HIPAA Rules for Substance Abuse Counselors: What You Need to Know (Including 42 CFR Part 2)
If you counsel patients for substance use disorders, you must navigate both HIPAA and 42 CFR Part 2. HHS finalized sweeping updates to Part 2 in 2024 to align it more closely with HIPAA, with a compliance date of February 16, 2026. This guide explains what that means for your day-to-day practice, how to protect substance use disorder confidentiality in electronic health records, and when you can disclose information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
HIPAA Privacy Rule Protections
What the Privacy Rule requires
The HIPAA Privacy Rule protects patients' PHI and permits uses and disclosures without authorization for treatment, payment, and health care operations (TPO). Outside TPO and the other specific permissions in the rule, you need a HIPAA-compliant authorization. You must also apply the minimum necessary standard to limit what you use, disclose, or request; note that the standard does not apply to disclosures to, or requests by, a health care provider for treatment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/disclosures-treatment-payment-health-care-operations/index.html?utm_source=openai))
Patient authorization requirements
Patient authorization requirements under HIPAA apply to uses and disclosures beyond TPO (for example, most marketing, any sale of PHI, and third-party requests that fall under no other permission). Patients retain core rights: notice, access, amendment, and an accounting of disclosures (which excludes disclosures made for TPO). Your Notice of Privacy Practices should clearly explain these rights and how you handle sensitive information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Bing-PPC&LDNsummitHB1=&campaign_name__c=Risk&field_event_type_target_id=10&utm_source=openai))
HIPAA Security Rule Requirements
Administrative, physical, and technical safeguards
Protect electronic PHI with a risk-based program: conduct a formal risk analysis, manage the risks it identifies, train your workforce, control facility access, and document policies. Technical controls should include unique user IDs, role-based access, audit logs, integrity controls, and encryption in transit and at rest. Encryption is an "addressable" specification under the current Security Rule, which means you must implement it or document why an equivalent alternative is reasonable and appropriate; in practice, loss of a device holding unencrypted PHI is presumed to be a reportable breach, while properly encrypted data falls under the breach notification safe harbor, so treat encryption as required. These are the core electronic health record safeguards that reduce breach risk. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html?key5sk1=953418314db367e0c4aedc568bbb9089724e9125&utm_source=openai))
Practical steps for counselors using EHRs
- Enforce least-privilege access to SUD-related data, monitor audit logs, and review access reports routinely.
- Require multi-factor authentication, encrypt devices and backups, and maintain a contingency plan for outages.
- Harden vendor management: sign business associate agreements, add a qualified service organization agreement for any vendor that handles Part 2 records, and perform periodic security reviews. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html?key5sk1=953418314db367e0c4aedc568bbb9089724e9125&utm_source=openai))
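The access-review step above is easy to state and tedious to do by hand. The script below is an added example, not code from this page, from HHS, or from any EHR vendor: it runs the kind of review a counselor's compliance lead would want over a constructed JSON-lines audit log (`SAMPLE_LOG`, invented here, as are the field names, roles, the `ASSIGNMENTS` treatment-relationship table, the after-hours window and the bulk threshold). It flags three things: a non-clinical role opening a Part 2 record at all, a clinician opening a record of a patient they are not assigned to without a documented break-glass reason, and one user opening several Part 2 patients' records after hours.

```python
"""Review constructed EHR audit-log events for access to Part 2 (SUD) records.

Added example, not code from the page, HHS, or any EHR vendor. The JSON event
format, field names, roles, assignments and thresholds are assumptions.
"""
import json
from datetime import datetime

# Constructed sample log: one JSON event per line (assumed format).
SAMPLE_LOG = """\
{"ts": "2025-03-03T09:12:04", "user": "jlee", "role": "counselor", "patient": "P-1001", "part2": true, "action": "view", "reason": ""}
{"ts": "2025-03-03T09:15:30", "user": "jlee", "role": "counselor", "patient": "P-1002", "part2": true, "action": "view", "reason": ""}
{"ts": "2025-03-03T10:02:11", "user": "mpatel", "role": "billing", "patient": "P-1001", "part2": true, "action": "export", "reason": ""}
{"ts": "2025-03-03T23:41:00", "user": "rgomez", "role": "nurse", "patient": "P-1003", "part2": true, "action": "view", "reason": "emergency"}
{"ts": "2025-03-04T02:05:00", "user": "tnguyen", "role": "admin", "patient": "P-1001", "part2": true, "action": "view", "reason": ""}
{"ts": "2025-03-04T02:06:10", "user": "tnguyen", "role": "admin", "patient": "P-1002", "part2": true, "action": "view", "reason": ""}
{"ts": "2025-03-04T02:07:30", "user": "tnguyen", "role": "admin", "patient": "P-1003", "part2": true, "action": "view", "reason": ""}
{"ts": "2025-03-04T11:00:00", "user": "mpatel", "role": "billing", "patient": "P-2001", "part2": false, "action": "view", "reason": ""}
"""

# Assumed treatment relationships: which workforce member is assigned to which Part 2 patient.
ASSIGNMENTS = {"jlee": {"P-1001", "P-1002"}}
# Least privilege: only clinical roles may open the Part 2 clinical record at all.
CLINICAL_ROLES = {"counselor", "physician", "nurse"}
BREAK_GLASS_REASONS = {"emergency"}      # documented reasons that justify access without an assignment
AFTER_HOURS = (22, 6)                    # 22:00 to 06:00 local time, assumed
BULK_THRESHOLD = 3                       # distinct Part 2 patients one user opens after hours


def parse_events(text):
    """Parse the JSON-lines log into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if line.strip():
            event = json.loads(line)
            event["ts"] = datetime.fromisoformat(event["ts"])
            events.append(event)
    return events


def is_after_hours(ts):
    start, end = AFTER_HOURS
    return ts.hour >= start or ts.hour < end


def review(events):
    """Return (user, patient, finding) tuples for access that needs follow-up."""
    findings = []
    after_hours = {}                     # user -> set of Part 2 patients opened after hours
    for e in events:
        if not e["part2"]:
            continue                     # HIPAA still applies, but this pass targets Part 2 records
        user, patient = e["user"], e["patient"]
        if e["role"] not in CLINICAL_ROLES:
            findings.append((user, patient, "role not permitted to open Part 2 record"))
        elif patient not in ASSIGNMENTS.get(user, set()):
            if e["reason"] in BREAK_GLASS_REASONS:
                findings.append((user, patient, "break-glass access: verify emergency documentation"))
            else:
                findings.append((user, patient, "no treatment relationship and no documented reason"))
        if is_after_hours(e["ts"]):
            after_hours.setdefault(user, set()).add(patient)
    for user, patients in after_hours.items():
        if len(patients) >= BULK_THRESHOLD:
            findings.append((user, "*", f"after-hours access to {len(patients)} Part 2 patients"))
    return findings


def review_log(text):
    return review(parse_events(text))


if __name__ == "__main__":
    for finding in review_log(SAMPLE_LOG):
        print(" | ".join(finding))
```

On the sample log the script flags the billing export, the nurse's break-glass view (for verification of the emergency documentation the rule requires), and the administrator's three after-hours views, both individually and as a bulk pattern; the assigned counselor's routine views produce nothing. A real deployment would read the EHR's own audit export and the assignment table from the scheduling system, and would keep the findings themselves under the same access controls as the records.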
Overview of 42 CFR Part 2
Who Part 2 covers
Part 2 applies to federally assisted programs that hold themselves out as providing, and do provide, SUD diagnosis, treatment, or referral for treatment, and to "lawful holders" of their records. "Federally assisted" is broad: it covers programs run by a federal agency, programs that receive federal funding directly or indirectly (including Medicare or Medicaid payments), programs registered with the DEA to dispense controlled substances for SUD treatment, and programs with federal tax-exempt status. ([samhsa.gov](https://www.samhsa.gov/substance-use/treatment/statutes-regulations-guidelines?utm_source=openai))
Why Part 2 is different, and what changed
Part 2 restricts use in legal proceedings far more tightly than HIPAA: patient records generally cannot be used or disclosed in civil, criminal, administrative, or legislative proceedings against the patient without the patient's written consent or a court order that meets Part 2's own criteria. The 2024 final rule allows a single patient consent for all future TPO uses and disclosures and permits HIPAA covered entities and business associates that receive records under such a consent to redisclose them as HIPAA allows (still never for proceedings against the patient). It also adds disclosures of de-identified data to public health authorities, aligns breach notification and civil and criminal penalties with HIPAA, defines "SUD counseling notes" as a category requiring specific consent, states that Part 2 does not require records to be segregated from the rest of the chart, and adds a right to file a complaint with HHS, a key addition to patient rights under Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Patient Consent under 42 CFR Part 2
Consent basics you must capture
Part 2 uses its own written consent (not a HIPAA authorization) for most disclosures. A valid consent must include the patient's name; the Part 2 program or lawful holder permitted to make the disclosure; the recipient(s), which may be a general designation on a TPO consent; the purpose (the phrase "treatment, payment, and health care operations" suffices for a single, ongoing TPO consent); how much and what kind of information will be disclosed; an expiration date, event, or condition; a statement of the patient's right to revoke; the patient's signature; and the date signed (with special rules for minors and for incapacitated or deceased individuals). If the recipient is a HIPAA covered entity or business associate receiving records under a TPO consent, the consent must state that the records may be redisclosed as HIPAA permits, except for use in legal proceedings against the patient. Each disclosure made with consent must also carry the Part 2 notice to the recipient prohibiting further redisclosure (42 CFR 2.32). ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.31?utm_source=openai))
Special rule: SUD counseling notes
"SUD counseling notes" are notes recorded by a Part 2 program provider who is an SUD or mental health professional that document or analyze the contents of a counseling session and that are kept separate from the rest of the patient's record. They require their own specific consent and cannot be disclosed under a broad TPO consent. The definition excludes medication prescription and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date; that material belongs in the regular record and follows the ordinary consent rules. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Disclosures Without Patient Consent
When disclosure is permitted
- Medical emergency: A program may disclose to medical personnel only the information needed to meet a bona fide medical emergency in which the patient's prior consent cannot be obtained. Immediately afterward, document in the patient's record the name and affiliation of the recipient, the name of the person who made the disclosure, the date and time, and the nature of the emergency. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.51?utm_source=openai))
- Research: Permitted under strict conditions (e.g., IRB or equivalent review). Researchers who receive Part 2 data without consent cannot use it to investigate or prosecute patients. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/part-2/subpart-D?utm_source=openai))
- Audits and evaluations: Allowed for management, financial, or program evaluation activities under defined safeguards. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/part-2/subpart-D?utm_source=openai))
- Public health (de-identified): You may disclose de-identified data to public health authorities consistent with HIPAA de-identification standards. ([govregs.com](https://www.govregs.com/regulations/expand/title42_chapterI_part2_subpartD_section2.53?utm_source=openai))
- Crimes on program premises or against program personnel: You may report a patient's commission of, or threat to commit, such a crime to law enforcement, limited to the circumstances of the incident and the patient's status, name, address, and last known whereabouts. ([ecfr.io](https://ecfr.io/Title-42/Section-2.12?utm_source=openai))
- Child abuse/neglect reporting: Part 2 does not restrict the initial report required under state law, but the underlying records remain protected and cannot be used in later civil or criminal proceedings without consent or a Part 2 court order. ([ecfr.io](https://ecfr.io/Title-42/Section-2.12?utm_source=openai))
- Court orders: Disclosures can occur only under the court order procedures in Subpart E, which require notice, an opportunity to respond, and a finding of good cause. A subpoena alone does not authorize disclosure, and a Subpart E order authorizes but does not itself compel it, so a subpoena or similar legal process must accompany the order. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/part-2/subpart-E?utm_source=openai))
- Qualified Service Organizations (QSOs): Communications necessary for a QSO to provide services to or for your program are allowed without consent when a QSO agreement is in place. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))
Enforcement and Compliance Deadlines
Key dates and what to do now
- Final rule publication and effective date: HHS published the Part 2 final rule on February 16, 2024; it became effective April 16, 2024. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Compliance date: You must comply with the applicable Part 2 requirements by February 16, 2026. Begin updating policies, consents, workflows, and training now. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Penalties and breach notification: Part 2 now aligns with HIPAA’s civil and criminal enforcement and breach notification framework; OCR may impose HIPAA-style penalties for violations. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
- Notices of Privacy Practices (HIPAA): The Part 2 final rule also amended the HIPAA NPP requirements (45 CFR 164.520), and those changes share the February 16, 2026 compliance date. Update your NPP to reflect Part 2 patient rights, including the complaint right, and the limits on redisclosure of Part 2 records received under a TPO consent. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/reproductive-health/index.html?utm_source=openai))
CARES Act and Part 2 Amendments
How the CARES Act reshaped SUD confidentiality
Section 3221 of the CARES Act directed HHS to align Part 2 with HIPAA where appropriate. The resulting amendments enable a single TPO consent; allow HIPAA covered entities and business associates that receive records under it to redisclose as HIPAA permits (but never for legal proceedings against the patient); require HIPAA-aligned breach notification; align civil and criminal penalties; clarify that data segregation is not required; and strengthen patient rights under Part 2, including complaint rights and enhanced notices. For counselors, the practical impact is easier care coordination while substance use disorder confidentiality is preserved for patients. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Key takeaways for your practice
- Map which services make you a Part 2 “program” and which records you hold as a “lawful holder.” ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))
- Adopt the new TPO consent and a separate consent for SUD counseling notes; configure your EHR to capture consent metadata (recipients, purpose, scope, expiration, revocation) and to carry the redisclosure limits with every release. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.31?utm_source=openai))
- Harden electronic health record safeguards under the HIPAA Security Rule and prepare for HIPAA-aligned enforcement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html?key5sk1=953418314db367e0c4aedc568bbb9089724e9125&utm_source=openai))
FAQs
What is the difference between HIPAA and 42 CFR Part 2?
HIPAA sets a national baseline for PHI privacy and security, allowing broad TPO sharing. Part 2 adds stricter protections for SUD records of federally assisted programs: it generally requires written consent, limits redisclosure, and sharply restricts use in legal proceedings against the patient. The 2024 final rule aligned many mechanics (the single TPO consent, breach notification, penalties) while preserving these heightened protections. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Bing-PPC&LDNsummitHB1=&campaign_name__c=Risk&field_event_type_target_id=10&utm_source=openai))
When can substance abuse counselors share patient information without consent?
Part 2 permits specific exceptions: medical emergencies (with documentation); audits/evaluations; certain research pathways; de-identified public health reporting; reports of crimes on premises or against staff; child abuse/neglect reporting; and disclosures made under a valid Part 2 court order. Communications with Qualified Service Organizations to support your program’s operations are also allowed. Outside these, obtain written consent. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.51?utm_source=openai))
How does the CARES Act impact substance abuse confidentiality rules?
The CARES Act (Section 3221) required HHS to align Part 2 with HIPAA in key areas. The final rule enables a single TPO consent, permits HIPAA-governed redisclosures (with limits), applies HIPAA breach notification, aligns civil and criminal penalties, clarifies that segregation of Part 2 records is not required, and enhances patient rights under Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
What are the enforcement consequences for violating Part 2?
As of the February 16, 2026 compliance date, OCR can pursue HIPAA-style civil monetary penalties for Part 2 violations and refer cases for criminal enforcement by the Department of Justice. The HIPAA Breach Notification Rule also applies to breaches of Part 2 records, triggering the same notification duties and potential penalties. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.