Opioid Addiction Patient Data Privacy: HIPAA, 42 CFR Part 2, and Your Rights


Kevin Henry

HIPAA

November 23, 2025


Overview of HIPAA Privacy Standards

HIPAA creates the baseline federal privacy framework for your protected health information (PHI). It applies to covered entities—health care providers, health plans, and clearinghouses—and their business associates. Under HIPAA, your information can be used or disclosed without your authorization for treatment, payment, and health care operations (TPO), subject to the “minimum necessary” standard and other health information privacy safeguards.

For opioid addiction care, HIPAA supports behavioral health integration by letting teams coordinate services while requiring risk-based safeguards, staff training, and breach response plans. You have rights to access your records, request amendments, receive a notice of privacy practices, request confidential communications, and ask for certain restrictions. These federal privacy regulations set the floor; 42 CFR Part 2 adds stricter substance use disorder confidentiality rules in specific settings.

Key Provisions of 42 CFR Part 2

42 CFR Part 2 protects the confidentiality of records created by federally assisted programs that diagnose, treat, or refer for substance use disorders (SUD), as well as “lawful holders” that receive those SUD records. In general, SUD record disclosures require your written consent, with narrow exceptions such as medical emergencies, scientific research under defined controls, audits/evaluations, and court orders that meet strict criteria. ([ecfr.gov](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2))

Part 2 has distinctive patient consent requirements and historically limited redisclosure, making it more protective than HIPAA for SUD record disclosures. It also restricts the use of SUD records and related testimony in civil, criminal, administrative, and legislative proceedings against you unless you consent or a court order is obtained. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Programs may contract with Qualified Service Organizations (QSOs) for services like data processing. A QSO agreement (QSOA) is similar to a HIPAA business associate agreement but remains a distinct Part 2 instrument, and—after 2024 updates—QSOs can include HIPAA business associates when criteria are met. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Recent 2024 Regulatory Updates

On February 16, 2024, HHS issued a sweeping final rule to align key elements of Part 2 with HIPAA, effective April 16, 2024, with a compliance date of February 16, 2026. Entities could voluntarily adopt changes any time after the effective date. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

The rule allows you to sign one consent that covers all future TPO uses and disclosures. When a HIPAA covered entity or business associate receives Part 2 records under that consent, it may redisclose them as HIPAA permits, except that it cannot use or disclose those records in legal proceedings against you without your separate consent or a qualifying court order. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

No mandatory segmentation for recipients

To improve treatment coordination, recipients that are Part 2 programs, HIPAA covered entities, or business associates are not required to segregate or segment Part 2 data received under a TPO consent—though many organizations still implement technical controls to honor limits on legal-use redisclosures. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Breach notification and penalties now aligned with HIPAA

Part 2 now incorporates HIPAA’s Breach Notification Rule for “unsecured” records and applies HIPAA’s civil and criminal enforcement framework to Part 2 noncompliance—bringing clearer, stronger enforcement of data breach penalties. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Expanded rights and notices

You have new rights under Part 2 to request restrictions and to obtain an accounting of disclosures; the accounting obligation is tolled until HHS finalizes related HIPAA rule changes. Part 2 programs must provide an updated patient notice by the first service date after the compliance date. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Additional protections

The rule creates SUD counseling notes—treated like HIPAA psychotherapy notes—that require separate, specific consent, and establishes a safe harbor for certain investigative agencies that exercise reasonable diligence before seeking records. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Patient Rights to Access and Control Data

You can request copies of your records (including SUD records held by your providers), usually within HIPAA’s standard timeframes. You control SUD record disclosures through Part 2 consent forms—now streamlined via a single TPO consent—and you can revoke consent at any time. You may also request restrictions on certain disclosures and confidential communications.

If you believe your rights were violated, you can file a complaint with the provider and directly with HHS. Under the 2024 final rule, HHS may receive and investigate complaints alleging Part 2 violations by Part 2 programs, covered entities, business associates, QSOs, and other lawful holders. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

For transparency, Part 2’s new accounting of disclosures right will become operational once HHS finalizes the related HIPAA accounting standard; until then, entities must be ready to meet this requirement when that HIPAA update takes effect. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Compliance Requirements for Healthcare Providers

Determine whether you are a Part 2 program or a lawful holder of SUD records and map data flows across EHRs, HIEs, and downstream intermediaries. Update consent workflows to support the single TPO consent and separate consent for SUD counseling notes, and ensure every disclosure with consent includes a copy or clear explanation of scope.

Provide the updated Part 2 patient notice by the first date of service after the compliance date; train care teams on patient consent requirements, redisclosure limits in legal proceedings, and SUD record disclosures in mixed records. Document relationships with QSOs and business associates, and ensure QSOAs and BAAs reflect Part 2 expectations. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Strengthen health information privacy safeguards: conduct risk analyses, implement role-based access, and prepare incident response plans that follow HIPAA-aligned breach notification steps for unsecured Part 2 records. Maintain processes to accept and track patient requests for restrictions and, when finalized, accountings of disclosures. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Differences Between HIPAA and 42 CFR Part 2

Scope and baseline: HIPAA broadly governs PHI held by covered entities and business associates; Part 2 targets SUD confidentiality in federally assisted SUD programs and lawful holders of SUD records, adding stricter patient consent requirements for SUD record disclosures. ([ecfr.gov](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2))

Redisclosure and legal protections: HIPAA allows many redisclosures under TPO; Part 2, after 2024’s alignment, permits HIPAA-based redisclosures when records are received under a TPO consent but continues to prohibit using those records in proceedings against you without separate consent or an appropriate court order. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Data handling: Recipients under a TPO consent are not required to segment SUD data, reducing barriers to behavioral health integration. Enforcement and breach response for Part 2 now mirror HIPAA, strengthening the enforcement of data breach penalties. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Impact on Treatment Coordination and Data Sharing

The single TPO consent and removal of mandatory segmentation for recipients help integrate SUD information into care pathways, closing long-standing gaps between primary care, pain management, mental health, and specialty addiction treatment. That enables safer medication management and more complete care plans while respecting patient consent requirements. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

At the same time, Part 2 preserves core protections—especially the bar on using your SUD records against you in legal proceedings absent your consent or a qualifying court order—which continues to reduce stigma and encourage people to seek treatment. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

Key takeaways

  • HIPAA sets the floor; Part 2 adds focused substance use disorder confidentiality that you control through consent.
  • As of February 16, 2026, providers must comply with the 2024 updates, including single TPO consent, HIPAA-aligned breach notification, and enhanced enforcement. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))
  • Recipients under a TPO consent are not required to segment SUD data, easing behavioral health integration while legal-use limits still apply. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

FAQs

What protections does 42 CFR Part 2 provide beyond HIPAA?

Part 2 requires consent for most SUD record disclosures, strictly limits redisclosures, and uniquely prohibits using SUD records and related testimony in legal proceedings against you without your consent or a court order. It also adds focused rules for SUD counseling notes and specialized agreements with service partners (QSOAs). ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

How can patients exercise their rights under these regulations?

Ask your providers for copies of your records, decide who may receive SUD record disclosures with the single TPO consent (or a more granular consent), and revoke consent at any time. You may request restrictions and confidential communications. If you suspect a violation, file a complaint with your provider and with HHS, which now accepts Part 2 complaints from patients. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

What are the penalties for violations of opioid addiction data privacy?

Part 2 now adopts HIPAA’s civil and criminal enforcement framework. Depending on the facts, HHS can seek corrective action, monetary settlements, civil money penalties, and—in egregious cases—refer matters for criminal enforcement. Breach notification obligations for unsecured Part 2 records also track HIPAA’s rule. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))

You can give one consent covering all future treatment, payment, and health care operations uses/disclosures. Covered entities and business associates that receive your SUD records under that consent may redisclose as HIPAA permits, but not for legal proceedings against you without a separate consent or proper court order; recipients are not required to segment SUD data. ([federalregister.gov](https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records))
