North Dakota Substance Abuse Record Privacy Laws: A Guide to HIPAA, 42 CFR Part 2, and State Requirements

If you manage Patient Health Information in North Dakota, you face overlapping rules. This guide clarifies how HIPAA, 42 CFR Part 2, and state confidentiality protections interact for Substance Use Disorder Records, when Written Consent is required, how Federally Assisted Programs are treated, and what Legal Proceedings Restrictions apply—especially for minors.

HIPAA Privacy Rule Overview

Scope and key definitions

HIPAA applies to covered entities (health plans, most providers, clearinghouses) and their business associates. It protects identifiable Patient Health Information (PHI) in any format. You must implement administrative, physical, and technical safeguards and apply the minimum-necessary standard for routine disclosures.

Permitted uses and disclosures

Without an authorization, you may generally use or disclose PHI for treatment, payment, and health care operations. Other permitted disclosures include those required by law, certain public health activities, and narrowly tailored responses to court orders. For anything outside these pathways, obtain a HIPAA-compliant authorization.

Authorizations and de-identification

A HIPAA authorization must specify who may disclose and receive, the information to be disclosed, purpose, expiration, and the individual’s signature with notice of the right to revoke. When appropriate, consider de-identified data or a limited data set with a data use agreement to reduce privacy risk.

HIPAA and state law

HIPAA sets a baseline. If a North Dakota rule is more protective of privacy than HIPAA, the stricter state requirement controls. You should harmonize policies so staff understand when state law or federal law is the governing standard.

42 CFR Part 2 Confidentiality Protections

Who is covered and what is protected

42 CFR Part 2 applies to Substance Use Disorder programs that are Federally Assisted Programs (for example, those receiving federal funding or participating in federal benefit programs). It protects any patient-identifying information that reveals a person has sought or received SUD diagnosis, treatment, or referral.

Written Consent as the default

Part 2 generally requires the patient’s Written Consent before disclosure. A valid consent clearly identifies the patient, the specific Part 2 program, the recipient(s), the purpose, what information may be shared, expiration, revocability, and the patient’s signature (including compliant electronic signatures).

Narrow exceptions to consent

• Medical emergencies to address an immediate threat to health or safety.
• Program audits or evaluations and qualifying research with required safeguards.
• Court orders that meet heightened Part 2 standards and are strictly limited.
• Crimes on program premises or against program personnel (limited facts only).

Prohibition on redisclosure and notices

Disclosures made under Part 2 must carry a prohibition on redisclosure notice. Recipients may not pass along SUD information unless the patient gives new consent or another Part 2 exception applies.

Coordination with HIPAA

Part 2 is more protective than HIPAA. Where both apply, follow the stricter rule. Care coordination can occur with appropriate consent, qualified service organization agreements, and role-based access controls to uphold these Confidentiality Protections.

North Dakota State Confidentiality Requirements

State-law overlay

North Dakota law generally requires health care providers to keep medical records confidential and to disclose only with patient authorization or as expressly allowed by law. When state rules are more protective than HIPAA, follow the North Dakota rule.

Common state-authorized disclosures

• Mandatory reports (for example, certain public health, abuse, or neglect reports).
• Disclosures compelled by a valid court order that complies with privacy safeguards.
• Disclosures necessary to avert serious, imminent harm, consistent with professional judgment.

Operational expectations in North Dakota

• Verify identity and authority before any release of Substance Use Disorder Records.
• Train staff to recognize Part 2 versus HIPAA pathways and to apply minimum necessary.
• Maintain secure retention and destruction practices consistent with medical-records rules.
• Follow breach-notification duties under HIPAA; state consumer notification obligations may also apply to certain incidents involving personal information.

Consent and Authorization Procedures

Building valid HIPAA authorizations

• Describe the information to be disclosed with sufficient specificity.
• Name or describe the disclosing party and authorized recipient(s).
• State the purpose (or “at the request of the individual”).
• Include an expiration date or event and the individual’s signature and date.
• Explain the right to revoke and the potential for redisclosure under HIPAA.

Creating Part 2-compliant Written Consent

• Identify the patient and the specific SUD program.
• Identify the recipient(s) or class of recipients.
• State the purpose and describe the SUD information to be disclosed.
• Include expiration, revocation language, and the patient’s signature/date.
• Attach or embed the prohibition on redisclosure notice to every Part 2 disclosure.

Execution, storage, and revocation

Accept electronic signatures that meet applicable e-signature laws. Store consents in the designated record set so they are easy to retrieve and audit. Track revocations promptly; once revoked, you may not disclose under that consent except as already relied upon.

Minor Patient Disclosure Rules

HIPAA’s personal representative framework

Under HIPAA, a parent or guardian typically acts as a minor’s personal representative. However, access may be limited when the minor is allowed by law to consent to care, when a court has appointed another decision-maker, or when disclosure could endanger the minor.

Part 2 overlay and Minor Consent Requirements

For SUD care, Part 2 defers to state law on whether a minor can consent to treatment. If North Dakota law allows a minor to consent, the minor generally controls disclosures, and parental access requires the minor’s Written Consent unless a narrow exception applies. If state law requires parental consent for SUD treatment, the parent or guardian typically authorizes disclosure.

Practical steps with families and payers

• Clarify at intake who can receive information and document preferences.
• Use separate consents for SUD content to respect redisclosure limits.
• Offer confidential communications (for example, alternate addresses) when permitted to reduce inadvertent disclosures through billing.

Legal Limitations on Record Use

Part 2’s Legal Proceedings Restrictions

Part 2 bars using patient SUD records to initiate or substantiate criminal charges against a patient. Courts may authorize limited disclosures only through specialized Part 2 court orders that meet strict necessity and minimization findings.

Responding to subpoenas and court orders

A subpoena alone is usually insufficient for Part 2 records; require patient consent or a qualifying court order. For non-Part 2 PHI, HIPAA permits disclosures in response to a valid subpoena if specific safeguards are met, but you should still seek protective orders and disclose only the minimum necessary.

Employment, education, and law enforcement

Employers, schools, and law enforcement may receive SUD information only through patient consent or a qualifying exception. Workplace drug-testing records are typically not Part 2 records unless generated by a covered SUD program; confirm the record’s origin before disclosing.

Patient Rights and Notification

Core HIPAA rights

• Access and obtain copies of records in the requested reasonable format.
• Request amendments to correct or clarify information.
• Receive an accounting of certain disclosures.
• Request restrictions and confidential communications.
• Receive a clear Notice of Privacy Practices describing uses, rights, and contacts for questions and complaints.

Part 2 notices and redisclosure warnings

Programs must give patients a plain-language explanation of Part 2 Confidentiality Protections. When you disclose SUD information as allowed, include the prohibition on redisclosure notice so downstream recipients understand the limits.

Summary

In North Dakota, manage Substance Use Disorder Records by starting with HIPAA’s baseline, layering on 42 CFR Part 2’s stricter requirements, and honoring any more protective state rules. Use precise Written Consent, limit disclosures, document decisions, and give patients clear notices. Doing so protects privacy while enabling safe, lawful care coordination.

FAQs.

What protections does HIPAA offer for substance abuse records?

HIPAA protects Patient Health Information, including SUD information, by restricting use and disclosure to defined purposes such as treatment, payment, and operations or as otherwise permitted by law. It requires minimum-necessary use, individual authorizations for most nonroutine disclosures, safeguards, breach notification, and patient rights to access, amend, and receive an accounting of disclosures.

How does 42 CFR Part 2 regulate disclosure of treatment information?

Part 2 covers Federally Assisted Programs that provide SUD services and protects any patient-identifying SUD information. Disclosures generally require the patient’s Written Consent, carry a prohibition on redisclosure, and are allowed without consent only for narrow exceptions like medical emergencies, audits, qualifying research, or specialized court orders meeting strict findings.

What specific privacy laws apply in North Dakota for substance abuse records?

North Dakota requires confidentiality of medical records and permits disclosures only with authorization or specific legal allowances. When a disclosure involves SUD content, you must also satisfy 42 CFR Part 2. If a state rule offers stronger Confidentiality Protections than HIPAA, the North Dakota rule controls.

Can substance abuse records of minors be disclosed without consent?

Usually no. For SUD records, whether a parent or the minor must consent depends on state Minor Consent Requirements. If the minor is permitted to consent to SUD treatment, the minor typically controls disclosure under Part 2. Limited exceptions—such as medical emergencies or mandated reporting—may allow disclosure without consent.

What legal limitations exist on using substance abuse records in court?

Part 2 imposes strong Legal Proceedings Restrictions: SUD records cannot be used to investigate or prosecute a patient, and courts can authorize only narrowly tailored disclosures via special Part 2 orders. For non-Part 2 PHI, HIPAA allows certain disclosures in response to legal process with appropriate safeguards and minimization.