Substance Abuse Records Privacy: What 42 CFR Part 2 and HIPAA Mean for You



Kevin Henry

Data Privacy

February 25, 2026

6 minutes read

Overview of 42 CFR Part 2

42 CFR Part 2 sets strict rules for the confidentiality of substance use disorder records. It applies to federally assisted substance use programs that diagnose, treat, or refer for treatment and, in many cases, to lawful holders of Part 2 records such as other providers, health plans, and qualified service organizations. The goal is to reduce stigma and deter discrimination so more people feel safe seeking care. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))

Part 2 defines key terms like “Part 2 program,” “lawful holder,” and “business associate,” and makes clear that records identifying a patient as having or having had a substance use disorder generally cannot be disclosed without the patient’s written consent or a qualifying court order. ([ecfr.gov](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-B/section-2.11))

Key Provisions of HIPAA Privacy Rule

HIPAA’s Privacy Rule protects all protected health information (PHI) held by covered entities and business associates. It permits use and disclosure without authorization for treatment, payment, and health care operations (TPO), requires the “minimum necessary” standard, mandates a Notice of Privacy Practices, and grants rights to access, amendment, restrictions, and confidential communications. HIPAA is implemented and enforced by the HHS Office for Civil Rights (OCR). ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?WHB=1&campaign_name__c=PR_Media&channel=PR_Media))

While HIPAA allows broad TPO sharing, it still requires policies, workforce training, mitigation of harmful effects, and documentation to show compliance—expectations that become especially important when PHI includes Part 2–protected information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?WHB=1&campaign_name__c=PR_Media&channel=PR_Media))

Impact of CARES Act Amendments

The CARES Act (Section 3221) directed HHS to align aspects of Part 2 with HIPAA and the HITECH Act. Results include allowing a single patient consent for TPO, enabling HIPAA-covered entities and business associates to redisclose Part 2 records as HIPAA permits (with important limits), adding breach notification requirements, and aligning certain enforcement provisions and patient rights with HIPAA/HITECH. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Even with this alignment, Part 2 continues to impose unique guardrails—for example, stricter limits on using SUD records in legal proceedings against a patient—preserving heightened confidentiality where the risk of harm from disclosure is acute. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))

Details of the 2024 Part 2 Final Rule

The 2024 Final Rule implements the CARES Act changes and modernizes Part 2. Notable updates include: single TPO consent for future uses and disclosures; permission for HIPAA covered entities and business associates to redisclose records under HIPAA; application of HIPAA’s Breach Notification Rule to Part 2 records; alignment of penalties with HIPAA’s civil and criminal enforcement framework; new patient rights (accounting of disclosures and the right to request restrictions); a new definition and heightened protection for SUD counseling notes (separate consent required); clarification that segregating Part 2 data is not required; a safe harbor for investigative agencies; and a right to file complaints directly with HHS. The rule took effect April 16, 2024, and required compliance by February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))


Enforcement and Penalties for Violations

OCR enforces both HIPAA and, as delegated by the Secretary, Part 2. OCR investigates complaints, conducts compliance reviews, and can impose civil money penalties or require corrective action to resolve violations. For Part 2, OCR’s enforcement leverages the HIPAA Enforcement Rule processes at 45 CFR part 160 (Subparts C, D, and E). ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))

Penalties now align with HIPAA: civil money penalties can apply for noncompliance, and separate criminal penalties under 42 U.S.C. § 1320d‑6 may apply for wrongful obtaining or disclosure of individually identifiable health information. Entities should expect OCR to prioritize voluntary compliance but be prepared for enforcement if deficiencies persist. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Patient Rights and Consent

Under Part 2, you can provide a single consent authorizing TPO uses and disclosures; each disclosure made under consent must include a copy or clear description of the consent’s scope. SUD counseling notes require a separate consent and cannot be disclosed under a broad TPO consent. Patients gain the ability to request restrictions and, once HIPAA’s companion rule is finalized, to receive an accounting of disclosures under Part 2. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Under HIPAA, you have rights to access your PHI, request amendments, request restrictions, and seek confidential communications. Covered entities must provide a Notice of Privacy Practices explaining these rights and how information is used and disclosed. These HIPAA rights apply when HIPAA‑regulated entities handle Part 2 records, subject to Part 2’s additional protections. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?WHB=1&campaign_name__c=PR_Media&channel=PR_Media))

Breach Notification and Compliance Procedures

Part 2 now applies HIPAA’s Breach Notification Rule to breaches of unsecured Part 2 records. That means you must assess incidents using HIPAA’s four-factor risk assessment, determine whether PHI/Part 2 data were “unsecured,” and, if a reportable breach occurred, notify affected individuals without unreasonable delay and no later than 60 days, notify HHS (immediately for breaches affecting 500+ individuals or annually for fewer), and notify the media if 500+ residents of a state or jurisdiction are affected. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

Compliance checklist (practical steps)

  • Contain and investigate the incident; preserve evidence; coordinate with business associates and lawful holders.
  • Complete the HIPAA four-factor risk assessment and document your determination and notifications.
  • Issue timely notices to individuals (and, if applicable, HHS and media); maintain proof of all actions.
  • Encrypt or destroy data at rest and in transit to avoid “unsecured PHI” exposures going forward.
  • Update policies, consent forms (including separate SUD counseling notes consent), BA/QSO agreements, and workforce training; test incident response plans periodically.

Part 2 also codifies “Security for records and notification of breaches,” reinforcing the expectation that programs protect records and follow breach procedures consistent with HIPAA. ([ecfr.gov](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2?toc=1))

Conclusion

In short, HIPAA sets the baseline for health privacy, while Part 2 adds heightened protections for substance use information. The CARES Act and the 2024 Final Rule make the two frameworks work together: streamlined patient consent for TPO, aligned breach notification, and unified enforcement—without weakening the special safeguards that protect you from legal and social harms tied to SUD disclosures. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

FAQs

What protections does 42 CFR Part 2 provide for substance abuse records?

Part 2 strictly limits when records identifying you as having, or having had, a substance use disorder can be disclosed. In general, a federally assisted SUD program cannot disclose without your written consent or a qualifying court order, and your records cannot be used in legal proceedings against you without consent. ([hhs.gov](https://www.hhs.gov/hipaa/part-2/index.html))

How does the HIPAA Privacy Rule differ from 42 CFR Part 2?

HIPAA broadly protects PHI and allows TPO sharing without authorization; Part 2 is narrower in scope but stricter, covering SUD records from federally assisted programs with tighter disclosure and redisclosure limits—particularly for legal proceedings—while still permitting a single TPO consent under the 2024 rule. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html?WHB=1&campaign_name__c=PR_Media&channel=PR_Media))

What changes did the CARES Act introduce to substance abuse records privacy?

It directed HHS to align Part 2 with HIPAA/HITECH, enabling a single TPO consent, allowing HIPAA-regulated redisclosures (with limits), adding breach notification requirements, aligning enforcement, and extending certain patient rights consistent with HITECH. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))

When will compliance with the 2024 Part 2 Final Rule be mandatory?

Compliance was required by February 16, 2026; the rule itself became effective on April 16, 2024. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
