On February 8th, the U.S. Department of Health and Human Services (HHS) through the Office for Civil Rights (OCR), and in conjunction with the Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule revising the confidentiality of substance use disorder (SUD) patients’ records, under 42 CFR part 2, more commonly known as simply Part 2. 

What is Part 2? 

Part 2, a legislative provision originating in the early 1970s, safeguards the privacy of individuals undergoing treatment for substance use disorders (SUD). Its primary objective is to shield SUD patients from adverse consequences that may arise from seeking or receiving treatment. Over time, Part 2 has undergone revisions to adapt to evolving healthcare practices and technological advancements. The recent final rule seeks to align Part 2 more closely with the privacy standards outlined in the Health Insurance Portability and Accountability Act (HIPAA). 

Who does Part 2 apply to? 

Part 2 specifically provides protections for patients seeking or obtaining treatment for SUD through a “federally funded program.” A straightforward example of a federally funded or assisted program includes participating providers in the Medicare program. This ensures that the confidentiality protections extend throughout the chain of information sharing. That extends to any programs or entities that collect information related to SUD must also abide by Part 2, including state or local health departments, research institutions, employee assistance programs (EAP) and managed care organizations (MCO) that cover SUD treatment services. Additionally, Business Associates (BA), such as billing and coding companies and electronic health record (EHR) vendors must comply with Part 2 regulations. Law enforcement agencies and entities involved in legal proceedings related to SUD also fall under this umbrella. Overall, any organization or entity that handles patient records related to SUD, either directly or indirectly, is required to abide by the regulations outlined in Part 2.  

How does Part 2 work today? 

The current framework of Part 2 generally requires written patient consent prior to any disclosure of SUD records, prohibits redisclosure, and limits disclosures to law enforcement. Part 2 protections ensure a patient’s SUD records cannot be used against them by law enforcement, requiring disclosures to law enforcement only with a court order.  

What’s included in the New Part 2 Rule? 

Revisions to Part 2 include, but are not limited to: 

• Part 2 will allow a single consent for future uses and disclosures, for the purposes of treatment, payment, and/or healthcare operations (commonly known as TPO). And Part 2 will now include a list of 18 common activities that constitute TPO disclosures, providing more clarity and including activities such as care coordination and case management. 

• Business associates and their covered entities who receive records under this consent will be allowed to redisclose them in accordance with HIPAA’s redisclosure requirements. 

• Part 2 records will now be permitted for disclosure to public health authorities without patient consent, provided the records are de-identified, per the HIPAA Privacy Rule requirements. 

• The current criminal penalties under Part 2 will be replaced with civil and criminal enforcement set forth by HIPAA. 

• SUD Counseling Notes will now be afforded the same extra protections as psychotherapy notes under HIPAA. 

The OCR also announced its intent to finalize changes to the HIPAA Notice of Privacy Practices (NPP) in an upcoming final rule modifying the HIPAA Privacy Rule. This is of particular note because it signals we can expect additional updates!  

What’s next? 

• Read the full Part 2 Final Rule on the Federal Register here: https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records  
• Continue to monitor other regulatory initiatives from the OIG here: https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html  

• Review and update your current use and disclosure policies related to SUD records to ensure compliance. The Final Part 2 effective date is April 16, 2024, and full compliance with the Final Rule is required as of February 16, 2026. 

What if I need more help? 

Haugen Consulting Group has experts in healthcare privacy who can assist you with assessing your current use and disclosure policies and procedures to identify gaps, efficiencies, etc. Contact us here to learn how Haugen can help!