HIPAA vs 42 CFR Part 2: What’s the Difference and When Each Rule Applies


Kevin Henry

HIPAA

March 22, 2026


Scope and Purpose

Understanding HIPAA vs 42 CFR Part 2 starts with scope. HIPAA sets a national baseline for the privacy and security of protected health information (PHI) held by health plans, most providers, health care clearinghouses, and their business associates. It is designed to let information flow for treatment, payment, and health care operations while safeguarding patient privacy.

42 CFR Part 2 covers substance use disorder (SUD) records created by federally assisted programs that hold themselves out as providing SUD diagnosis, treatment, or referral for treatment. Its purpose is to protect patients from stigma and from legal or social harm by restricting disclosures that would identify someone as having sought or received SUD services.

Both rules can apply at once, for example when a hospital (a HIPAA covered entity) operates an SUD clinic (a Part 2 program). In those cases you must satisfy both rules; where they differ, the stricter requirement governs the information at issue.

Patient Consent

Under HIPAA, patient authorization is not required for treatment, payment, and health care operations. Authorization is generally required for marketing, sale of PHI, most uses of psychotherapy notes, and many non-routine disclosures, unless a specific permission in the Privacy Rule applies (for example, public health reporting or certain law enforcement purposes).

Under 42 CFR Part 2, written patient consent is generally required before a disclosure, including for care coordination, unless an explicit exception applies. Since the 2024 rule that aligned Part 2 more closely with HIPAA, a single consent can cover all future disclosures for treatment, payment, and health care operations, but that consent must still be obtained and documented. A valid consent identifies the patient and the program, describes the information to be disclosed, names the recipient, states the purpose and an expiration date or event, and is signed and dated. Patients may revoke consent at any time; revocation is prospective, so disclosures already made under the consent remain lawful.

  • Common Part 2 exceptions that do not require patient consent include: a bona fide medical emergency; reporting child abuse or neglect as required by law; crimes on program premises or against program personnel; qualified audit or evaluation activities; certain research; and disclosures made under a court order that meets Part 2's criteria.
  • When HIPAA alone would permit a disclosure, you must still verify that patient consent or a Part 2 exception exists if the information would identify a person as having a substance use disorder.

Redisclosure Restrictions

HIPAA permits recipients who are covered entities or business associates to use and disclose PHI as HIPAA allows. The minimum necessary standard applies to most uses and disclosures other than those for treatment, and downstream partners are bound by business associate agreements or by their own obligations as covered entities.

42 CFR Part 2 imposes tighter redisclosure limits. Every disclosure made with patient consent must be accompanied by a notice prohibiting redisclosure. Recipients may not further disclose SUD records unless the patient gives new consent, the information is de-identified, an explicit Part 2 exception applies, or a qualifying court order authorizes it. Since the 2024 rule, a Part 2 program, covered entity, or business associate that receives records under a consent for treatment, payment, and operations may redisclose them as HIPAA permits, except for use in proceedings against the patient; all other recipients remain bound by the notice. In integrated systems, segmenting SUD data in the EHR so that it is never swept into a routine record release helps prevent inadvertent redisclosure.
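As an added example that is not part of the original article or of any product's code, the Python sketch below shows how an EHR integration layer might gate the release of a segmented SUD record. It ties together the consent passage above and this redisclosure passage: it checks that the consent carries the listed elements (patient, program, information, recipient, purpose, expiration, signature and date), treats revocation as prospective, accepts only the listed Part 2 exceptions (so a bare subpoena is refused), and stamps every release of a Part 2 record with a redisclosure notice. All identifiers, the notice text, and the sample data are hypothetical and constructed; expiration is modeled as a date only, although Part 2 also allows expiration on an event or condition.

```python
"""Consent-or-exception gate for Part 2 records (illustrative, hypothetical names)."""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Exceptions the article lists as permitting disclosure without consent.
# Labels are hypothetical, not regulatory citations.
PART2_EXCEPTIONS = frozenset({
    "medical_emergency", "child_abuse_report", "crime_on_premises_or_against_staff",
    "audit_or_evaluation", "research", "part2_court_order",
})

# Placeholder notice; substitute the wording the regulation prescribes.
REDISCLOSURE_NOTICE = ("42 CFR Part 2 record: further disclosure is prohibited without "
                       "the patient's written consent unless Part 2 otherwise permits it.")


@dataclass
class Consent:
    """The elements the article lists for a valid written consent."""
    patient_id: str
    program: str
    information: str
    recipient: str
    purpose: str
    signed_on: Optional[date]
    expires_on: Optional[date]
    revoked_on: Optional[date] = None

    def missing_elements(self) -> list:
        """Names of required elements that are blank or absent."""
        text_fields = ("patient_id", "program", "information", "recipient", "purpose")
        missing = [n for n in text_fields if not getattr(self, n)]
        missing += [n for n in ("signed_on", "expires_on") if getattr(self, n) is None]
        return missing

    def authorizes(self, recipient: str, when: date) -> bool:
        """True if this consent covers a disclosure to `recipient` dated `when`.

        Revocation is prospective: a disclosure dated before revoked_on stays
        authorized; one dated on or after it does not (assumed to take effect
        at the start of revoked_on).
        """
        if self.missing_elements() or self.recipient != recipient:
            return False
        if when < self.signed_on or when > self.expires_on:
            return False
        return self.revoked_on is None or when < self.revoked_on


@dataclass
class Record:
    patient_id: str
    body: str
    is_part2: bool              # identifies the patient as having sought SUD services
    notices: list = field(default_factory=list)


def release(record: Record, recipient: str, when: date,
            consent: Optional[Consent] = None, exception: Optional[str] = None):
    """Return (allowed, basis, outgoing); outgoing is a stamped copy or None."""
    if not record.is_part2:
        # Ordinary PHI: HIPAA's own rules decide, which this gate does not model.
        return True, "not a Part 2 record; apply HIPAA", record
    if exception is not None:
        if exception not in PART2_EXCEPTIONS:
            # A subpoena or routine court order is not a Part 2 exception.
            return False, "not a recognized Part 2 exception: " + exception, None
        basis = "exception:" + exception
    elif (consent is not None and consent.patient_id == record.patient_id
          and consent.authorizes(recipient, when)):
        basis = "consent"
    else:
        return False, "no valid consent or Part 2 exception", None
    outgoing = Record(record.patient_id, record.body, True,
                      record.notices + [REDISCLOSURE_NOTICE])
    return True, basis, outgoing


def run_demo() -> dict:
    """Run the gate over constructed sample data and return outcomes by name."""
    pcp = "Dr. Lee (primary care)"
    consent = Consent("pt-001", "Riverside SUD Clinic", "treatment summary", pcp,
                      "care coordination", date(2025, 1, 10), date(2025, 12, 31))
    record = Record("pt-001", "constructed sample SUD treatment note", is_part2=True)
    results = {
        "consented": release(record, pcp, date(2025, 6, 1), consent=consent),
        "wrong_recipient": release(record, "Employer HR", date(2025, 6, 1), consent=consent),
        "expired": release(record, pcp, date(2026, 1, 15), consent=consent),
        "emergency": release(record, "County ER", date(2025, 6, 2), exception="medical_emergency"),
        "subpoena": release(record, "Plaintiff's counsel", date(2025, 6, 3), exception="subpoena"),
    }
    consent.revoked_on = date(2025, 7, 1)  # patient revokes; earlier disclosures stand
    results["before_revocation"] = release(record, pcp, date(2025, 6, 30), consent=consent)
    results["after_revocation"] = release(record, pcp, date(2025, 7, 1), consent=consent)
    return results


if __name__ == "__main__":
    for name, (allowed, basis, _) in run_demo().items():
        print(f"{name:18} allowed={allowed!s:5} basis={basis}")
```

The design point is that the gate refuses by default: a Part 2 record leaves only on a documented basis, and the basis string travels with the decision so an audit log can show why each release was allowed or denied.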

Subpoenas and Court Orders

HIPAA allows disclosures in judicial or administrative proceedings when specific conditions are met: a court order, or a subpoena or discovery request accompanied by satisfactory assurances that the patient was notified and had an opportunity to object, or that a qualified protective order is in place. Even then, disclose only what is necessary.

Part 2 sets a higher bar. A subpoena or routine court order is not enough to release patient-identifying SUD information. You need a Part 2-specific court order that finds good cause, limits disclosure to what is essential, and imposes safeguards. Records generally may not be used to investigate or prosecute a patient unless a court order meeting Part 2's separate, stricter criteria for that purpose expressly permits it.

Penalties for Violations

HIPAA violations can result in tiered civil monetary penalties that escalate with culpability, plus criminal liability for knowingly obtaining or disclosing PHI in violation of the statute. Civil enforcement is handled by the HHS Office for Civil Rights; criminal matters are referred to the Department of Justice.

Part 2 violations also carry civil and criminal penalties. Since the CARES Act, the same penalty provisions that apply to HIPAA violations apply to Part 2 violations, enforced by HHS and, for criminal cases, the Department of Justice, and penalties are assessed per violation. Because of the heightened sensitivity of SUD information, regulators expect strong policies, workforce training, and auditing to prevent and detect unauthorized disclosures.

Breach Notification

HIPAA's Breach Notification Rule requires covered entities to notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery of a breach of unsecured PHI. You must also notify HHS (without unreasonable delay for breaches affecting 500 or more individuals, otherwise in an annual log) and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets. Business associates must report breaches to the covered entity, and all parties must document their risk assessments and mitigation steps.

For Part 2 programs that are also HIPAA covered entities or business associates, the same breach notification obligations apply to incidents involving SUD information. Part 2 programs that are not otherwise subject to HIPAA must, under the 2024 rule, follow the same HIPAA breach notification requirements for breaches of unsecured Part 2 records, along with any applicable state law, and must still safeguard records and mitigate harm. Notices must be worded so they do not reveal a person's SUD treatment to anyone not entitled to know it.

Anti-Discrimination Protections

HIPAA is primarily a privacy and security framework for PHI, not an anti-discrimination law. It does prohibit retaliation against individuals who exercise their rights or file complaints, and it bars conditioning treatment, payment, or enrollment on an unnecessary authorization.

Part 2 includes explicit anti-discrimination provisions. SUD records generally cannot be used to deny admission, treatment, employment, housing, or benefits, and they may not be used in civil, criminal, administrative, or legislative proceedings against the patient absent a qualifying court order. These protections aim to reduce stigma so individuals feel safe seeking care.

In practice, treat SUD information as Part 2-protected first. If both rules apply, meet HIPAA's baseline and Part 2's heightened requirements, obtain patient consent when needed, and never rely on a subpoena alone where a Part 2 court order is required.

FAQs

What distinguishes HIPAA from 42 CFR Part 2?

HIPAA sets nationwide standards for the privacy and security of PHI across covered entities and business associates, permitting many routine disclosures for treatment, payment, and operations. 42 CFR Part 2 adds stricter confidentiality for SUD records created by federally assisted SUD programs, requiring written consent, redisclosure limits, and a Part 2-specific court order before release.

When is patient consent required under 42 CFR Part 2?

Patient consent is generally required for disclosures that would identify someone as seeking, receiving, or having a substance use disorder, including many care coordination scenarios. Limited exceptions exist, such as bona fide medical emergencies, certain research, qualified audits or evaluations, reporting child abuse or neglect, crimes on program premises or against personnel, and disclosures under a Part 2-compliant court order.

How do redisclosure rules differ between HIPAA and 42 CFR Part 2?

Under HIPAA, recipients who are covered entities or business associates may further use or disclose PHI as HIPAA allows. Under Part 2, recipients receive a prohibition-on-redisclosure notice and generally cannot redisclose SUD records without new patient consent, de-identification, a specific Part 2 exception, or a qualifying court order.

How do subpoenas and court orders work under each rule?

HIPAA permits disclosures in response to subpoenas or discovery requests when certain safeguards are met, such as patient notice and an opportunity to object or a qualified protective order, or when a court order authorizes it. Part 2 requires a court order that meets its own strict criteria; a subpoena or routine order by itself is insufficient to release patient-identifying SUD information.
