Back to News and Insights

Part 2 Update: HHS Final Rule Aligning Federal Protections for Substance Use Disorder Records with HIPAA

Image of prescription pills spilling out of a bottle

On February 16, 2024, the Office for Civil Rights (OCR) in coordination with the Substance Abuse and Mental Health Services Administration (SAMHSA), released a Final Rule modifying the federal Confidentiality of Substance Use Disorder (SUD) Patient Records regulations, commonly known as 42 CFR Part 2 (or Part 2).

The Final Rule incorporates amendments to Part 2 that were required by the Coronavirus Aid, Relief, and Economic Security (CARES) Act, passed by Congress in 2020. Specifically, the CARES Act mandated that HHS bring Part 2 into greater alignment with certain aspects of HIPAA’s Privacy, Breach Notification, and Enforcement Rules, improving the ability to use, disclose, and redisclose SUD records, while also creating new breach reporting requirements and penalties. (Our prior alert on the CARES Act amendments can be accessed here.)

Part 2 is intended to protect records that relate to “the identity, diagnosis, prognosis, or treatment of any patient” maintained by federally-assisted programs that involve SUD education, prevention, training, treatment, rehabilitation, or research. Part 2’s heightened protections for SUD records are aimed at ensuring that individuals do not fear prosecution or stigmatization, and are not deterred from entering SUD treatment.  Under prior regulations, Part 2 generally required federally-assisted SUD programs to obtain a patient’s consent before disclosing their identifying information outside of the program, including for treatment purposes. Given the inability to share information between health care providers under most circumstances, many providers vocally advocated for changes to align Part 2 with HIPAA. The Final Rule intends to strike a balance between such calls for alignment, on the one hand, and continued concern for the privacy of SUD records on the other, by allowing for disclosures for treatment, payment, and healthcare operations as permitted by HIPAA, but still requiring an initial written and revocable consent from the patient. Through the Final Rule, HHS hopes that such alignment will facilitate greater integration and exchange of SUD treatment information and enable improved care coordination among patients, providers and payers.

Recognizing the significant shift from prior regulations, HHS will not require compliance with the Final Rule by Part 2 programs until February 16, 2026, though organizations may choose to begin compliance starting April 16, 2024 (the Final Rule’s effective date). In commentary in the Final Rule, HHS stated that it intends to engage in outreach efforts, create guidance materials, and provide technical guidance to assist Part 2 programs in their efforts to implement the Final Rule changes.

Below follows key takeaways for health care providers from the Final Rule.

  • Patient Consent and Redisclosure of Part 2 Records. As detailed above, likely the most significant change to Part 2 under the Final Rule are the new streamlined requirements to obtain patient consent to disclose Part 2 records. Under the Final Rule, a Part 2 program will be authorized to use and disclose Part 2 records for the purposes of all future treatment, payment or health care operations (TPO) based on a single written consent, rather than obtaining consent upon each disclosure (patients would have the right to revoke this consent in writing and such initial consent could not be combined with any patient consent authorizing disclosures for civil, criminal, administrative, and legislative proceedings against the patient).
  • New Patient Rights.
    • Request Restrictions on Permitted Disclosures. Similar to HIPAA, the Final Rule will require Part 2 programs to permit patients to request restrictions on the use or disclosure of Part 2 information to carry out TPO, including when the patient has signed a written consent for such disclosures. In general, Part 2 programs will not be required to agree to these restrictions, except in limited circumstances such as where the patient has paid for services in full and has requested restrictions on disclosures to health plans for payment or health care operations.
    • Accounting of Disclosures. Under the Final Rule, patients will be entitled to an accounting of disclosures for up to three years prior to the date the accounting is requested from Part 2 programs, using a standard that mirrors the HIPAA Privacy Rule. The Final Rule will also incorporate the requirements in the Health Information Technology for Economic and Clinical Health (HITECH) Act that disclosures for TPO purposes be included in the accounting only where such disclosures are made through an electronic health record, but only for the prior three years. Notably, the compliance date for the Part 2 accounting requirements, however, are tolled until the effective date of any finalized regulatory modifications by HHS to the accounting of disclosures requirements mandated by the HITECH Act.
  • Intermediaries. The Final Rule clarifies the responsibilities of “intermediaries” that receive Part 2 records under a consent with a general designation, such as research institutions, accountable care organizations (ACOs), and care management organizations that aren’t typically subject to HIPAA. Following significant public comment on the topic – particularly from HIEs, HINs, and health IT vendors – HHS revised the term “intermediary” to explicitly carve out other part 2 programs, covered entities, and their business associates. Importantly, this means that HIEs, HINs, and health IT vendors acting in the capacity as a business associate to a Part 2 program will NOT be subject to the obligations currently imposed on intermediaries.
  • Segregation of Part 2 Data. HHS included in the Final Rule an express statement that Part 2 programs, covered entities, or business associates that received records based on a single consent for TPO are not required to segregate or segment Part 2 records, though they may still choose to do so.
  • Notices of Privacy Practices. As required by the CARES Act, HHS modified the Part 2 confidentiality notice requirements (“Patient Notice”) to align with the HIPAA Privacy Rule’s requirements regarding covered entities’ Notice of Privacy Practices (NPP). Under the Final Rule, the Patient Notice must address the same key elements as the HIPAA NPP (which can be in the same or separate documents), including a description of the permitted uses and disclosures of Part 2 records (and when separate consent is required).
  • Fundraising. The Final Rule creates a new right for patients to opt out of receiving fundraising communications (this is different than HIPAA, which treats many fundraising activities as part of a covered entity’s health care operations).
  • Complaints of Violations. The Final Rule requires Part 2 programs to establish a process to receive complaints regarding Part 2 violations as well as a prohibition against intimidating, threatening, coercing, discriminating against, or taking other retaliatory action against a patient for filing a complaint or otherwise exercising a right provided for under Part 2. The rule also added a right for patients to file a complaint directly with the HHS Secretary for an alleged violation of Part 2.
  • Breaches. Breaches of Part 2 records by Part 2 programs will be subject to the HITECH Act breach notification provisions currently implemented in the HIPAA Breach Notification Rule. This change will require Part 2 programs to establish and implement policies and procedures to notify HHS, affected patients, and in some cases media outlets, of a breach of unsecured Part 2 records consistent with the HIPAA Breach Notification Rule.
  • Enforcement and Penalties. The Final Rule aligns Part 2 penalties with HIPAA by replacing criminal penalties currently in Part 2 with civil and criminal enforcement authorities that also apply to HIPAA violations.
  • SUD Counseling Notes. Finally, after receiving significant support in comments, HHS created a new definition and protections specific to the notes of SUD counseling sessions by a Part 2 program professional that are voluntarily maintained separate from the treatment and medical record, similar to the HIPAA Privacy Rule’s definition and heightened requirements for psychotherapy notes. Disclosure of SUD counseling notes require specific consent from an individual and cannot be used or disclosed based on a broad TPO consent.

Importantly, the Final Rule modifies practically every provision of the current Part 2 regulations, and while some of those changes are clarifying, many have significant import.  This article does not address all substantive changes, and readers are encouraged to review the Final Rule in full.


Andrea Frey
San Francisco
Amy M. Joseph
Alicia Macklin
Los Angeles

For more information, please contact Andrea Frey or Paul Smith in San Francisco, Alicia Macklin in Los Angeles, Amy Joseph in Boston, Monica Massaro in Washington, D.C., or your regular Hooper, Lundy & Bookman contact.