Indiana Substance Abuse Record Privacy Laws Explained: Your Rights and Providers' Obligations

Federal Confidentiality Protections

What records are protected and who must comply

In Indiana, the strictest privacy safeguards for substance use disorder (SUD) information come from 42 U.S.C. § 290dd-2 and its implementing rules at 42 CFR Part 2. These rules apply to any SUD program or provider that is federally assisted, which commonly includes organizations that participate in Medicare or Medicaid, hold a federal tax exemption, or maintain a DEA registration. When SUD details are mixed into a general electronic health record, Part 2 still protects the SUD portions of the record.

Patient consent requirements under Part 2

Part 2 generally bars disclosure of SUD records unless you sign a valid written authorization. That authorization must identify you, the specific information to be shared, the purpose of the disclosure, who may receive it, and how long it remains effective. You may revoke consent at any time, except to the extent your provider already relied on it. A prohibition-on-redisclosure notice must accompany Part 2–protected information so downstream recipients understand it cannot be shared further without a new authorization or a specific legal basis.

How Part 2 interacts with HIPAA

HIPAA sets a nationwide baseline for health privacy, but 42 CFR Part 2 is stricter for SUD information. Where both apply, providers must meet the more protective rule. Recent updates align many Part 2 processes with HIPAA, including allowing a single, HIPAA-style consent for treatment, payment, and health care operations across covered entities and their business associates, while preserving Part 2’s core protections against improper use in investigations or prosecutions.

Indiana State Law Requirements

How state rules complement federal law

Indiana law works alongside federal standards to protect your records and govern how providers store, share, and release them. State health-record statutes and mental health provisions require written authorization for most disclosures, define how long records must be retained, and recognize additional safeguards for sensitive behavioral health information. When state and federal rules differ, Indiana providers must follow the requirement that offers you greater privacy.

Special considerations for child welfare and school settings

Indiana Department of Child Services regulations require mandated reports of suspected child abuse or neglect. Part 2 permits those reports without patient consent, but it tightly limits what else may be shared with child welfare beyond the report itself unless a valid authorization or court order exists. Similarly, if SUD services are delivered in schools or juvenile programs, Indiana confidentiality policies continue to apply alongside Part 2, and providers must segment SUD details from education records unless you authorize disclosure.

Disclosure Conditions Without Consent

Permitted disclosure exceptions

• Medical emergencies: Providers may disclose necessary SUD information to medical personnel to address a bona fide emergency when your consent cannot be obtained.
• Research, audit, or evaluation: Sharing is allowed under strict safeguards, including data-use limitations and, where applicable, institutional review oversight.
• Crimes on program premises or against staff: Limited information about the incident may be given to law enforcement.
• Child abuse or neglect reporting: Mandated reports to Indiana authorities are permitted; broader SUD details remain protected.
• Court orders meeting Part 2: A specialized court order—showing good cause and imposing limits—can authorize a narrowly tailored disclosure; a regular subpoena is not enough.
• Qualified Service Organizations: Disclosures to contractors (for example, labs, billing, or IT vendors) are allowed under a Qualified Service Organization Agreement that binds the vendor to Part 2 duties.
• De-identified information: Data stripped of identifiers may be shared for approved purposes.

Even when a disclosure exception applies, providers should document it, share only the minimum necessary information, and include the Part 2 prohibition-on-redisclosure notice.

Access Rights for Parents and Guardians

Who controls a minor’s SUD information

Parental access depends on who lawfully consented to the child’s treatment under Indiana law. If a parent or legal guardian provided consent, that adult generally may authorize disclosures, subject to clinical judgment and safety exceptions. If Indiana law allows the minor to consent to SUD services without a parent, then 42 CFR Part 2 treats the minor as the person who must authorize disclosures, and a parent cannot access those SUD records without the minor’s written consent unless a valid Part 2 court order is obtained.

Practical steps for families

• Ask the provider who consented to treatment and which records are protected by Part 2.
• If you are a parent or guardian, request disclosures using the provider’s Part 2–compliant authorization form.
• If safety is at issue, providers may limit parental access consistent with state and federal law while still making any required reports to the Indiana Department of Child Services.

Confidentiality in Court-Administered Programs

Problem-solving courts and probation-supervised treatment

Participation in Indiana drug courts, family recovery courts, or probation-run treatment programs does not erase Part 2 protections. Team-based information sharing typically requires your written consent that lists the specific court personnel and partners who may receive SUD details. Absent valid consent, the court must use a Part 2–compliant court order to obtain narrowly tailored information; routine subpoenas, discovery requests, and public-records demands are insufficient.

Limits on use in legal proceedings

Even when a Part 2 court order issues, the judge must restrict the scope, duration, and further use of the information. Records disclosed under Part 2 generally cannot be used to investigate or prosecute you for a crime, and redisclosure by the court team remains prohibited except as the order allows.

Patient Rights to Medical Records and Amendments

Your right to see and get copies of your records

You have the right under HIPAA to access your designated record set, including SUD notes that are part of your health record, in paper or electronic form. Providers must respond within HIPAA’s timelines (typically within 30 days, with one possible 30‑day extension) and may charge only reasonable, cost-based copy fees. If a portion is protected by 42 CFR Part 2, the provider may require a Part 2–compliant authorization or apply an applicable exception before releasing that segment.

Requesting corrections (amendments)

You may ask a provider to amend inaccurate or incomplete information. The provider must review the request, act within required timelines, and either make the amendment or issue a written denial that explains why and how you can submit a statement of disagreement. If denied, your statement travels with the record for future uses and disclosures.

Provider Obligations and Compliance Enforcement

Operational duties

• Maintain written confidentiality policies tailored to 42 CFR Part 2 and HIPAA, including role-based access controls and record segmentation for SUD details.
• Use Part 2–compliant patient consent forms and keep redisclosure warnings on any released information.
• Execute Qualified Service Organization Agreements with vendors that handle protected data and train staff regularly on patient consent requirements and disclosure exceptions.
• Respond appropriately to subpoenas and law-enforcement requests; do not release Part 2 records without valid consent or a Part 2 court order.
• Coordinate with Indiana Department of Child Services regulations to satisfy mandated reporting while limiting any additional disclosures to what the law allows.
• Log and document disclosures, manage breaches promptly, and update notices and workflows as federal rules evolve.

Enforcement and penalties

Improper use or disclosure of SUD information can trigger legal penalties for unauthorized disclosure under federal law, including civil monetary penalties and potential criminal liability, and may lead to professional discipline under Indiana licensing rules. Individuals can file complaints with regulators, and organizations may face corrective action plans, audits, and reputational harm.

Bottom line: Indiana providers must pair robust confidentiality policies with precise workflows for consent, exceptions, and court interactions. As a patient, you control most sharing of your SUD information, and clear procedures exist when the law—not consent—permits a limited disclosure.

FAQs

What federal laws protect substance abuse records in Indiana?

The strongest protections come from 42 U.S.C. § 290dd-2 and 42 CFR Part 2, which strictly limit disclosure and redisclosure of SUD information. HIPAA also applies, but where rules differ, the stricter Part 2 standard governs how Indiana providers handle your SUD records.

When can substance abuse information be disclosed without consent?

Key disclosure exceptions include bona fide medical emergencies, qualified research or audits, reports of child abuse or neglect, limited reports of crimes on program premises, and disclosures ordered by a court under the special Part 2 process. Providers may also share with contractors under a Qualified Service Organization Agreement.

How can parents access a child’s substance abuse records?

Ask who legally consented to the child’s treatment. If the parent or guardian consented, they generally may authorize disclosure, subject to safety-based limits. If state law allowed the minor to consent, the minor controls disclosure under Part 2, and the parent cannot access SUD records without the minor’s written authorization or a valid Part 2 court order.

What are the legal consequences for violating confidentiality laws?

Violations can result in civil monetary penalties and, in some cases, criminal liability under federal law. Indiana professionals may also face licensing repercussions, mandatory corrective actions, and contractual consequences with payers or courts.