HHS Makes Changes to 42 CFR Part Substance Use Disorder Privacy Provisions

The Department of Health and Human Services Substance Abuse and Mental Health Administration (SAMHSA) has announced that certain proposed provisions related to the sharing of records of patients that are receiving treatment through federally assisted substance use disorder programs have now been changed.

Confidentiality of Substance Use Disorder Patient Records regulation, 42 CFR Part 2, was promulgated in 1975 and was intended to protect patients’ privacy and shield them from any stigma associated with substance use disorder. 42 CFR Part 2 treats substance use disorder diagnoses and treatment information differently to other health information.

Information related to substance use disorder is not included as a part of a patient’s viewable medical records and restrictions are placed on the use and sharing of that information. Generally, a federally assisted substance use disorder program is only permitted to disclose personally identifiable information if consent is obtained from a patient in writing or if a court order is received that requires the patient’s information to be disclosed without consent. Without 42 CFR Part 2, patients may be deterred from seeking treatment for substance use disorder. 42 CFR Part 2 makes sure that patients seeking treatment for substance use disorder are not treated differently to patients who do not seek treatment.

For many years there have been calls from industry stakeholders and trade associations to change the ‘outdated’ 42 CFR Part 2 regulation, which can put patient safety at risk. A treating physician would not be able to see that a patient has a history of substance use disorder and could prescribe opiates for instance. If that information was available, a different treatment regimen could be prescribed instead.

The Health Insurance Portability and Accountability Act (HIPAA) has rules that limit the sharing of protected health information and healthcare industry leaders have been pressing the HHS to align 42 CFR Part 2 more closely with HIPAA to improve patient safety and reduce the compliance burden on physicians. Treating substance use disorder records differently from other types of protected health information also contributes to the stigmatization of mental and behavioral health conditions.

Around a year ago, the HHS announced that changes were being considered to 42 CFR Part 2 and comment was sought from industry stakeholders. The feedback has been considered and, as part of the HHS Regulatory Sprint to Coordinated Care, some of the proposed changes have now been adopted. According to the HHS, the changes “advance the integration of healthcare for individuals with substance use disorders while maintaining critical privacy and confidentiality protections.”


Simple Guidelines
Immediate PDF Download

Immediate Access

Privacy Policy

The basic framework of 42 CFR Part 2 remains in place and it is still necessary for written consent to be obtained from patients before their records can be shared. The HHS confirmed that “federally assisted substance use disorder program may only disclose patient identifying information with the individual’s written consent, as part of a court order, or under a few limited exceptions.” Those exceptions have been clarified as cases of a bone fide medical emergency, for scientific research, and if required for an audit or program evaluation. Substance abuse disorder records can still not be used by law enforcement in criminal prosecutions against patients, unless a court order is obtained.

This reform will help make it easier for Americans to discuss substance use disorders with their doctors, seek treatment, and find the road to recovery,” said HHS Secretary Alex Azar“Thanks to the valuable input of stakeholders, our final rule will make it easier for Americans to seek and receive treatment while lifting burdens on providers and maintaining important privacy protections.”


Changes to 42 CFR Part 2

The changes to 42 CFR Part 2 are detailed in a fact sheet published by the HHS, which has been reproduced below:

Provision What Changed? Why Was This Changed?
Applicability and Re-Disclosure Treatment records created by non-Part 2 providers based on their own patient encounter(s) are explicitly not covered by Part 2, unless any SUD records previously received from a Part 2 program are incorporated into such records. Segmentation or holding a part of any Part 2 patient record previously received can be used to ensure that new records created by non-Part 2 providers will not become subject to Part 2. To facilitate coordination of care activities by non-part-2 providers.
Disposition of Records When an SUD patient sends an incidental message to the personal device of an employee of a Part 2 program, the employee will be able to fulfill the Part 2 requirement for “sanitizing” the device by deleting that message. To ensure that the personal devices of employees will not need to be confiscated or destroyed, in order to sanitize in compliance with Part 2.
Consent Requirements An SUD patient may consent to disclosure of the patient’s Part 2 treatment records to an entity (e.g., the Social Security Administration), without naming a specific person as the recipient for the disclosure. To allow patients to apply for benefits and resources more easily, for example, when using online applications that do not identify a specific person as the recipient for a disclosure of Part 2 records.
Disclosures Permitted w/ Written Consent Disclosures for the purpose of “payment and health care operations” are permitted with written consent, in connection with an illustrative list of 18 activities that constitute payment and health care operations now specified under the regulatory provision. In order to resolve lingering confusion under Part 2 about what activities count as “payment and health care operations,” the list of examples has been moved into the regulation text from the preamble, and expanded to include care coordination and case management activities.
Disclosures to Central Registries and PDMPs Non-OTP (opioid treatment program) and non-central registry treating providers are now eligible to query a central registry, in order to determine whether their patients are already receiving opioid treatment through a member program.

OTPs are permitted to enroll in a state prescription drug monitoring program (PDMP), and permitted to report data into the PDMP when prescribing or dispensing medications on Schedules II to V, consistent with applicable state law.

To prevent duplicative enrollments in SUD care, duplicative prescriptions for SUD treatment, and adverse drug events related to SUD treatment.
Medical Emergencies Declared emergencies resulting from natural disasters (e.g., hurricanes) that disrupt treatment facilities and services are considered a “bona fide medical emergency,” for the purpose of disclosing SUD records without patient consent under Part 2. To ensure clinically appropriate communications and access to SUD care, in the context of declared emergencies resulting from natural disasters.
Research Disclosures for research under Part 2 are permitted by a HIPAA-covered entity or business associate to individuals and organizations who are neither HIPAA covered entities, nor subject to the Common Rule (re: Research on Human Subjects). To facilitate appropriate disclosures for research, by streamlining overlapping requirements under Part 2, the HIPAA Privacy Rule and the Common Rule.
Audit and Evaluation Clarifies specific situations that fall within the scope of permissible disclosures for audits and/or program evaluation purposes. To resolve current ambiguity under Part 2 about what activities are covered by the audit and evaluation provision.
Undercover Agents and Informants Court-ordered placement of an undercover agent or informant within a Part 2 program is extended to a period of 12 months, and courts are authorized to further extend the period of placement through a new court order. To address law enforcement concerns that the current policy is overly restrictive to some ongoing investigations of Part 2 programs.
About Liam Johnson
Liam Johnson has produced articles about HIPAA for several years. He has extensive experience in healthcare privacy and security. With a deep understanding of the complex legal and regulatory landscape surrounding patient data protection, Liam has dedicated his career to helping organizations navigate the intricacies of HIPAA compliance. Liam focusses on the challenges faced by healthcare providers, insurance companies, and business associates in complying with HIPAA regulations. Liam has been published in leading healthcare publications, including The HIPAA Journal. Liam was appointed Editor-in-Chief of The HIPAA Guide in 2023. Contact Liam via LinkedIn: https://www.linkedin.com/in/liamhipaa/