HIPAA Checklist for Addiction Medicine Specialists (Including 42 CFR Part 2)


Kevin Henry

HIPAA

March 31, 2026


Addiction Medicine Treatment Considerations

Confirm your regulatory footprint

  • Determine whether you are a HIPAA covered entity, business associate, hybrid entity, and/or a “Part 2 program” for 42 CFR Part 2 compliance.
  • Map all points where substance use disorder (SUD) records are created, received, maintained, or transmitted, including EHRs, patient portals, eRx, PDMP queries, telehealth platforms, and care coordination tools.
  • Identify integrated-care touchpoints (primary care, mental health, pain management, ED, harm-reduction partners) where SUD patient confidentiality requirements must be enforced.

Operational safeguards for SUD data

  • Segment or tag SUD content in the EHR so access, disclosure logs, and redisclosure limits can be automated.
  • Apply role-based access, minimum-necessary use, and need-to-know break-glass controls for emergencies.
  • Use secure messaging, approved telehealth solutions, and closed-loop referral workflows that respect legal protections for SUD records.
  • Train your workforce annually on HIPAA and 42 CFR Part 2, with scenario-based refreshers for front desk, nursing, prescribers, and billing.

Documents you should maintain

  • HIPAA policies and procedures; Part 2-specific policies; incident response and breach notification protocol.
  • Business associate agreements (BAAs) and qualified service organization agreements (QSOAs), as applicable.
  • Patient-facing materials: privacy notices, model notices, consent and revocation forms, complaint process.
  • Audit logs for access/disclosure, records of patient requests, sanctions, and training attestations.

Patient Confidentiality Requirements

Part 2 sets stricter rules for SUD patient confidentiality than HIPAA. If you are a Part 2 program, you generally may not disclose identifiable SUD records without the patient’s written consent. Apply the minimum necessary standard and ensure redisclosure limits are preserved downstream. The limited circumstances in which disclosure is permitted without consent include:

  • Medical emergencies, where immediate disclosure is needed to treat an acute condition.
  • Reports of suspected child abuse or neglect, consistent with law.
  • Crimes on program premises or against program personnel (limited information set).
  • Qualified audits, evaluations, and certain research activities with required safeguards.
  • Court orders that meet Part 2’s specific criteria.
  • De-identified information that cannot reasonably identify a patient.

Redisclosure limitations

  • Accompany each permitted disclosure of SUD records with a Part 2 redisclosure notice, alerting recipients that further sharing is restricted.
  • Where a patient grants a single consent authorization for treatment, payment, and health care operations (TPO), recipients may redisclose only as allowed by that consent and applicable privacy laws—never to pursue legal action against the patient absent a qualifying court order.

Part 2 requires written consent for most disclosures. The 2024 updates allow a single consent authorization for future TPO uses and disclosures, reducing repetitive form collection while preserving heightened privacy.

  • Collect written or electronic consent that includes: patient identity; description of information; purpose; recipient(s) or class of recipients; right to revoke; expiration; signature and date.
  • Use layered consent options: TPO single consent authorization, plus optional, more limited consents (e.g., to a specific family member or community partner).
  • Automate consent management: version control; flag expired or revoked consents; display consent status at the point of disclosure.
  • For minors, follow state law on who may consent to SUD treatment and who may receive information; when minors consent, parents may be restricted from access without the minor’s authorization unless an exception applies.
  • Document each disclosure made under consent and retain logs to support accounting-of-disclosures rights and audits.

Part 2 erects strong legal protections for SUD records. In general, records cannot be used to initiate or substantiate criminal charges or be introduced in civil, criminal, administrative, or legislative proceedings against a patient without the patient’s consent or a Part 2–compliant court order.

Litigation and law enforcement safeguards

  • Do not respond to subpoenas or discovery requests for SUD records unless accompanied by a Part 2–compliant court order; consult counsel and your privacy officer.
  • Limit disclosures about crimes on premises or against personnel to the minimum facts necessary.
  • Maintain a litigation hold and secure channel for legal requests; log receipt, review, and disposition of each request.
  • Train staff to escalate any request for SUD records to compliance before responding.

Breach Notification and Reporting

Apply the HIPAA Breach Notification Rule to unsecured SUD and other PHI. Presume a breach unless a documented risk assessment shows a low probability of compromise. Your breach notification protocol should be tested and time-bound.

Timeframes and required notices

  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • For breaches affecting 500 or more individuals in a state or jurisdiction, notify the HHS Secretary and prominent media within 60 days of discovery.
  • For fewer than 500 individuals, report to HHS no later than 60 days after the end of the calendar year in which the breach was discovered, and notify each affected individual as above.
  • Coordinate with business associates/QSOs to ensure prompt reporting and documentation.

Content and documentation

  • Include what happened, the types of information involved, steps individuals should take, your mitigation and containment actions, and contact information.
  • Complete a four-factor risk assessment, preserve forensic artifacts, apply sanctions where appropriate, and update safeguards to prevent recurrence.
  • Retain incident files, determinations, and notices for audit and Office for Civil Rights enforcement review.

Privacy Notices and Model Notices

Update your Notice of Privacy Practices to reflect privacy notice requirements that address SUD patient confidentiality and Part 2. Use plain language, make it available at first service, post it prominently in your facility and online, and document distribution.

What to include

  • A description of how you use and disclose SUD records, the role of single consent authorization for TPO, and restrictions on redisclosure.
  • Patient rights: access, amendments, complaints (including how to contact your privacy office and the U.S. Department of Health and Human Services), and accounting of disclosures as applicable.
  • Your duties: safeguard information, follow the notice, and notify patients following certain breaches.
  • Language access and alternate formats for meaningful access.
  • Use current HHS model language for Part 2 where available, adapting it to your operations.

Enforcement and Compliance Reviews

The HHS Office for Civil Rights enforces HIPAA and now also oversees many aspects of Part 2. Expect desk or on-site reviews, document requests, and timelines. Outcomes may include closure with technical assistance, a corrective action plan, or civil monetary penalties for willful neglect or persistent noncompliance.

Readiness checklist

  • Designate privacy and security officers with clear authority and escalation pathways.
  • Maintain up-to-date risk analyses, policies, training records, BAAs/QSOAs, consent logs, access logs, and incident response files.
  • Perform internal audits of disclosures and redisclosure notices; test emergency access and breach drills at least annually.
  • Embed SUD safeguards into new projects through a documented privacy and security-by-design review.

Conclusion

Protecting SUD patient confidentiality requires blending HIPAA’s standards with 42 CFR Part 2’s heightened rules. By segmenting data, using single consent authorization appropriately, tightening redisclosure controls, maintaining a tested breach notification protocol, and preparing for Office for Civil Rights enforcement, you create a durable compliance program that supports patient trust and coordinated addiction care.

FAQs

What are the key confidentiality protections under 42 CFR Part 2?

Part 2 tightly restricts disclosures of identifiable SUD records without patient consent and bars using those records against a patient in legal proceedings absent a qualifying court order. Limited exceptions allow disclosures (e.g., medical emergencies, mandated child-abuse reports, audits/evaluations, certain research). Each disclosure must preserve redisclosure limits, and systems should segment SUD data to enforce these protections.

Patients may authorize a single, durable consent for future treatment, payment, and health care operations disclosures of their Part 2 records. You should capture required consent elements, support electronic signatures, display consent status at the point of use, and allow revocation at any time. Recipients may only use and redisclose as permitted by the consent and applicable law, never to pursue legal action against the patient without a proper court order.

What are the breach notification requirements for Part 2 programs?

Follow the HIPAA Breach Notification Rule for unsecured SUD information: conduct a risk assessment, notify affected individuals without unreasonable delay and within 60 days of discovery, notify HHS (and the media for large breaches), and document containment and mitigation. Coordinate closely with business associates and QSOs to ensure timely reporting and complete incident files.

How is noncompliance with Part 2 enforced?

The HHS Office for Civil Rights enforces Part 2 alongside HIPAA, using investigations, compliance reviews, and resolution tools such as corrective action plans and civil monetary penalties. Maintaining current policies, workforce training, consent/disclosure logs, and breach response documentation is essential to demonstrate good-faith compliance during OCR reviews.
