Is Your Organization Ready for the HIPAA 42 CFR Part 2 Updates?

Understanding the New HIPAA 42 CFR Part 2 Changes


HIPAA has made changes to patient privacy regarding the Confidentiality of Substance Use Disorder (SUD) Patient Records, HIPAA 42 CFR Part 2. Part 2 regulations specifically address the confidentiality of SUD patient records.  

Because of their sensitive nature, SUD patient records require more protection, which can make it challenging for health care providers to share information and coordinate care. The 42 CFR Part 2 updates aim to balance patient privacy and the practical needs of health care providers to improve care coordination. 

Key information about 42 CFR Part 2

  1. The final rule revision was released on February 16, 2024. 
  2. This was released by the Substance Abuse and Mental Health Services Administration (SAMHSA) and the U.S. Department of Health and Human Services (HHS). 
  3. The rule went into effect on April 16, 2024. 
  4. Covered entities and business associates have two years to implement 42 CFR Part 2. 
  5. Unchanged: patients’ SUD treatment records cannot be used to investigate or prosecute the patient without written consent from the patient or a court order.
  6. Unchanged: SUD treatment records obtained in an audit or evaluation cannot be used to investigate or prosecute patients.
  7. For a full outline of changes please refer to the HHS fact sheet.

As a HIPAA covered entity, you may wonder how these changes will impact your practice and how to effectively manage SUD patient records within the updated regulatory framework. Continue reading to gain a better understanding. 

Updates to the Substance Use Disorder (SUD) Patient Records

  • Revised Patient Consent Requirements: This change allows a single consent for all future uses and disclosures for treatment, payment, and health care operations.  
  • Separate Permission Forms: Part 2 changes include having a separate patient consent form for the use and disclosure of SUD counseling notes. 
  • Redisclose Records: Allows HIPAA covered entities and business associates that receive records under a patient’s consent to redisclose the records in accordance with the HIPAA regulations, enabling easier sharing of information for treatment, payment, and healthcare operations while maintaining privacy protections. However, every time you disclose information with patient consent, a copy of the consent – or a clear explanation of the consent – must be included with the disclosed records.
  • Other Uses and Disclosures: Now permits disclosure of records without patient consent to public health authorities as long as the disclosed records are de-identified according to the established standards outlined in the HIPAA Privacy Rule. Refer to the HHS guidance for de-identification of PHI to learn more.
  • Restrictions of Uses and Disclosures: The updates now restrict the use of records and testimony in civil, criminal, administrative, and legislative proceedings against patients, absent patient consent or a court order.  
  • SUD Counseling Notes: Part 2 now has special rules for SUD clinicians’ notes. SUD counseling session notes are kept separately from the rest of the patient’s SUD treatment and medical record. These notes need specific consent from the individual and cannot be used or disclosed with a general consent form. This is similar to how the HIPAA Privacy Rule defines notes from psychotherapy sessions.
  • Safe Harbor: Part 2 includes a “Safe Harbor” definition that encourages investigative agencies to take diligent and reasonable steps to determine if a provider is covered by Part 2 before requesting patient records during an investigation. 

42 CFR Part 2 Alignments with HIPAA Privacy Rule

  • Breach Notification Requirements: It is crucial to note that the requirements of HIPAA’s Breach Notification Rule apply to breaches of records in Part 2. 
  • Notice of Privacy Practices (NPP): The new requirements in Part 2 have been updated to address the NPP uses and disclosures of Part 2 records and individual rights concerning those records. 
  • Patient Complaints: Part 2 now allows patients to file complaints if they think their privacy has been violated. They can complain directly to the Secretary of Health, and at the same time, they can also complain to the program that handled their records.  

Learn More

Check out our latest blog post for more information about the HIPAA updates on Final Rule to Support Reproductive Health Care Privacy.

It is important for your organization to adapt to the updated 42 CFR Part 2 changes. Ensuring compliance is vital for providing excellent patient care and safeguarding patient privacy. 

Let us guide you through updating your Notice of Privacy Practices or other policies and procedures to reflect the current changes. Our dedicated team of associates is here to support you every step of the way. Contact us anytime with questions! 
