42 CFR Part 2: substance use disorder records demand extra protection
42 CFR Part 2 imposes stricter privacy protections than HIPAA for substance use disorder treatment records: it requires consent before disclosure, prohibits re-disclosure, and sets data segmentation requirements that most EHR systems struggle with. BlackSheep tracks every Part 2 control and keeps your compliance evidence organized.
$249/month · All frameworks included · No credit card to start
8 controls tracked · 4 requirement categories · Stricter than HIPAA for SUD data · 2024 CARES Act alignment
Four categories of Part 2 requirements
Part 2 organizes protections around consent, security, qualified service organizations, and workforce training.
Consent & Disclosure
3 controls tracked
- Written consent requirements
- Prohibition on re-disclosure
- Revocation of consent procedures
- Disclosure tracking & accounting
Security & Access Controls
2 controls tracked
- Data segmentation in EHR systems
- Role-based access to SUD records
- Audit trail requirements
- Encryption of SUD data
Qualified Service Organizations
1 control tracked
- QSO agreement requirements
- Permitted disclosures to QSOs
- QSO compliance monitoring
Training & Compliance
2 controls tracked
- Workforce training on Part 2
- Compliance program oversight
- Breach reporting procedures
- Patient rights documentation
Does 42 CFR Part 2 apply to your organization?
SUD Treatment Programs
Federally assisted programs that hold themselves out as providing — and actually provide — substance use disorder diagnosis, treatment, or referral for treatment. This includes both inpatient and outpatient facilities.
- Residential treatment facilities
- Outpatient SUD programs
- Detoxification centers
- Halfway houses
- Employee assistance programs with SUD services
Hospitals with SUD Units
General hospitals and medical facilities that have identified SUD treatment units or programs. Even if the broader hospital follows HIPAA, the SUD-specific unit must comply with the stricter Part 2 requirements.
- Hospital SUD units
- Emergency departments treating SUD
- Psychiatric facilities with SUD programs
- Integrated behavioral health centers
- Veterans Affairs medical centers
Opioid Treatment Programs
Programs certified by SAMHSA to provide medication-assisted treatment for opioid use disorder, including methadone clinics and buprenorphine prescribers operating as part of an OTP.
- Methadone clinics
- Buprenorphine treatment programs
- SAMHSA-certified OTPs
- Mobile medication units
- Hub-and-spoke OTP networks
Common questions about 42 CFR Part 2
How does 42 CFR Part 2 differ from HIPAA?
Part 2 is stricter than HIPAA in several key areas. It generally requires written patient consent before any disclosure of SUD treatment information, even for treatment, payment, or healthcare operations — situations where HIPAA permits disclosure without consent. Part 2 also prohibits re-disclosure by recipients, requires specific consent elements beyond HIPAA authorization, and protects against use of records in criminal proceedings.
What are the consent requirements under Part 2?
Part 2 consent must include specific elements: the patient's name, the purpose of the disclosure, the amount and kind of information to be disclosed, the recipient, the right to revoke, an expiration date or condition, and the patient's signature. A blanket authorization is not sufficient. Under the 2024 CARES Act changes, a single consent can now cover treatment, payment, and healthcare operations.
What changed with the 2024 CARES Act alignment?
The 2024 final rule brought major changes: Part 2 records can now be disclosed for treatment, payment, and healthcare operations with a single prior consent. HIPAA breach notification requirements now apply to Part 2 records. HIPAA civil and criminal penalties extend to Part 2 violations. However, the prohibition on using Part 2 records in criminal, civil, or administrative proceedings against patients remains intact.
How should EHR systems handle Part 2 data segmentation?
EHR systems need granular data segmentation capabilities to separate Part 2-protected SUD records from general health information. This includes role-based access controls specific to SUD data, flags that prevent unauthorized disclosure or re-disclosure, detailed audit trails tracking every access to Part 2 records, and consent management workflows that enforce Part 2 requirements before data is shared.
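The consent elements listed in the consent question above and the segmentation, role-based access, re-disclosure flag and audit-trail controls described in this answer can be expressed as one small access gate. The following is an added illustration written for this page; it is not BlackSheep's product code or any EHR vendor's implementation, and the data model, the role names, the "tpo" purpose label and the constructed sample records are assumptions made for the example.

```python
# Added example: a minimal consent gate for 42 CFR Part 2 records. Illustration
# code for this page, not BlackSheep's or any EHR vendor's implementation. The
# data model, role names, "tpo" purpose label and sample data are assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed: roles that belong to the SUD program's own workforce.
SUD_PROGRAM_ROLES = {"sud_clinician", "sud_counselor"}
TPO_PURPOSES = {"treatment", "payment", "operations"}


@dataclass
class Consent:
    """Consent elements the page lists: patient name, purpose, amount/kind of
    information, recipient, right to revoke, expiration, patient signature."""
    patient: str
    purpose: str       # one TPO purpose, or "tpo": a single consent covering all three
    scope: str         # amount and kind of information to be disclosed
    recipient: str
    expires: date
    signed: bool
    revoked: bool = False  # patient exercised the right to revoke

    def permits(self, purpose: str, recipient: str, today: date) -> bool:
        """True only if signed, unrevoked, unexpired, and naming this recipient
        and purpose. There is no blanket authorization: every field is required."""
        if not (self.signed and not self.revoked and today <= self.expires):
            return False
        if self.recipient != recipient:
            return False
        if self.purpose == "tpo":
            return purpose in TPO_PURPOSES
        return self.purpose == purpose


@dataclass
class Record:
    record_id: str
    patient: str
    part2: bool        # segmentation flag: True marks a Part 2 SUD record
    content: str


@dataclass
class Part2Gate:
    records: dict = field(default_factory=dict)
    consents: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # every attempt, allowed or denied

    def _log(self, **event) -> None:
        self.audit.append(event)

    def view(self, record_id: str, role: str) -> Optional[str]:
        """In-program access: role-based, no disclosure to an outside party."""
        rec = self.records[record_id]
        allowed = (not rec.part2) or role in SUD_PROGRAM_ROLES
        self._log(action="view", record=record_id, role=role, allowed=allowed)
        return rec.content if allowed else None

    def disclose(self, record_id: str, recipient: str, purpose: str,
                 today: date) -> Optional[dict]:
        """Disclosure to an outside recipient: a Part 2 record needs a matching
        consent. Returns an envelope flagged redisclosure_prohibited, or None."""
        rec = self.records[record_id]
        if rec.part2:
            ok = any(c.patient == rec.patient and c.permits(purpose, recipient, today)
                     for c in self.consents)
        else:
            ok = True   # general health information: outside this gate (HIPAA path)
        self._log(action="disclose", record=record_id, recipient=recipient,
                  purpose=purpose, allowed=ok)
        if not ok:
            return None
        return {"patient": rec.patient, "content": rec.content,
                "redisclosure_prohibited": rec.part2}


def redisclose(envelope: dict) -> bool:
    """Recipient-side check: a Part 2 envelope may not be passed on further."""
    return not envelope["redisclosure_prohibited"]


def demo() -> dict:
    """Constructed scenario: one SUD record, one general record, one TPO consent."""
    gate = Part2Gate()
    gate.records["r1"] = Record("r1", "Pat Example", True, "SUD treatment note (constructed)")
    gate.records["r2"] = Record("r2", "Pat Example", False, "General visit note (constructed)")
    consent = Consent("Pat Example", "tpo", "treatment summary", "Acme Health Plan",
                      date(2025, 12, 31), signed=True)
    gate.consents.append(consent)
    today = date(2025, 6, 1)
    out = {
        "clinician_view": gate.view("r1", "sud_clinician") is not None,
        "billing_view": gate.view("r1", "billing_clerk") is not None,
        "payer_disclosure": gate.disclose("r1", "Acme Health Plan", "payment", today),
        "other_payer": gate.disclose("r1", "Other Plan", "payment", today),
        "general_record": gate.disclose("r2", "Other Plan", "payment", today) is not None,
    }
    consent.revoked = True
    out["after_revocation"] = gate.disclose("r1", "Acme Health Plan", "payment", today)
    out["audit_entries"] = len(gate.audit)
    return out
```

The point of the design is that the segmentation flag on the record, not the caller, decides which path applies: a general record passes straight through, while a Part 2 record is only released when a consent object naming that recipient and purpose is signed, unrevoked and unexpired, and every allowed or denied attempt lands in the audit list.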
What are the penalties for Part 2 violations?
Following the 2024 CARES Act alignment, Part 2 violations carry HIPAA-level penalties: civil monetary penalties from $100 to $50,000 per violation, up to $1.5 million per year for identical violations. Criminal penalties can include fines up to $250,000 and imprisonment up to 10 years. Prior to alignment, Part 2 had its own penalty structure with fines up to $500 for a first offense and $5,000 for subsequent offenses.
Part 2 compliance is too important to track in spreadsheets
Track consent requirements, data segmentation controls, and QSO agreements. BlackSheep maps every Part 2 requirement so your SUD program stays compliant and audit-ready.
$249/month. 30-day money-back guarantee.