Description
Substance use disorder records carry federal protections that exceed HIPAA. The 2024 final rule is now in full enforcement. This policy template brings your organization into compliance.
What This Template Covers
- Regulatory foundation: 42 U.S.C. 290dd-2, 42 CFR Part 2, and CARES Act Section 3221, with enforcement date of February 16, 2026
- Scope and applicability for Part 2 programs, covered entities, business associates, qualified service organizations, and intermediaries
- Definitions for all key terms introduced or revised by the 2024 final rule, including SUD treatment record, intermediary, treating provider relationship, and SUD counseling notes
- Patient rights: confidentiality, Notice of Privacy Practices, accounting of disclosures, restriction requests (including the mandatory paid-in-full restriction), consent revocation, opt-out of fundraising, and complaints to HHS
- Written consent requirements under 42 CFR 2.31, including required elements, TPO single consent, SUD counseling notes consent, and re-disclosure prohibition notices with both prescribed regulatory statements
- Permitted disclosures without patient consent: internal program communications, QSOs, medical emergencies, research, audit and evaluation, de-identified public health reporting, and central registry enrollment prevention
- Restrictions on use in legal proceedings and all three court order tracks under Subpart E (42 CFR 2.64, 2.65, 2.66)
- Redisclosure restrictions and lawful holder obligations
- Breach notification under the HIPAA framework as extended to Part 2 records by the 2024 final rule
- Civil and criminal enforcement penalties under 42 U.S.C. 1320d-5 and 1320d-6
- Workforce training requirements, sanctions policy reference, and annual review obligations
- State law relationship and instruction to identify more stringent applicable state SUD confidentiality statutes
Who This Is For
- Part 2 programs providing substance use disorder diagnosis, treatment, or referral for treatment
- HIPAA covered entities and business associates that receive or maintain SUD treatment records
- Behavioral health organizations, federally qualified health centers, and integrated care systems
- Privacy officers and compliance professionals updating policies for the 2026 enforcement date
- Healthcare legal counsel and consultants supporting covered entity or Part 2 program clients
Why 42 CFR Part 2 Requires Its Own Policy
HIPAA alone is not sufficient for organizations that maintain substance use disorder treatment records. 42 CFR Part 2 imposes separate and more stringent requirements for written patient consent before any use or disclosure, including disclosures that HIPAA would permit without authorization. A general HIPAA authorization does not satisfy Part 2. A routine records release does not satisfy Part 2. The rules governing court orders, legal proceedings, re-disclosure, and patient presence acknowledgment differ materially from what HIPAA requires.
The 2024 final rule aligned some Part 2 requirements with HIPAA, including breach notification, patient rights, and enforcement, but did not eliminate the consent requirement or the restrictions on use in legal proceedings. This template documents what your organization is required to do under the current rule, in language your workforce can follow and your auditors can verify.
Format: Microsoft Word (.docx), fully editable. Includes bracketed placeholders for organization name, dates, policy numbers, and approvals. Compatible with all major word processors. Available immediately after purchase.
