South Carolina Substance Abuse Record Privacy Laws Explained: HIPAA and 42 CFR Part 2
HIPAA Privacy and Security Rules
What HIPAA protects
HIPAA safeguards Protected Health Information (PHI) held by covered entities and business associates. PHI includes any individually identifiable health information, whether paper, electronic, or oral. Substance Use Disorder Records are PHI under HIPAA, but—when Part 2 applies—they receive additional, stricter protections.
Permitted uses and disclosures
Under HIPAA’s Privacy Rule, you may use or disclose PHI without a patient authorization for treatment, payment, and health care operations (TPO). Outside TPO, and where no other exception applies, Patient Authorization Requirements govern: a valid, written authorization is needed before disclosure.
Security and breach response
- Security Rule: implement administrative, physical, and technical safeguards (for example, risk analysis, access controls, audit logs, encryption where reasonable).
- Breach Notification Obligations: if unsecured PHI is breached, notify affected individuals without unreasonable delay (no later than 60 days after discovery), notify HHS, and, for larger incidents, notify prominent media.
HIPAA sets the baseline. When records are Part 2–protected, Part 2 controls if it is more protective.
42 CFR Part 2 Confidentiality Protections
Who Part 2 covers and what counts as a “record”
Part 2 applies to federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment, and to others who receive Part 2 information as “lawful holders.” Protected Substance Use Disorder Records include identity, diagnosis, prognosis, or treatment information maintained in connection with such a program.
Core rules you must know
- Written consent is the default: most disclosures require patient consent that meets Part 2 content rules.
- Redisclosure Prohibition: recipients generally may not redisclose Part 2 records unless the original consent permits it or an exception applies. (HIPAA-covered entities that receive records under a Part 2 TPO consent may redisclose in line with HIPAA—details below.)
- Stronger protection in legal matters: Part 2 records and testimony cannot be used against a patient in civil, criminal, administrative, or legislative proceedings without the patient’s consent or a Part 2 court order.
Disclosures without consent (narrow and specific)
- Medical emergencies to treat an immediate threat to health, with required documentation after the fact.
- Audits and evaluations by regulators, payers, or their agents.
- Scientific research under defined safeguards (for example, IRB approval where required).
- Public health reporting when information is de-identified to HIPAA standards.
- Crimes on program premises or against program personnel (limited information to law enforcement).
- Mandated child abuse or neglect reporting under state law (original Part 2 records still cannot be used against the patient without consent or a Part 2 court order).
Qualified Service Organizations (QSOs)
Programs may share Part 2 information with Qualified Service Organizations that provide services like data processing, billing, legal, laboratory, or population health management under a QSO agreement (QSOA). A QSOA functions similarly to a HIPAA business associate agreement but is specific to Part 2.
CARES Act and 2024 Part 2 Final Rule Updates
Timeline
- CARES Act enacted: March 27, 2020, directing alignment of Part 2 with HIPAA/HITECH.
- Final rule announced: February 8, 2024; published: February 16, 2024.
- Compliance date: February 16, 2026.
Key changes you must implement
- Single TPO consent: patients may give one consent covering future uses and disclosures for treatment, payment, and health care operations.
- Redisclosure under HIPAA: HIPAA-covered entities and business associates that receive Part 2 records under a TPO consent may redisclose them as HIPAA permits (but records still cannot be used in proceedings against the patient absent consent or a proper court order).
- Breach alignment: HIPAA Breach Notification Obligations now apply to Part 2 records.
- Penalties alignment: Civil Monetary Penalties and criminal penalties apply under HIPAA’s enforcement framework.
- Patient rights: new right to request restrictions and to receive an accounting of disclosures (with an implementation timeline tied to the forthcoming HIPAA accounting update).
- Patient notice: Part 2 Patient Notice aligns with the HIPAA Notice of Privacy Practices.
- SUD counseling notes: newly defined; require separate consent and cannot be used or disclosed based on a broad TPO consent.
- No segmentation mandate: the rule clarifies that segregating Part 2 data is not required; however, you must still ensure improper disclosures do not occur.
- Public health: de-identified disclosures permitted to public health authorities.
- Investigations: a safe harbor limits liability for investigative agencies that act with defined diligence before requesting records.
Enforcement and Penalties Under Part 2
Violations of Part 2 are now enforced using HIPAA’s framework. That includes Civil Monetary Penalties that scale by culpability (for example, reasonable cause versus willful neglect) with annual caps adjusted for inflation, and potential criminal penalties for knowing wrongful disclosures. The HIPAA Breach Notification Rule also applies to breaches of unsecured Part 2 records, triggering required notices to individuals, HHS, and, when applicable, the media.
Patients may file complaints directly with HHS. Programs should expect OCR-style investigations, corrective action plans, and settlement agreements where warranted.
State-Specific Requirements in South Carolina
Confidentiality and penalties under South Carolina law
South Carolina’s Section 44-22-100 makes records identifying a mentally ill or alcohol and drug abuse patient confidential, with limited exceptions (for example, patient consent, certain court-directed disclosures, specified cooperation with agencies). Unlawful disclosures are a misdemeanor, punishable by a fine (up to $500), imprisonment (up to one year), or both.
Access and authorizations
Under the Physicians’ Patient Records Act (Title 44, Chapter 115), patients (or their legal representatives) have a right to copies of their medical records or to have records transferred to another physician upon written authorization. This state right operates alongside HIPAA access rights and Part 2’s specific consent rules.
Prescription monitoring and confidentiality
South Carolina’s prescription drug monitoring program (SCRIPTS) has strict confidentiality provisions and enumerated recipients for disclosures (for example, certain law enforcement engaged in a bona fide drug-related investigation). When the information originates as Part 2 records, patient consent is required before reporting Part 2 data to a PDMP.
Mandatory reporting
South Carolina mandates child abuse and neglect reporting by a wide range of professionals, including substance abuse treatment staff. Making a mandated report is allowed; however, original Part 2 records generally remain protected from use against the patient unless a Part 2 court order or patient consent permits it.
Patient Rights and Consent Provisions
HIPAA rights
- Access, copy, and, in some cases, request amendments to PHI.
- Receive a Notice of Privacy Practices explaining uses, disclosures, and rights.
- Authorize or decline disclosures outside HIPAA’s permitted purposes.
Part 2 rights and consent mechanics
- Single TPO consent is permitted; outside TPO, Part 2 requires detailed written consent specifying, among other elements, the patient, the information to be disclosed, the purpose, recipient(s), expiration, and revocation terms.
- Each disclosure made with consent must carry a copy of the consent or a clear explanation of its scope, and the Redisclosure Prohibition notice when required.
- SUD counseling notes need a separate, specific consent.
- Patients can request restrictions and will receive an accounting of disclosures once the HIPAA accounting update takes effect.
Compliance Strategies for Providers
Operational steps to take now
- Confirm Part 2 applicability: identify which services, units, or data sets are subject to Part 2 and who becomes a “lawful holder.”
- Update forms and notices: adopt a Part 2–compliant single TPO consent, create a separate SUD counseling notes consent, and align your Part 2 Patient Notice with your HIPAA Notice of Privacy Practices.
- Tighten agreements: execute Qualified Service Organization agreements for vendors supporting your Part 2 program; maintain HIPAA business associate agreements where applicable.
- Configure systems: while segmentation is not required, use role-based access, labeling, and workflow “hard stops” to prevent unauthorized releases; ensure every disclosure decision is logged.
- Train your workforce: emphasize differences between HIPAA and Part 2, the Redisclosure Prohibition, PDMP consent nuances, and how mandated reporting interacts with Part 2.
- Test incident response: incorporate Part 2 into breach response plans to meet HIPAA-aligned Breach Notification Obligations.
- Map South Carolina law: integrate SC-specific confidentiality, access, and misdemeanor penalty provisions into policies; align with SCRIPTS rules.
- Set a countdown: target full compliance by February 16, 2026, with interim milestones for policy, training, and EHR updates.
Conclusion
HIPAA sets the floor; 42 CFR Part 2 sets a higher bar for Substance Use Disorder Records. With the CARES Act and 2024 final rule, the frameworks are more aligned—single TPO consent, HIPAA-style breaches and penalties—yet Part 2’s core privacy pillars remain. By updating consents and notices, tightening agreements and controls, and embedding South Carolina–specific rules, you can protect patients and reduce enforcement risk.
FAQs
What records are protected under South Carolina substance abuse privacy laws?
Part 2 protects records identifying a patient’s SUD diagnosis, treatment, or referral created or maintained by a federally assisted SUD program. South Carolina law (Section 44-22-100) also makes records identifying alcohol and drug abuse patients confidential, subject to limited statutory exceptions. When both apply, you follow the most protective rule.
How does 42 CFR Part 2 differ from HIPAA?
HIPAA allows broad TPO sharing without authorization; Part 2 generally requires specific written consent, even for many routine disclosures. The 2024 rule permits a single TPO consent and HIPAA-governed redisclosure by HIPAA entities, but Part 2 still bars using records against a patient in legal proceedings absent consent or a Part 2 court order and continues to require Redisclosure Prohibition notices in many contexts.
When can substance abuse records be disclosed without patient consent?
Part 2 allows narrow disclosures without consent for medical emergencies, qualified audits/evaluations, approved research, de-identified public health reporting, crimes on program premises or against staff, and mandated child abuse or neglect reports. Otherwise, obtain a Part 2–compliant consent. HIPAA’s permissions do not override stricter Part 2 limits.
What penalties exist for violations of substance abuse record privacy laws?
Federally, Part 2 violations use HIPAA’s enforcement model: Civil Monetary Penalties that scale by culpability (with annual caps adjusted for inflation) and potential criminal penalties for knowing wrongful disclosures, plus breach notification duties. In South Carolina, unlawful disclosures of certain behavioral health records can also be prosecuted as misdemeanors under Section 44-22-100.