What Is 42 CFR Part 2?
42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) is a federal regulation that imposes strict privacy protections on records relating to the identity, diagnosis, prognosis, or treatment of patients with substance use disorders. It is significantly more restrictive than HIPAA for covered records — requiring specific patient consent for most disclosures, prohibiting redisclosure by recipients, and severely limiting law enforcement access.
Does 42 CFR Part 2 Apply to Your Practice?
Part 2 applies to "Part 2 programs" — individuals or entities that hold themselves out as providing SUD diagnosis, treatment, or referral and receive federal assistance. Federal assistance is defined broadly to include Medicare or Medicaid certification, 501(c)(3) tax exemption, and federal licensure or certification. This means most practices that provide any SUD-related services and bill Medicare or Medicaid are likely subject to Part 2.
Common practice types subject to Part 2:
- Primary care physicians who prescribe buprenorphine for opioid use disorder
- Practices that screen and treat alcohol use disorder
- Behavioral health providers treating substance use disorders
- Practices that make referrals to SUD treatment programs
Key Differences from HIPAA
- Patient consent required for most disclosures — Unlike HIPAA, which allows disclosure for treatment, payment, and operations without consent, Part 2 requires specific written patient consent for most disclosures of SUD records
- Redisclosure prohibition — Recipients of Part 2 records cannot further disclose without additional consent; records must be marked with a prohibition notice
- Law enforcement restrictions — SUD records generally cannot be disclosed to law enforcement even with a subpoena; a specialized court order is required
- Criminal proceedings — Part 2 records cannot be used to initiate or substantiate charges against a patient without an additional court order
2024 Part 2 Amendments
Significant amendments effective in 2024 aligned Part 2 more closely with HIPAA while maintaining core protections. Key changes: patients can now provide a single general consent for treatment, payment, and healthcare operations disclosures; public health disclosure provisions similar to HIPAA now apply; breach notification requirements similar to HIPAA were added. The prohibition on use of Part 2 records in criminal and civil proceedings without patient consent remains in effect.
Documentation Requirements
- Part 2-compliant patient consent forms for each disclosure category
- Prohibition on redisclosure notice included with each disclosed record
- Written security policies specific to Part 2 records
- Staff training records documenting Part 2-specific training
AuditVault and 42 CFR Part 2
AuditVault includes 42 CFR Part 2 compliance documentation controls as a built-in module — consent form tracking, disclosure logs, staff training records, and security policies specific to SUD records. For practices subject to both HIPAA and Part 2, AuditVault manages both compliance frameworks in a single platform.