Hospitals Beware: Properly Safeguarding the Most Protected Patient Records in Healthcare (42 CFR Part 2)
Substance Use Disorder (SUD) treatment records are governed by 42 CFR Part 2, and hospitals must be aware of the potential applicability of these regulations. Like the Health Insurance Portability and Accountability Act (HIPAA), these “Part 2” regulations safeguard confidentiality of patient records and protect some of the most vulnerable patients: those in SUD treatment. The heightened protections in the Part 2 regulations are meant to ensure that a patient who receives SUD treatment is not made more vulnerable by the availability of his or her treatment records.
The Part 2 regulations pre-date HIPAA and are approximately 40 years old. For years, there has been a lack of congruence between HIPAA and Part 2. They use different terms (HIPAA’s “authorization” versus Part 2’s “consent”); have different record keeping requirements; and have different requirements for requested records (a HIPAA subpoena versus Part 2’s required subpoena + Court Order).
Recently, the U.S. Department of Health and Human Services (HHS) released rulemaking to bring these different sets of regulations closer together. The new regulations were released Feb. 16, 2024 (Reference: 89 Fed. Reg. 12472, 02/16/24, the Final Rule).
Beware: Hospitals Can Be Subject to the Part 2 Requirements
Part 2 records identify a patient as having an SUD, contain drug or alcohol abuse information, and are obtained/maintained by a federally-assisted drug or alcohol abuse program (a Part 2 Program). Two key points are considered in determining whether a provider is a Part 2 Program: 1) whether it is “federally assisted” – including participating in the Medicare program; and 2) whether it is a treatment or rehabilitation program, a program within a general hospital, or a private practitioner that holds itself out as “providing substance use disorder diagnosis, treatment, or referral for treatment.” (Reference: 42 CFR 2.12(e)).
However, the second component of the test above remains unclear, even after the revisions. Notably, the Part 2 regulations give as an example that they do not apply to emergency room staff who refer a patient to the intensive care unit for an apparent overdose, “unless the primary function of such personnel is the provision of SUD disorder diagnosis, treatment, or referral for treatment and they are identified as providing such services or the emergency room promoted itself as a provider of these services.”
Hospitals must be aware of these regulations and evaluate their applicability. A recent trend brings the importance of the Part 2 regulations even more into focus. A number of hospitals have established new partial hospitalization programs and/or intensive outpatient programs (PHP/IOP Programs) that include SUD treatment. These hospitals are very likely subject to Part 2 requirements.
New Part 2 Regulations May Mean Greater Enforcement
As some industry commenters have noted, enforcement under 42 CFR Part 2 has been “non-existent.” HIPAA enforcement, however, is common. With the recent changes, Part 2 has been aligned with HIPAA, and the HIPAA breach notification requirements will also apply to breaches of records under Part 2. Further, patients can file complaints alleging Part 2 violations with the Part 2 program and with the federal government. Finally, the regulatory revisions replace the current Part 2 criminal penalties with the civil and criminal enforcement authorities that apply to HIPAA violations.
Compliance Deadline and Next Steps
HHS requires compliance within two years from the date the Final Rule was released: Feb. 16, 2026. Providers may take advantage of provisions that benefit them immediately; full compliance is not required until the deadline.
Since the definition of “Part 2 Program” remains ambiguous, hospitals should determine whether they are “holding themselves out” as providing SUD diagnosis, treatment, or referrals. If so, they should establish compliance policies, forms, and patient consents, or update the ones already in place. Hospitals subject to Part 2 should also work with their information technology departments and/or vendors to ensure they are prepared to meet these unique requirements.
SUD providers who already have Part 2 policies and procedures in place should also take note of major regulatory changes including: 1) updates to consents allowing disclosures for treatment, payment, and healthcare operations; 2) new requirements for separate consents for SUD Counseling Notes, legal proceedings, and sharing information with the state Prescription Monitoring Program; 3) alignment of Part 2 patient notice requirements with the HIPAA notice of privacy practices requirements; and 4) a requirement that each disclosure made (even for treatment, payment, or operations) includes a copy of the patient’s consent.