HIPAA and 42 CFR Part 2 Confidentiality Rules in Drug Rehab
Two overlapping federal frameworks govern the privacy of substance use disorder records in the United States: the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and 42 CFR Part 2, a specialized regulation that applies specifically to federally assisted drug and alcohol treatment programs. Understanding how these frameworks interact, where they diverge, and which applies in a given clinical context is essential for patients, providers, and facilities navigating patient rights in drug rehab. Both frameworks carry enforceable penalties and shape the flow of sensitive health information across every stage of addiction treatment.
Definition and Scope
HIPAA — administered by the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) — establishes baseline protections for "protected health information" (PHI) held by covered entities: health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically (45 CFR §§ 160, 164). HIPAA permits disclosure of PHI for treatment, payment, and healthcare operations (TPO) without patient authorization in most circumstances.
42 CFR Part 2 — administered by the Substance Abuse and Mental Health Services Administration (SAMHSA) — imposes a stricter, separate standard on records of patients treated at programs that are federally assisted and that hold themselves out as providing substance use disorder (SUD) diagnosis, treatment, or referral (42 CFR § 2.11). "Federally assisted" includes programs that receive federal funding, are authorized to conduct methadone treatment, or are operated by a federal agency. This definition captures most licensed methadone treatment clinics and other programs operating under SAMHSA treatment program certification.
The critical distinction: HIPAA permits TPO disclosures without consent; 42 CFR Part 2 historically required written patient consent for nearly all disclosures, including those made for treatment purposes to outside providers. A 2024 final rule issued by SAMHSA aligned Part 2 more closely with HIPAA by allowing disclosures for TPO purposes with a single general consent, but Part 2 still imposes requirements that exceed HIPAA's baseline in several areas, including restrictions on use of records in criminal proceedings.
How It Works
The operational structure of both frameworks follows a tiered consent and disclosure model:
- Patient consent or authorization obtained — Under the revised 42 CFR Part 2 (effective 2024), a patient may sign a single written consent that permits the treating program to disclose Part 2 records to identified entities for TPO purposes. This replaces the prior requirement for a separate consent per disclosure.
- Covered disclosures without consent — Both HIPAA and Part 2 allow disclosure without consent in defined emergencies (imminent danger to the patient or another person), as required by mandatory child abuse reporting laws, and pursuant to a valid court order that meets specific statutory standards.
- Prohibition on re-disclosure — Any entity receiving Part 2 records is prohibited from re-disclosing those records to a third party without the patient's consent or another applicable exception. Recipients must be notified of this prohibition in writing at the time of disclosure (42 CFR § 2.32).
- Criminal justice restrictions — Records covered by Part 2 cannot be used to initiate or substantiate criminal charges against the patient without a court order meeting the criteria of 42 CFR § 2.65. HIPAA does not contain an equivalent restriction, making Part 2 the more protective framework in legal proceedings.
- Breach notification — Under HIPAA's Breach Notification Rule (45 CFR §§ 164.400–414), covered entities must notify affected individuals, HHS, and in large breaches, the media, within 60 days of discovery. Part 2 does not contain an independent breach notification requirement but operates alongside HIPAA where both apply.
Penalty exposure under HIPAA ranges from $100 to $50,000 per violation, with an annual cap of $1.9 million per violation category (HHS OCR Civil Monetary Penalties). Violations of 42 CFR Part 2 can result in criminal fines up to $500 per violation for negligent disclosures (42 U.S.C. § 290dd-2(f)).
Common Scenarios
Scenario 1 — Referral from a primary care physician to a residential program: A primary care provider (not a Part 2 program) may share PHI with a residential treatment facility under HIPAA's TPO exception without separate consent. Once the residential program creates its own treatment records, those records become Part 2-protected if the program qualifies as federally assisted.
Scenario 2 — Insurance billing and Medicaid coverage: A Part 2 program seeking Medicaid reimbursement must operate within both frameworks. Under the 2024 rule, a single patient consent for TPO disclosures covers billing communications to the payer, but the payer remains bound by the re-disclosure prohibition.
Scenario 3 — Co-occurring disorder treatment: When a patient receives both psychiatric and substance use disorder services — as commonly occurs in co-occurring disorder (dual diagnosis) programs — the substance use disorder records retain their Part 2 protections even when held alongside non-Part 2 mental health records. The two record sets require separate disclosure analysis.
Scenario 4 — Subpoena or law enforcement request: A court subpoena issued to a Part 2 program does not automatically authorize disclosure. The program must object and require the requesting party to obtain a court order that satisfies 42 CFR § 2.64, which mandates a finding that the public interest in disclosure outweighs the patient's privacy interest.
Decision Boundaries
The threshold question for any disclosure decision is whether the records at issue qualify as "Part 2 records" — if the program is federally assisted and specializes in SUD treatment, the stricter standard applies. HIPAA functions as the floor; Part 2 operates as a ceiling that prevents HIPAA's more permissive exceptions from applying.
Four classification boundaries determine which framework controls:
| Factor | HIPAA Only | HIPAA + 42 CFR Part 2 |
|---|---|---|
| Program type | General medical provider | Federally assisted SUD-specialized program |
| Record type | General PHI | SUD diagnosis/treatment records |
| Consent for TPO | Not required | Single written consent (post-2024 rule) |
| Criminal use restriction | Not present | Requires separate court order |
Facilities holding accreditation and licensing through bodies such as The Joint Commission or CARF must demonstrate compliance with both frameworks as part of their standards review. Accreditation bodies do not substitute for federal regulatory compliance, but their standards incorporate federal privacy requirements by reference.
The interaction between Part 2 and opioid treatment program regulations creates an additional compliance layer for programs dispensing methadone or buprenorphine under DEA registration, since those programs are almost universally federally assisted and thus Part 2-covered by definition.
Patients enrolled in medication-assisted treatment programs should understand that their treatment records receive the dual-framework protections described above — and that even their treating physicians outside the program cannot receive those records without a valid consent form or applicable exception.
References
- U.S. Department of Health and Human Services — HIPAA for Professionals (HHS OCR)
- 42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records (eCFR)
- 45 CFR Part 164 — Security and Privacy (HIPAA) (eCFR)
- SAMHSA — 42 CFR Part 2 Final Rule (2024)
- HHS OCR — HIPAA Civil Monetary Penalties
- 42 U.S.C. § 290dd-2 — Confidentiality of Records (U.S. House Office of Law Revision Counsel)
- SAMHSA — Substance Abuse and Mental Health Services Administration