42 CFR Part 2 Compliance Guide for EHR Systems (2026)
A comprehensive guide to 42 CFR Part 2 compliance for behavioral health and substance use disorder treatment providers — covering the landmark 2024 final rule, HIPAA alignment, consent management, EHR configuration requirements, and a practical compliance checklist for the February 2026 deadline.
Key Takeaways
- The February 2024 final rule fundamentally restructured 42 CFR Part 2 by aligning it with HIPAA — implementing Section 3221 of the CARES Act. The compliance deadline was February 16, 2026.
- Patients can now provide a single consent for all future TPO disclosures of SUD records, eliminating the need for separate consents for each provider. That consent remains valid until the patient revokes it in writing.
- The HIPAA Breach Notification Rule now applies to Part 2 records — organizations must conduct the four-factor risk assessment and follow notification timelines for incidents involving SUD data.
- Enforcement is now aligned with HIPAA penalties: civil monetary penalties up to $2.13 million per violation category per year, plus criminal penalties up to $250,000 and 10 years imprisonment.
- Despite alignment, Part 2 still requires patient consent for TPO disclosures and prohibits use of SUD records in legal proceedings against patients — protections that go beyond HIPAA.
- Most EHR systems lack native Part 2 compliance features. Organizations must verify their EHR can flag SUD records, manage granular consent, produce disclosure audit trails, and enforce re-disclosure restrictions.
What Is 42 CFR Part 2?
42 CFR Part 2 is a federal regulation — codified in Title 42 of the Code of Federal Regulations — that governs the confidentiality of substance use disorder (SUD) patient records. Originally enacted in the 1970s during the early years of federal drug and alcohol treatment programs, Part 2 was designed to address a specific concern: that patients would avoid seeking SUD treatment if their records could be used against them in criminal proceedings, employment decisions, or custody disputes.
The regulation establishes confidentiality protections that are, in several important ways, stricter than HIPAA. While HIPAA permits covered entities to share protected health information (PHI) for treatment, payment, and health care operations (TPO) without patient authorization, Part 2 has historically required specific written consent before any disclosure of SUD records — even for treatment purposes.
The underlying statute is 42 U.S.C. Section 290dd-2, which directs the Secretary of HHS to prescribe regulations to protect the confidentiality of SUD patient records maintained by federally assisted programs. The regulatory framework at 42 CFR Part 2 implements this statutory mandate.
For decades, these heightened protections created a practical tension: they protected patients from discrimination and legal exposure, but they also created barriers to care coordination, health information exchange, and integrated treatment. A patient receiving SUD treatment at one facility could not have their records shared with a primary care physician or emergency department without executing a specific consent form for each recipient — a process that often broke down in practice and left clinicians operating without critical clinical information.
Who Must Comply with 42 CFR Part 2
Part 2 applies to any "Part 2 program" — defined as an individual or entity (other than a general medical facility) that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. The "federally assisted" requirement is met if the program receives any form of federal assistance, which includes:
- Direct federal funding — grants, contracts, or cooperative agreements from SAMHSA, HRSA, or other federal agencies
- Medicare or Medicaid reimbursement — any program that accepts CMS payment for SUD services, which captures the vast majority of treatment providers
- Tax-exempt status — nonprofit status under the Internal Revenue Code qualifies as federal assistance
- DEA registration to dispense, administer, or prescribe controlled substances for SUD treatment (including buprenorphine prescribers and opioid treatment programs)
- State or local government funding that originates from federal sources
In practice, this means nearly every SUD treatment provider in the United States is a Part 2 program. The regulation also applies to entities that receive Part 2 records, including hospitals, primary care practices, health information exchanges (HIEs), labs, and any HIPAA covered entity or business associate that obtains SUD records under a patient consent.
Specifically Covered Entities
- Residential and outpatient addiction treatment centers
- Opioid treatment programs (OTPs) and medication-assisted treatment (MAT) providers
- Hospital-based detoxification and SUD treatment units
- Community mental health centers that offer SUD services
- Federally Qualified Health Centers (FQHCs) with integrated behavioral health
- Employee assistance programs (EAPs) providing SUD diagnosis or treatment
- Criminal justice programs with SUD treatment components
- Veterans Affairs SUD treatment facilities
A critical nuance: if a general medical facility has an identified unit that holds itself out as providing SUD treatment — even within a larger hospital or health system — Part 2 applies to the records generated by that unit. The key test is whether the program holds itself out as providing SUD diagnosis, treatment, or referral.
42 CFR Part 2 vs. HIPAA: Key Differences
The 2024 final rule brought Part 2 substantially closer to HIPAA, but important differences remain. Understanding these distinctions is essential for configuring your EHR correctly and training staff on the right disclosure protocols.
| Requirement | HIPAA | 42 CFR Part 2 (Post-2024 Rule) |
|---|---|---|
| Consent for TPO | Not required — TPO disclosures are permitted without patient authorization | Required — patient must consent before SUD records are shared for TPO, though a single consent now covers all future TPO uses |
| Use in legal proceedings | PHI can be disclosed pursuant to court orders, subpoenas, or administrative requests with appropriate safeguards | Prohibited — SUD records cannot be used in civil, criminal, administrative, or legislative proceedings against the patient without consent or a specific court order under Part 2 |
| Breach notification | HIPAA Breach Notification Rule applies | Now aligned — HIPAA Breach Notification Rule applies to Part 2 records as of the 2024 final rule |
| Enforcement | OCR enforcement with tiered civil and criminal penalties | Now aligned — OCR enforcement with HIPAA-equivalent penalty tiers, replacing prior Part 2-specific criminal penalties |
| Re-disclosure | Minimum necessary standard; downstream recipients follow HIPAA | Restricted — recipients of Part 2 records under TPO consent may redisclose under HIPAA rules, but must include a notice prohibiting use in legal proceedings against the patient |
| Counseling notes | Psychotherapy notes require separate authorization | Separate consent required for SUD counseling notes — cannot be combined with TPO consent |
| Patient rights | Right to access, amend, restrict, and receive accounting of disclosures | Now aligned — patients have accounting of disclosures rights and may request restrictions, paralleling HIPAA |
The bottom line: even after the 2024 alignment, Part 2 remains more protective than HIPAA in two critical areas — consent requirements for sharing SUD records and the prohibition on using those records in legal proceedings against patients. Any organization handling SUD data must implement controls that go beyond standard HIPAA compliance.
The 2024 Final Rule: What Changed
On February 8, 2024, HHS published the final rule amending 42 CFR Part 2, implementing the confidentiality provisions of Section 3221 of the Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020. The rule became effective on April 16, 2024, with a compliance deadline of February 16, 2026.
This was the most significant revision to Part 2 since its original enactment. The changes address the long-standing tension between patient privacy and care coordination by modernizing consent mechanisms while preserving the core protections that distinguish Part 2 from HIPAA.
Single Consent for TPO
The most operationally significant change: patients may now execute a single consent that authorizes a Part 2 program to disclose their SUD records for all future uses and disclosures related to treatment, payment, and health care operations. This consent is not required to have an expiration date and remains valid until the patient revokes it in writing.
Previously, patients had to sign separate consent forms for each recipient or category of recipients, often creating delays in care transitions and referrals. The single-consent model dramatically simplifies operations for Part 2 programs while preserving the patient's fundamental right to control disclosure.
HIPAA-Aligned Re-Disclosure
Under the new rule, HIPAA covered entities and business associates that receive Part 2 records under a valid TPO consent may redisclose those records in accordance with HIPAA regulations. This is a major shift — previously, any recipient of Part 2 records was bound by Part 2's restrictive re-disclosure rules, which effectively required a new patient consent for each downstream disclosure.
However, a critical restriction remains: each disclosure must include a notice prohibiting the use of the records in civil, criminal, administrative, or legislative proceedings against the patient. This anti-discrimination protection is the historical core of Part 2 and was not relaxed by the 2024 rule.
Breach Notification
The HIPAA Breach Notification Rule now fully applies to Part 2 records. This means organizations must:
- Conduct the four-factor risk assessment for any suspected breach involving SUD records
- Notify affected individuals within 60 days of discovering a breach
- Notify HHS — immediately for breaches affecting 500 or more individuals, annually for smaller breaches
- Notify prominent media outlets if a breach affects more than 500 residents of a state or jurisdiction
Aligned Enforcement
The 2024 rule replaced Part 2's prior criminal penalty structure with HIPAA's tiered civil and criminal enforcement framework. OCR now has jurisdiction over Part 2 violations alongside its existing HIPAA authority. Penalty tiers mirror HIPAA:
- Tier 1 (lack of knowledge): $141 to $35,581 per violation
- Tier 2 (reasonable cause): $1,424 to $71,162 per violation
- Tier 3 (willful neglect, corrected): $14,232 to $71,162 per violation
- Tier 4 (willful neglect, not corrected): $71,162 to $2,134,831 per violation
Criminal penalties for knowing violations can reach $250,000 and up to 10 years imprisonment for violations committed with intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm.
New Patient Rights
Patients now have the right to:
- Obtain an accounting of disclosures of their Part 2 records
- Request restrictions on certain disclosures of their SUD records
- File a complaint directly with the HHS Secretary for alleged Part 2 violations — they may also concurrently file with the Part 2 program
The accounting of disclosures right for TPO disclosures made through an EHR is delayed until HHS issues a final rule addressing accounting for TPO disclosures under HIPAA — a rule that has been pending since the HITECH Act of 2009.
Public Health Exception
The final rule permits disclosure of Part 2 records without patient consent to public health authorities, provided the records are de-identified according to HIPAA de-identification standards. This represents a new exception that did not exist under prior Part 2 rules and facilitates public health surveillance and reporting.
Consent Management Requirements
Consent management is the operational heart of Part 2 compliance. Even with the simplified single-consent model, organizations must manage multiple consent categories, track consent status, and ensure that disclosures align with the scope of each consent.
Consent Form Elements
Under the 2024 final rule, a valid Part 2 consent must include:
- The name of the patient
- The specific name or general designation of the Part 2 program permitted to make the disclosure
- The purpose of the disclosure (e.g., treatment, payment, health care operations)
- How much and what kind of information is to be disclosed — for a single TPO consent, this can be a general description covering all SUD records
- The name or general designation of the recipient(s) — for a single TPO consent, this can be a general designation such as "my treating providers"
- A statement that the consent is subject to revocation at any time, and instructions on how the patient may revoke
- The date, event, or condition upon which the consent expires, if applicable — a single TPO consent is not required to have an expiration date
- The signature of the patient and the date signed
Separate Consent Categories
Not all disclosures can be covered by the single TPO consent. Organizations must maintain separate consent mechanisms for:
- SUD counseling notes: These require a separate consent and cannot be combined with TPO consent
- Legal proceedings: Consent for use or disclosure in civil, criminal, administrative, or legislative proceedings must be specific to the proceedings and cannot be combined with TPO consent
- Research: Disclosures for research purposes have distinct consent requirements
- Disclosures to third parties not covered by TPO: Such as employers, life insurers, or non-treating entities
Revocation Management
Patients may revoke consent at any time in writing. When a patient revokes consent, the Part 2 program must:
- Cease future disclosures under the revoked consent as soon as practicable
- Notify downstream recipients that the consent has been revoked (though records already disclosed cannot be "un-disclosed")
- Document the revocation in the patient's record with the date received
- Update the EHR consent status to prevent future disclosures
The EHR must be configured to immediately reflect consent revocations in disclosure controls. A common compliance failure is a lag between consent revocation and the EHR's disclosure permissions being updated — particularly problematic for organizations participating in health information exchanges.
Practical EHR Consent Configuration
Most EHR systems were not designed with Part 2 consent granularity in mind. Here are the critical configuration steps:
- Create consent status fields — at minimum, track: TPO consent (yes/no/revoked), counseling notes consent (yes/no/revoked), and legal proceedings consent (specific, per-proceeding)
- Link consent status to disclosure rules — the EHR should prevent SUD records from flowing through standard clinical data feeds (ADT, lab interfaces, patient portal) unless the appropriate consent is active
- Configure consent-aware workflows — referral, discharge summary, and lab result workflows should check consent status before including SUD data
- Build consent expiration alerts — for consents with expiration dates, the system should alert staff before the consent lapses
- Implement electronic consent capture — where permitted by state law, enable patients to sign consent forms electronically through the patient portal
EHR System Requirements for Part 2 Compliance
The 2024 final rule does not mandate data segmentation — that is, Part 2 records do not need to be maintained in a physically separate system or database. However, organizations must be able to identify, control, and track Part 2 records throughout their lifecycle. In practice, this means your EHR needs specific capabilities that most systems do not offer out of the box.
Record Identification and Tagging
Even though formal segmentation is not required, organizations must be able to distinguish Part 2 records from other PHI. Recommended approaches:
- Metadata tagging: Apply a flag or tag (e.g., "Part 2 Protected") to all records generated by or related to SUD diagnosis and treatment. This tag should be queryable for audit and disclosure tracking purposes.
- Encounter-level classification: Tag encounters, not just diagnoses. A single patient may have both Part 2-protected encounters (SUD treatment) and non-protected encounters (primary care). The EHR must distinguish between them.
- Diagnosis code filtering: Configure rules to automatically flag encounters with SUD-related ICD-10 codes (F10-F19 categories) as Part 2-protected, while allowing manual override for edge cases.
Disclosure Controls
The most operationally critical requirement: SUD records must not flow through standard interoperability channels without consent verification. This affects:
- ADT feeds: Admission, discharge, and transfer messages should not include SUD diagnosis or treatment details unless consent is verified
- Lab interfaces: Drug screening results and other SUD-related labs require consent-aware routing
- Health information exchange (HIE): Part 2 records should be excluded from automatic HIE queries unless the patient has consented
- Patient portal: SUD records displayed in the patient portal must respect Part 2 consent boundaries — this includes USCDI and FHIR-based access under the ONC information blocking rules
- Referral workflows: Clinical summaries and care documents sent to referral providers must exclude Part 2 data absent consent
- Billing and claims: Claims for SUD services must comply with Part 2 — consent for payment purposes covers standard claims submission, but organizations should verify that claims data does not expose Part 2-protected information to unauthorized entities
Re-Disclosure Notice Automation
Every disclosure of Part 2 records must be accompanied by a notice that the records are subject to Part 2 protections and that recipients are prohibited from using the information in legal proceedings against the patient. Your EHR should:
- Automatically append the required re-disclosure prohibition notice to outbound clinical documents, referral letters, and electronic communications that contain Part 2 data
- Include the notice in printed records and faxes
- Embed the notice in FHIR resources and C-CDA documents shared through interoperability channels
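The following Python sketch is an added example (not code from this guide or from any EHR vendor) that ties together the consent status fields, the F10-F19 encounter tagging, the consent-aware disclosure filter and the automatic re-disclosure notice described above. The plain-dict data model, the ISO-date consent records and the sample encounters are constructed for illustration.

```python
"""Consent-aware Part 2 disclosure filter.
Illustrative code for this guide, not any vendor's EHR API. Encounters and
consents are plain dicts, dates are ISO-8601 strings (which compare
chronologically), and all sample values are constructed.
"""
import re

PART2_NOTICE = (
    "This record is protected by federal confidentiality rules (42 CFR Part 2). "
    "This information has been disclosed from records protected by these rules. "
    "Federal rules prohibit any further use of this information to investigate "
    "or prosecute any patient with a substance use disorder."
)
# ICD-10-CM F10-F19: disorders due to psychoactive substance use.
SUD_CODE = re.compile(r"^F1[0-9](\.\d+)?$")
TPO_PURPOSES = {"treatment", "payment", "operations"}


def is_sud_code(icd10):
    return bool(SUD_CODE.match(icd10.strip().upper()))


def tag_encounter(enc):
    """Flag an encounter as Part 2 protected when it comes from a unit that
    holds itself out as providing SUD treatment or carries an F10-F19
    diagnosis. A manual part2_override (True/False) wins over the rule."""
    auto = bool(enc.get("sud_program_unit")) or any(
        is_sud_code(c) for c in enc.get("diagnoses", []))
    tagged = dict(enc)
    tagged["part2_protected"] = enc.get("part2_override", auto)
    return tagged


def consent_status(consent, as_of):
    """active / revoked / expired / pending. Revocation is judged by the date
    the written revocation was received, so it takes effect without waiting
    for a separate status field to be flipped."""
    if consent.get("revoked_on") and consent["revoked_on"] <= as_of:
        return "revoked"
    if consent.get("expires") and consent["expires"] < as_of:
        return "expired"
    if consent["signed"] > as_of:
        return "pending"
    return "active"


def consent_active(consents, category, as_of, proceeding=None):
    for c in consents:
        if c["category"] != category:
            continue
        # Legal-proceedings consent is specific to one proceeding.
        if category == "legal" and c.get("proceeding") != proceeding:
            continue
        if consent_status(c, as_of) == "active":
            return True
    return False


def build_disclosure(encounters, consents, purpose, as_of, proceeding=None):
    """Select what may leave the system for `purpose` on date `as_of`.
    Non-protected records pass through under ordinary HIPAA rules; protected
    ones need an active consent of the matching category, and counseling
    notes additionally need their own consent. The Part 2 notice is attached
    whenever any protected record is released."""
    if purpose in TPO_PURPOSES:
        category = "tpo"
    elif purpose == "legal":
        category = "legal"
    else:
        raise ValueError(f"unsupported purpose: {purpose}")
    released, withheld = [], []
    for enc in (tag_encounter(e) for e in encounters):
        if not enc["part2_protected"]:
            released.append(enc)
        elif not consent_active(consents, category, as_of, proceeding):
            withheld.append(enc["id"])
        else:
            if enc.get("counseling_notes") and not consent_active(
                    consents, "counseling", as_of):
                enc["counseling_notes"] = None  # separate consent required
            released.append(enc)
    notice = PART2_NOTICE if any(e["part2_protected"] for e in released) else None
    return {"records": released, "withheld": withheld, "notice": notice}


# Constructed sample: a primary-care visit, an OTP visit with counseling
# notes, and a single TPO consent that was later revoked in writing.
SAMPLE_ENCOUNTERS = [
    {"id": "enc-1", "unit": "primary-care", "diagnoses": ["E11.9"]},
    {"id": "enc-2", "unit": "opioid-treatment", "sud_program_unit": True,
     "diagnoses": ["F11.20"], "counseling_notes": "session notes (constructed)"},
]
SAMPLE_CONSENTS = [
    {"category": "tpo", "signed": "2025-03-01", "expires": None,
     "revoked_on": "2026-01-15"},
]
```

Running `build_disclosure(SAMPLE_ENCOUNTERS, SAMPLE_CONSENTS, "treatment", "2026-02-01")` withholds the OTP encounter because the revocation date has passed, while the same call dated before the revocation releases it with the counseling notes stripped and the notice attached.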
Role-Based Access Controls
Not all staff need access to Part 2 records. Configure your EHR with SUD-specific access roles:
- Clinicians directly involved in SUD treatment should have full access to Part 2 records
- Administrative staff handling billing for SUD services need access limited to payment-related fields
- Clinicians not involved in SUD treatment should not have default access to Part 2-protected encounters
- Emergency access ("break-the-glass") should be available for emergencies but logged and audited
For organizations evaluating EHR platforms with built-in behavioral health capabilities — including consent management and Part 2-aware disclosure controls — the behavioral health EHR comparison provides a detailed feature-by-feature analysis across leading vendors.
Audit Trail Requirements
The 2024 final rule's new patient rights — particularly the right to an accounting of disclosures — create a de facto requirement for comprehensive audit logging. Organizations must be able to produce, on patient request, a record of who accessed and disclosed their Part 2-protected information, when, to whom, and for what purpose.
What Must Be Logged
- All disclosures of Part 2 records — including those for TPO purposes
- Internal access — which users viewed Part 2-protected encounters, and when
- Electronic transmissions — every outbound message, interface feed, or document that includes Part 2 data
- Break-the-glass events — emergency access to Part 2 records outside normal role permissions
- Consent changes — when consent was obtained, modified, or revoked, and by whom
- Re-disclosure notices — confirmation that the required Part 2 notice was included with each disclosure
Audit Log Retention
While Part 2 does not specify a minimum retention period for audit logs, HIPAA requires covered entities to retain documentation of compliance activities for six years. Given the alignment of Part 2 with HIPAA, organizations should retain Part 2 audit logs for at least six years. Some states impose longer retention requirements — check your state's medical records retention laws.
Practical Implementation
To operationalize audit trail requirements:
- Verify your EHR's audit capabilities: Can it log access at the encounter level (not just the patient chart level)? Can it filter audit logs by Part 2 status?
- Implement disclosure tracking: Create a structured disclosure log — separate from the standard audit log — that captures the who, what, when, to-whom, and purpose of each Part 2 disclosure
- Automate accounting of disclosures reports: Build a report that can be generated on patient request, listing all disclosures of their Part 2 records within the relevant time period
- Conduct quarterly audit reviews: Review Part 2 access logs for anomalies — unusual access patterns, break-the-glass events, and disclosures that may not align with consent status
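As an added example that is not part of this guide or of any product, the Python below runs over a constructed disclosure log: it produces the accounting of disclosures for a patient and date range, and performs the quarterly review checks listed above (disclosures that do not match consent status, missing re-disclosure notices, break-the-glass events, and Part 2 access by non-SUD roles). The event format, role names and consent record are assumptions made for the example.

```python
"""Part 2 disclosure log review: accounting of disclosures and anomaly checks.
Illustrative code for this guide, not a vendor EHR feature. The event format,
role names, consent record and log entries below are all constructed.
"""
from collections import Counter

# Roles that may open Part 2-protected encounters without break-the-glass.
SUD_ROLES = {"sud_clinician", "sud_billing"}

# Constructed audit events: "access" = internal view, "disclosure" = the
# record left the organization. Timestamps are ISO-8601 strings.
SAMPLE_LOG = [
    {"ts": "2025-05-02T09:12:00", "kind": "access", "user": "dr.lee",
     "role": "sud_clinician", "patient": "P-100", "encounter": "enc-2",
     "part2": True, "break_glass": False},
    {"ts": "2025-05-03T14:00:00", "kind": "disclosure", "user": "dr.lee",
     "patient": "P-100", "encounter": "enc-2", "part2": True,
     "recipient": "Riverside Primary Care", "purpose": "treatment",
     "notice_included": True},
    {"ts": "2025-06-10T08:30:00", "kind": "access", "user": "nurse.kim",
     "role": "ed_nurse", "patient": "P-100", "encounter": "enc-2",
     "part2": True, "break_glass": True},
    {"ts": "2025-07-20T11:45:00", "kind": "disclosure", "user": "billing1",
     "patient": "P-100", "encounter": "enc-2", "part2": True,
     "recipient": "State Medicaid", "purpose": "payment",
     "notice_included": False},
    {"ts": "2026-02-03T16:05:00", "kind": "disclosure", "user": "hie-feed",
     "patient": "P-100", "encounter": "enc-2", "part2": True,
     "recipient": "Regional HIE", "purpose": "treatment",
     "notice_included": True},
    {"ts": "2026-02-04T10:00:00", "kind": "access", "user": "dr.patel",
     "role": "cardiologist", "patient": "P-100", "encounter": "enc-2",
     "part2": True, "break_glass": False},
]
# Constructed consent record: single TPO consent, revoked in writing on 2026-01-15.
SAMPLE_CONSENTS = [{"patient": "P-100", "category": "tpo",
                    "signed": "2025-03-01", "revoked_on": "2026-01-15"}]


def tpo_consent_active(consent, ts):
    """True when the event date falls inside the consent's active window."""
    day = ts[:10]
    if day < consent["signed"]:
        return False
    revoked = consent.get("revoked_on")
    return revoked is None or day < revoked


def accounting_of_disclosures(log, patient, start, end):
    """Patient-facing accounting: every disclosure of the patient's Part 2
    records between `start` and `end` (inclusive dates), with who, what,
    when, to whom and for what purpose."""
    rows = [e for e in log if e["kind"] == "disclosure" and e["part2"]
            and e["patient"] == patient and start <= e["ts"][:10] <= end]
    rows.sort(key=lambda e: e["ts"])
    return [{"when": e["ts"], "by": e["user"], "what": e["encounter"],
             "to": e["recipient"], "purpose": e["purpose"],
             "notice_included": e["notice_included"]} for e in rows]


def review_anomalies(log, consents):
    """Checks for the quarterly review: disclosures made without an active
    TPO consent, disclosures missing the re-disclosure notice, break-the-glass
    events, and Part 2 access by non-SUD roles.
    Returns (finding, timestamp, user) tuples."""
    tpo = {c["patient"]: c for c in consents if c["category"] == "tpo"}
    findings = []
    for e in log:
        if not e["part2"]:
            continue
        if e["kind"] == "disclosure":
            c = tpo.get(e["patient"])
            if c is None or not tpo_consent_active(c, e["ts"]):
                findings.append(("disclosure_without_active_consent", e["ts"], e["user"]))
            if not e["notice_included"]:
                findings.append(("missing_part2_notice", e["ts"], e["user"]))
        elif e["kind"] == "access" and e["break_glass"]:
            findings.append(("break_the_glass", e["ts"], e["user"]))
        elif e["kind"] == "access" and e["role"] not in SUD_ROLES:
            findings.append(("non_sud_role_access", e["ts"], e["user"]))
    return findings


def finding_counts(findings):
    """Summary by finding type, e.g. for the quarterly review report."""
    return dict(Counter(kind for kind, _, _ in findings))
```

On the sample log, the HIE feed disclosure dated after the revocation is the consent-mismatch finding the guide warns about, and the Medicaid claim is flagged only for the missing notice.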
Breach Notification for Part 2 Records
With the 2024 final rule, the HIPAA Breach Notification Rule (45 CFR 164 Subpart D) now applies to breaches of Part 2 records. This means organizations must follow the same breach assessment and notification procedures for SUD data that they follow for other PHI.
The Four-Factor Risk Assessment
When a potential breach of Part 2 records is discovered, the organization must assess:
- The nature and extent of the PHI involved — including the types of identifiers and likelihood of re-identification
- The unauthorized person who used the PHI or to whom it was disclosed
- Whether the PHI was actually acquired or viewed
- The extent to which the risk has been mitigated
If the assessment determines that there is more than a low probability that the PHI was compromised, it constitutes a reportable breach.
Special Considerations for SUD Data
Breaches involving SUD records carry heightened sensitivity. Unlike a breach of routine medical records, exposure of SUD treatment information can lead to employment discrimination, housing denial, custody loss, and criminal prosecution — the very harms Part 2 was designed to prevent. When assessing risk and communicating with affected patients, organizations should:
- Recognize that SUD data may carry higher reputational and legal risk for affected patients than other PHI categories
- Consider the anti-discrimination provisions of Part 2 when evaluating mitigation steps — was the breached data shared with entities that could use it in legal proceedings?
- Provide affected patients with specific guidance on monitoring for SUD-related discrimination, in addition to standard identity theft resources
- Document the breach investigation with attention to Part 2-specific factors for OCR reporting
For broader guidance on security and breach prevention, see our detailed EHR security and HIPAA compliance guide.
Re-Disclosure Restrictions and Notice Requirements
One of the most operationally complex aspects of Part 2 compliance is managing re-disclosure. The 2024 final rule simplified this area significantly, but organizations must still understand the rules and configure their systems accordingly.
The New Re-Disclosure Framework
Under the 2024 rule, when a patient provides a single TPO consent and Part 2 records are disclosed to a HIPAA covered entity or business associate:
- The recipient may redisclose the records in accordance with HIPAA — this means standard HIPAA TPO, public health, and other permitted uses apply
- However, each disclosure (and re-disclosure) must include a notice stating: "This record is protected by federal confidentiality rules (42 CFR Part 2). This information has been disclosed from records protected by these rules. Federal rules prohibit any further use of this information to investigate or prosecute any patient with a substance use disorder."
- The prohibition on using Part 2 records in legal proceedings against the patient travels with the data and binds all downstream recipients
Disclosure with Consent vs. Copy of Consent
Each disclosure made with patient consent must include either:
- A copy of the consent form, or
- A clear explanation of the scope of the patient's consent for the relevant use or disclosure
In practice, most organizations include a standardized statement explaining the scope of consent rather than attaching the full consent form to every clinical document. Your EHR should be configured to automatically include this statement in outbound communications containing Part 2 data.
State vs. Federal Rules: Navigating the Patchwork
42 CFR Part 2 establishes a federal floor for SUD record confidentiality. State laws that provide greater privacy protections remain in effect and are not preempted. This creates a compliance challenge for organizations operating in multiple states or managing multi-state health information exchange.
States with More Restrictive SUD Privacy Laws
Several states impose requirements beyond the Part 2 federal baseline:
- California: The Confidentiality of Medical Information Act (CMIA) and specific provisions in the Health and Safety Code impose additional consent requirements for SUD records. California requires specific consent form elements beyond federal requirements and imposes shorter timelines for certain breach notifications.
- Connecticut: State law requires written, informed consent for disclosure of SUD records with specific form elements. Connecticut's statute predates Part 2 and contains provisions that may be more restrictive in certain areas.
- Massachusetts: Alcohol and drug treatment records are subject to heightened protections under state law, with specific consent and disclosure requirements that may exceed Part 2.
- New York: Mental Hygiene Law Article 22 governs SUD records with requirements that in some areas exceed Part 2 protections, including specific consent requirements and restrictions on re-disclosure.
- Washington: The Uniform Health Care Information Act imposes additional conditions on SUD record disclosure that may be more restrictive than Part 2.
Practical Compliance Strategy
For multi-state organizations:
- Inventory your state requirements: For each state where you operate, identify whether SUD privacy laws exceed Part 2 requirements in any area
- Apply the most restrictive standard: When in doubt, apply the more restrictive of federal or state law for each disclosure decision
- Configure state-specific consent forms: Your EHR should support different consent form templates by state, if your states require different elements
- Train staff on the applicable standard: Staff in California face different consent and disclosure rules than staff in Texas — training must be state-specific
- Document your analysis: Maintain a written analysis of how Part 2, HIPAA, and state law interact for each state in which you operate
Organizations treating SUD patients, particularly those offering addiction treatment services, should ensure their EHR vendor can accommodate state-specific consent configurations. This is a critical capability gap in many platforms.
Part 2 Compliance Checklist for EHR Systems
Use this checklist to assess your organization's readiness. Each item maps to a specific requirement under the 2024 final rule.
| # | Requirement | EHR Capability Needed |
|---|---|---|
| 1 | Obtain and track single TPO consent | Consent management module with status tracking (active, revoked, expired) |
| 2 | Manage separate consent for counseling notes | Multiple consent category support with independent tracking |
| 3 | Flag/tag SUD records as Part 2 protected | Encounter-level or record-level metadata tagging |
| 4 | Prevent unauthorized disclosure through data feeds | Consent-aware filtering on ADT, lab, HIE, and FHIR interfaces |
| 5 | Append re-disclosure prohibition notice | Automated notice insertion on outbound documents and electronic messages |
| 6 | Log all access to and disclosures of Part 2 records | Encounter-level audit logging with Part 2 filter capability |
| 7 | Produce accounting of disclosures on patient request | Disclosure report generation with date range, recipient, and purpose fields |
| 8 | Support patient restriction requests | Restriction flags that modify disclosure rules for specific records or recipients |
| 9 | Process consent revocation promptly | Real-time consent status updates that immediately affect disclosure permissions |
| 10 | Implement SUD-specific role-based access controls | Granular RBAC with Part 2 access roles and break-the-glass emergency access |
| 11 | Conduct breach risk assessment for SUD data incidents | Incident management workflow with HIPAA four-factor risk assessment template |
| 12 | Maintain audit logs for at least six years | Long-term audit log retention with searchable archive |
If your current EHR cannot meet several of these requirements, it may be time to evaluate platforms with stronger behavioral health compliance capabilities. Our behavioral health EHR comparison evaluates leading vendors on Part 2 compliance features, consent management, and data segmentation capabilities.
Frequently Asked Questions
What is 42 CFR Part 2 and who does it apply to?
42 CFR Part 2 is a federal regulation that protects the confidentiality of substance use disorder (SUD) patient records. It applies to any "Part 2 program" — defined as a federally assisted program that holds itself out as providing, and provides, substance use disorder diagnosis, treatment, or referral for treatment. This includes addiction treatment centers, opioid treatment programs (OTPs), hospital-based SUD units, community mental health centers offering SUD services, and any provider receiving federal funding (including Medicaid or Medicare) for SUD treatment. The regulation also applies to any entity that receives Part 2 records, including downstream HIPAA covered entities and business associates.
What changed in the 2024 final rule for 42 CFR Part 2?
The February 2024 final rule, implementing Section 3221 of the CARES Act, made several landmark changes: patients can now provide a single consent for all future uses and disclosures for treatment, payment, and health care operations (TPO); HIPAA covered entities that receive Part 2 records under this consent can redisclose them under HIPAA rules; the HIPAA Breach Notification Rule now applies to Part 2 records; patients gained new rights to an accounting of disclosures and to request restrictions; and enforcement was aligned with HIPAA civil and criminal penalty structures. The compliance deadline was February 16, 2026.
How is 42 CFR Part 2 different from HIPAA?
While the 2024 final rule significantly aligned Part 2 with HIPAA, key differences remain. Part 2 still requires patient consent before sharing SUD records for TPO — HIPAA does not require consent for TPO disclosures. Part 2 records cannot be used in civil, criminal, administrative, or legislative proceedings against a patient without their consent or a court order — HIPAA has no such protection. Separate consent is required for SUD counseling notes, similar to but distinct from HIPAA psychotherapy notes protections. Part 2 also restricts re-disclosure with specific notice requirements that go beyond HIPAA minimum necessary standards.
Does my EHR need to segment 42 CFR Part 2 records separately?
The 2024 final rule does not require Part 2 programs, covered entities, or business associates to segregate or segment Part 2 records received under a single TPO consent. However, organizations must still be able to identify which records are subject to Part 2 protections, produce audit trails of all disclosures, apply the correct re-disclosure restrictions, and respond to patient requests for an accounting of disclosures. In practice, most compliance experts recommend tagging or flagging Part 2 records within the EHR rather than maintaining fully separate systems.
What are the penalties for 42 CFR Part 2 violations?
Under the 2024 final rule, Part 2 penalties are now aligned with HIPAA enforcement. Civil monetary penalties range from $141 per violation (Tier 1, lack of knowledge) up to $2,134,831 per identical violation per year (Tier 4, willful neglect not corrected), with the penalty amounts adjusted annually for inflation. Criminal penalties can reach $250,000 and up to 10 years imprisonment for knowingly obtaining or disclosing Part 2 records under false pretenses or with intent to sell. OCR now has enforcement authority for Part 2 alongside its existing HIPAA jurisdiction.
Can state laws impose stricter requirements than 42 CFR Part 2?
Yes. 42 CFR Part 2 establishes a federal floor, not a ceiling. State laws that are more restrictive — meaning they provide greater privacy protections for SUD records — remain in effect and must be followed. For example, some states require written consent for any SUD disclosure (even within TPO), mandate specific consent form elements beyond federal requirements, impose shorter breach notification timelines, or restrict specific categories of SUD information more tightly. Organizations operating in multiple states must comply with both Part 2 and the most restrictive applicable state law for each disclosure.
What EHR features are essential for 42 CFR Part 2 compliance?
Essential EHR features for Part 2 compliance include: granular consent management that tracks patient consent status per record type and purpose; the ability to flag or tag SUD records subject to Part 2; configurable disclosure controls that prevent unauthorized sharing of Part 2 data through standard interoperability feeds; comprehensive audit logging of all access to and disclosures of Part 2 records; automated re-disclosure notices on outbound communications; accounting of disclosures reporting capability; patient portal controls that respect Part 2 consent boundaries; and role-based access controls specific to SUD treatment records.
Editorial Standards
Methodology
- Analyzed the full text of the February 2024 final rule amending 42 CFR Part 2 as published in the Federal Register.
- Reviewed the HHS Office for Civil Rights fact sheet and implementation guidance for the 2024 final rule.
- Cross-referenced CARES Act Section 3221 statutory requirements with the final rule provisions.
- Consulted published analysis from the American Psychiatric Association, ASAM, and the Network for Public Health Law.
- Verified penalty amounts against current HIPAA inflation-adjusted penalty tiers.