District of Columbia Substance Abuse Record Privacy Laws: What Patients and Providers Need to Know
Confidentiality of Substance Abuse Records
Substance use disorder (SUD) treatment information is protected by one of the strictest U.S. privacy laws: 42 U.S. Code § 290dd-2 and its implementing rules (often called “Part 2”). These rules layer on top of HIPAA and, in many situations, are more protective, limiting who may see your diagnosis, treatment, or referral records and how they may be used.
Part 2 generally applies to programs that provide SUD diagnosis, treatment, or referral and are federally assisted. Covered “records” include any information that would identify you as having sought or received SUD services, whether on paper, in an EHR, or through a health information exchange.
Providers must adopt clear confidentiality policies, train staff regularly, and display the required confidentiality notice that restricts redisclosure. As a rule, recipients of Part 2 records may not redisclose them unless you give written consent or a specific exception applies.
- Core rule: no use or disclosure without valid patient written consent, unless a Part 2 exception applies.
- Redisclosure limits: recipients are bound by Part 2 unless another rule specifically permits redisclosure.
- Document everything: programs must track and document disclosures allowed under exceptions.
Permitted Disclosure of Records
With patient written consent
You may authorize sharing by signing a Part 2–compliant consent that specifies who may receive your information, the purpose, what will be shared, and how long the consent lasts. A single consent may allow disclosures for treatment, payment, and health care operations among covered entities, and you can revoke consent at any time in writing.
Without consent (narrow exceptions)
- Medical emergencies: disclosures to medical personnel when there is an immediate threat to your health and you cannot consent; the program must document the emergency.
- Research, audit, and evaluation: permitted under strict conditions (for example, IRB/Privacy Board approval or government oversight) with safeguards against re-identification.
- Crimes on program premises or against staff: limited information may be disclosed to law enforcement.
- Child abuse or neglect reporting: mandatory reports may be made as required by law.
- De-identified or aggregate data: information stripped of identifiers may be shared for public health or quality improvement.
Court-ordered disclosure
Court-ordered disclosure is allowed only under a specialized, Part 2–compliant order after the court finds good cause, narrowly limits what may be disclosed, and imposes protective conditions. General subpoenas or routine discovery requests are not enough; programs should seek legal review before responding to any order.
Qualified service organizations
Vendors that support your program (for example, billing, EHR hosting, or lab services) may receive records under a Qualified Service Organization agreement, which binds them to Part 2 protections and prohibits unauthorized redisclosure.
Patient Access to Records
You generally have the right to inspect or obtain a copy of your own SUD treatment records. Programs may ask for a written request and must respond within a reasonable timeframe, typically consistent with HIPAA’s 30-day standard (with limited extensions). Reasonable, cost-based fees for copies may apply, but access cannot be denied because of unpaid bills.
- How to request: submit a dated, signed request identifying the records and delivery format you want (paper or electronic).
- What you can expect: a copy of your records or a timely written explanation of any lawful denial (for example, psychotherapy notes are treated differently under HIPAA).
- Corrections: you may request an amendment; if denied, you can add a statement of disagreement to your file.
Federal Regulations on Substance Abuse Records
Federal protections arise from 42 U.S. Code § 290dd-2 and regulations known as 42 CFR Part 2. Recent updates modernized Part 2 to align more closely with HIPAA, including allowing a single consent for treatment, payment, and health care operations and applying HIPAA-style safeguards, penalties, and breach notification to Part 2 records.
Part 2 strictly limits use of SUD records in legal proceedings against you. Even when records are shared with consent for care coordination, recipients generally must handle them under HIPAA standards and may not use them to investigate or prosecute you without either your consent or a proper court order.
De-identification standards now mirror HIPAA, enabling safe use of data for quality improvement and public health without exposing patient identities. Programs should ensure Notices of Privacy Practices and confidentiality policies reflect these updates.
District of Columbia Specific Laws
The District of Columbia complements federal rules with local requirements that govern health information generally and SUD information specifically. District provisions such as D.C. Code § 7–3006 operate alongside Part 2 and HIPAA, adding duties for providers that practice in the District.
Oversight of SUD services is housed within the District’s Department of Behavioral Health (formerly the Addiction Prevention and Recovery Administration). Providers should align their confidentiality policies with District reporting obligations, youth-consent rules where applicable, and any program licensing standards that reference SUD record handling.
In practice, this means verifying that your consent forms meet both Part 2 and District requirements, ensuring staff understand local mandatory-reporting triggers, and documenting disclosures in ways that satisfy District recordkeeping rules.
Record Maintenance and Security
Protecting SUD information requires secure record storage, disciplined access control, and auditable processes. Your policies should specify who may access records, for what purpose, and how access is approved, logged, and reviewed.
- Secure record storage: encrypt data at rest and in transit; use multi-factor authentication; restrict access by role; and maintain detailed access logs.
- Segmentation and tagging: clearly flag Part 2 records in the EHR/HIE so they are shared only with proper consent or under an exception.
- Vendor management: execute Qualified Service Organization or HIPAA Business Associate agreements and vet vendors’ security practices.
- Paper safeguards: lock paper files, control keys, and use secure bins and certified shredding for disposal.
- Training and drills: conduct onboarding and annual refreshers on confidentiality policies, and practice breach and subpoena response workflows.
- Minimum necessary: limit what is accessed or disclosed to the least amount of information required for the stated purpose.
Exceptions to Confidentiality
While patient written consent is the default, the law recognizes narrow exceptions. Providers should verify the legal basis for any disclosure and record the reason, recipient, date, and content shared.
- Medical emergencies requiring immediate treatment when consent cannot be obtained.
- Research, audit, or evaluation under approved protocols and data protections.
- Reports of suspected child abuse or neglect as required by law.
- Crimes on program premises or directed at staff, disclosed to law enforcement within limits.
- Court-ordered disclosure under a Part 2–compliant order, crafted as narrowly as possible.
- De-identified or aggregate data that cannot reasonably identify an individual.
Patient Rights and Protections
You have strong rights over your SUD information. You control most disclosures through consent, may access and obtain copies of your records, and can revoke consent to stop future sharing. You can also ask a provider to limit certain uses or disclosures, especially when you pay in full out of pocket.
Federal reforms strengthened protections against using SUD records in legal proceedings against you and aligned penalties with HIPAA for improper disclosures. You can expect clear notices describing how your information is used, and you may request an accounting of certain disclosures.
If you believe your rights were violated, you may file a complaint with the program and with appropriate federal or District authorities. Providers should maintain easy-to-follow procedures for complaints and non-retaliation policies.
Conclusion
District patients and providers operate under robust, layered privacy rules. By centering consent, honoring narrow exceptions, keeping secure record storage, and maintaining clear confidentiality policies, you can protect SUD information while enabling safe, coordinated care under both federal law (including 42 U.S. Code § 290dd-2) and District requirements such as D.C. Code § 7–3006.
FAQs
What protections exist for substance abuse records in the District of Columbia?
Records are protected by federal law—primarily 42 U.S. Code § 290dd-2 and 42 CFR Part 2—plus HIPAA and District rules. Together, they require patient written consent for most disclosures, restrict redisclosure, and impose strong security and accountability standards on programs operating in the District.
When can substance abuse records be disclosed without patient consent?
Only in limited circumstances, such as medical emergencies, approved research or audits, reports of child abuse or neglect, crimes on program premises, de-identified data uses, or a court-ordered disclosure that meets Part 2’s strict requirements. Routine subpoenas or general requests are not enough.
How can patients access their substance abuse treatment records?
Submit a signed, dated request to your provider identifying the records and format you want. Programs must respond within a reasonable timeframe, typically consistent with HIPAA’s 30-day standard, may charge a reasonable, cost-based copy fee, and cannot deny access because of unpaid bills.
What are provider obligations under D.C. substance abuse privacy laws?
Providers must implement confidentiality policies, obtain and document valid consents, limit disclosures to what the law allows, maintain secure record storage with role-based access and encryption, train staff, manage vendors under proper agreements, and align practices with federal rules and District requirements, including those associated with D.C. Code § 7–3006 and oversight formerly led by the Addiction Prevention and Recovery Administration.