Michigan Substance Abuse Record Privacy Laws Explained: Confidentiality, HIPAA, and 42 CFR Part 2


Kevin Henry

Data Privacy

March 23, 2026


Overview of 42 CFR Part 2

42 CFR Part 2 is the federal confidentiality rule that protects the privacy of individuals receiving substance use disorder (SUD) diagnosis, treatment, or referral services. It applies to Federally Assisted SUD Programs and establishes rigorous Substance Use Disorder Confidentiality standards that go beyond typical medical privacy rules.

In practice, the rule generally prohibits disclosing SUD-identifying information without SUD Patient Consent. A valid consent must specify who may disclose, to whom, for what purpose, what information, and for how long; the patient may revoke it at any time, except to the extent it has already been relied upon. Records must also carry a “no re-disclosure” notice to prevent downstream sharing without authorization.

Narrow exceptions to the consent requirement include:

  • Medical emergencies necessary to address an immediate health or safety threat.
  • Research or audit/evaluation under strict safeguards that prevent identifying patients in reports.
  • Court orders that meet Part 2’s heightened standards (narrowly tailored and protective).
  • Reporting crimes on program premises or against staff, and mandated child abuse/neglect reporting.
  • Disclosures to Qualified Service Organizations (QSOs) that perform services under a QSO agreement.

Because violations can deter people from seeking care, Part 2 sets a high bar: when in doubt, obtain written consent or rely on a clearly applicable exception before sharing SUD records.

HIPAA Privacy Rule Standards

HIPAA governs Health Information Privacy for protected health information (PHI) held by covered entities (health plans, most providers, clearinghouses) and their business associates. HIPAA permits use and disclosure without authorization for treatment, payment, and health care operations (TPO), and for limited public policy purposes such as certain public health and oversight activities.

The Privacy Rule’s “minimum necessary” standard requires you to limit non-treatment uses and disclosures to the least information needed. Covered entities must provide a Notice of Privacy Practices, honor patient access and amendment rights, and execute business associate agreements (BAAs) with vendors that handle PHI.

Unlike Part 2, HIPAA’s baseline allows relatively broad information flow for TPO. When SUD information is subject to both HIPAA and Part 2, you follow the stricter rule—most often Part 2’s consent-first approach.

Interaction Between 42 CFR Part 2 and HIPAA

Programs and clinicians frequently operate under both regimes. The key principle is simple: where rules conflict, the more protective requirement controls. As a result, HIPAA-permitted sharing for TPO may still be barred unless you have Part 2-compliant consent or a Part 2 exception fits.

Operationally, align consent and data-handling workflows. Use a single, plain-language consent that meets Part 2’s elements and, where appropriate, authorizes HIPAA uses. Segment SUD data in your EHR so only personnel with a valid need and authority can access it, and attach the prohibition-on-redisclosure notice to outgoing records.

Agreements and alignment

  • Part 2 uses Qualified Service Organization Agreements (QSOAs); HIPAA uses BAAs. Many vendors need both, or a combined agreement covering Part 2 and HIPAA terms.
  • Recent HITECH Act Alignment initiatives have increased consistency between the frameworks, including breach handling and penalties. Build policies that anticipate these harmonized requirements.

Michigan State Confidentiality Laws

Michigan layers state protections on top of federal rules. State-licensed SUD providers must comply with 42 CFR Part 2 and HIPAA while also following Michigan’s medical records and behavioral health confidentiality requirements. Practically, that means obtaining written consent before sharing SUD-identifying information unless a clear exception applies.

Michigan law supports robust patient access to their own records and expects providers to maintain confidentiality policies, staff training, and secure record-keeping. When minors receive SUD services under Michigan law, consent and access rules can differ; verify who may authorize disclosure and when parental access is limited or permitted.

If you are a Michigan provider, align your intake forms, consent templates, and EHR workflows with both federal standards and state licensure expectations to prevent unauthorized redisclosure and to streamline compliant care coordination.

Patient Rights Under 42 CFR Part 2

Patients control most disclosures of their SUD records. You must obtain SUD Patient Consent that clearly states the recipient, purpose, and scope of information. Patients may revoke consent at any time, and your system should make revocations immediate and prospective.

Patients have the right to receive a confidentiality notice, to expect the prohibition on redisclosure to travel with their records, and to complain if they believe their privacy was violated. Where HIPAA applies, patients also have rights to access, obtain copies, request amendments, receive an accounting of certain disclosures, and request confidential communications.

Breach Notification Requirements

Breach Notification Compliance hinges on timely action. Under HIPAA’s Breach Notification Rule, you must assess incidents to determine if there is a low probability that PHI was compromised. If the probability is not low, notify affected individuals without unreasonable delay and no later than 60 days, include required content, notify HHS, and, for large breaches, notify prominent media and keep a public log.

With continuing HITECH Act Alignment, Part 2 programs are expected to follow HIPAA-like breach processes for SUD records. Treat SUD incidents with the same rigor: secure your systems, document your risk assessment, send notices that avoid revealing SUD status to unauthorized parties, and remediate gaps to prevent recurrence.

Michigan’s general data breach law operates alongside these duties and may require notice to Michigan residents when defined personal information is compromised. Coordinate state-law notifications with HIPAA/Part 2 steps so your messaging is accurate, timely, and protective of patient privacy.

Enforcement and Penalties

The HHS Office for Civil Rights enforces HIPAA through investigations, corrective action plans, and tiered civil monetary penalties. Under the modernized framework, 42 CFR Part 2 violations can also trigger federal enforcement, and egregious misconduct may lead to criminal liability under federal law.

In Michigan, regulators and licensing bodies may impose sanctions, require remedial training, or restrict operations for noncompliance. Beyond regulatory action, breaches can cause reputational harm, contractual fallout, and costly remediation obligations.

Practical compliance roadmap for Michigan providers

  • Map your data flows and clearly identify Part 2 records; implement EHR segmentation and role-based access.
  • Adopt a unified consent form that satisfies Part 2 and supports HIPAA-compliant sharing where appropriate.
  • Execute QSOAs/BAAs with vendors; verify downstream safeguards and the prohibition on redisclosure.
  • Train your workforce on exceptions, SUD Patient Consent handling, and minimum necessary practices.
  • Test your incident response plan for HIPAA/Part 2 Breach Notification Compliance and Michigan notice duties.

Conclusion

For Michigan providers, the safest path is to apply HIPAA fundamentals while honoring 42 CFR Part 2’s stricter consent and redisclosure limits. Build integrated policies, precise consents, segmented EHR access, and a tested breach plan so you protect patients and operate confidently within federal and state requirements.

FAQs

What protections does 42 CFR Part 2 provide for substance abuse records?

Part 2 strictly limits disclosure of SUD-identifying information from Federally Assisted SUD Programs. It requires explicit patient consent for most sharing, recognizes only narrow exceptions (such as emergencies, research, audits, certain court orders), and mandates a prohibition-on-redisclosure notice to prevent downstream sharing without authorization.

How do Michigan laws complement federal privacy regulations?

Michigan reinforces federal protections by requiring state-licensed programs to maintain confidentiality policies, obtain written consent before disclosures, and ensure secure handling of SUD records. State medical records rules, patient access expectations, and licensure standards work alongside HIPAA and Part 2 to create a comprehensive privacy framework.

Under Part 2, consent is required for nearly all disclosures that identify a person as having or having had an SUD, unless a specific exception applies. Even if HIPAA would allow a TPO disclosure, you still need Part 2-compliant consent when the information originates from a Part 2 program, unless you rely on a valid Part 2 exception or aligned rule.

What are the penalties for violating substance abuse record privacy laws?

Violations can lead to federal enforcement actions, including corrective action plans and civil monetary penalties, and serious cases may involve criminal liability. In Michigan, noncompliance can also trigger licensure sanctions and contractual or reputational consequences, along with the costs of breach response and remediation.
