Wisconsin Substance Abuse Record Privacy Laws: A Practical Guide to HIPAA, 42 CFR Part 2, and State Rules


Kevin Henry

HIPAA

February 21, 2026


Overview of 42 CFR Part 2

Who is covered and what is protected

42 CFR Part 2 is the federal framework for Substance Use Disorder Confidentiality. It protects records that identify a person as having, having had, or seeking treatment for a substance use disorder when those records are created or maintained by Federally Assisted Substance Abuse Programs (for example, programs receiving federal funds, holding DEA registrations for medication treatment, participating in Medicare/Medicaid, or operating under federal tax-exempt status). The protections apply to diagnosis, treatment, and referral records, and extend to “lawful holders” that receive Part 2 information.

As a default, Part 2 prohibits disclosures without the patient’s written consent, unless a specific exception applies (such as a medical emergency, certain audits/evaluations, limited research, or a court order that meets Part 2 criteria). Disclosures made with consent must include a Prohibited Redisclosure Notice informing recipients that further sharing is restricted.

Part 2 strictly limits using SUD records or testimony about them in civil, criminal, administrative, or legislative proceedings against the patient. Even when HIPAA might otherwise allow a disclosure, Part 2’s litigation bar still applies unless the patient consents or a qualifying court order authorizes it.

Amendments from the CARES Act

Why the law changed

Section 3221 of the CARES Act (enacted March 27, 2020) directed HHS to align key aspects of Part 2 with HIPAA and the HITECH Act. The goals: enable integrated care, reduce confusion for providers handling mixed records, and maintain strong substance abuse privacy protections.

What the CARES Act required

  • Allow a single, patient-signed consent for all future Treatment, Payment, and Health Care Operations (TPO) uses and disclosures.
  • Apply HIPAA’s Breach Notification Obligations to Part 2 records.
  • Align Civil and Criminal Penalties for Part 2 violations with HIPAA’s enforcement scheme.
  • Incorporate HIPAA-style individual rights, such as an accounting of disclosures (timing tied to future HIPAA updates) and the ability to request restrictions on certain disclosures.

Key Provisions of the 2024 Part 2 Final Rule

Effective and compliance dates

The Final Rule was published on February 16, 2024, took effect on April 16, 2024, and has a general compliance date of February 16, 2026. You may adopt provisions earlier, but by February 16, 2026, compliance is required.

  • Single TPO consent: You may obtain one patient consent covering future TPO uses/disclosures. A HIPAA covered entity or business associate that receives Part 2 records under this consent may redisclose them as HIPAA allows—except they still cannot use or disclose the records in proceedings against the patient without consent or a qualifying court order.
  • SUD counseling notes: Newly defined and given enhanced protections. They require a separate, dedicated consent and cannot be disclosed based solely on a broad TPO consent.
  • No required data segmentation: The rule clarifies that segmenting Part 2 data is not mandated, though prudent tagging and access controls remain best practice.

Expanded patient rights and notices

  • Right to request restrictions: Patients can ask you to limit certain TPO disclosures and, if they pay in full out of pocket for an item/service, you must restrict disclosures to health plans for that fully paid item/service.
  • Accounting of disclosures: Patients gain a right to an accounting of certain disclosures with consent; compliance is synchronized with future HIPAA updates.
  • Patient Notice alignment: Part 2 programs must provide a HIPAA-like notice describing privacy practices and complaint options (including filing directly with HHS).

Public health and safety alignment

Part 2 permits disclosures to public health authorities when the data are de-identified under HIPAA’s standard. The rule also reinforces the prohibition on using Part 2 records to investigate or prosecute patients absent consent or a compliant court order, and creates a reasonable-diligence safe harbor for investigative agencies that take specified steps before requesting records.

Wisconsin State Confidentiality Laws

Wis. Stat. § 51.30 and Wisconsin Administrative Code DHS 92

Wisconsin’s primary mental health and substance abuse confidentiality statute is Wis. Stat. § 51.30, implemented in part through Wisconsin Administrative Code DHS 92. These authorities protect “treatment records” for mental illness, developmental disability, alcoholism, and drug dependence. As a rule, disclosure requires informed, written consent unless a statutory exception applies.

Key Wisconsin-specific rules you should know

  • Wisconsin Administrative Code DHS 92.04 outlines disclosures without informed consent and emphasizes strict limits. For example, a subpoena that is not signed by a judge of a court of record is not sufficient to authorize disclosure of treatment records.
  • DHS 92.05 ensures patient access to treatment records, with narrow redactions to protect other individuals’ confidentiality.
  • Minors: Under Wis. Stat. § 51.47, minors 12 years or older may consent to outpatient or detoxification services for alcohol or other drug abuse without parental consent; confidentiality for those services generally follows the minor’s consent unless an exception applies.

Interaction rule: the most protective standard applies

When HIPAA, Part 2, and Wisconsin law intersect, you apply the rule that is most protective of patient privacy. In practice, that often means following Part 2’s Patient Consent Requirement and litigation restrictions first, overlaid with Wisconsin’s DHS 92 procedural safeguards and HIPAA’s baseline standards.


HIPAA Privacy Rule Compliance

HIPAA basics for Wisconsin providers

Most Wisconsin SUD providers and health systems are HIPAA covered entities. HIPAA allows TPO disclosures without patient authorization; enforces the minimum necessary standard for most non-treatment uses; requires Business Associate Agreements; and guarantees individual rights to access and amend records and receive a Notice of Privacy Practices.

How HIPAA now works with Part 2

  • When you receive Part 2 records under a TPO consent and you are a HIPAA covered entity or business associate, you may further use or disclose the records as HIPAA permits—except you cannot use or disclose them in legal proceedings against the patient without consent or a compliant court order.
  • Honor Part 2-specific limits that exceed HIPAA, such as the Prohibited Redisclosure Notice requirement and counseling-notes protections.
  • If a patient pays in full, you must restrict disclosures to health plans for that fully paid item/service, mirroring HIPAA’s restriction right.

Patient Rights and Protections in Wisconsin

Your rights under federal law

  • Access: You may inspect and obtain copies of your records, subject to limited exceptions.
  • Restrictions: You can request limits on certain TPO disclosures; providers must honor restrictions for items/services you pay in full out of pocket.
  • Accounting and complaints: You gain a right to an accounting of specified disclosures (implementation tied to future HIPAA updates) and may file complaints directly with your provider and with HHS.

Your rights under Wisconsin law

Wisconsin Administrative Code DHS 92 requires programs to inform you of confidentiality and access rights at admission when feasible. You are entitled to review your treatment records, with limited redactions to protect others’ privacy, and to expect that any disclosure without consent strictly follows statutory allowances.

Breach Notification and Redisclosure Restrictions

Breach Notification Obligations

  • Part 2 now incorporates HIPAA’s breach framework. If unsecured SUD records are breached, notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • For larger breaches, additional notifications may be required (for example, to HHS and, for incidents affecting 500 or more residents of a state or jurisdiction, to prominent media).
  • Maintain incident response plans, risk assessments, and documentation. “Unsecured” generally means not secured consistent with accepted encryption or destruction standards.

Prohibited Redisclosure Notice: what must accompany disclosures

  • Every disclosure made with patient consent must include a Prohibited Redisclosure Notice. The 2024 rule provides a short form (“42 CFR part 2 prohibits unauthorized use or disclosure of these records”) and a longer statement that also explains the bar on using records or testimony in legal proceedings against the patient and when limited redisclosures are permitted.
  • You must also include a copy of the consent (or a clear explanation of its scope) with each disclosure made under that consent.

Practical safeguards for Wisconsin programs

  • Standardize your Part 2 consent, redisclosure notice, and HIPAA Notice of Privacy Practices language.
  • Flag fully paid items/services to ensure required restrictions to health plans are enforced.
  • Maintain access controls and audit trails; while data “segregation” is not required, prudent tagging helps you prevent impermissible redisclosures and litigation use.

Conclusion

For Wisconsin providers, the compliance path is straightforward: start with Part 2’s stringent Substance Use Disorder Confidentiality rules (including the Patient Consent Requirement and litigation bar), align daily operations with HIPAA, and layer in state-specific safeguards from Wisconsin Administrative Code DHS 92 and Wis. Stat. § 51.30. Build breach readiness, attach the Prohibited Redisclosure Notice to every consented disclosure, and honor patient rights—including requests to restrict disclosures and, when applicable, minors’ consent-based confidentiality.

FAQs

What protections does 42 CFR Part 2 provide for substance abuse records?

Part 2 strictly limits disclosures of records that identify a person as receiving substance use treatment. Disclosures generally require written patient consent, and recipients receive a Prohibited Redisclosure Notice. Even when a disclosure is permitted, Part 2 bars using the records or related testimony in legal proceedings against the patient unless the patient consents or a court order that meets Part 2 standards authorizes it.

How does Wisconsin law complement federal substance abuse privacy regulations?

Wis. Stat. § 51.30 and Wisconsin Administrative Code DHS 92 reinforce confidentiality for treatment records and set clear procedural safeguards, such as informed written consent requirements, defined exceptions, and patient access rules. In any conflict among Part 2, HIPAA, and Wisconsin law, the rule most protective of patient privacy governs—often Part 2, backed by Wisconsin’s strict disclosure and access provisions.

What are the penalties for unauthorized disclosure of substance abuse records?

Under the 2024 alignment, Part 2 violations are subject to HIPAA-style Civil and Criminal Penalties, including civil monetary penalties and, in some cases, criminal liability. Wisconsin law independently imposes remedies and penalties for wrongful disclosures of patient health care or treatment records, including damages, injunctions, and potential fines or imprisonment depending on severity and intent.

When must breaches of substance abuse records be reported?

If unsecured Part 2 records are breached, you must follow HIPAA’s Breach Notification Obligations: notify affected individuals without unreasonable delay and no later than 60 days after discovery, and make any additional required notifications (such as to HHS and, for larger incidents, to the media). Maintaining encryption and robust safeguards can reduce the likelihood that an incident qualifies as a reportable breach.
