Texas Substance Abuse Treatment Record Privacy Laws Explained: HIPAA, 42 CFR Part 2, and State Rules
Texas substance abuse treatment record privacy laws sit at the intersection of HIPAA, 42 CFR Part 2, and state-specific rules. This guide explains how these frameworks work together to protect the Confidentiality of Substance Abuse Records, when disclosures are allowed, and what you and your organization must do to stay compliant.
HIPAA Privacy Protections
What counts as Protected Health Information (PHI)
HIPAA protects “Protected Health Information,” which includes any individually identifiable health data created or received by a provider, health plan, or clearinghouse. Substance use disorder (SUD) treatment details are PHI, and HIPAA’s baseline protections apply even when 42 CFR Part 2 adds stricter controls.
Permitted uses, disclosures, and Record Disclosure Limitations
Without signed authorization, HIPAA permits disclosures mainly for treatment, payment, and health care operations, as well as certain public health and oversight purposes. Outside those purposes, you must obtain written authorization and follow the minimum necessary standard to limit what you share.
Individual rights under HIPAA
Patients can access and obtain copies of their records, request amendments, receive an accounting of certain disclosures, and ask for restrictions or confidential communications. You must provide a Notice of Privacy Practices that explains these rights and how PHI may be used or disclosed.
Safeguards and breaches
HIPAA requires administrative, physical, and technical safeguards, workforce training, and Business Associate Agreements. If a breach compromises unsecured PHI, you must evaluate risk and provide breach notifications within required timelines.
42 CFR Part 2 Confidentiality Standards
Who is covered: Federally Assisted Programs
42 CFR Part 2 covers any program that provides SUD diagnosis, treatment, or referral and is “federally assisted,” which commonly includes facilities receiving Medicaid or Medicare funds, federal tax benefits, or federal licensing or registration. For these programs, Part 2 supplements HIPAA with stricter confidentiality rules.
Consent-first framework and redisclosure limits
Part 2 generally prohibits disclosing patient-identifying SUD information without the patient’s written consent. Patient Consent Forms must specify who may disclose, who may receive, the purpose, what information will be shared, and when consent expires. Recipients are bound by a prohibition on redisclosure unless the patient authorizes it or an exception applies.
Narrow exceptions to consent
Disclosures without consent are limited to medical emergencies, research, audit and evaluation, qualified court orders that meet Part 2 criteria, mandated child abuse reports, and crimes on program premises or against staff. Even when another law would permit disclosure, Part 2’s stricter rule controls for covered programs.
Alignment with HIPAA for TPO (as permitted)
Recent updates allow, in defined circumstances, a single consent that permits HIPAA-like use and redisclosure for treatment, payment, and health care operations. Programs should ensure their policies, EHR segmentation, and redisclosure notices reflect these changes while preserving Part 2’s core protections.
Texas State Substance Abuse Laws
Texas Medical Privacy Act (TMPA)
Texas extends privacy protections through the Texas Medical Privacy Act, which applies broadly to entities handling PHI in the state. TMPA often mirrors HIPAA but can be stricter, including shorter response timelines for patient access requests and additional training and documentation expectations.
Licensing and program rules for SUD facilities
Texas licensing standards for facilities treating SUD require strong confidentiality, staff training, and compliance processes that account for HIPAA and 42 CFR Part 2. Programs must document policies, safeguard records, and implement clear Record Disclosure Limitations across clinical, billing, and support functions.
Mental health record rules relevant to SUD care
Texas mental health record confidentiality laws add protections to counseling and therapy notes often involved in SUD treatment. These rules may affect who can access integrated behavioral health records and how such records are shared with other providers.
Minor Consent Provisions
Texas law allows minors in certain situations to consent to diagnosis or treatment for chemical dependency or to receive counseling. When a minor legally consents, the minor generally controls consent to disclose those records, though providers may involve a parent or guardian when permitted or required by law to protect the minor’s safety.
Disclosure Consent Requirements
HIPAA-compliant authorizations
For non-routine uses, HIPAA requires signed authorization that describes the information to be disclosed, the purpose, the recipient, an expiration date or event, the right to revoke, and the potential for redisclosure by recipients. Authorizations must be written in plain language and kept on file.
Part 2 consent elements and notices
Part 2 Patient Consent Forms must meet detailed content requirements and include a prohibition on redisclosure notice. If your EHR integrates SUD and general medical data, segment Part 2–protected information so routine HIPAA disclosures do not inadvertently include Part 2 records.
Texas-specific considerations
Texas accepts HIPAA-compliant authorizations, but where Part 2 applies, you must use Part 2–compliant forms and workflows. Electronic signatures are generally acceptable if you can authenticate the signer and preserve the integrity of the record.
Special cases: minors and personal representatives
When a minor validly consents under Texas law, the minor typically decides whether to disclose those SUD records. If a parent or guardian consented to the treatment, they usually act as the personal representative and may authorize disclosure unless Part 2 or safety considerations limit access.
Law Enforcement Access Rules
HIPAA: process-driven disclosures
HIPAA permits disclosures to law enforcement with a warrant, court order, or certain Law Enforcement Subpoenas that meet specified safeguards. You should limit the information to what is legally requested and apply the minimum necessary standard when applicable.
Part 2: special court orders and strict limits
Part 2 generally forbids using SUD records to investigate or prosecute a patient. Law enforcement access requires a Part 2–compliant court order that shows good cause, limits the scope, and protects the public interest. Routine subpoenas or general warrants are not sufficient for Part 2–protected records.
Texas interplay and practical response
Texas subpoenas and court processes do not override Part 2. Create a written protocol to promptly route requests to counsel, verify which records are Part 2–protected, and respond only with legally permissible, narrowly tailored disclosures.
Patient Rights and Record Access
Access timelines, formats, and fees
Under HIPAA, you generally must provide access within 30 days; Texas law often requires a faster response, commonly 15 business days. Provide copies in the format the patient requests if readily producible and charge only reasonable, cost-based fees.
Amendments, restrictions, and confidential communications
Patients may request amendments to correct inaccuracies, ask for restrictions on certain disclosures, and direct you to communicate by alternative means or at alternative locations. Document decisions and honor granted restrictions in all downstream workflows.
Segmentation and redisclosure controls
Use EHR segmentation or data tagging to wall off Part 2 records from routine HIPAA disclosures. Train staff to recognize Part 2 content, apply redisclosure warnings, and uphold Record Disclosure Limitations in health information exchanges.
Breach notification duties
If a breach exposes PHI or Part 2 information, follow HIPAA breach notification rules and any stricter Texas notice requirements. Maintain incident response plans, document investigations, and implement corrective actions to prevent recurrence.
Compliance and Enforcement
Oversight and penalties
HIPAA is enforced by federal regulators and can carry significant civil and criminal penalties. Texas authorities can also bring actions for violations of state medical privacy laws. Part 2 violations may trigger federal enforcement, with penalties aligned to HIPAA for certain provisions.
Program governance essentials
- Maintain written policies mapping HIPAA, Part 2, and Texas rules to your workflows.
- Train staff on Patient Consent Forms, redisclosure warnings, and the handling of Law Enforcement Subpoenas.
- Implement EHR segmentation, access controls, and audit trails for Part 2 data.
- Run regular risk analyses and tabletop exercises for emergencies and legal requests.
Conclusion
In Texas, HIPAA sets the baseline for PHI, 42 CFR Part 2 adds heightened protections for SUD programs, and state law tightens timelines and operational expectations. When in doubt, follow the most protective rule, document your decisions, and design systems that default to privacy.
FAQs
What are the main differences between HIPAA and 42 CFR Part 2?
HIPAA permits many disclosures for treatment, payment, and operations without patient authorization, subject to minimum necessary limits. Part 2 generally requires written patient consent before releasing SUD records and strictly limits redisclosure, with narrow exceptions such as medical emergencies, research, audits, and special court orders.
How does Texas law enhance substance abuse record privacy?
Texas strengthens privacy by applying rules broadly to entities handling PHI in the state, shortening response timelines for patient access, and layering additional confidentiality for mental health and counseling records. These state requirements operate alongside HIPAA and Part 2, and the most protective rule typically controls.
When can law enforcement access substance abuse treatment records?
Under HIPAA, disclosures may occur with proper legal process such as a warrant or qualifying subpoena. For Part 2 records, law enforcement generally needs a Part 2–compliant court order that shows good cause and narrowly limits what is released; routine subpoenas are not enough.
What rights do patients have to access and restrict their records?
Patients can access and obtain copies of their records, request amendments, seek restrictions on certain disclosures, and ask for confidential communications. In Texas, access deadlines are often shorter than HIPAA’s, and when Part 2 applies, patients control most disclosures of their SUD records through written consent.