West Virginia Substance Abuse Record Privacy Laws: HIPAA & 42 CFR Part 2 Explained
HIPAA and 42 CFR Part 2 Overview
West Virginia providers who diagnose, treat, or refer patients for substance use must navigate two overlapping federal regimes: HIPAA and 42 CFR Part 2. HIPAA sets broad national standards for privacy, security, and breach notification across most health information, while Part 2 adds heightened confidentiality protections for substance use disorder (SUD) records that would identify someone as seeking or receiving SUD treatment.
Part 2 historically restricted disclosures far more than HIPAA. Following the CARES Act Privacy Provisions, HHS finalized major reforms in 2024 to better align Part 2 with HIPAA while preserving core safeguards against stigma and misuse. Most of these updates became enforceable in 2026, which means you should now treat Part 2 programs and their “lawful holders” as subject to HIPAA-like rules in many scenarios, with special limits where legal proceedings are involved.
Applicability of 42 CFR Part 2
Who is covered
Part 2 applies to any “program” that holds itself out as providing SUD diagnosis, treatment, or referral, and that is federally assisted. It also follows the records to any “lawful holder,” such as a downstream provider, health plan, or vendor that legitimately receives Part 2 information.
What “federally assisted” means
Federally assisted status is broad. It typically includes programs that receive federal grants or reimbursements (for example, Medicaid), are licensed or certified by the federal government, are conducted by a federal agency, or are registered to dispense controlled substances for SUD treatment.
Federally Assisted Programs Compliance
If you operate a covered program in West Virginia, compliance requires you to identify Part 2 records in your systems, train your workforce, execute the right contractor agreements, and segment or otherwise manage access so only those with a need-to-know can view SUD data.
Consent Requirements for Disclosure
Written Patient Consent
Outside narrow exceptions, Part 2 disclosures require Written Patient Consent. A valid consent should identify the patient; the program permitted to disclose; who may receive the information (by name or class); the purpose; what information may be shared; an expiration; the patient’s signature and date; and a statement of the right to revoke.
Single consent for TPO and Redisclosure Restrictions
Under the updated framework, a single consent can authorize use and disclosure for treatment, payment, and health care operations by HIPAA covered entities and their business associates. Once disclosed with consent, recipients may further share the information as HIPAA permits, but strong Redisclosure Restrictions still apply for legal proceedings and other prohibited uses. Your disclosures must include the required Part 2 notice to alert recipients that special rules govern further sharing.
Emergency Disclosure Limitations and other exceptions
Disclosures without consent remain tightly limited. You may disclose the minimum necessary information in a bona fide medical emergency when the patient’s prior informed consent cannot be obtained, and you must document the circumstances. Additional exceptions include court orders meeting strict Part 2 standards, mandated reports of child abuse or neglect, crimes on program premises or against staff, qualified service organization disclosures for essential services, and certain research, audit, or evaluation activities.
Alignment of Part 2 with HIPAA
The CARES Act Privacy Provisions brought key areas of alignment. After a valid consent, HIPAA covered entities and business associates may use and share Part 2 records for TPO much like other protected health information. Part 2 programs must now follow HIPAA-style breach notification, adopt familiar administrative safeguards, and update patient-facing notices so people understand how SUD information can be used and the limits that remain—especially the continued bar on using SUD records in civil, criminal, administrative, or legislative proceedings without a proper court order.
Enforcement and Penalties
Part 2 now incorporates HIPAA’s enforcement structure. The HHS Office for Civil Rights can investigate, require corrective action, and impose tiered civil monetary penalties for noncompliance, with exposure increasing when violations are willful or uncorrected. Criminal penalties may apply to intentional wrongful disclosures. Beyond federal Civil and Criminal Penalties, organizations face contractual liability, potential state disciplinary action, and reputational harm from breaches involving SUD records.
West Virginia State Regulations
West Virginia law generally operates alongside federal privacy rules. State statutes protect behavioral health and medical records, authorize disclosures required by other laws (such as certain public health or abuse-and-neglect reports), and recognize patient access rights that track HIPAA’s baseline. Where state law is stricter—such as added confidentiality for mental health information—you must follow the more protective rule. Where West Virginia law conflicts with Part 2, the federal SUD rule controls.
For West Virginia providers participating in health information exchange or working with state agencies, confirm that your data sharing workflows respect Part 2 tagging/segmentation, consent capture, Redisclosure Restrictions, and Emergency Disclosure Limitations. When in doubt, limit the dataset, document your rationale, and seek legal counsel.
Patient Rights and Record Access
Your core rights
- Access and copies: You can access and obtain copies of your SUD and medical records; if your provider is a HIPAA covered entity, the usual 30-day baseline and reasonable, cost-based fee rules apply.
- Format: You may request electronic copies when records are maintained electronically, and you can direct a copy to a third party you designate.
- Amendments and restrictions: You can ask providers to amend inaccurate information and request additional limits on how your information is used or shared.
- Consent control: Under Part 2, you choose whether to authorize most disclosures; you may revoke consent prospectively at any time.
- Complaints: You can file a complaint with your provider or with federal authorities if you believe your privacy rights were violated, without fear of retaliation.
Practical tips
- Ask whether your provider is a Part 2 program or a lawful holder of Part 2 records; this determines which rules apply to each part of your chart.
- When you sign a consent, specify who may receive your information and for what purpose. Keep a copy and note the expiration.
- In emergencies, expect narrow, need-to-know sharing focused on your immediate care, with follow-up documentation by the provider.
Conclusion
In West Virginia, HIPAA supplies the general privacy framework, and 42 CFR Part 2 adds specialized protections for SUD information. Post-CARES Act alignment simplifies TPO sharing with a single consent while preserving critical safeguards against legal misuse. Patients keep strong control over disclosures, and programs must maintain rigorous compliance, documentation, and training to honor both the letter and spirit of SUD confidentiality.
FAQs
What records are protected under 42 CFR Part 2?
Part 2 protects any information that would identify a person as having sought or received SUD diagnosis, treatment, or referral from a Part 2 program. This includes clinical notes, lab results, intake and billing data, appointment records, and care coordination documents. Protections follow the data to lawful holders; de-identified information is not subject to Part 2.
How does West Virginia law align with federal privacy laws?
West Virginia law generally complements HIPAA and Part 2. State rules safeguard behavioral health records, permit disclosures required by law (such as certain safety or public health reports), and recognize patient access rights. If a state requirement is stricter, follow it; if it conflicts with Part 2’s SUD protections, the federal rule prevails.
When can substance abuse records be disclosed without patient consent?
Disclosures without consent are narrow: bona fide medical emergencies (with documentation and minimum necessary sharing), court orders that meet Part 2’s heightened standards, mandated reports of child abuse or neglect, crimes on program premises or against personnel, qualified service organization services (for functions like data processing or billing), and specified research, audit, or evaluation activities. Routine treatment, payment, and operations require patient consent under Part 2.
What are the penalties for violating substance use record privacy laws?
Violations can trigger HIPAA-style civil monetary penalties, corrective action, and monitoring by federal regulators, along with possible criminal liability for intentional wrongful disclosures. Organizations may also face contractual damages, state disciplinary action, and reputational harm. Robust policies, workforce training, and prompt breach response reduce enforcement risk.