Deadline nears for 42 CFR Part 2 compliance

On February 16, 2024, the U.S. Department of Health and Human Services (HHS) published a Final Rule amending 42 CFR Part 2, the federal regulation that protects the confidentiality of substance use disorder (SUD) treatment records. The deadline for meeting the amendment requirements is nearing. 

What happened

These amendments were designed to better align Part 2 with the HIPAA Privacy, Breach Notification, and Enforcement Rules, allowing for improved coordination of care while maintaining strong privacy safeguards. The rule introduced significant updates, including new requirements for Notices of Privacy Practices (NPPs), expanded patient rights, and the establishment of an internal complaint process for privacy violations. 

The compliance deadline for these changes is set for February 16, 2026, which gives regulated entities almost two years to implement the necessary updates. As that date approaches, providers and SUD programs across the country should be working to meet the new standards.

In the know 

42 CFR Part 2 is a federal regulation that protects the confidentiality of SUD treatment records in the United States. It was first issued in the 1970s by the HHS, then under the Department of Health, Education, and Welfare, to encourage individuals to seek treatment for substance use disorders without fear that their personal information could be used against them in criminal, civil, or administrative proceedings.

The law applies to federally assisted programs that provide diagnosis, treatment, or referral for SUD, including hospitals, clinics, and independent practitioners receiving federal funding, certification, or tax-exempt status. Under 42 CFR Part 2, any information that would identify a person as having a substance use disorder, or as having received treatment at a Part 2 program, cannot be disclosed without the patient’s explicit written consent, except under specific circumstances such as medical emergencies, research, audits, or court orders.

What was said 

Commentary from The Network for Public Health Law fact sheet notes, “Of particular interest to public health authorities is the provision that now expressly permits Part 2 programs to disclose de-identified data to public health authorities.20 The de-identified patient information must meet the HIPAA standard for de-identification.21 SAMHSA did not believe it had authority under the CARES act to extend this exception to identifiable data, even though HIPAA permits regulated entities to share identifiable information with public health authorities. As such, the rule is explicit that the permitted disclosures are limited to de-identified data.”

What happens next

In the months ahead, healthcare organizations covered under 42 CFR Part 2 will need to update their NPP with the new language required by the rule, refine their internal complaint processes, and train employees on the expanded patient rights. The amendments signal a clear move toward greater transparency and closer alignment with HIPAA’s privacy standards.

Patients now have stronger control over their information, including the right to see who has accessed their records and to limit how their substance use disorder data is shared. For providers, that means building systems capable of tracking disclosures accurately and respecting those limits whenever possible. By combining in HIPAA-style breach notifications and consent rules, the amendments create a more consistent framework for protecting patient data. 

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

FAQs

What is SUD data?

It refers to information that identifies someone as having a substance use disorder or receiving related treatment.

Can SUD data be shared without consent?

Only in limited cases, such as medical emergencies, audits, research, or with a court order.

How is 42 CFR Part 2 different from HIPAA?

While HIPAA protects general health information, Part 2 adds stricter rules for SUD records, requiring patient consent for most disclosures—even to other healthcare providers.