Substance Use Disorder Treatment Confidentiality Explained: Your Privacy Rights Under HIPAA and 42 CFR Part 2
Overview of HIPAA and 42 CFR Part 2
When you receive substance use disorder (SUD) care, two federal privacy frameworks may protect your records: HIPAA’s Privacy, Security, and Breach Notification Rules and the specialized confidentiality rules at 42 CFR Part 2. HIPAA sets nationwide baseline safeguards for Protected Health Information, while Part 2 adds tighter disclosure restrictions to reduce stigma and deter legal risks that might keep people from seeking treatment.
If a provider is subject to both laws, it must follow Part 2 wherever it is more protective and still comply with HIPAA. In emergencies, HIPAA permits certain disclosures, but entities that are also Part 2 Programs must honor Part 2’s stricter standards when applicable. This means you benefit from the strongest rule at any given moment. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/3005/how-does-hipaa-interact-federal-confidentiality-rules-substance-use-disorder-treatment-information-in-emergency/index.html))
Scope of 42 CFR Part 2 Programs
Part 2 applies to “Part 2 Programs,” which are federally assisted programs that provide SUD diagnosis, treatment, or referral for treatment. This can include a standalone SUD clinic, an identified SUD unit within a general hospital, or dedicated SUD personnel inside a broader facility. The rule also binds certain “lawful holders” who receive Part 2 records from a program.
“Federally assisted” is defined broadly (for example, participation in federal health programs or receipt of federal funds). The definitions in the regulation clarify that records protected by Part 2 encompass any medium and extend to recipients that obtain them under a valid consent or applicable exception. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.11))
Patient Consent and Disclosure Rules
Part 2 presumes confidentiality. As a result, most sharing of SUD treatment records requires your written permission that meets specific patient consent requirements (for example, identifying the information to be disclosed and the purpose). These disclosure restrictions are stricter than HIPAA’s default permissions.
Following 2024 updates, you may authorize a single consent for all future uses and disclosures for treatment, payment, and health care operations (TPO). If a HIPAA-covered entity or its business associate receives your Part 2 records under that consent, it may redisclose them as HIPAA allows—except they still cannot be used against you in legal proceedings without your consent or a qualifying court order. Disclosures made with consent must now include a copy of the consent or a clear explanation of its scope. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Recent 2024 Regulatory Updates
In 2024, HHS (through SAMHSA and the Office for Civil Rights) finalized major changes that implement Section 3221 of the CARES Act and align Part 2 with HIPAA and the Health Information Technology for Economic and Clinical Health Act. Highlights include:
- A single, future-looking TPO consent and HIPAA-consistent re-disclosure rules, while preserving Part 2’s bar on using records against a patient absent consent or a court order.
- Application of HIPAA’s Breach Notification framework to Part 2 records and alignment of penalties and enforcement mechanisms with HIPAA.
- New or clarified rights and safeguards, including the ability to request restrictions on certain disclosures, and a forthcoming right to receive an accounting of disclosures for electronic records (timing tied to parallel HIPAA updates).
- Safe harbor steps for investigative agencies, recognition of SUD counseling notes with heightened protections, and clarification that segregating Part 2 data is not required. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Key dates: the final rule was published in the Federal Register on February 16, 2024; it took effect on April 16, 2024; and full compliance is required by February 16, 2026. ([ahima.org](https://www.ahima.org/media/k2rdajw3/42-cfr-part-2-hipaa-alignment-final-rule-faq.pdf))
Emergency Disclosure Exceptions
Part 2 permits limited disclosures without consent to protect life and safety. In a bona fide medical emergency—when you cannot consent and information is needed to treat you—programs may share only what is necessary with emergency personnel, and must document the disclosure afterward. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.51?utm_source=openai))
Other narrow exceptions include reporting suspected child abuse or neglect, addressing crimes or threats on program premises or against staff, responding to certain audits/evaluations and approved research, and complying with a Part 2–compliant court order. These carve-outs are specific and do not open the door to broad sharing. ([law.cornell.edu](https://www.law.cornell.edu/cfr/text/42/2.12?utm_source=openai))
Patient Rights and Breach Notifications
You retain HIPAA-aligned rights with respect to your SUD records, including the right to access your information and request amendments or certain restrictions. Part 2 now also recognizes a right to an accounting of disclosures for electronic records, with the compliance date to be set in tandem with a future HIPAA Privacy Rule update. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Breach notification obligations for Part 2 records now track HIPAA and HITECH: if unsecured SUD information is compromised, entities must evaluate the incident and, when required, notify you and other parties within prescribed timelines. This unified approach ensures your SUD records receive the same breach protections as other Protected Health Information. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
Enforcement and Penalties
Enforcement of privacy rules affecting your SUD records is now harmonized. Part 2 penalties are aligned with HIPAA’s civil and criminal authorities, and the enforcement toolbox of the Office for Civil Rights (OCR)—investigations, corrective action, resolution agreements, and civil money penalties—applies to violations once the rule’s compliance date arrives on February 16, 2026. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
The bottom line: you gain clearer, more consistent protections across your care journey. The updated framework supports care coordination while preserving strong confidentiality guardrails—especially the prohibition on using SUD treatment records against you without consent or a court order that meets Part 2 standards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
FAQs
What protections does 42 CFR Part 2 provide for SUD treatment records?
Part 2 strictly limits when SUD records can be disclosed, generally requiring your written consent. Even when your records are shared for care coordination under a TPO consent, they cannot be used against you in civil, criminal, administrative, or legislative proceedings without your consent or a qualifying court order. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
How does HIPAA interact with 42 CFR Part 2 in emergencies?
HIPAA allows disclosures for treatment and to prevent serious, imminent harm. If a provider is also a Part 2 Program, it must follow Part 2’s narrower emergency pathway—sharing only what is necessary to address a bona fide medical emergency and documenting the disclosure—while remaining consistent with HIPAA’s minimum standards. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/faq/3005/how-does-hipaa-interact-federal-confidentiality-rules-substance-use-disorder-treatment-information-in-emergency/index.html))
What are patient rights regarding disclosure accounting?
Part 2 now recognizes a right to an accounting of disclosures for electronic records, aligned with HIPAA’s approach. The compliance date for this specific right will be set when HHS updates the analogous provision in the HIPAA Privacy Rule; until then, programs should prepare their systems and processes to support this transparency. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))
What penalties exist for violations of Part 2 confidentiality?
Penalties are aligned with HIPAA’s tiered civil money penalties and criminal provisions, and OCR may investigate and resolve violations using tools familiar from HIPAA enforcement. This alignment replaces Part 2’s prior criminal-only focus and provides stronger, more predictable remedies for breaches of SUD confidentiality. ([hhs.gov](https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/fact-sheet-42-cfr-part-2-final-rule/index.html))