North Carolina Substance Abuse Record Privacy Laws Explained: HIPAA, 42 CFR Part 2, and State Rules

Substance use treatment information is protected by overlapping federal and state privacy frameworks. In North Carolina, you must harmonize HIPAA’s rules for Protected Health Information, 42 CFR Part 2’s heightened Confidentiality Protections for Substance Use Disorder Treatment Records, and state statutes and administrative rules that add their own requirements. This guide explains where each law applies, how they differ, and what practical steps ensure Privacy Compliance.

HIPAA Privacy Protections

Scope and key definitions

HIPAA applies to covered entities and business associates that create, receive, maintain, or transmit Protected Health Information (PHI). PHI includes any individually identifiable health data related to a person’s health status, treatment, or payment. HIPAA sets national standards for uses and disclosures and establishes patient rights you must honor.

Permitted uses and disclosures

Without Patient Authorization, HIPAA permits—but does not require—use and disclosure of PHI for treatment, payment, and health care operations. Other disclosures may be allowed or required (for example, certain public health or law enforcement purposes), and entities must apply the minimum necessary standard where it applies. Disclosures outside these purposes generally require written authorization with specific content elements.

Individual rights under HIPAA

• Right of access to records, with limited exceptions and defined response timelines.
• Right to request amendments to inaccurate or incomplete PHI.
• Right to request restrictions and to receive confidential communications.
• Right to an accounting of certain disclosures not related to treatment, payment, or operations.

HIPAA’s preemption rule allows more stringent state laws to control where they provide greater privacy protections or rights.

42 CFR Part 2 Confidentiality Requirements

Who Part 2 covers

Part 2 protects identifiable Substance Use Disorder Treatment Records held by “federally assisted” programs and lawful holders. Federally Assisted Programs broadly include most SUD treatment providers that receive federal funding, participate in Medicare/Medicaid, hold DEA registrations for medication-assisted treatment, or have federal tax-exempt status.

Core confidentiality protections

• Written consent is the default rule for disclosures that identify a person as having or having had a substance use disorder.
• Disclosures without consent are narrowly limited (for example, certain medical emergencies, audits/evaluations, qualified research, or specialized court orders).
• A prohibition on redisclosure notice must accompany releases; recipients generally may not further disclose Part 2 records unless expressly permitted.
• Use of Part 2 records against a patient in legal proceedings is barred absent the patient’s consent or a compliant court order.

Recent updates to align with HIPAA

HHS finalized substantive updates effective April 16, 2024, with a general compliance date of February 16, 2026. Key changes include allowing a single consent for future treatment, payment, and health care operations disclosures; permitting HIPAA-governed redisclosure by covered entities and any business associate consistent with HIPAA (still excluding use against the patient in legal proceedings); aligning penalties and breach notification with HIPAA; adding rights to request restrictions and an accounting of disclosures; and creating special protections for SUD counseling notes maintained separately from the medical record.

North Carolina State Substance Abuse Laws

Core statutes (G.S. 122C-52 through 122C-56)

• Right to confidentiality: Client information held by facilities providing mental health, developmental disability, and substance abuse services is confidential and not a public record.
• Disclosures with consent: A facility may disclose confidential information with the client’s written consent. Clients generally have access to their records, subject to limited “injurious information” exceptions.
• Disclosures without consent: Specific exceptions allow disclosure in tightly defined circumstances (for example, court orders, emergencies, reports of abuse/neglect, imminent danger, certain care coordination within designated state/area systems, and coordination with prisons or jails).
• Federal law controls when stricter: If federal statutes or regulations (such as 42 CFR Part 2) prohibit release, state-law exceptions do not apply.
• Penalties: Unauthorized disclosure may constitute a Class 3 misdemeanor with a statutory fine; facilities and personnel also face administrative and employment consequences.

Administrative rules (10A NCAC 26B)

• State rules adopt 42 CFR Part 2 by reference for “substance abusers” and require affirmative measures to safeguard records.
• Redisclosure warning: When releasing confidential information, facilities must inform recipients that further disclosure is prohibited without client consent; stamps or similar notices are permitted.
• Documentation and delegation: Releases and disclosures must be documented, and only authorized personnel may disclose records.

Minors’ consent and confidentiality (G.S. 90-21.5; G.S. 90-21.4(b))

• Any minor may consent to prevention, diagnosis, and treatment for substance abuse. When a minor lawfully consents, providers generally may not notify parents or guardians without the minor’s permission, subject to narrow safety exceptions.
• Under Part 2, if state law lets a minor consent to SUD treatment, only the minor can authorize disclosures of those SUD records unless a limited exception applies.

Consent and Disclosure Procedures

Step 1: Determine which laws apply

• Identify whether you are a HIPAA covered entity/business associate, a Part 2 program or lawful holder, and/or a North Carolina facility subject to Chapter 122C and 10A NCAC 26B.
• When multiple laws apply, follow the most protective rule for the specific record and purpose.

Step 2: Use the correct consent or authorization

• HIPAA: Obtain a Patient Authorization for uses/disclosures outside treatment, payment, or operations. Ensure all required elements are present.
• Part 2: Use a Part 2-compliant consent that clearly identifies the patient, what information will be disclosed, the purpose, the recipient(s), revocation rights, and expiration. You may use a single consent for future treatment, payment, and operations disclosures.
• Minors: When the minor consented to SUD services under state law, obtain the minor’s own consent for any disclosure of those records.

Step 3: Attach required notices and limit redisclosure

• Include the Part 2 prohibition-on-redisclosure notice with every disclosure of SUD records.
• For North Carolina facility records, add the NCAC redisclosure warning and document each release or disclosure as required.

Step 4: Handle exceptions carefully

• Emergencies: Disclose only the minimum necessary; promptly document who received the information, by whom, when, and why.
• Court orders: Verify that the order satisfies Part 2 and state-law standards before releasing SUD records; consider seeking legal counsel.
• Public health and de-identified data: Part 2 permits certain de-identified disclosures; HIPAA has its own de-identification standards.

Differences Between Federal and State Laws

• Default standard: HIPAA permits TPO disclosures without authorization; 42 CFR Part 2 generally requires consent but now allows a single TPO consent. North Carolina’s Chapter 122C lists specific exceptions for facility records, some narrower than HIPAA’s general TPO framework.
• Redisclosure: HIPAA allows redisclosure consistent with its rules; Part 2 tightly restricts redisclosure and requires a prohibition notice; NCAC rules independently require a redisclosure warning for state-facility records.
• Legal proceedings: HIPAA allows certain disclosures under law; Part 2 forbids using SUD records against the patient without consent or a qualifying court order; state courts must honor those federal limits.
• Preemption: More stringent federal or state rules govern the specific record and purpose. North Carolina statutes explicitly defer to stricter federal protections.
• Minors: North Carolina gives minors the right to consent to substance abuse services and restricts parental notification; Part 2 then requires the minor’s own consent for disclosures of those SUD records.

Compliance and Enforcement

• HIPAA: Enforced by HHS Office for Civil Rights; violations can lead to civil monetary penalties and corrective action plans.
• Part 2: Modernized enforcement aligns with HIPAA penalties and breach notification; compliance with the 2024 final rule is required by February 16, 2026.
• North Carolina: Unauthorized disclosures can trigger a Class 3 misdemeanor and administrative or employment discipline; licensing boards may impose professional sanctions.
• Operational safeguards: Maintain policies, training, and role-based access; tag or otherwise identify Part 2 records; standardize consent workflows; and document all releases and exceptions.

Patient Rights and Remedies

Your rights under HIPAA

• Access: You may request copies of your records; providers must respond within set timelines and explain any permissible denials.
• Amend: You may ask to correct or amend information; denials must include the reason and how to submit a statement of disagreement.
• Restrictions and confidential communications: You may request additional limits on disclosures and ask that providers contact you in specific ways.
• Complaints: You may file a complaint with the provider or with federal regulators if you believe your rights were violated.

Your rights under 42 CFR Part 2

• Consent control: You decide who can receive your Substance Use Disorder Treatment Records and may revoke consent.
• New rights: Alignment with HIPAA adds the right to request restrictions and to receive an accounting of certain disclosures (subject to implementation timing).
• Protection in legal matters: Your SUD records cannot be used against you in court without your consent or a qualifying court order.

Your rights under North Carolina law

• Confidentiality: Facility records are confidential by default; limited exceptions apply.
• Access and “injurious information”: You may review your records; if disclosure is deemed injurious, the information can be sent to a physician or psychologist you choose.
• Minors: If you consented to your own substance abuse services, you control who can see those records, with narrow safety exceptions.

Bottom line: Treat HIPAA as the baseline, apply Part 2’s stricter rules to SUD records, and layer in North Carolina’s statutes and rules. When in doubt, follow the most protective pathway, document your rationale, and seek legal counsel for court orders or complex disclosures.

FAQs

What records are protected under North Carolina substance abuse privacy laws?

North Carolina law makes records held by facilities that provide mental health, developmental disability, and substance abuse services confidential and not public records. These protections cover identifying information, clinical notes, diagnoses, treatment plans, and similar content. If the records also fall under 42 CFR Part 2 (for example, SUD services from a federally assisted program), the federal Part 2 protections apply in addition to HIPAA and state law.

How does 42 CFR Part 2 differ from HIPAA?

HIPAA generally permits disclosures for treatment, payment, and operations without written authorization. Part 2 is stricter: it typically requires patient consent for disclosures that identify someone as having a substance use disorder. Under the 2024 final rule, patients may give a single consent for future TPO disclosures, but Part 2 still bars using SUD records against a patient in legal proceedings without consent or a qualifying court order and imposes tight redisclosure limits and required notices.

What additional privacy protections does North Carolina state law provide?

North Carolina statutes add specific disclosure limits and procedures for facility records, require redisclosure warnings, and allow patients to route “injurious” information to a chosen clinician. Unauthorized disclosures can result in a misdemeanor fine and administrative or professional discipline. State rules also adopt 42 CFR Part 2 by reference and provide special protections for minors who consent to their own substance abuse services.

How can patients request access or correction of their substance abuse records?

Submit a written request to the provider’s health information or medical records department asking for access or amendment. Under HIPAA, providers must respond within defined timelines and explain any lawful denials. For North Carolina facility records, if disclosure is deemed injurious, you may direct the information to a physician or psychologist you choose. For Part 2 records, you may revoke prior consents and request an accounting of certain disclosures as the new provisions take effect.