New Hampshire Substance Abuse Record Privacy Laws: A Practical Guide to HIPAA, 42 CFR Part 2, and State Rules
Overview of HIPAA Privacy Rule
HIPAA sets the national baseline for protecting identifiable health information, including substance use disorder (SUD) data, when held by covered entities and business associates. It defines protected health information (PHI), outlines permitted uses and disclosures, and gives you rights to access, amend, and receive an accounting of disclosures.
Under HIPAA, you may use or disclose PHI for treatment, payment, and health care operations, and in specific circumstances such as public health or when required by law. The “minimum necessary” standard requires you to limit disclosures to what is reasonably needed for the task at hand.
HITECH Act Integration
The HITECH Act strengthens HIPAA by expanding breach notification duties, increasing civil enforcement, and extending many obligations to business associates. In practice, this integration means you must maintain audit-ready logs, implement risk analyses, and train your workforce on electronic record safeguards and breach response.
When HIPAA Meets Part 2 and State Law
For SUD information, HIPAA is not the only rule. 42 CFR Part 2 and New Hampshire statutes may be stricter; in those cases you follow the more protective rule. Building policies that recognize layered protections helps you avoid unauthorized disclosures and penalties.
Key Provisions of 42 CFR Part 2
42 CFR Part 2 provides heightened confidentiality for records that identify an individual as having or having had a SUD, when created or maintained by a federally assisted SUD program or certain integrated settings. Its protections apply to diagnosis, treatment, and referral information that could reveal SUD status.
Consent as the Default Gatekeeper
Part 2 generally requires patient consent before disclosure. A valid consent must be “specific” and include core elements such as the patient’s name, a description of the information, the purpose, the recipient(s), an expiration date or event, the right to revoke, and the patient’s signature. Broad “general consent” that is acceptable under HIPAA will usually not suffice for Part 2 unless it specifically meets Part 2’s elements.
Narrow Exceptions
Limited disclosures may occur without consent for medical emergencies, research under approved protocols, audits and evaluations, certain court orders, mandated child abuse reporting, and crimes on program premises or against staff. Each exception is narrowly construed and should be documented carefully.
Prohibition on Redisclosure
Information disclosed under Part 2 must carry a prohibition-on-redisclosure notice. Recipients are barred from further sharing the information unless the patient consents again or a Part 2 exception applies. This protection follows the data, even outside health care settings.
New Hampshire State Confidentiality Laws
New Hampshire adds protections that can be more stringent than federal rules. When state law is stricter, you must follow it. The following statutes frequently intersect with SUD privacy workflows:
- RSA 332-I:1: Establishes core principles for medical records in New Hampshire, including confidentiality and patient access considerations relevant to SUD documentation.
- RSA 318-B:12-a: Governs the state’s prescription drug monitoring program (PDMP), including confidentiality, access controls, and restrictions on redisclosure of controlled substance dispensing data.
- RSA 330-A:32: Addresses confidentiality and privilege obligations for licensed mental health practitioners, which can apply when counseling overlaps with SUD services.
- RSA 330-C:26: Sets standards for alcohol and other drug use professionals, including confidentiality and record-keeping duties for SUD treatment information.
- RSA 135-C:19-a: Covers confidentiality of mental health records and conditions for release, often relevant when SUD and mental health treatment are integrated.
Aligning federal and state rules means mapping your data flows. Identify where SUD records reside, what programs qualify under Part 2, and which state statutes add tighter limits so your policies reflect the strictest applicable rule.
Consent Requirements and Procedures
General Consent vs Specific Consent
General Consent can authorize routine HIPAA disclosures for treatment, payment, and operations, but it does not automatically satisfy Part 2. For SUD records, a Specific Consent that meets 42 CFR Part 2 elements is typically required before you disclose to outside parties such as courts, schools, or non-treating providers.
Building a Part 2–Compliant Consent
- Precisely describe the SUD information to be disclosed and the purpose of the disclosure.
- Name the individual or organization authorized to receive the information (or a class of recipients, if permitted).
- State an expiration date or event and the patient’s right to revoke consent in writing.
- Include the required prohibition-on-redisclosure statement with each disclosure.
Operational Tips
- Maintain separate or segmented SUD records in the EHR so you can honor Part 2 controls without disrupting general HIPAA workflows.
- Use layered forms: a HIPAA acknowledgment plus a Part 2–specific consent when applicable.
- Document all disclosures in an accounting log and retain copies of signed consents for your records.
Restrictions on Redisclosure
Part 2 requires that each disclosure carry a prohibition-on-redisclosure notice, and recipients generally cannot pass the information along without a new consent or an applicable exception. This rule applies whether the recipient is a provider, an insurer, an attorney, or a social service agency.
Under HIPAA, you also apply the minimum necessary standard to non-treatment disclosures. In New Hampshire, RSA 318-B:12-a imposes additional redisclosure limits for PDMP data, and professional practice statutes such as RSA 330-A:32 and RSA 330-C:26 reinforce client confidentiality within their respective disciplines.
Enforcement and Penalties
HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights, which can impose Civil Penalties for violations and refer egregious cases for Criminal Penalties. The HITECH Act increased penalty tiers and encouraged corrective action plans and monitoring.
Violations of 42 CFR Part 2 can trigger Criminal Penalties for knowingly disclosing SUD records in violation of the regulations. In addition, state authorities may pursue actions for unauthorized disclosures or professional misconduct under statutes including RSA 332-I:1, RSA 330-A:32, and RSA 330-C:26. Civil liability may also arise under state tort theories for privacy breaches.
Common risk areas include overbroad subpoenas, blanket releases that lack Part 2 elements, PDMP misuse contrary to RSA 318-B:12-a, and EHR configurations that fail to segregate Part 2 data. Addressing these proactively reduces enforcement exposure.
Compliance Training and Best Practices
- Policy framework: Write integrated policies that cross-reference HIPAA, 42 CFR Part 2, and New Hampshire statutes such as RSA 318-B:12-a, RSA 332-I:1, RSA 330-A:32, RSA 330-C:26, and RSA 135-C:19-a.
- Consent management: Use separate templates for General Consent (HIPAA) and Specific Consent (Part 2). Automate expiration tracking and revocations.
- Data segmentation: Configure EHRs and document repositories to tag and restrict SUD records; attach the prohibition-on-redisclosure notice to outbound disclosures.
- Role-based training: Provide onboarding and annual refreshers on HIPAA, Part 2, and PDMP rules, with scenario drills on subpoenas, emergencies, and care coordination.
- Vendor oversight: Execute business associate agreements when required and ensure downstream service providers honor Part 2 restrictions.
- Incident readiness: Maintain a breach response plan reflecting HITECH Act breach notification steps; test and refine through tabletop exercises.
- Audit and improvement: Conduct periodic access audits, reconcile disclosure logs, and remediate gaps with targeted training and technical fixes.
Conclusion
For New Hampshire substance abuse record privacy, you must layer HIPAA’s baseline, 42 CFR Part 2’s heightened protections, and state statutes. By using precise consents, limiting redisclosure, and training your team, you can protect patients and keep your organization compliant.
FAQs
What protections does 42 CFR Part 2 provide for substance abuse records?
Part 2 shields records that identify someone as having or having had a SUD. It generally requires specific, written patient consent for disclosures, mandates a prohibition-on-redisclosure notice, and permits only narrow exceptions such as medical emergencies, research, audits, and certain court orders.
How do New Hampshire laws complement federal substance abuse privacy laws?
New Hampshire statutes reinforce confidentiality and can be stricter than federal rules. For example, RSA 318-B:12-a limits PDMP data use and redisclosure, while RSA 332-I:1, RSA 330-A:32, RSA 330-C:26, and RSA 135-C:19-a add record, privilege, and professional standards that often tighten protection alongside HIPAA and Part 2.
What are the consent requirements for disclosing substance abuse records?
HIPAA may allow disclosure under a general consent for treatment, payment, and operations, but SUD records covered by Part 2 usually need a specific, detailed consent naming the recipient, the purpose, the information to be shared, an expiration, and the right to revoke. Each disclosure should include the prohibition-on-redisclosure statement.
What penalties exist for unauthorized disclosures under 42 CFR Part 2?
Unauthorized disclosures can lead to criminal penalties under Part 2. Related violations can also trigger HIPAA civil penalties and, under New Hampshire law, professional discipline or civil liability depending on the circumstances and statutes involved.