Nebraska Substance Abuse Record Privacy Laws: Your Guide to HIPAA, 42 CFR Part 2, and State Rules

Overview of HIPAA Privacy Rule Protections

What HIPAA protects

The HIPAA Privacy Rule safeguards Protected Health Information (PHI)—any individually identifiable health data held by covered entities and their business associates. HIPAA establishes baseline confidentiality protections, while allowing more stringent federal or state privacy statutes to control where they apply. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E?utm_source=openai))

Permitted uses and the minimum necessary standard

Without a patient authorization, HIPAA permits use and disclosure of PHI for treatment, payment, and health care operations (TPO). For most other disclosures, you must limit PHI to the minimum necessary to accomplish the purpose; this limit does not apply to disclosures for treatment. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E?utm_source=openai))

Patient rights and Notices of Privacy Practices

Patients have rights to access, receive an accounting of certain disclosures, request restrictions, and seek amendments to PHI. Covered entities must issue a Notice of Privacy Practices (NPP) describing how PHI is used and shared, and must update it to reflect more stringent laws such as 42 CFR Part 2 when applicable. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))

Confidentiality Under 42 CFR Part 2

Who is covered and what counts as Substance Use Disorder Records

42 CFR Part 2 applies to “Part 2 programs,” meaning federally assisted programs that provide, or refer for, diagnosis, treatment, or referral for treatment of a substance use disorder. Records created or maintained by such programs are Substance Use Disorder Records and receive heightened confidentiality protections. ([ecfr.io](https://ecfr.io/Title-42/Section-2.11?utm_source=openai))

Modernized consent and HIPAA alignment

Under the 2024 final rule implementing the CARES Act, you may use a single patient consent for all future TPO uses and disclosures. HIPAA covered entities and business associates that receive Part 2 records under this consent may redisclose them in accordance with HIPAA, but not to use the records in legal proceedings against the patient. Compliance is required by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Special protections and operational changes

• SUD counseling notes now have protections analogous to HIPAA psychotherapy notes and require separate, specific consent. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
• Segregating or segmenting Part 2 data in your systems is not required by the final rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
• Breaches of Part 2 records trigger HIPAA Breach Notification Rule duties; Part 2 penalties are aligned with HIPAA’s civil/criminal enforcement. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Core confidentiality protections that did not change

Part 2 still prohibits using SUD records to investigate or prosecute a patient without consent or a court order that meets Part 2’s exacting standards. Ordinary subpoenas are not enough; courts must follow Subpart E procedures for any order authorizing disclosure. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.13?utm_source=openai))

Nebraska State Law Requirements

State privacy statutes and access rights

Nebraska’s medical-record statutes give patients strong access rights, with timelines: providers must furnish copies within 30 days and make records available for inspection within 10 days (or explain delays and provide access within 21 days). Unless otherwise required, an authorization without an expiration ends after 12 months. For mental health medical records, a practitioner may withhold records if release is not in the patient’s best interest unless a court orders otherwise. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8403))

Facility and practitioner confidentiality obligations

Mental health practitioners must keep client information confidential, subject to narrow exceptions (such as patient consent, certain duties to warn, and other laws). Licensed facilities—including mental health/substance use treatment centers and health clinics—must maintain confidentiality of records under Nebraska’s licensure regulations. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=38-2136))

Public records exemption

Nebraska’s Public Records Act exempts medical records from disclosure, reinforcing patients’ confidentiality protections under state law. ([nebraskalegislature.gov](https://www.nebraskalegislature.gov/laws/statutes.php?statute=84-712.05&utm_source=openai))

Patient Consent and Authorization Procedures

When HIPAA authorization is required

Uses or disclosures beyond TPO generally require a valid HIPAA authorization that specifies what Protected Health Information (PHI) will be used or disclosed, by whom, to whom, for what purpose, and when it expires, plus statements on revocation and potential redisclosure. Vague “all PHI” descriptions can be insufficient—be specific or rely on the patient’s request language. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))

Part 2 consent mechanics

Part 2 permits a single consent for future TPO uses and disclosures, but SUD counseling notes need a separate, specific consent. Any disclosure made with consent must include a copy or a clear explanation of the consent’s scope. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Nebraska patient consent requirements

Under Nebraska law, requests and any authorizations must be in writing. If no expiration is stated, an authorization expires 12 months after signature. These rules sit alongside HIPAA and, for SUD care, Part 2’s stricter consent framework. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8403))

Legal Restrictions on Record Disclosure

Law enforcement, courts, and public interest disclosures

HIPAA allows certain disclosures without authorization for public health, health oversight, and specific law enforcement situations, subject to scope and minimum necessary limits. These permissions do not override stricter laws. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.512?utm_source=openai))

Part 2’s higher bar for legal process

For SUD records, a subpoena alone is insufficient. Courts must follow Subpart E to issue narrowly tailored orders; Part 2 also bars use of SUD records to investigate or prosecute a patient absent consent or a proper court order. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/part-2/subpart-E?utm_source=openai))

Nebraska privileges and public records

Nebraska recognizes physician–patient privilege in its rules of evidence, adding another layer of confidentiality when records are sought in litigation. Separately, medical records are exempt from disclosure under the Public Records Act. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=27-504&utm_source=openai))

Compliance Responsibilities for Providers

Build a unified privacy program

Map where SUD data originates and flows, determine whether your organization is a Part 2 program or a lawful holder, and document Patient Consent Requirements. Apply HIPAA’s minimum necessary standard, maintain role-based access, and ensure vendor agreements and workflows accommodate Disclosure Restrictions and State Privacy Statutes. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-164/subpart-E?utm_source=openai))

Update notices, policies, and training

Revise your HIPAA NPP and internal policies to reflect Part 2 alignment, including the new consent structure and patient rights, and complete any required updates by February 16, 2026. Train staff on SUD counseling notes, complaint rights, and breach response that now applies to Part 2 records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Technology and documentation controls

While segmentation of Part 2 data is not required, configure your EHR and release-of-information workflows to reliably honor consents, denials, and redisclosure limits. Maintain disclosure logs where required and ensure breach notification processes meet HIPAA standards for Part 2 records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Consequences of Privacy Violations

Federal enforcement

Part 2 violations are now enforced through the HIPAA Enforcement Rule, with civil money penalties and potential criminal liability under 45 CFR part 160. Breaches of Part 2 records trigger HIPAA Breach Notification duties. Penalty tiers and amounts are set in regulation and adjusted for inflation. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Nebraska licensure and facility actions

State regulators may discipline licensed professionals for unprofessional conduct and other grounds under the Uniform Credentialing Act. Facilities can also face licensure sanctions—including fines, suspension, or revocation—under the Health Care Facility Licensure Act and implementing regulations. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=38-178&utm_source=openai))

Conclusion

In Nebraska, substance use disorder confidentiality is a layered system: HIPAA sets the baseline for PHI, 42 CFR Part 2 adds heightened Confidentiality Protections for SUD records, and Nebraska State Privacy Statutes and licensure rules supply additional duties and remedies. If you document your status, streamline consent workflows, and update notices and training by February 16, 2026, you will position your program to protect patients and meet evolving requirements. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

FAQs

What protections does HIPAA provide for substance abuse records?

HIPAA protects substance abuse information as PHI, limiting uses and disclosures and granting patient rights to access, request restrictions, and receive an NPP. When stricter laws apply—such as Part 2—HIPAA defers to those protections. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?Channel=Google_PPC&field_insight_category_target_id=2&utm_source=openai))

How does 42 CFR Part 2 regulate disclosure of substance use disorder information?

Part 2 generally requires written patient consent for disclosures, allows a single consent for future TPO uses, bars use of records in legal proceedings against the patient absent proper consent or court order, applies HIPAA breach notification to Part 2 records, and aligns penalties with HIPAA. Compliance is required by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

What additional privacy protections are offered by Nebraska state laws?

Nebraska law sets timelines and rules for accessing medical records, permits withholding certain mental health records if release could harm the patient (unless ordered by a court), requires confidentiality by licensed facilities and practitioners, and excludes medical records from public records disclosure. ([nebraskalegislature.gov](https://nebraskalegislature.gov/laws/statutes.php?statute=71-8403))

When is patient consent required for sharing substance abuse records?

Outside of HIPAA’s TPO uses, disclosures typically require a HIPAA-compliant authorization. For SUD records from a Part 2 program, consent is the default rule; TPO can be covered by a single consent, but SUD counseling notes require separate consent. Court orders must meet Part 2’s Subpart E standards. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/164.508?utm_source=openai))

What are the penalties for violating substance abuse record privacy laws in Nebraska?

Violations can trigger federal civil or criminal penalties under HIPAA’s enforcement framework (now applicable to Part 2) and state disciplinary actions against professionals or facilities, including fines and possible license suspension or revocation. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/45/part-160/subpart-D?utm_source=openai))