HealthCare ITSM

Free Consultation

We are ready to help!

Call us today at 520-201-2330 so we can review your needs or enter your email below to begin your free consultation

    FAQs About 42 CFR Part 2 Requirements

    Regulations with 42 CFR Part 2

    Substance use disorder continues to carry a stigma in the United States, but the government has done what it can to try and limit the exposure patients face by protecting their records from unauthorized eyes. While the Health Insurance Portability and Accountability Act (HIPAA) has helped to control how much medical information a caretaker can divulge, the government believed another step was needed for further protection.

    42 CFR Part 2, typically just called Part 2, is a law protecting the information of people dealing with substance use disorder to help them avoid scrutiny. Unfortunately, the law is complex and can be difficult for even SUD-related healthcare business owners to understand. This FAQ guide will answer some of the most common questions regarding Part 2 to help you better understand what the law entails and why you need the right IT solution to protect your company and patients.

    What Are Some of the Most Frequent Questions Regarding Part 2?

    The laws surrounding Part 2 are complex, and it is impossible to explore every fringe case or situation. However, you should get a basic idea of the requirements for Part 2 and how they affect your business.

    What is 42 CFR Part 2?
    42 CFR Part 2 is the set of laws that outline substance abuse confidentiality regulations. The law specifies what information a healthcare professional can disclose regarding a patient facing a substance use disorder, outlines who they can disclose the information to, and dictates when they have permission to disclose it. In essence, the law provides a general framework for consent for disclosure of records.

    There are two primary instances when a healthcare provider may disclose information about persons dealing with a substance use disorder, both with and without consent. If the patient consents to disclosure, then a healthcare professional can provide information to the appropriate parties. Additionally, the law outlines instances where a healthcare professional can reveal information without consent, such as in a medical emergency.

    Healthcare providers who provide services for patients covered under Part 2 must do everything in their power to prevent records from unauthorized view. While this can seem daunting for a healthcare business of any size, it doesn’t need to be. Hiring an IT firm that can protect you from any issues with your system, like accidental information leaks or being compromised in a cyberattack, can be extremely valuable.

    When Does Part 2 Apply to a Patient?
    When Part 2 applies to a patient

    There are two primary aspects that determine when Part 2 applies to a patient or their caretaker. First and foremost, it’s important to examine the verbiage within the law – the creators specify that it is both “federally assisted” and a “program.”

    “Federally assisted” concerns any SUD program that receives help from the federal government to provide treatment. This applies to many SUD programs, whether they have direct control and management by a federal office or receive money from the federal government.

    “Programs” are anything that provides diagnosis, treatment, or referral for people with SUD. Programs can include individuals or medical facilities so long as they provide the aforementioned services.

    Is Part 2 the Same Thing as HIPAA?
    On the surface, HIPAA and Part 2 may seem to be the same. Both laws provide an outline and guideline regarding who can share privileged medical information and when they can share it. However, HIPAA has broader protections that apply to every patient, while Part 2 only applies to patients who are dealing with SUD and seeking help through a federally assisted program.

    Part 2 provides more protections for patients than HIPAA, and healthcare businesses and their associated providers will need to know these differences and how to protect themselves. With HIPAA, once someone legally discloses medical information, the protection ends.

    Part 2’s protections, however, extend to the person or organization who learns of the information through legal means. Organizations must maintain the security regarding Part 2 records.

    Why Is Part 2 Important For Patients Dealing With Substance Use Disorder?
    Many people with SUD tend to show trepidation regarding accepting treatment, and this may partially be due to security concerns regarding their information. They may worry about the stigma society has established for people with SUD and avoid seeking help to remain anonymous. Additionally, there is considerable worry that news of a substance use disorder will lead to issues with the police, employer, legal system, or landlords.

    A study by the Substance Abuse and Mental Health Services Administration demonstrated that many people worry about maintaining confidentiality regarding their substance use disorder treatment.

    Part 2 seeks to alleviate these fears and keep information regarding SUD history and treatment separate away from the general public’s knowledge. As such, medical providers have both a legal and ethical burden to maintain confidentiality when required by Part 2. Having well-maintained and organized digital records can prevent any leaks from happening and help keep your patients’ information secure and your business from dealing with legal fallout.

    Patients also face the risk of stigma within the medical field if other entities acquire privileged Part 2 information. Some patients fear the stigma will lead to them not getting help or losing their insurance coverage.

    Can a Patient Volunteer to Disclose Information Under Part 2?
    Yes, a patient can volunteer to disclose information under Part 2. The patient must fill out the appropriate paperwork to consent to the release of the information. The party or parties who receive the medical information are also beholden to Part 2 and must avoid revealing information without proper approval.
    What Information Must be on the Disclosure Document?
    Ensuring a properly recorded disclosure document will allow you to avoid dealing with a legal case from the unauthorized spreading of information. On a disclosure form, you’ll need the names of any individuals whose records you are revealing and the names of the party or parties to whom you intend to provide documents.

    The form should state the purpose of the disclosure and how much information the healthcare provider will reveal to the entities named in the form. There must be a legitimate reason for the disclosure and the patient must approve of any information provided as well as the entities you provide the information.

    Once all the details are included, you must date the document and have the patient provide a signature. The form should also include a date when the consent will expire. As a healthcare provider, you will want to impress upon a patient the fact that they can revoke consent at any time.

    A recent amendment to the law does allow a patient to consent to disclose information to entities with whom they do not have a providing relationship. For instance, a patient may want to provide documents to the Social Security Administration. The patient can allow a healthcare provider to provide this information without having to name the specific entity.

    Additionally, the patient will not be able to provide consent orally, and you must have the proper information in writing for legal consent.

    If a Patient Consents to Disclose Information, Can They Revoke That Consent Later?
    Yes, patients maintain the right to revoke their consent to the disclosure of information under Part 2. A patient must speak with their healthcare provider and express their wishes to revoke consent to release any personal information. Patients can maintain the consent with any entities they wish but can pull out of specific consent agreements at any time.

    For healthcare providers in non-Health Information Exchange (HIE) environments, it is important to modify the consent forms on the patient’s records. A healthcare provider with an HIE environment should communicate with the health information organization and provide notes on the patients’ records.

    Can Patients Opt Out of the Consent Process?
    Can patients opt out?

    Unlike HIPAA, Part 2 does not allow patients to opt out of the consent process. If a healthcare provider wants to share information with another relevant agency or party, they will have to seek consent each time. A patient cannot give a blanket waiver of their rights to privacy under Part 2.

    Does Part 2 Apply to Armed Forces Members’ SUD Records?
    Members of the military experience different protections and regulations for their medical records compared to civilians. While HIPAA and Part 2 both apply in some instances, there are others where neither comes into effect regarding the treatment of a member or former member of the United States Armed Forces.

    Any information or records the Armed Forces acquire while a patient is subject to the Uniform Code of Military Justice must remain in compliance with Part 2. This does not apply to any information the Armed Forces share between themselves. If a veteran is seeking SUD treatment through the Department of Veterans Affairs, Part 2 is not applicable. However, Part 2 will apply when healthcare businesses exchange records with a patient getting help through the Military Health System and TRICARE.

    Can Law Enforcement See a Patient’s Files Under Part 2?
    Files protected under HIPAA give a patient reasonable privacy coverage, but law enforcement can see these documents with most general subpoenas from the court. Law enforcement can then view the files as they wish and use the information during an investigation.

    However, Part 2 provides additional protection for a patient. If law enforcement approaches a healthcare provider with a general subpoena regarding a patient covered under Part 2 requirements, they cannot hand over the requested documents in most cases. For law enforcement to legally acquire the documents, they will have to acquire a special subpoena to access the files.

    Are There Instances Where a Healthcare Provider Can Share Part 2 Information Without Consent?
    In general, medical professionals cannot reveal information about a patient who is protected under Part 2. To reveal this information, a healthcare provider must obtain consent from the patient. However, there are instances where a patient doesn’t need to provide consent because they cannot provide consent for a variety of reasons. Some of the instances where healthcare providers do not need to seek consent include:

    • Medical emergencies for the patient
    • State law mandates reporting of information regarding potential child neglect or abuse to law enforcement or other authorities
    • Research requests
    • Law enforcement presents a valid court order to view the privileged information
    • When a patient makes a reasonable threat to commit a crime
    • When a lawful entity conducts an audit of medical records
    • When a qualified service organization needs the information to provide services to the healthcare program

    Your employees must ensure that they follow the proper procedures when presenting information to other parties without the patient’s consent. To do so, it is essential that you maintain your digital filing system to avoid any accidental information leaks or hacking attempts.

    Who Qualifies as Medical Personnel During an Emergency?
    Part 2 allows healthcare providers to distribute relevant information protected under Part 2 to “medical personnel” during an emergency. The law does not, however, define who counts as medical personnel. During an emergency, the healthcare provider must determine who needs the information for treatment and must ensure they document who received what information.

    Healthcare ITSM: Helping With Any Healthcare IT Needs

    Helping with your IT needs

    Managing Healthcare IT is one of the most important tasks for modern SUD treatment and recovery businesses, just as it is for other healthcare businesses. Secure and organized digital records will help your employees access the information they are authorized to view while reducing the risk of accidentally leaking information or losing important documents. If you need to reassess your information systems to ensure Part 2 compliance, our team at Healthcare ITSM can help.

    Contact us today to learn more about our IT solutions for healthcare businesses or to schedule a consultation.

    Resources :

    1. Compliancy Group. (n.d.). Substance Abuse Disorder Treatment: 42 CFR Part 2 and HIPAA. Retrieved from
    2. American Society of Addiction Medicine. (n.d.). FAQs about 42 CFR Part 2. Retrieved from”
    3. Substance Abuse and Mental Health Services Administration. (n.d.). Substance Use Confidentiality Regulations. Retrieved from
    Post Navigation