Kentucky Substance Abuse Record Privacy Laws Explained: HIPAA, 42 CFR Part 2, and Patient Rights
Kentucky providers that treat substance use disorders must navigate HIPAA’s Privacy Rule, the heightened protections in 42 CFR Part 2, and Kentucky-specific requirements for behavioral health records. Recent federal updates align many Part 2 rules with HIPAA, with full compliance required as of February 16, 2026, making it crucial to refresh policies, consent workflows, and Health Information Exchange participation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
Overview of HIPAA Privacy Rule
Scope, covered entities, and PHI fundamentals
HIPAA applies to covered entities—health care providers, health plans, and clearinghouses—and their business associates. It governs the use and disclosure of protected health information (PHI) and establishes national standards for privacy, security, and breach notification. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
Permitted uses, authorizations, and “minimum necessary”
Under HIPAA, PHI may be used or disclosed without patient authorization for treatment, payment, and health care operations (TPO), as well as for specific public policy purposes (for example, some public health activities). For other purposes, a valid authorization is required. Covered entities must also limit uses and disclosures to the “minimum necessary” needed to accomplish the intended purpose. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?utm_source=openai))
HIPAA preemption and Kentucky
HIPAA generally preempts contrary state laws, but more stringent state privacy protections prevail. In Kentucky, separate confidentiality provisions still apply alongside HIPAA where they provide greater protection or specific rules (for example, certain behavioral health records and HIE participation standards). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/403/how-do-i-know-if-a-state-law-is-more-stringent-than-hipaa/index.html?utm_source=openai))
Protections under 42 CFR Part 2
Who is covered and what is protected
Part 2 protects patient-identifying records created or maintained by federally assisted SUD programs and by any lawful holder of those records. Its purpose is to keep substance use disorder records confidential so that concern about disclosure does not discourage people from seeking treatment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html?utm_source=openai))
Written consent and the updated single TPO consent
Part 2 generally requires patient written consent before disclosure. The 2024 final rule lets a patient give a single consent for all future uses and disclosures for treatment, payment, and health care operations. When HIPAA-covered entities or business associates receive Part 2 records under this consent, they may redisclose in accordance with HIPAA—except for use in legal proceedings against the patient. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Required consent elements and prohibition on redisclosure
Consent must meet the detailed content requirements of 42 CFR 2.31, including the patient's name and signature, the designated recipient(s), the purpose, an expiration date or event, a statement of the right to revoke, and (for a TPO consent) a statement that the records may be redisclosed under HIPAA. Each disclosure made with consent must be accompanied by the consent itself or a clear explanation of its scope, and Part 2 still requires that a prohibition-on-redisclosure notice accompany consent-based disclosures. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.31))
Long-standing and new safeguards
- Part 2 records generally cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without consent or a Part 2–compliant court order.
- The final rule aligns penalties and breach notification with HIPAA and clarifies that segregating/segmenting Part 2 data is not required, even though many organizations continue to segment for workflow control.
These updates modernize Part 2 while preserving its core protections. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Patient Rights under 42 CFR Part 2
Core rights you can exercise
- Provide, deny, or revoke consent in writing at any time (revocation does not undo actions already taken in reliance on a valid consent).
- Receive a Part 2 notice aligned with HIPAA’s Notice of Privacy Practices.
- Request restrictions on certain disclosures and (once the parallel HIPAA update is finalized) obtain an accounting of disclosures.
- File complaints directly with HHS regarding alleged Part 2 violations.
- Expect special protection for SUD counseling notes, which require a separate consent similar to HIPAA psychotherapy notes.
Understanding and using these rights helps you control how your SUD information is shared. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Kentucky Behavioral Health Regulations
State confidentiality requirements
Kentucky licensure regulations for nonhospital alcohol and other drug treatment entities require maintaining confidentiality in line with HIPAA and 42 CFR Part 2 and allow programs to adopt stricter behavioral health confidentiality policies. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/kar/titles/908/001/370/))
KRS 210.235 and disclosures for care coordination
KRS 210.235 protects the confidentiality of Cabinet for Health and Family Services mental/behavioral health records and permits disclosures with consent, as necessary to carry out Kentucky law, and for treatment, payment, or health care operations—including through an electronic Health Information Exchange—consistent with HIPAA. Part 2 still controls if it prohibits a disclosure. ([apps.legislature.ky.gov](https://apps.legislature.ky.gov/law/statutes/statute.aspx?id=42998))
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Enforcement Mechanisms for Privacy Laws
HIPAA and Part 2 civil/criminal enforcement
The HHS Office for Civil Rights (OCR) enforces HIPAA’s Privacy, Security, and Breach Notification Rules through investigations, corrective action, resolution agreements, and civil money penalties. DOJ may prosecute criminal violations of HIPAA. Following the 2024 Part 2 final rule, HHS has announced an OCR-run civil enforcement program for Part 2, with enforcement beginning on the February 16, 2026 compliance date. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/index.html?utm_source=openai))
State Attorney General and Kentucky licensure actions
State Attorneys General can bring civil actions for HIPAA violations on behalf of state residents, supplementing federal oversight. Separately, Kentucky can take licensure actions—up to denial, suspension, or revocation—against behavioral health programs for substantial regulatory violations. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/state-attorneys-general/index.html?utm_source=openai))
Together, these pathways create meaningful civil and criminal penalties for noncompliance and reinforce Office for Civil Rights enforcement across both HIPAA and Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Integration with Health Information Exchanges
KHIE’s opt-out model and HIPAA-sharing
The Kentucky Health Information Exchange (KHIE) uses an opt-out consent model and follows a “no further consent needed” approach for information that is shareable under HIPAA. Opting out halts KHIE sharing for treatment, though public health reporting continues as required by law. ([khie.ky.gov](https://khie.ky.gov/Resources/Pages/KHIE-Consent-Model.aspx))
Sharing Part 2 data via KHIE
KHIE offers a Consent Management Tool specifically for 42 CFR Part 2 data. Patients can provide electronic signatures to opt in to share Part 2–protected information; participating Part 2 programs use Qualified Service Organization Agreements (QSOAs) with KHIE, and the portal flags Part 2 documents to support careful handling and Health Information Exchange compliance. ([khie.ky.gov](https://khie.ky.gov/Resources/Pages/KHIE-Consent-Management-Tool.aspx))
Although the federal rule does not require data segmentation, organizations often segment or tag SUD information and attach the consent (or scope explanation) to each disclosure to honor the prohibition on redisclosure and patient instructions. Kentucky law expressly allows HIPAA-permitted TPO exchanges via HIE, but Part 2 restrictions still control. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Compliance Challenges and Best Practices
Common challenges
- Determining whether you are a Part 2 “program” or a “lawful holder” and mapping which records are Part 2–protected.
- Designing consent workflows that support the single TPO consent, revocation, and the prohibition on redisclosure, including attaching the consent or scope explanation to each consent-based disclosure.
- Aligning Notices of Privacy Practices with Part 2’s updated patient notice requirements and HIPAA.
- Operationalizing HIE participation (for example, KHIE) while honoring Part 2 requirements and internal behavioral health confidentiality policies.
- Preparing for Office for Civil Rights enforcement of both HIPAA and Part 2, including breach response and documentation.
Practical best practices
- Update policies, procedures, and training to reflect the February 16, 2026 Part 2 compliance date and HIPAA-aligned penalties and breach notification.
- Standardize patient written consent forms to meet Part 2 content rules, including redisclosure statements, revocation language, and recipient designations (including intermediaries/HIEs).
- Implement data tagging/segmentation and consent management in EHRs and HIE connections; attach the prohibition-on-redisclosure notice and the consent (or an explanation of its scope) to each applicable disclosure.
- Use QSOAs for Part 2 data sharing with KHIE and Business Associate Agreements for HIPAA data sharing; audit routinely and document access and disclosures.
- Test incident response and complaint-handling pathways, including how to route Part 2 complaints to HHS and report breaches under HIPAA rules.
These steps strengthen confidentiality of substance use disorder records, reduce risk, and support coordinated care. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
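The tagging, consent-management and redisclosure-notice steps above (and the segmentation practice described under the KHIE section) are easier to reason about as one decision function. The following is an added illustrative model, not code from the page, from KHIE, or from any EHR vendor, and not a compliance tool: the record/consent fields, the recipient names, the dates and the placeholder notice text are all assumptions chosen for the example (the real notice wording is prescribed by the regulation and is not reproduced here). It shows how a Part 2 tag on a record changes the decision: HIPAA-only records go out for TPO with no authorization, Part 2 records require an active consent that names the recipient and purpose, SUD counseling notes need their own consent, revocation stops future disclosures without invalidating earlier ones, and a disclosure for use against the patient is refused even when a TPO consent exists.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed purpose vocabulary; TPO is the scope of the single Part 2 TPO consent.
TPO = frozenset({"treatment", "payment", "health care operations"})

# Hypothetical placeholder text; the actual notice wording is set by 42 CFR Part 2.
REDISCLOSURE_NOTICE = "42 CFR Part 2 prohibits unauthorized redisclosure of this record."


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    part2: bool                    # tagged at creation as Part 2-protected
    counseling_note: bool = False  # SUD counseling notes need a separate consent


@dataclass
class Consent:
    patient_id: str
    recipients: frozenset          # named recipients, e.g. a provider or the HIE
    purposes: frozenset            # e.g. TPO for the single TPO consent
    signed: date
    expires: date
    covers_counseling_notes: bool = False
    revoked_on: Optional[date] = None

    def active_on(self, day: date) -> bool:
        """Active from signing until expiry, and until (not including) revocation."""
        if day < self.signed or day >= self.expires:
            return False
        return self.revoked_on is None or day < self.revoked_on


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    attachments: tuple = ()        # material that must travel with the disclosure


def evaluate_disclosure(record, recipient, purpose, consents, today,
                        against_patient=False, court_order=False):
    """Decide whether `record` may go to `recipient` for `purpose` on `today`."""
    # Use against the patient needs consent plus a Part 2-compliant court order.
    if record.part2 and against_patient and not court_order:
        return Decision(False, "Part 2 bars use against the patient without a Part 2 court order")
    # HIPAA-only records: TPO needs no authorization; anything else is out of scope here.
    if not record.part2:
        if purpose in TPO:
            return Decision(True, "HIPAA permits TPO disclosure without authorization")
        return Decision(False, "non-TPO purpose: HIPAA authorization required")
    # Part 2 records: find an active consent covering this recipient, purpose and record type.
    for c in consents:
        if c.patient_id != record.patient_id or not c.active_on(today):
            continue
        if recipient not in c.recipients or purpose not in c.purposes:
            continue
        if record.counseling_note and not c.covers_counseling_notes:
            continue
        scope = (f"consent signed {c.signed}, recipients={sorted(c.recipients)}, "
                 f"purposes={sorted(c.purposes)}, expires {c.expires}")
        # The consent scope and the redisclosure notice accompany the disclosure.
        return Decision(True, "active Part 2 consent on file", (scope, REDISCLOSURE_NOTICE))
    return Decision(False, "no active Part 2 consent covering this recipient, purpose and record")


def demo():
    """Constructed sample data: one patient, a TPO consent, later revoked."""
    sud_note = Record("r1", "pt-100", part2=True)
    counseling = Record("r2", "pt-100", part2=True, counseling_note=True)
    lab_result = Record("r3", "pt-100", part2=False)
    tpo_consent = Consent("pt-100", frozenset({"KHIE", "Clinic A"}), TPO,
                          signed=date(2026, 2, 20), expires=date(2027, 2, 20))
    tpo_consent.revoked_on = date(2026, 4, 1)
    consents = [tpo_consent]
    return {
        "before_revocation": evaluate_disclosure(sud_note, "KHIE", "treatment", consents, date(2026, 3, 1)),
        "after_revocation": evaluate_disclosure(sud_note, "KHIE", "treatment", consents, date(2026, 4, 15)),
        "unnamed_recipient": evaluate_disclosure(sud_note, "Clinic B", "treatment", consents, date(2026, 3, 1)),
        "counseling_note": evaluate_disclosure(counseling, "KHIE", "treatment", consents, date(2026, 3, 1)),
        "against_patient": evaluate_disclosure(sud_note, "Prosecutor", "legal", consents, date(2026, 3, 1),
                                               against_patient=True),
        "hipaa_only": evaluate_disclosure(lab_result, "KHIE", "treatment", consents, date(2026, 3, 1)),
    }


if __name__ == "__main__":
    for name, d in demo().items():
        print(f"{name:18} allowed={d.allowed:<5} {d.reason}")
        for a in d.attachments:
            print("    attach:", a)
```

The revocation case is the one worth noticing in an audit: the same consent object answers "allowed" for a March query and "denied" for an April query, which is exactly the behavior a disclosure log needs so that a later revocation does not retroactively make earlier, properly consented releases look like violations.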
Conclusion
Kentucky law, HIPAA, and 42 CFR Part 2 now work together more smoothly: HIPAA sets baseline privacy, while Part 2 preserves heightened SUD protections with modernized consent and enforcement. By updating consent workflows, notices, and HIE connections—and training staff—you can safeguard patient rights and maintain compliant, coordinated care. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/index.html?utm_source=openai))
FAQs
What protections does 42 CFR Part 2 provide for substance abuse records?
Part 2 protects patient‑identifying SUD records against disclosure without patient written consent, strictly limits use in legal proceedings without consent or a Part 2–compliant court order, requires a prohibition‑on‑redisclosure notice with consent‑based disclosures, and now aligns penalties and breach notification with HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html?utm_source=openai))
How does HIPAA differ from 42 CFR Part 2 in Kentucky?
HIPAA allows TPO disclosures without authorization and serves as a national “floor,” while Kentucky law can be more protective; for example, KRS 210.235 sets confidentiality rules for state behavioral health records and allows TPO/HIE disclosures consistent with HIPAA. Part 2 adds extra SUD‑specific protections that override any state law authorizing broader disclosure. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/403/how-do-i-know-if-a-state-law-is-more-stringent-than-hipaa/index.html?utm_source=openai))
What are patient rights regarding substance abuse record disclosures?
Under Part 2, you can decide who may receive your SUD records, revoke consent in writing, receive a Part 2 notice aligned with HIPAA, request certain restrictions, and file complaints with HHS. SUD counseling notes require a separate consent, similar to psychotherapy notes under HIPAA. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
How are violations of substance abuse record privacy laws enforced in Kentucky?
OCR enforces HIPAA and, as of February 16, 2026, operates a civil enforcement program for Part 2. Criminal HIPAA violations may be referred to DOJ. State Attorneys General can also bring civil HIPAA actions, and the Kentucky Cabinet may deny, suspend, or revoke behavioral health program licenses for substantial violations. ([hhs.gov](https://www.hhs.gov/press-room/hhs-announce-civil-enforcement-program-sud-patient-records.html))