FAQs About 42 CFR Part 2 Requirements

42 CFR Part 2 is the set of laws that outline substance abuse confidentiality regulations. The law specifies what information a healthcare professional can disclose regarding a patient facing a substance use disorder, outlines who they can disclose the information to, and dictates when they have permission to disclose it. In essence, the law provides a general framework for consent for disclosure of records.

There are two primary instances when a healthcare provider may disclose information about persons dealing with a substance use disorder, both with and without consent. If the patient consents to disclosure, then a healthcare professional can provide information to the appropriate parties. Additionally, the law outlines instances where a healthcare professional can reveal information without consent, such as in a medical emergency.

Healthcare providers who provide services for patients covered under Part 2 must do everything in their power to prevent records from unauthorized view. While this can seem daunting for a healthcare business of any size, it doesn’t need to be. Hiring an IT firm that can protect you from any issues with your system, like accidental information leaks or being compromised in a cyberattack, can be extremely valuable.

There are two primary aspects that determine when Part 2 applies to a patient or their caretaker. First and foremost, it’s important to examine the verbiage within the law – the creators specify that it is both “federally assisted” and a “program.”

“Federally assisted” concerns any SUD program that receives help from the federal government to provide treatment. This applies to many SUD programs, whether they have direct control and management by a federal office or receive money from the federal government.

“Programs” are anything that provides diagnosis, treatment, or referral for people with SUD. Programs can include individuals or medical facilities so long as they provide the aforementioned services.

On the surface, HIPAA and Part 2 may seem to be the same. Both laws provide an outline and guideline regarding who can share privileged medical information and when they can share it. However, HIPAA has broader protections that apply to every patient, while Part 2 only applies to patients who are dealing with SUD and seeking help through a federally assisted program.

Part 2 provides more protections for patients than HIPAA, and healthcare businesses and their associated providers will need to know these differences and how to protect themselves. With HIPAA, once someone legally discloses medical information, the protection ends.

Part 2’s protections, however, extend to the person or organization who learns of the information through legal means. Organizations must maintain the security regarding Part 2 records.

Many people with SUD tend to show trepidation regarding accepting treatment, and this may partially be due to security concerns regarding their information. They may worry about the stigma society has established for people with SUD and avoid seeking help to remain anonymous. Additionally, there is considerable worry that news of a substance use disorder will lead to issues with the police, employer, legal system, or landlords.

A study by the Substance Abuse and Mental Health Services Administration demonstrated that many people worry about maintaining confidentiality regarding their substance use disorder treatment.

Part 2 seeks to alleviate these fears and keep information regarding SUD history and treatment separate away from the general public’s knowledge. As such, medical providers have both a legal and ethical burden to maintain confidentiality when required by Part 2. Having well-maintained and organized digital records can prevent any leaks from happening and help keep your patients’ information secure and your business from dealing with legal fallout.

Patients also face the risk of stigma within the medical field if other entities acquire privileged Part 2 information. Some patients fear the stigma will lead to them not getting help or losing their insurance coverage.

Yes, a patient can volunteer to disclose information under Part 2. The patient must fill out the appropriate paperwork to consent to the release of the information. The party or parties who receive the medical information are also beholden to Part 2 and must avoid revealing information without proper approval.

Ensuring a properly recorded disclosure document will allow you to avoid dealing with a legal case from the unauthorized spreading of information. On a disclosure form, you’ll need the names of any individuals whose records you are revealing and the names of the party or parties to whom you intend to provide documents.

The form should state the purpose of the disclosure and how much information the healthcare provider will reveal to the entities named in the form. There must be a legitimate reason for the disclosure and the patient must approve of any information provided as well as the entities you provide the information.

Once all the details are included, you must date the document and have the patient provide a signature. The form should also include a date when the consent will expire. As a healthcare provider, you will want to impress upon a patient the fact that they can revoke consent at any time.

A recent amendment to the law does allow a patient to consent to disclose information to entities with whom they do not have a providing relationship. For instance, a patient may want to provide documents to the Social Security Administration. The patient can allow a healthcare provider to provide this information without having to name the specific entity.

Additionally, the patient will not be able to provide consent orally, and you must have the proper information in writing for legal consent.

Yes, patients maintain the right to revoke their consent to the disclosure of information under Part 2. A patient must speak with their healthcare provider and express their wishes to revoke consent to release any personal information. Patients can maintain the consent with any entities they wish but can pull out of specific consent agreements at any time.

For healthcare providers in non-Health Information Exchange (HIE) environments, it is important to modify the consent forms on the patient’s records. A healthcare provider with an HIE environment should communicate with the health information organization and provide notes on the patients’ records.

Unlike HIPAA, Part 2 does not allow patients to opt out of the consent process. If a healthcare provider wants to share information with another relevant agency or party, they will have to seek consent each time. A patient cannot give a blanket waiver of their rights to privacy under Part 2.

Members of the military experience different protections and regulations for their medical records compared to civilians. While HIPAA and Part 2 both apply in some instances, there are others where neither comes into effect regarding the treatment of a member or former member of the United States Armed Forces.

Any information or records the Armed Forces acquire while a patient is subject to the Uniform Code of Military Justice must remain in compliance with Part 2. This does not apply to any information the Armed Forces share between themselves. If a veteran is seeking SUD treatment through the Department of Veterans Affairs, Part 2 is not applicable. However, Part 2 will apply when healthcare businesses exchange records with a patient getting help through the Military Health System and TRICARE.

Files protected under HIPAA give a patient reasonable privacy coverage, but law enforcement can see these documents with most general subpoenas from the court. Law enforcement can then view the files as they wish and use the information during an investigation.

However, Part 2 provides additional protection for a patient. If law enforcement approaches a healthcare provider with a general subpoena regarding a patient covered under Part 2 requirements, they cannot hand over the requested documents in most cases. For law enforcement to legally acquire the documents, they will have to acquire a special subpoena to access the files.

In general, medical professionals cannot reveal information about a patient who is protected under Part 2. To reveal this information, a healthcare provider must obtain consent from the patient. However, there are instances where a patient doesn’t need to provide consent because they cannot provide consent for a variety of reasons. Some of the instances where healthcare providers do not need to seek consent include:

Your employees must ensure that they follow the proper procedures when presenting information to other parties without the patient’s consent. To do so, it is essential that you maintain your digital filing system to avoid any accidental information leaks or hacking attempts.

Part 2 allows healthcare providers to distribute relevant information protected under Part 2 to “medical personnel” during an emergency. The law does not, however, define who counts as medical personnel. During an emergency, the healthcare provider must determine who needs the information for treatment and must ensure they document who received what information.