Washington State Substance Abuse Record Privacy Laws: What Patients and Providers Should Know

Protecting substance use treatment information in Washington requires tracking both federal rules and state-specific statutes. This guide clarifies when you can share, when you must withhold, and how to align day‑to‑day workflows with the strictest standard that applies to your setting.

Federal Confidentiality Regulations

Core laws and scope

Federal law 42 U.S.C. § 290dd-2 and its implementing regulations (42 CFR Part 2) strictly protect records that identify someone as having a substance use disorder or receiving related services. HIPAA also applies to most providers, but when Part 2 and HIPAA conflict, you follow the rule that is more protective of the patient.

Consent, redisclosure, and minimum necessary

Except for narrow exceptions, you may disclose Part 2 records only with valid substance use disorder patient consent. Modern rules support a single, written consent that permits sharing for treatment, payment, and health care operations, while still requiring that recipients honor Part 2’s prohibition on unauthorized redisclosure. Always limit shared information to what is necessary for the stated purpose.

Privacy notice requirements and accountability

Providers should give clear notices that explain how Part 2 and HIPAA protect patient information, describe patient rights, and outline complaint options. Maintain disclosure logs, train staff annually, and ensure business partners and qualified service organizations contractually agree to safeguard Part 2 data and follow breach and incident response obligations that apply to your organization.

Washington State Confidentiality Laws

Uniform Health Care Information Act and related rules

Washington’s Uniform Health Care Information Act (RCW 70.02) governs how providers collect, use, and disclose health information, including stricter rules for minors and sensitive services. When RCW 70.02 and federal rules overlap, apply the stricter standard. Programs historically referenced RCW 70.96A.150 for chemical dependency confidentiality; today, integrated behavioral health rules and RCW 70.02 carry much of the operational detail used by providers.

Public agencies and records requests

If a public agency holds treatment information, the Washington Public Records Act exemptions protect health records and certain investigative materials from disclosure. Agencies must evaluate each request, apply exemptions, and redact or withhold records as required while preserving patient privacy.

Agency processes and authorizations

Some state processes and forms still reference legacy terminology (for example, WAC-388-01-150 authorization). In practice, agencies and providers should confirm the current citation, use up‑to‑date forms, and ensure every release aligns with RCW 70.02 and 42 CFR Part 2 before disclosing any identifiable information.

Disclosure Without Consent

Both federal and Washington law recognize limited situations where disclosure is allowed or required without patient authorization. Always document the legal basis before you release anything.

• Medical emergencies: Share only what is necessary to treat an immediate threat to health or safety, and document the emergency and recipient.
• Audits and evaluations: Government oversight and accrediting bodies may review records under strict safeguards that prohibit redisclosure.
• Research: Allowed if an approved board authorizes access and privacy protections are in place; direct identifiers should be minimized.
• Suspected child abuse or neglect: You may report to child protective services consistent with state law; ongoing case details generally require consent or a court order.
• Court orders: A subpoena alone is not enough for Part 2 records. A specific court order with required findings and limits is necessary.
• Crimes on program premises or against staff: Limited identifying information about the suspected crime may be disclosed to law enforcement.
• De-identified information: You may share data stripped of direct and indirect identifiers that could reasonably identify a patient.

Record Sharing with Child Welfare

Providers must promptly report suspected abuse or neglect to the Department of Children Youth and Families (DCYF). That initial report may include minimal facts necessary to make the report. Beyond that, detailed treatment information for case planning or court proceedings typically requires substance use disorder patient consent or a qualifying court order under 42 CFR Part 2.

When DCYF is coordinating services, use specific, time‑limited releases that name the program, records, and purpose of disclosure. Share the minimum necessary, avoid blanket releases, and segment Part 2 data in the record so that non‑Part‑2 information can flow for care coordination without exposing protected SUD details.

Third-Party Access to Records

Payers, care managers, and integrated networks

Health plans and care managers often need limited data for eligibility, payment, or utilization review. For SUD information covered by Part 2, obtain explicit consent that authorizes these purposes, or rely on a valid single consent that permits treatment, payment, and health care operations where applicable.

Vendors and data infrastructure

Electronic health record vendors, billing companies, labs, and other service partners must sign written agreements that bind them to Part 2 and HIPAA safeguards. Use qualified service organization agreements or business associate agreements, restrict access on a need‑to‑know basis, and maintain an auditable trail of disclosures.

Courts, law enforcement, employers, and schools

Except for the narrow exceptions described above, these third parties cannot access SUD treatment records without patient consent. If records are sought for litigation, require a proper Part 2 court order and verify scope before producing anything. Employers and schools should be directed to the patient for an authorization rather than the provider disclosing directly without consent.

Special Protections for Sensitive Records

• Substance use disorder records: 42 CFR Part 2 requires written consent, robust redisclosure limits, and careful segmentation inside EHRs.
• Mental health psychotherapy notes: Keep separate from the general record; they require specific authorization beyond standard releases.
• HIV/STD information and reproductive health: Washington law adds heightened protections; use narrowly tailored authorizations and consider separate releases.
• Adolescents: Washington law gives minors strong control over certain behavioral health records; verify who may consent or access before any disclosure.
• Victims of violence: Safety planning may require additional caution to avoid inadvertently revealing location or treatment details.

Record Retention Requirements

Set a written retention schedule that satisfies the longest applicable requirement. Keep clinical records secure for a defined period, then destroy them in a manner that prevents reconstruction.

• Clinical records: A prudent baseline is at least six years after the last service for adults; for minors, keep at least until age 21 and no less than six years after the last visit, whichever is longer.
• Privacy and compliance records: Retain HIPAA/Part 2 policies, authorizations, notices, disclosure logs, and training attestations for at least six years from their creation or last effective date.
• Payer and program requirements: Medicare, Medicaid, grants, and contracts may require up to 10 years; adopt the longest applicable period across your payers.
• Behavioral health agency standards: Follow Washington licensing rules for documentation content and retention, and reconcile them with federal obligations before destruction.

Conclusion

In Washington, the safest path is to apply the strictest rule at every decision point: validate the legal basis, obtain precise authorizations, share only what is necessary, and document each disclosure. Building workflows around 42 U.S.C. § 290dd-2, RCW 70.02, and Washington Public Records Act exemptions helps protect patients while supporting coordinated, lawful care.

FAQs.

What are the federal confidentiality regulations for substance abuse records?

Two frameworks apply. 42 U.S.C. § 290dd-2 and 42 CFR Part 2 tightly control any record that identifies a person as having a substance use disorder or receiving related services, generally requiring written consent for disclosure. HIPAA overlays additional privacy and security rules for covered entities, but when the two differ, you follow the more protective standard.

When can substance abuse records be disclosed without patient consent?

Only in narrow circumstances: medical emergencies; approved audits, evaluations, or research with safeguards; mandated child abuse or neglect reports; limited crime‑on‑premises alerts; court‑ordered disclosures that meet Part 2 criteria; and sharing of properly de‑identified data. A subpoena alone is not enough for Part 2 records.

How does Washington law protect sensitive health information in treatment records?

Washington’s RCW 70.02 sets strong consent rules, adds special protections for minors and sensitive services, and works alongside federal Part 2 safeguards. Public agencies must also apply Washington Public Records Act exemptions when handling requests for records that contain health or investigative information.

What are the record retention requirements for substance abuse treatment providers?

Adopt the longest applicable rule. Keep adult clinical records at least six years after the last service, and minor records at least until age 21 and six years after the last visit. Retain privacy policies, authorizations, notices, and disclosure logs for at least six years, and honor any longer payer or grant requirements before securely destroying records.