law is more protective, the stronger standard applies; when state law conflicts with 42 CFR Part 2, the federal rule controls.

Practical impacts in Colorado

• Providers assess whether a record is Part 2-protected before sharing SUD information across care teams.
• Subpoenas or court requests must meet specific 42 CFR Part 2 standards before records can be released.
• Integrated care organizations use tailored consent forms and segmentation tools to separate SUD data from general medical records.

Exceptions to Consent Rules

Part 2 allows certain disclosures without your written consent. These are narrow and documented carefully.

• Medical emergencies: Limited information necessary to treat an immediate health threat.
• Research, audit, and evaluation: Disclosures to qualified researchers or oversight bodies under strict safeguards; researchers may also use data that has undergone research data anonymization.
• Qualified Service Organizations (QSOs): Contractors (e.g., labs, EHR vendors, billing services) may receive information under a QSO agreement.
• Court orders: A judge may authorize disclosure if stringent Part 2 criteria and due process are met.
• Crimes on program premises or against personnel: Limited reporting to law enforcement about the incident.
• Child abuse or neglect reporting: As required by law, to appropriate authorities.
• De-identified or aggregate information: When no individual can be identified.

Enforcement and Compliance

Compliance with 42 CFR Part 2 and Colorado confidentiality requirements is enforced through federal and state mechanisms. Recent federal updates extend HIPAA-style remedies and breach notification to Part 2 programs, with HHS Office for Civil Rights enforcement playing a central role alongside existing criminal penalties for intentional violations.

What providers must do

• Designate privacy leadership and maintain policies covering consent, re-disclosure, and data segmentation.
• Use updated, Part 2-compliant consent forms and provide clear patient notices.
• Execute QSO agreements with vendors and train workforce members annually.
• Track and document disclosures, retain required records, and follow breach notification procedures aligned with HIPAA-HITECH alignment.

Consequences for noncompliance

• Civil penalties, corrective action plans, and potential criminal liability for willful violations.
• Licensure, accreditation, or contracting impacts, plus reputational harm and loss of patient trust.

Patient Rights and Protections

You have strong rights over your SUD records. These rights promote transparency, control, and informed decision-making.

• Access and copies: Obtain your records in a reasonably timely manner, including electronic formats when available.
• Amendments: Request corrections if information is incomplete or inaccurate.
• Accounting and transparency: Receive required notices and, when applicable, a list of certain disclosures.
• Consent control: Authorize, limit, or revoke disclosures; set expiration terms.
• Confidential communications and restrictions: Ask that providers contact you in specific ways or restrict certain sharing, consistent with law.
• Freedom from discrimination: Protections limit the use of SUD records in legal proceedings and bar discriminatory uses.
• Complaints: File concerns with your provider and with federal authorities, including HHS for Office for Civil Rights enforcement, without retaliation.

How to exercise your rights

• Ask for the provider’s privacy notice and consent forms; review what will be shared and why.
• Submit written requests to access or amend records and to revoke prior consents.
• If an issue arises, document it and use the provider’s complaint process; escalate to regulators if necessary.

Recent Regulatory Updates

Congress revised the governing statute in the 2020 CARES Act to bring 42 CFR Part 2 closer to HIPAA, including the option to give a single consent for treatment, payment, and health care operations and to apply HIPAA/HITECH-style breach notification and penalties. Federal agencies subsequently issued a comprehensive final rule, effective in 2024 with a compliance date in 2026, to operationalize these changes.

Key changes at a glance

• HIPAA-HITECH alignment: Breach notification, civil penalties, and coordinated HHS Office for Civil Rights enforcement now extend to Part 2 programs.
• Single TPO consent: You may authorize broader sharing for treatment, payment, and operations across HIPAA-covered entities and business associates.
• Stronger transparency: Enhanced notice requirements and clearer patient rights to understand how SUD data is used and shared.
• Continued limits on non-health uses: Strict court-order standards and prohibitions on most law-enforcement re-disclosures remain.

In Colorado, providers are updating policies, consent forms, and vendor agreements to reflect these changes while maintaining protections embedded in Colorado law and 42 CFR Part 2.

FAQs

What records are protected under Colorado substance abuse privacy laws?

Records created or maintained by a federally assisted SUD program that identify you as being screened, diagnosed, referred, or treated for a substance use disorder are protected. This includes intake and treatment notes, medication and lab information, billing and scheduling that reveal SUD care, and electronic or paper files. Colorado protections—such as those reflected in Colorado Revised Statutes Section 27-82-109—operate alongside 42 CFR Part 2 to preserve patient confidentiality.

When can my substance abuse records be disclosed without my consent?

Disclosures without consent are limited to well-defined situations: medical emergencies; qualified research, audits, and evaluations under safeguards (including use of de-identified data through research data anonymization); services by Qualified Service Organizations; court orders that meet strict Part 2 standards; reporting suspected child abuse or neglect; crimes on program premises or against staff; and sharing of de-identified or aggregate information. Routine disclosures typically require your written consent.

How does Colorado law align with federal confidentiality regulations?

Colorado law aligns with 42 CFR Part 2 by requiring patient confidentiality and restricting disclosures absent consent or a legal basis. Where Colorado law is more protective, its standard applies; when there is conflict, the federal rule controls. References in state law, including Colorado Revised Statutes Section 27-82-109, work in tandem with federal protections to ensure your SUD information is handled with heightened care.

What rights do patients have regarding their substance abuse records?

You may access and obtain copies of your records, request amendments, and control how your information is shared by granting, limiting, or revoking consent. You can request confidential communications or additional restrictions, receive required notices and certain disclosures lists, and file complaints—without retaliation—with your provider and federal regulators involved in Office for Civil Rights enforcement. These rights reflect both Colorado protections and the heightened safeguards in 42 CFR Part 2, strengthened by HIPAA-HITECH alignment.