Georgia Substance Abuse Record Privacy Laws: What Patients and Providers Need to Know

Kevin Henry

Data Privacy

January 18, 2026

Federal Part 2 Regulations

Under 42 CFR Part 2, substance use disorder records receive heightened protection beyond standard medical privacy rules. If you operate a treatment program or lawfully hold Substance Use Disorder Records, you must treat patient-identifying information as confidential and disclose it only as Part 2 permits. In 2024, HHS finalized major updates aligning certain elements with HIPAA—most notably allowing a single patient consent for future treatment, payment, and health care operations (TPO). The rule took effect April 16, 2024, with a compliance date of February 16, 2026, and OCR now enforces Part 2. These records still cannot be used in legal proceedings against a patient without specific consent or a court order plus a subpoena (or similar legal mandate). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))

Part 2’s core purpose is to ensure Treatment Program Confidentiality so people are not deterred from seeking care. The regulation applies to “Part 2 programs” and other lawful holders and restricts use and disclosure of patient records in civil, criminal, administrative, or legislative proceedings, subject to narrow exceptions. ([ecfr.io](https://ecfr.io/Title-42/Section-2.2?utm_source=openai))

Georgia State Confidentiality Statutes

Georgia adds state-level protections that work alongside Part 2. Georgia Code Section 26-5-17 requires confidentiality for records and communications of a “drug dependent person” obtaining services from a licensed program. Disclosure generally requires the patient’s written authorization; otherwise, release follows a court order issued after a full and fair show‑cause hearing. The statute also permits limited, non–patient-identifying access for DBHDD licensing purposes. ([law.justia.com](https://law.justia.com/codes/georgia/title-26/chapter-5/article-1/section-26-5-17/))

For individuals treated under the state mental health and substance use framework, O.C.G.A. § 37-7-166 makes clinical records confidential and lists specific, narrow exceptions—such as disclosures to treating staff, bona fide medical emergencies, the patient’s attorney with consent, and production under a court order following a show‑cause hearing. ([law.justia.com](https://law.justia.com/codes/georgia/2023/title-37/chapter-7/article-6/part-2/section-37-7-166/))

Where a Georgia statute would require broader disclosure than Part 2 allows, Part 2 controls; state law cannot diminish federal SUD protections. Use these Georgia provisions to supplement, not replace, your 42 CFR Part 2 compliance. ([ecfr.io](https://ecfr.io/Title-42/Section-2.2?utm_source=openai))

DBHDD Policy Compliance

Georgia’s Department of Behavioral Health and Developmental Disabilities (DBHDD) requires a clear Behavioral Health Privacy Policy framework across its hospitals and programs. DBHDD’s HIPAA Policy 23‑101 (Notice of Privacy Practices) explains how protected health information is used and disclosed and how individuals can access their information. Providers should ensure their posted NPP reflects the 2024 Part 2 changes by the February 16, 2026 compliance date. ([dbhdd.georgia.gov](https://dbhdd.georgia.gov/organization/be-informed/privacy-rules-regulations))

DBHDD’s Patient’s Rights rules also require facilities to inform individuals of their rights and to train staff accordingly—foundational steps for HIPAA Compliance and Part 2 adherence in daily operations. ([dbhdd.georgia.gov](https://dbhdd.georgia.gov/document/document/patients-rights-regs-final-sospdf/download))

Outside a valid, Part 2‑compliant consent (now often a single TPO consent), disclosure is permitted only in limited circumstances. Key pathways include: ([ecfr.io](https://ecfr.io/Title-42/Part-2/Subpart-D))

  • Medical emergencies: Disclose to medical personnel as needed when an immediate threat exists and prior consent cannot be obtained. Document the emergency disclosure. ([ecfr.io](https://ecfr.io/Title-42/Part-2/Subpart-D))
  • Scientific research: Allowed under strict conditions, including IRB or equivalent safeguards and compliance with human‑subjects rules. ([ecfr.io](https://ecfr.io/Title-42/Part-2/Subpart-D))
  • Management audits, financial audits, and program evaluation: Disclose to authorized auditors/evaluators, with redisclosure limits. ([ecfr.io](https://ecfr.io/Title-42/Part-2/Subpart-D))
  • Court‑Authorized Disclosure: A court can authorize use/disclosure under Subpart E, but to actually compel production you also need a subpoena or similar compulsory process. Orders are narrowly tailored and must meet detailed criteria. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/part-2?utm_source=openai))
  • Crimes on program premises or against program personnel: Programs may disclose limited information to law enforcement about incidents directly related to such crimes or threats. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))

Patient Rights and Protections

As a patient in Georgia, your Substance Use Disorder Records are safeguarded under both 42 CFR Part 2 and Georgia statutes. You control most disclosures through written consent, and—after the 2024 rule—may use one consent for ongoing TPO uses/disclosures. Even then, SUD records cannot be used in legal proceedings against you without a compliant court order and subpoena (or similar legal mandate). ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html?utm_source=openai))

You also have HIPAA rights, including receiving a Notice of Privacy Practices and accessing your health information from HIPAA‑covered entities. DBHDD policy requires staff to inform you of your rights and how to exercise them, and OCR now enforces Part 2 using HIPAA’s enforcement framework. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))

Provider Responsibilities for Record Handling

To stay compliant, you should: (1) identify which records are Part 2‑protected, (2) use Part 2‑compliant consent forms—leveraging the single TPO option where appropriate, (3) maintain segmentation or tagging in your EHR to prevent unauthorized redisclosure, (4) train staff to recognize Part 2 records and exceptions, and (5) update your HIPAA Notice of Privacy Practices and internal policies by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))

Covered entities and business associates remain bound by HIPAA’s requirements when using/disclosing SUD information under a valid TPO consent, and OCR will apply HIPAA’s enforcement and breach-notification framework to Part 2 violations. Align your Behavioral Health Privacy Policy, logging, and auditing practices accordingly. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html?utm_source=openai))

Exceptions for Public Health Reporting

Part 2 permits disclosure to a public health authority only if the data are de‑identified to HIPAA standards. That means removing or otherwise rendering impossible any patient identification under 45 CFR 164.514(b). If a public health agency needs identifiable information, you generally must obtain patient consent or proceed under another permissible Part 2 pathway (for example, a specific court order), because there is no broad “required by law” exception in Part 2 comparable to HIPAA. ([ecfr.io](https://ecfr.io/Title-42/Section-2.54))

Bottom line: Georgia providers should treat public health reporting for SUD data as a de‑identified reporting exercise unless a specific, Part 2‑compliant consent or court process authorizes identifiable disclosures. This approach preserves Georgia’s strong confidentiality statutes while meeting federal expectations. ([law.justia.com](https://law.justia.com/codes/georgia/title-26/chapter-5/article-1/section-26-5-17/))

FAQs

What are the key protections under Georgia substance abuse privacy laws?

Georgia law makes SUD treatment records confidential and limits disclosure to specific scenarios, such as written patient authorization or a court order issued after a full and fair show‑cause hearing. These state rules work in tandem with 42 CFR Part 2, which adds federal protections and prohibits using SUD records in legal proceedings against a patient without strict procedural safeguards. ([law.justia.com](https://law.justia.com/codes/georgia/title-26/chapter-5/article-1/section-26-5-17/))

Only in narrow situations, including bona fide medical emergencies, certain approved research, authorized audits/evaluations, de‑identified public health reporting, limited reports of crimes on program premises or against staff, and court‑authorized disclosures that meet Subpart E requirements. Each pathway carries strict conditions and documentation requirements. ([ecfr.io](https://ecfr.io/Title-42/Part-2/Subpart-D))

How do federal Part 2 regulations interact with Georgia state laws?

Part 2 sets the federal floor—its protections control if a state rule would allow broader disclosure. Georgia provisions like Georgia Code Section 26-5-17 and § 37‑7‑166 add detail on when records may be released (e.g., show‑cause hearings), but they cannot dilute Part 2’s confidentiality standards. ([law.justia.com](https://law.justia.com/codes/georgia/title-26/chapter-5/article-1/section-26-5-17/))

What responsibilities do providers have to maintain confidentiality?

Providers should classify and segregate SUD records, use Part 2‑compliant consent (including the single TPO option), train staff, and update their HIPAA Notice of Privacy Practices and internal procedures by February 16, 2026. OCR enforces Part 2 using HIPAA’s enforcement framework, so your HIPAA Compliance program—including breach response—must fully cover SUD information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html?utm_source=openai))
