HIPAA Rules for Opioid Addiction Treatment Records: What You Need to Know
HIPAA Privacy Rule Protections
HIPAA sets national privacy standards for patient health information (PHI), including opioid addiction treatment details held by HIPAA covered entities and their business associates. It limits uses and disclosures to what the Privacy Rule permits or what you authorize in writing, emphasizes the minimum necessary standard, and gives you rights such as access to your records and the ability to file complaints. The Office for Civil Rights (OCR) administers and enforces these protections. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))
Under HIPAA’s permitted purposes, providers may use or disclose PHI for treatment, payment, and health care operations (TPO) without separate authorization, but they must still safeguard confidentiality. When opioid use disorder care is documented in a HIPAA record that does not originate from a Part 2 program, HIPAA’s baseline rules apply; when Part 2 records are involved, additional protections described below may also attach. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))
42 CFR Part 2 Confidentiality Requirements
42 CFR Part 2 specifically protects the confidentiality of substance use disorder (SUD) treatment records from federally assisted treatment programs. “Federally assisted” is interpreted broadly and includes many programs that receive federal funds or are otherwise federally regulated. Part 2 generally requires written patient consent for disclosures and applies to “lawful holders” who receive Part 2 records, not just the originating program. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html?utm_source=openai))
Part 2 adds safeguards beyond HIPAA. Disclosures made with consent must include a prohibition on redisclosure notice to alert recipients that further sharing is restricted. In addition, Part 2 records and testimony may not be used to investigate or prosecute a patient without the patient’s consent or a court order meeting stringent criteria. ([samhsa.gov](https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs?utm_source=openai))
CARES Act Amendments Impact
The CARES Act (Section 3221) directed HHS to align key aspects of Part 2 with HIPAA and the HITECH Act. As implemented by HHS in 2024, these amendments allow a single patient consent for future TPO uses/disclosures, apply HIPAA’s breach notification framework to Part 2 records, and align civil and criminal penalties with HIPAA authorities—all while preserving core SUD confidentiality protections. ([public-inspection.federalregister.gov](https://public-inspection.federalregister.gov/2024-02544.pdf?utm_source=openai))
2024 Part 2 Final Rule Updates
What changed for consent and redisclosure
You can now give a single consent that authorizes future TPO uses and disclosures. HIPAA covered entities and business associates that receive Part 2 records under this consent may redisclose them consistent with HIPAA, though those records still cannot be used in legal proceedings against you without specific consent or a qualifying court order. Each disclosure must include either a copy of your consent or a clear explanation of its scope. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
New safeguards and patient rights
The rule clarifies that segregating or segmenting Part 2 data is not required to comply, easing integration with other medical records. It creates a “safe harbor” for investigative agencies that exercise reasonable diligence before demanding records, establishes a right to file complaints directly with the HHS Secretary, and defines specially protected SUD counseling notes that require separate consent—similar to HIPAA’s psychotherapy notes. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Public health and breach alignment
Part 2 programs may disclose de-identified data to public health authorities using HIPAA’s de-identification standard. Breach notification requirements are now the same as HIPAA’s, including obligations for timely notice after discovering a breach of unsecured Part 2 records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Compliance date
Entities subject to Part 2 must comply with the final rule by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Enforcement and Penalties for Violations
OCR enforces the HIPAA Privacy, Security, and Breach Notification Rules and now operates a civil enforcement program for Part 2. Starting February 16, 2026, OCR investigates complaints, enters resolution agreements, requires corrective action, and, when appropriate, imposes civil money penalties aligned with HIPAA’s tiered penalty structure. Criminal penalties may also apply for certain wrongful disclosures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html?utm_source=openai))
Your breach notification obligations also track HIPAA: notify affected individuals without unreasonable delay and no later than 60 days after discovering a breach; notify HHS (and, for larger incidents, the media) as required. These breach notification obligations now expressly apply to unsecured Part 2 records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))
Privacy Notice Obligations
By February 16, 2026, HIPAA covered entities must update their Notice of Privacy Practices (NPP) to include information about SUD records protected by Part 2. Federally assisted SUD programs must also provide a Part 2 patient notice that more closely aligns with the HIPAA NPP. HHS has published model notices, and covered entities/programs must make notices available upon request and post them on applicable public-facing websites. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/npp-provider-spanish-text.docx))
State-Specific Regulations on Treatment Records
HIPAA sets a federal floor, so more protective state privacy laws generally are not preempted; if a state law gives you stronger privacy rights, you follow the stricter rule so long as compliance with both laws is possible. At the same time, Part 2 explicitly bars states from authorizing or compelling disclosures that Part 2 prohibits. In practice, you comply with Part 2 and the most protective applicable state law. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/405/is-this-more-protective-state-law-preempted-by-the-privacy-rule/index.html?utm_source=openai))
Bottom line: opioid addiction treatment records may be protected by HIPAA and, when they originate from federally assisted treatment programs, by Part 2’s enhanced substance use disorder confidentiality rules. The 2024 final rule and CARES Act alignment make coordination of care easier while preserving strict limits on legal uses and strengthening breach notification and OCR enforcement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
FAQs
What are the key HIPAA protections for opioid addiction treatment records?
HIPAA restricts uses and disclosures of patient health information to what the rule permits or what you authorize, enforces the minimum necessary standard, and gives you rights such as access to your records and the ability to complain to OCR. When opioid treatment information sits in HIPAA-only records, HIPAA’s baseline applies; if it includes Part 2 records, Part 2’s stricter rules may also apply. ([hhs.gov](https://www.hhs.gov/sites/default/files/ocr/privacy/hipaa/understanding/summary/privacysummary.pdf))
How does 42 CFR Part 2 enhance privacy for substance use disorder records?
Part 2 covers SUD records from federally assisted treatment programs and generally requires written patient consent for disclosures. It obligates recipients to honor a prohibition on redisclosure notice and restricts the use of records and testimony in legal proceedings against you without consent or a qualifying court order, providing stronger confidentiality than standard HIPAA rules in those contexts. ([samhsa.gov](https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs?utm_source=openai))
What changes were introduced by the 2024 Part 2 Final Rule?
The rule allows a single consent for TPO uses/disclosures, permits HIPAA-governed redisclosure by covered entities/business associates that receive records under that consent, adopts HIPAA-style breach notification, clarifies that segregation is not required, defines specially protected SUD counseling notes, creates a safe harbor for investigative agencies, and establishes a direct complaint right to HHS. Compliance is required by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
How are breaches of opioid addiction treatment records reported and enforced?
If unsecured PHI or Part 2 records are breached, you must follow HIPAA’s breach notification obligations: notify affected individuals without unreasonable delay and within 60 days of discovery, and report to HHS (and sometimes the media) based on incident size. OCR enforces these requirements and, beginning February 16, 2026, also enforces Part 2 with HIPAA-aligned civil money penalties and corrective action. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html?utm_source=openai))