HHS’ Final Rule on Confidentiality of Alcohol and Drug Abuse Patient Records Regulations

In February 2016, the Department of Health and Human Services proposed changes to the Confidentiality of Alcohol and Drug Abuse Patient Records regulations, (42 CFR Part 2), to improve health information exchange. Part 2 of the proposed changes was finalized by the HHS after a considerable review of public feedback, as mentioned in a press release issued by the Substance Abuse and Mental Health Services Administration (SAMHSA).

In 1975, the introduction of the Confidentiality of Alcohol and Drug Abuse Patient Records regulations made sure that the privacy of patients getting treatment for substance abuse and mental health problems was protected and patient data was secured. There was concern that the exposure of patients’ identities would potentially stop individuals from seeking treatment.

The healthcare system has changed a great deal in the last 40 years and the Part 2 regulations are now in need of modernization. Although patient privacy is still of major importance, data sharing will support health integration and there are considerable benefits of information exchange with research organizations.

As stated by Kana Enomoto, HHS Deputy Assistant Secretary, the Part 2 changes are going to further improve health research, quality assurance, integrated treatment, health data exchange activities, and safeguard the privacy rights of individuals getting treatment for substance abuse and mental health problems. These initiatives pave the way for integrated health care models in the hopes of providing a better, more affordable health care system that enables people to make important choices regarding their health care.

A few new provisions were have been included in the HHS Final Rule:

  • Any authorized holder of patient identifying information can share Part 2 identifying information with authorized persons for reasons of scientific research, as long as the research satisfies specific regulatory specifications. The sharing of information will allow organizations to complete important research on substance use issues. SAMHSA will likewise allow information linkages between data sets and data repositories keeping Part 2 information and ensure that regulatory requirements are satisfied.
  • In a number of instances, patients are going to be allowed to use standard designations, for example “My Treatment Providers” when giving permission to disclose personal data. Patients do not need to say yes to sharing of their personal data although, by doing so, they would benefit from integrated healthcare systems. In case patients do make use of the general disclosure designation, they could request a listing of persons and entities with whom their information may be shared.
  • Changes were made that describe audit/evaluation processes required to satisfy the demands of CMS-regulated accountable care organization and different CMS-regulated institutions. The changes add financial and quality assurance capabilities, which are essential for ACOs and other healthcare institutions.
  • Part 2 updates cover physical and electronic records
  • SAMHSA will create more sub-regulatory guidance regarding the completed provisions and will monitor enforcement of the Final Rule.

HHS has issued a Supplemental Notice of Proposed Rulemaking (SNPRM) and is asking for input and feedback from the public on further annotations and suggestions on the following new provisions:


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

  • Clarifying and restricting the instances where contractors, subcontractors and legitimate representatives of authorized holders of Part 2 information can obtain details for payment and healthcare treatment activities.
  • An abbreviated alternate statement for the notification to go with disclosure.
  • Use of contractors, sub-contractors, and legitimate representatives by entities governed by CMS to perform audit and review activities required to satisfy the demands of a CMS-controlled program.
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/