Listen to this post

The U.S. Department of Health and Human Services (HHS) and the Substance Abuse and Mental Health Services Administration (SAMHSA) recently released the long anticipated Final Rule to revise the Confidentiality of Substance Use Disorder (SUD) Patient Records regulations at 42 C.F.R. Part 2 (Part 2).

In March 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act § 3221 called for the alignment of certain Part 2 confidentiality protocols with HIPAA and HITECH Act requirements. The Final Rule implements these standardizations with the goals of improving care coordination and decreasing the burden on covered entities and business associates, while safeguarding the confidentiality of SUD records.

As a quick refresher, Part 2 serves to protect SUD records created by federally assisted programs.[1] These confidentiality protections were initially enacted to help address concerns around the use of SUD information in criminal proceedings, employment and housing discriminatory practices, child custody hearings, and other administrative matters. Providers subject to Part 2 are generally prohibited from disclosing any information that would identify a person as having or having had a SUD without the person’s consent.

Because Part 2 regulations were implemented in 1975, over two decades before the implementation of HIPAA, providers have historically struggled to comply with both laws. Specifically, providers subject to HIPAA were also required to comply with Part 2 for SUD records, which forced those providers to comply with often inconsistent standards for different types of health information. Naturally, the presence of two competing standards caused confusion, increased administrative burdens, and often obstructed provider access to patient information. The Final Rule includes several changes to align Part 2 more closely with HIPAA and to reduce those administrative burdens, as summarized below:

  • Patient Consent. Patients can now provide a single consent to authorize all future uses and disclosures related to treatment, payment, and health care operations (TPO), instead of requiring a new consent for each disclosure. A consent will remain effective unless it is revoked by the patient.
  • Enhanced Protections for Counseling Session Notes. Parallel to HIPAA protections for psychotherapists’ notes, clinicians’ notes from SUD counseling sessions must be maintained separately from other patient records, and require specific patient consent to disclose. Thus, if a patient provides a general TPO consent, the counseling session notes will fall outside the scope of that consent and will not be disclosed.
  • Breach Notification. Breaches of Part 2 records will be subject to the same patient notification requirements of the HIPAA Breach Notification Rule. 
  • Penalties. Violations of Part 2 will now be subject to the same civil and criminal enforcement authorities that apply to HIPAA violations.
  • Patient Complaints. In addition to or in lieu of filing a complaint for an alleged violation under the Part 2 program, patients can choose to file a complaint directly with the HHS Secretary. Further, patients can request a list of all disclosures made with consent for the past 3 years.[2]
  • Public Health Authority Disclosure. De-identified records can be disclosed to public health authorities without patient consent, in accordance with the HIPAA Privacy Rule. 
  • Investigations Safe Harbor. Individuals working for investigative agencies that unlawfully obtain a confidential Part 2 record without the requisite court order will have limited civil and criminal liability, so long as the individual acted with “reasonable diligence” in evaluating whether the provider is subject to Part 2 prior to making the record request.
  • Flexibility on Redisclosures. HIPAA regulated entities may redisclose SUD records received pursuant to a TPO authorization in a manner consistent with the HIPAA Privacy Rule, reducing the need for segregating or segmenting SUD records from other PHI in daily operations.

The Final Rule takes effect on April 16, 2024 and entities must ensure full compliance by February 16, 2026. For more information on the Final Rule, see the HHS Final Rule Fact Sheet. The Fact Sheet indicates that OCR plans to finalize changes to the HIPAA Notice of Privacy Practices to address uses and disclosures of PHI that are also protected by Part 2. Additionally, HHS will be developing guidance on compliance with the new Part 2 requirements.

We encourage federally assisted programs and providers subject to Part 2 to begin reviewing and updating compliance policies and procedures, patient consents, patient notices, and contractual agreements to comply with the changes under the Final Rule. Providers with questions or seeking counsel can contact any member of our Healthcare Team for assistance.


[1] See 42 U.S.C. § 290dd-2(a).

[2] This provision is tolled until the HIPAA accounting provision at 45 C.F.R. § 164.528 is revised.