HIPAA and 42 CFR Part 2 Confidentiality Rules in Drug Rehab

Two distinct federal frameworks govern the privacy of substance use disorder records — and the fact that they overlap without being identical has caused real confusion for patients, families, and providers alike. HIPAA sets the floor for most medical privacy in the United States, but 42 CFR Part 2 adds a second, stricter layer that applies specifically to records from federally assisted drug and alcohol treatment programs. Understanding where one ends and the other begins matters significantly when deciding who can see treatment records, under what circumstances, and with whose permission.

Definition and scope

HIPAA — the Health Insurance Portability and Accountability Act of 1996 — establishes national standards for protecting identifiable health information. The Department of Health and Human Services (HHS) enforces it through the Privacy Rule (45 CFR Parts 160 and 164), which permits a range of disclosures for treatment, payment, and healthcare operations without patient authorization.

42 CFR Part 2 is a separate federal regulation, maintained by the Substance Abuse and Mental Health Services Administration (SAMHSA), that applies exclusively to records created by federally assisted substance use disorder treatment programs — meaning programs that receive federal funds, hold a federal tax exemption, or are authorized by a federal agency (42 CFR § 2.12). The rule covers patient-identifying information about any person who has applied for or received substance use disorder diagnosis, treatment, or referral.

The scope difference is significant: HIPAA applies broadly to covered entities, while Part 2 applies narrowly to programs dealing specifically with addiction. A hospital treating a broken arm operates under HIPAA alone. A federally assisted outpatient addiction clinic operates under both — and where they conflict, Part 2's stricter standard generally controls.

How it works

Under HIPAA, covered entities may share protected health information for treatment coordination, billing, and public health activities without patient consent. Part 2 removes that flexibility for substance use disorder records. Disclosure under Part 2 requires written patient consent for nearly every release, with limited exceptions.

The exceptions built into Part 2 include:

  1. Medical emergencies — when the patient's life is at risk, records may be disclosed to medical personnel, though the program must document the disclosure.
  2. Court orders — not a subpoena alone, but a specific court order issued under the criteria set out in § 2.61–2.67, which includes a showing that the public interest substantially outweighs the patient's privacy interest.
  3. Research, audit, and evaluation — permitted under agreements that limit re-disclosure and protect identities.
  4. Internal program communications — staff within the treating program may share information without separate consent.
  5. Reports of child abuse or neglect — Part 2 does not prevent initial reporting under state mandatory reporting laws, though it limits further disclosure afterward.

SAMHSA updated Part 2 in 2024 to align it more closely with HIPAA while preserving its core protections. The update permits patients to give a single, general consent for disclosure to treating providers and health plans — an adjustment that reduces paperwork friction without eliminating the consent requirement itself.

Common scenarios

A family member calls asking for updates. Under both HIPAA and Part 2, a patient's family has no automatic right to treatment information. Disclosure requires either written consent naming that person, or — in HIPAA's framework — an emergency determination. Part 2 does not have a "family exception."

A criminal court requests records. This is where Part 2's teeth show. A standard subpoena is not sufficient to compel disclosure of Part 2-protected records. A prosecutor or defense attorney must obtain a court order meeting the specific statutory threshold, which includes notifying the patient and the program. This protection was specifically designed to prevent law enforcement from using the treatment relationship as an intelligence source — a concern that has shaped how the scope of drug rehab programs are structured.

An employer contacts the program. Without a valid, signed consent form that specifically names the employer, no disclosure is lawful under Part 2 — regardless of what HIPAA might otherwise allow.

A patient wants their own records. Both frameworks give patients the right to access their records. HIPAA codifies this under 45 CFR § 164.524. Part 2 does not override that right.

Decision boundaries

The governing question is which framework controls a given disclosure. A structured breakdown:

The practical implication is that patients seeking help at a federally assisted program have notably stronger privacy protections than they would at a general medical provider. That asymmetry is intentional. The legislative history of Part 2, as reviewed in frequently asked questions about drug rehab, reflects Congress's determination that fear of disclosure is itself a barrier to treatment-seeking. The regulation is, in a sense, designed to make asking for help feel safer. For anyone navigating how to get help for drug rehab, knowing that the law actively limits who can see treatment records is not a minor footnote — it is part of the foundation that makes the whole system function.

References

📜 1 regulatory citation referenced  ·   · 

Read Next

Drug Rehab: Frequently Asked Questions ANA › Life Services Authority › National Drugrehab Drug Rehab: Frequently Asked Questions Drug rehabilitation is one of those subjects... How to Get Help for Drug Rehab ANA › Life Services Authority › National Drugrehab How to Get Help for Drug Rehab Reaching out for drug rehabilitation support is one of... DEA Drug Scheduling and Its Impact on Addiction Treatment Options ANA › Life Services Authority › National Drugrehab DEA Drug Scheduling and Its Impact on Addiction Treatment Options The federal drug...