Federal privacy rules for substance use disorder (SUD) treatment records are changing. On February 8, 2024, the U.S. Department of Health and Human Services updated 42 CFR Part 2, the law that governs how these records are handled. While the rule is already in effect, all covered organizations must be fully compliant by February 16, 2026.
If your organization sends, receives, stores, or uses SUD records, these changes apply to you, even if you are not a substance use treatment program.
Why This Change Matters
Part 2 has always given SUD records extra privacy protection to reduce stigma and help people seek care. But the old rules made it tough to share information when coordinating treatment. The updates bring Part 2 closer to HIPAA, making it easier to share records safely while still protecting patient privacy.
What’s New Under the Updated Rule
One Consent for Routine Care
Patients can now sign one general consent that allows their SUD records to be used for:
This works similarly to HIPAA. Records received under this consent can be used as allowed under HIPAA, as long as proper notices are included.
Special Protection for Counseling Notes
Notes from counseling sessions get extra protection. They cannot be shared without a separate, specific consent from the patient.
Limits on Legal Use
SUD records generally cannot be used in legal proceedings unless:
This protection remains one of the most important differences between Part 2 and HIPAA.
Redisclosure Rules Still Apply
Whenever SUD records are shared, they come with a notice from the sending provider explaining that the information is federally protected. Anyone who receives the records must follow the notice and cannot share the information further unless the patient allows it or the law permits.
Example redisclosure notice language:
“These records are protected under federal law, 42 CFR Part 2. They may not be disclosed or used for any purpose other than what the patient has authorized. Redisclosure without written patient consent or as allowed by law is prohibited.”
This ensures privacy protections follow the records wherever they go, so everyone who handles them knows the rules.
Patient Rights
Patients can:
Organizations need to track disclosures and respond to these requests in the required timeframes.
Sharing with Public Health
SUD records that are properly de-identified (so they can’t be linked to an individual) can be shared with public health authorities without patient consent. Make sure the data truly meets HIPAA standards before sharing.
Breaches and Penalties
The new rule now applies HIPAA breach notification rules to SUD records. If records are accessed or shared improperly, they must be treated like a HIPAA breach. Penalties now align with HIPAA, so the enforcement risk is higher.
Who Does This Apply To?
Any HIPAA-covered entity that creates, receives, maintains, or transmits SUD records must ensure its Notice of Privacy Practices (NPP) accurately explains:
This includes healthcare providers, health plans, and clearinghouses, even if they are not SUD treatment programs. For example, organizations handling claims, payment, utilization review, or care coordination may still be affected.
If your organization truly does not handle SUD records, no NPP changes may be needed. However, organizations should assess their current records to support that conclusion.
Steps to Get Ready Now
To be prepared by February 16, 2026, organizations should:
Helpful Resources
We’ve created easy-to-use resources to help your organization get ready:
Bottom Line
The updated Part 2 rules make it easier to coordinate care while keeping strong privacy protections for patients. Start now, and you’ll be ready well before the February 16, 2026, deadline, reducing compliance risk and keeping your team confident and prepared.
