Tennessee Substance Abuse Record Privacy Laws Explained: HIPAA, 42 CFR Part 2, and State Protections



Kevin Henry

Data Privacy

April 15, 2026


Federal HIPAA Regulations

HIPAA sets a nationwide baseline for protecting health data, known as protected health information. It applies to covered entities—healthcare providers, health plans, and clearinghouses—and their business associates that create, receive, maintain, or transmit PHI. You must safeguard PHI in any form, from clinic notes to EHR data and patient portals.

The HIPAA Privacy Rule governs who may use or disclose PHI and for what purposes. Without patient authorization, you may use or disclose PHI for treatment, payment, and healthcare operations (TPO) and for certain public-interest exceptions. The Security Rule requires administrative, physical, and technical safeguards for electronic PHI, and the Breach Notification Rule mandates notifying affected individuals and regulators after certain security incidents.

Patients hold important rights under HIPAA. They can access and obtain copies of their records, request amendments, and receive an accounting of certain disclosures. They may also request reasonable restrictions on uses and disclosures and select confidential communication channels. You must honor these rights while observing the minimum necessary standard for non-treatment disclosures.

Key HIPAA concepts you will apply

  • Consent requirement vs. permitted uses: HIPAA permits many uses without authorization, but marketing, most research, and many non-routine purposes require patient authorization.
  • De-identification: You can remove identifiers or use expert determination to transform data so it is no longer PHI.
  • Business associates: Vendors handling PHI must sign agreements to meet HIPAA’s safeguards and breach duties.

42 CFR Part 2 Confidentiality Rules

42 CFR Part 2 creates stricter substance use disorder confidentiality standards for federally assisted SUD programs and lawful holders of Part 2 records. If your organization provides SUD diagnosis, treatment, or referral and meets the rule’s definitions, Part 2 likely applies in addition to HIPAA. When both apply, you must follow the most protective rule.

Part 2 generally requires written patient consent for most disclosures. A major modernization aligned many requirements with HIPAA: after a patient gives a single written consent, Part 2 records may be used and redisclosed for treatment, payment, and healthcare operations in accordance with HIPAA. As of February 16, 2026, compliance with these updated provisions is required nationwide, so you should ensure your consent and redisclosure workflows reflect the current rule.

Part 2 exceptions that permit disclosure without patient consent

  • Medical emergencies where immediate disclosure is needed to treat the patient.
  • Qualified research, audit, and evaluation under specified safeguards.
  • Court orders that meet stringent Part 2 criteria.
  • Crimes committed on program premises or against program personnel, reported to law enforcement.
  • Suspected child abuse or neglect reported to appropriate authorities.

Part 2 sharply limits using SUD records in civil, criminal, administrative, or legislative proceedings. Absent a proper court order and, in many situations, patient consent, such records cannot be used against the patient. The updated rule also aligns breach notification and penalties with HIPAA and calls for clear patient notices about how Part 2 information is protected.

Tennessee State Privacy Provisions

Tennessee’s state health privacy statutes complement federal law by adding requirements for how providers create, maintain, and release medical records. In practice, HIPAA sets the federal floor, 42 CFR Part 2 imposes heightened confidentiality for SUD records, and Tennessee law may be more protective in specific areas. When laws conflict, you follow the rule that offers the strongest privacy protection.

In Tennessee, medical and behavioral health records are confidential and generally require written consent for disclosure unless a legal exception applies. Licensed facilities, clinics, and professionals must maintain secure records, disclose only as permitted, and document releases. Public records laws in Tennessee also exclude identifiable patient health information, reinforcing confidentiality outside the healthcare setting.

Topics Tennessee providers routinely encounter

  • Mental and behavioral health: State rules reinforce confidentiality for therapy and substance use treatment records and often layer procedures on top of HIPAA and Part 2.
  • Record requests: Tennessee law outlines what constitutes a valid written request, reasonable response times, and documentation practices for disclosures.
  • Prescription data: The state’s controlled substance monitoring processes are confidential and available only to defined users for patient care and oversight.
  • Adolescents: Tennessee law defines when minors may consent to certain care and how parental access intersects with confidentiality; you should verify the current statute before releasing SUD-related records involving minors.

Consent is central to substance use disorder confidentiality. Under Part 2, most disclosures require the patient’s written consent unless a narrow exception applies. Under HIPAA, many routine healthcare uses are permitted without authorization, but you still need patient authorization for non-routine purposes such as most marketing and many non-treatment research activities.

Elements a valid written consent must include

  • What information may be disclosed, to whom, and for what purpose.
  • Expiration date or event and the patient’s signature and date.
  • Notice of the patient’s right to revoke in writing and the limits of revocation.

Patients can revoke consent at any time, which stops future disclosures based on that consent. They retain HIPAA rights to access their own records, request amendments, and obtain an accounting of certain disclosures. Your EHR should support segmentation so Part 2 data is not disclosed when a consent has not been granted or has been revoked.


Exceptions and Disclosures

Understanding legal exceptions to disclosure helps you respond quickly yet lawfully when time is critical. HIPAA permits, and sometimes requires, disclosures without authorization for specified purposes. Part 2 allows fewer exceptions and applies stricter conditions.

HIPAA disclosures without authorization

  • Treatment, payment, and healthcare operations (TPO).
  • Public health reporting, health oversight, and certain law enforcement requests.
  • To avert a serious and imminent threat to health or safety.
  • Judicial and administrative proceedings with appropriate process.
  • Workers’ compensation and other uses required by law.

Part 2 disclosures without patient consent

  • Medical emergencies to treat the patient.
  • Qualified research or audit/evaluation with safeguards.
  • Crimes on program premises or against staff.
  • By court order that meets Part 2’s heightened standards.
  • Mandatory child abuse or neglect reports.

Using data that is not identifiable

De-identified information is not subject to HIPAA, and properly anonymized datasets are outside Part 2. Limited data sets can be shared under a data use agreement for research and public health purposes. When in doubt, apply the minimum necessary principle and document your rationale.

Enforcement and Compliance

HIPAA is enforced by the U.S. Department of Health and Human Services’ Office for Civil Rights, which investigates complaints, audits organizations, and levies civil penalties. The updated Part 2 framework aligns penalties with HIPAA, creating a familiar enforcement landscape across both regimes. Violations can also prompt contractual, accreditation, and licensure consequences.

What Tennessee providers should do now

  • Map where Part 2 records live and who the lawful holders are across your organization and vendors.
  • Update consent templates and workflows to reflect single-consent TPO rules and redisclosure limits.
  • Segment SUD data in the EHR using role-based access and tagging to prevent unintended disclosures.
  • Refresh notices, policies, and training to cover HIPAA, Part 2, and state health privacy statutes.
  • Execute and track business associate and qualified service organization agreements.
  • Test breach response plans and maintain an accounting of disclosures where required.

As of February 16, 2026, you are expected to operate under the modernized 42 CFR Part 2 framework. Bringing HIPAA and state requirements into a single, auditable privacy program will reduce risk and speed appropriate care coordination.

Impact on Healthcare Providers

For integrated behavioral health and hospital systems, the rules shape daily workflows. Intake teams must identify when a program is subject to Part 2, obtain proper consent up front, and tag records accordingly. Care managers and billing teams need guardrails so patient authorization is obtained when required and disclosures track the stated purpose and recipients.

Payers and health information exchanges benefit from the modernization, but you still must prevent over-sharing. After a valid initial consent, SUD information may flow for TPO like other PHI, yet redisclosure for non-TPO or for legal proceedings remains restricted. You should verify that downstream partners can honor data use limits before releasing any Part 2 material.

Technology choices matter. Configure your EHR to support selective sharing, mask notes that include SUD content when consent is absent, and log disclosures. Use standardized data segmentation so only the minimum necessary leaves your system, and ensure portals display SUD information consistent with the patient’s choices.
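A consent-gated disclosure check with note masking and a disclosure log, covering the consent elements and revocation rule discussed earlier together with the EHR segmentation, masking and logging points in the paragraph above, as an added Python example that is not code from the article or from Accountable. It is a simplified model of the rules as the article states them; the Part 2 record tag, the consent fields, the purpose names and the "*" convention for the single TPO consent are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
TPO = {"treatment", "payment", "operations"}  # uses covered by the single TPO consent
TODAY = date(2026, 3, 1)  # constructed sample date for the worked checks

@dataclass
class Consent:
    recipient: str           # "*" = the single TPO consent, valid for any TPO recipient (assumption)
    purposes: set            # e.g. {"treatment", "payment", "operations"} or {"research"}
    expires: Optional[date]  # expiration date, or None when tied to an event
    revoked: bool = False    # revoked in writing: stops future disclosures under it

@dataclass
class Record:
    note: str
    part2: bool              # tagged at intake as a Part 2 (SUD program) record
    consents: list = field(default_factory=list)

disclosure_log = []          # accounting of every decision, allowed or denied
def _active(c: Consent, today: date) -> bool:
    return not c.revoked and (c.expires is None or today <= c.expires)

def _covered(rec: Record, recipient: str, purpose: str, today: date) -> bool:
    # a consent naming this recipient and purpose, or the single TPO consent for a TPO purpose
    return any(_active(c, today) and purpose in c.purposes and
               (c.recipient == recipient or (c.recipient == "*" and purpose in TPO))
               for c in rec.consents)

def decide(rec: Record, recipient: str, purpose: str, today: date = TODAY,
           emergency: bool = False, court_order: bool = False) -> tuple:
    """Simplified model of the article's rules; returns (allowed, reason)."""
    if not rec.part2:  # ordinary PHI: TPO needs no authorization, other uses do
        ok = (purpose in TPO or (purpose == "legal_proceeding" and court_order)
              or _covered(rec, recipient, purpose, today))
        reason = "HIPAA: permitted or authorized" if ok else "HIPAA: authorization required"
    elif emergency and purpose == "treatment":
        ok, reason = True, "Part 2 exception: medical emergency"
    elif purpose == "legal_proceeding":
        ok, reason = court_order, "Part 2: court order meeting Part 2 criteria required"
    else:
        ok = _covered(rec, recipient, purpose, today)
        reason = "Part 2: active written consent" if ok else "Part 2: no active consent"
    disclosure_log.append((today.isoformat(), recipient, purpose, ok, reason))
    return ok, reason

def render(rec: Record, recipient: str, purpose: str, today: date = TODAY, **kw) -> str:
    ok, _ = decide(rec, recipient, purpose, today, **kw)  # mask the SUD note without a valid basis
    return rec.note if ok else "[SUD content withheld: no valid consent]"
```

Every call to `decide` appends to `disclosure_log`, so denied requests are recorded alongside permitted ones and the log can back an accounting of disclosures.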

Key takeaways

  • HIPAA provides a broad PHI framework; Part 2 adds stricter substance use disorder confidentiality.
  • Tennessee law reinforces confidentiality and may be more protective in specific scenarios.
  • As of February 16, 2026, modernized Part 2 rules require updated consents, segmentation, and notices.
  • Strong workflows and EHR controls let you share what’s needed for care while honoring every consent requirement.

FAQs

What federal laws protect substance abuse records in Tennessee?

Two federal regimes apply: HIPAA, which protects protected health information across the healthcare system, and 42 CFR Part 2, which imposes additional confidentiality for substance use disorder records from federally assisted SUD programs and lawful holders. In Tennessee, you must apply both, following the most protective rule for each situation.

How does 42 CFR Part 2 differ from HIPAA?

Part 2 is stricter. It generally requires written patient authorization for disclosures and tightly limits use in legal proceedings. Following recent updates, a single consent can allow use and redisclosure for treatment, payment, and healthcare operations consistent with HIPAA, but non-TPO uses remain restricted. HIPAA, by contrast, permits many routine uses without authorization and focuses on the minimum necessary standard and patient rights.

Are there Tennessee-specific privacy laws for substance abuse records?

Yes. Tennessee’s state health privacy statutes reinforce confidentiality for medical, behavioral health, and SUD treatment records, require appropriate written consent for most disclosures, and define specific exceptions. Public records laws exclude identifiable patient information, and additional rules govern how licensed facilities maintain, release, and document records.

When can substance abuse records be disclosed without patient consent?

Under HIPAA, disclosures without authorization are allowed for treatment, payment, and healthcare operations and for defined public-interest purposes. Under Part 2, the exceptions are narrower, such as medical emergencies, qualified research or audits, certain court orders, crimes on program premises, and child abuse reporting. De-identified data may be shared outside these regimes when properly anonymized.
