What Is 42 CFR Part 2 and Does It Apply to Your Clinic?

42 CFR Part 2 protects substance use disorder treatment records with rules stricter than HIPAA. Learn whether Part 2 applies to your practice and what compliance requires.

Most healthcare providers are familiar with HIPAA as the governing privacy framework. Fewer are aware that a separate — and in some ways stricter — federal regulation governs the privacy of substance use disorder (SUD) treatment records. 42 CFR Part 2 creates compliance obligations that go beyond HIPAA.

Does Part 2 Apply to Your Practice?

Part 2 applies to programs that are "federally assisted" and that hold themselves out as providing alcohol or drug abuse diagnosis, treatment, or referral for treatment. "Federally assisted" includes programs that receive any federal funding — including Medicare and Medicaid reimbursement. If your practice prescribes buprenorphine (Suboxone) for opioid use disorder and accepts Medicare or Medicaid, Part 2 likely applies to those treatment records.

Key Differences: Part 2 vs. HIPAA

Consent Requirements

Under HIPAA, providers can share PHI for treatment, payment, and healthcare operations without patient authorization. Under Part 2, disclosure of Part 2 records generally requires patient written consent for each disclosure — including disclosures to other healthcare providers for treatment purposes.

Re-Disclosure Prohibition

When you disclose Part 2 records with patient consent, the recipient is also bound by Part 2 restrictions and cannot re-disclose the information without separate authorization. HIPAA has no equivalent restriction.

Law Enforcement Restrictions

Part 2 provides significantly stronger protections against law enforcement access than HIPAA. Part 2 records cannot be disclosed to law enforcement without patient consent even in response to a subpoena.

Common misconception: that HIPAA compliance equals Part 2 compliance. It does not. If Part 2 applies to any portion of your practice, you need a separate compliance framework for those records.

Part 2 Compliance Requirements for Covered Programs

  1. Patient notice requirements — informing patients of Part 2 protections at intake
  2. Part 2-compliant written consent for each disclosure
  3. Notices of the prohibition on re-disclosure — informing recipients of their own Part 2 obligations
  4. Record segregation or technical access controls
  5. Staff training on Part 2 requirements specifically
  6. Audit trail — documenting all Part 2 disclosures and the consent on which they were based
