42 CFR Part 2 for SUD Practices: A Practical Compliance Guide

 💡 42 CFR Part 2 is a federal rule that shields substance use disorder (SUD) treatment records with stricter confidentiality than HIPAA. It applies to federally assisted programs that diagnose, treat, or refer patients for SUD care. The 2024 Part 2 final rule, with a compliance date of February 16, 2026, aligned many parts of the rule with HIPAA while keeping extra safeguards in place.

Core 42 CFR Part 2 requirements include written patient consent for most disclosures, a redisclosure notice on every record release, and HIPAA-level breach reporting. Day-to-day 42 CFR Part 2 compliance means using Part 2-specific patient consent forms, training staff on release of information steps, and tracking every SUD records disclosure. Violations now carry civil penalties up to $2.1 million per year, enforced by HHS Office for Civil Rights (OCR).

42 CFR Part 2 is a federal rule that protects substance use disorder (SUD) treatment records. It applies to federally assisted SUD programs and goes beyond HIPAA in key areas.

The 2024 Part 2 final rule aligned many parts of the rule with HIPAA, with a compliance deadline of February 16, 2026. Enforcement is now active through HHS Office for Civil Rights (OCR), and tools like Curogram's Opus EHR integration are built for Part 2 workflows.

So why do many behavioral health operators still feel stuck with this rule? Part of it is overlap. Part 2 and HIPAA share a lot of ground, but Part 2 goes further in specific ways. Consent rules are stricter, and redisclosure notices are required.

Staff who only know HIPAA often miss these extra steps. Routine sharing with primary care providers is not allowed by default under Part 2. Text messages about SUD topics need extra care. Even a business associate agreement needs tweaks for SUD programs.

The stakes got higher this year. HIPAA-level penalties now apply to Part 2 violations, with civil fines ranging from $141 to $2.1 million per year (Woods Rogers). OCR confirmed on February 13, 2026, that it will now accept Part 2 complaints and enforce breach notification violations (HIPAA Journal). That shift alone should push most SUD programs to re-check their policies.

This guide breaks down what 42 CFR Part 2 compliance really means day to day. We will cover the rule's scope, the real gaps in 42 CFR Part 2 vs HIPAA, what the 2024 final rule changed, and how Part 2 touches intake, care coordination, and patient messaging. This article is not legal advice — please work with compliance counsel for your practice's specific questions.

What is 42 CFR Part 2?

42 CFR Part 2 is the federal rule that sets strict SUD confidentiality rules for treatment records. It dates back to 1975 and was built to remove the fear of stigma that kept people from seeking SUD care.

Today, Part 2 sits alongside HIPAA but uses its own consent, disclosure, and audit framework. Understanding the rule's roots and scope is step one for any compliance plan.

The Rule's Origin and Intent

Congress passed the original Part 2 law in 1972. The goal was simple but powerful: protect people who seek help for SUD from having those records used against them. At the time, SUD carried heavy social and legal risk. A record shared with the wrong person could cost someone a job, custody of their kids, or their freedom.

The rule has been updated many times since. The 2020 CARES Act set the stage for closer alignment with HIPAA. That change became real with the 2024 Part 2 final rule, which HHS issued on February 8, 2024. The final rule has been effective since April 16, 2024, and compliance was required by February 16, 2026.

Even with the new alignment, the core mission has not changed. Part 2 SUD confidentiality still gives patients more control over their records than HIPAA alone. That extra layer is a trust signal, not a burden.

Who It Applies To (And Who It Doesn't)

Part 2 applies to "Part 2 programs." A Part 2 program is a federally assisted entity that holds itself out as providing SUD diagnosis, treatment, or referral for treatment. Federal assistance is broad: Medicare, Medicaid, federal tax exemption, DEA registration, and SAMHSA grants all count.

A general hospital with a specialty SUD unit is covered for that unit. A primary care practice that only prescribes buprenorphine in passing, without holding itself out as an SUD program, is usually not. The test is how you present your services, not just what you treat.

Part 2 does not cover peer support groups, most employee assistance programs, or informal referrals between general providers. When in doubt, check with counsel before assuming you are outside the rule.

[Figure: 42 CFR Part 2 compliance flowchart. A 3-question decision tree for Substance Use Disorder (SUD) programs to determine federal assistance and reporting requirements.]

42 CFR Part 2 vs. HIPAA — The Practical Differences

Many teams think HIPAA covers everything. For SUD records, it does not. The 42 CFR Part 2 vs HIPAA gap shows up most in three areas: consent, redisclosure, and audit tracking. The table below gives a quick side-by-side view before we dig into each area.

| Element | 42 CFR Part 2 | HIPAA Privacy Rule |
|---|---|---|
| Consent | Written consent required for most disclosures, including treatment | Consent not required for treatment, payment, or operations |
| Redisclosure | Required notice barring further redisclosure without new consent | No redisclosure notice required |
| Scope | Federally assisted SUD programs only | All covered entities and business associates |
| Enforcement | HHS OCR; HIPAA-tier civil penalties up to $2.1M/year | HHS OCR; same penalty tiers |

Consent and Disclosure

Under HIPAA, a provider can share records for treatment, payment, and operations without written consent. Part 2 flips that default. In most cases, SUD records cannot leave a Part 2 program without written 42 CFR Part 2 consent from the patient.

The consent form itself has strict content rules. It must name the patient, the party getting the records, the purpose, the amount of data shared, and an expiration date or event. The 2024 final rule now allows a single consent that covers future treatment, payment, and operations. Before that, each disclosure often needed its own patient consent forms.

One miss here can void the whole disclosure. Teams that use generic HIPAA authorizations often find out too late that the form fails Part 2.

Redisclosure Restrictions

Part 2 adds a rule HIPAA does not have: once someone gets SUD records, they cannot pass them along. The sender must include a redisclosure notice with every release. That notice states the records are protected and may not be shared further without new patient consent.

This rule matters a lot when a Part 2 program sends records to a non-Part 2 provider. The receiving provider now holds protected records and must treat them with Part 2 care. Under the 2024 rule, a HIPAA covered entity that gets the records under a general consent can redisclose them under HIPAA rules, which is a meaningful shift.

Even so, the redisclosure notice stays required. Skipping it is one of the most common Part 2 compliance errors.

Audit and Accounting Requirements

Part 2 programs must track every SUD records disclosure. Patients have the right to request a full accounting of who got their records and why. This is similar to HIPAA's accounting right but applies more broadly.

Practices that rely on paper logs or scattered spreadsheets struggle with this. A modern EHR or messaging platform with a built-in audit trail makes this step far easier. Curogram client data from clinical settings shows that teams with automated logs cut audit prep time from days to hours.

What Changed With the 2024 Final Rule

The 2024 Part 2 final rule was the biggest update in decades. It was built to bring Part 2 closer to HIPAA without removing the extra safeguards patients rely on. Compliance kicked in on February 16, 2026, and enforcement is now live. Here are the three shifts that matter most for daily operations.

Alignment with HIPAA

The new rule lines up Part 2 with HIPAA in several key spots. The final rule allows a single consent for all future uses and disclosures for treatment, payment, and health care operations. That change alone removes a big paperwork burden for ongoing care.

The rule also lets HIPAA covered entities and business associates redisclose Part 2 records under HIPAA rules once they receive them under the new consent. Breach notification now follows the HIPAA Breach Notification Rule, with patient notice required within 60 days. Penalties, as noted, now match HIPAA tiers.

This alignment is a real win for care coordination. It does not erase Part 2, but it removes a lot of the friction that made integrated care hard.

New Patient Consent Models

The single-consent model is the headline change for 42 CFR Part 2 consent. A patient can now sign one form that covers future care events, rather than a new form every time. The form must still meet Part 2's strict content rules.

Patients also gained new rights. They can request an accounting of disclosures and ask for restrictions on certain disclosures, much like HIPAA. They can also revoke consent in writing at any time, and the program must honor that revocation going forward.

This flexibility helps clinics with complex care journeys. A patient moving from detox to outpatient to long-term recovery can give one consent that carries through, instead of signing new forms at each step.

What Still Remains Stricter Than HIPAA

Alignment does not mean sameness. Part 2 still bars the use of SUD records in civil, criminal, or administrative proceedings without patient consent or a special court order. That protection is unique to Part 2 and was kept in the 2024 rule.

Part 2 also keeps its focus on patient control. Routine sharing for care coordination still needs a valid consent, even if HIPAA would allow it. And the redisclosure notice is still required on every outbound release, even under the new single-consent model.

These guardrails are the heart of Part 2 SUD confidentiality. They are why SUD operators cannot simply copy a HIPAA program and call it done.


Day-to-Day Part 2 in a Real SUD Practice

Rules on paper are one thing. Running them in a clinic is another. Here is how Part 2 touches a typical day for staff, from check-in to records requests. These are the moments where 42 CFR Part 2 compliance either holds up or breaks down.

Intake and Initial Consent

The front desk is the first Part 2 checkpoint. Every new patient should sign a Part 2-compliant consent form before any records leave the program. That form needs to cover treatment, payment, and operations if you plan to use the new single-consent model.

Staff also need to give the patient the updated Notice of Privacy Practices (NPP). The 2024 rule requires the NPP to include Part 2-specific elements. A generic HIPAA NPP no longer meets the bar.

Best practice: digital patient consent forms tied to your EHR, with time-stamped signatures and a clear revocation path. That single step cuts downstream risk by a large margin.

Coordinating With Outside Providers

Sharing with a primary care provider, specialist, or hospital is where many programs slip. Under Part 2, you cannot assume care coordination is allowed. You need a valid consent that names the recipient and purpose, or you need to fit one of the narrow exceptions in the rule.

Medical emergencies are one such exception. So are de-identified disclosures to public health authorities, which the 2024 rule now allows without consent. Beyond those, plan for consent first.

When you do share, attach the redisclosure notice every time. Train the receiving provider's team on what the notice means. Curogram's platform supports consent-aware messaging workflows that flag SUD-related records and keep the notice attached by default.

Communication With Patients by Text and Email

Texting SUD patients is a minefield without the right setup. A text that says "See you Thursday for your methadone dose" is a disclosure if a family member picks up the phone. Even generic reminders can hint at SUD care if the clinic's name signals specialty treatment.

The safer path is patient-initiated consent and neutral language. Let the patient choose to opt in to texts, in writing, and keep messages free of any treatment details. The rule also requires clinics to respect the patient's chosen communication channel.

Curogram client data from clinical settings shows that patient-led messaging cuts privacy complaints while keeping confirmation rates high. The point is that good 42 CFR Part 2 compliance and good patient service can coexist.

Handling Records Requests

Every release of information request gets a compliance review. Staff should check the consent form's content, scope, and expiration before releasing anything. A valid Part 2 consent that is six months old for a one-time purpose may no longer be usable.

Log every release, including the recipient, date, records shared, and the basis for the release. That log is what you hand over if a patient asks for an accounting or if OCR comes calling. Paper logs are risky; built-in EHR audit trails are safer.

When you release, stamp the redisclosure notice on every page or attachment. It is the one step that most often gets missed in a rush.

 

The 8 Most Common Part 2 Compliance Mistakes

Even well-run SUD programs trip on Part 2. Most errors are process gaps, not bad intent. Here are the eight mistakes our team sees most often when auditing behavioral health clinics. Fix these, and you close most of the gap to full 42 CFR Part 2 compliance.

1. Using Generic HIPAA Consent Forms

A HIPAA authorization is not a Part 2 consent. Part 2 has strict rules on what the form must say, including the specific purpose, the named recipient, and a valid expiration. Using a generic form voids the disclosure and creates legal exposure.

2. Missing the Redisclosure Notice

The redisclosure notice must ride with every outbound SUD records disclosure. Many programs build it into the cover sheet and then forget to include it on faxed attachments or emailed PDFs. Automate the notice at the platform level so staff cannot leave it off.

3. Loose Identity Verification for Disclosures

Staff sometimes release records to anyone who sounds official on the phone. Part 2 requires real identity checks on the requester and the patient before a release. Build a scripted verification step into every records workflow.

4. Texting About SUD Topics Without Patient-Initiated Consent

A reminder text that names the clinic, medication, or service can out a patient. Require patient opt-in for all messaging, keep message content generic, and flag SUD-related templates for extra review. A consent-aware messaging tool helps here.

5. Sharing Records with Primary Care by Default

HIPAA allows routine sharing for treatment. Part 2 does not. Staff trained on HIPAA often send SUD records to a primary care provider as a reflex. Lock this down with a consent check built into the release process.

6. Inadequate BAA Scope

A standard HIPAA business associate agreement does not cover Part 2 obligations. Your BAA for SUD vendors must flow down Part 2 duties, including redisclosure limits and breach reporting. Review every vendor contract and update where gaps exist.

7. Undocumented Consent Revocations

Patients can revoke consent at any time. If a revocation is not logged and acted on fast, you may keep sharing records you are no longer allowed to share. Set up a revocation intake path that hits every relevant system on the same day.

8. Staff Training Gaps

Part 2 training cannot be a one-time slide deck. Staff turnover, rule changes, and new workflows all demand fresh training. Schedule at least yearly Part 2 refreshers, plus onboarding for every new hire, and track completion like you track HIPAA training.

Conclusion

42 CFR Part 2 compliance is more than a legal checkbox. It is a signal to every patient that the clinic values their privacy enough to do the extra work. In a field built on trust, that signal matters.

The 2024 Part 2 final rule made compliance more workable, but it did not make the rule easier to ignore. With HHS OCR now enforcing Part 2 using HIPAA-tier penalties, the cost of drift is higher than ever. Clinics that leaned on HIPAA-only policies need to revisit their forms, training, and vendor contracts now.

The good news is that most gaps are fixable. Start with three moves: audit your patient consent forms, automate the redisclosure notice on every outbound release, and make sure your BAA for SUD vendors flows down Part 2 duties. Those three steps alone close most of the risk surface.

From there, focus on the patient experience. Part 2 rules should feel invisible to patients, not like extra friction. A consent-aware messaging platform, a clean intake flow, and trained staff can make compliance feel like care. That is what turns a rule book into a trust win.

If your team is rethinking how Part 2 fits into everyday workflows, we can help. See how Curogram serves behavioral health clinics with consent-aware messaging, Part 2-ready workflows, and integrated EHR support. Your patients deserve a practice that takes their privacy as seriously as their recovery.

Stop juggling separate consent logs, redaction checklists, and audit prep every time a record request hits your desk. Schedule a demo and see how Part 2-aligned workflows protect your patients and your license in one platform.

 

Frequently Asked Questions

How do I know if Part 2 applies to my primary care practice if we prescribe buprenorphine?

Prescribing buprenorphine alone does not make you a Part 2 program. Part 2 applies when your practice holds itself out as providing SUD diagnosis, treatment, or referral for treatment. Most MAT-only primary care offices fall outside Part 2.

How can I text a patient to remind them about their SUD appointment without breaking Part 2?

Get patient-initiated consent in writing first. Keep the text generic, with no mention of SUD, medication, or specialty services. Use neutral clinic branding and a consent-aware messaging tool that flags SUD-related templates before they send.

What counts as a "Part 2 program"?

A Part 2 program is a federally assisted entity that holds itself out as offering SUD diagnosis, treatment, or referral for treatment. This includes specialty SUD clinics, detox centers, methadone programs, and MAT programs that meet the federal assistance test.

Why are Part 2 penalties so much higher now?

The 2024 final rule tied Part 2 enforcement to HIPAA's civil and criminal penalty structure. Civil fines now run from $141 to $2.1 million per year, based on the culpability tier, replacing the old flat criminal fines of $500 or $5,000.

How do we handle consent if we already have a HIPAA authorization on file?

A HIPAA authorization usually does not meet Part 2's content rules. You will need a separate Part 2 consent that names the recipient, purpose, scope, and expiration. The 2024 rule lets one Part 2 consent cover future treatment, payment, and operations.