Description
If your SUD treatment program shares patient records with any outside service provider — a billing company, EHR vendor, lab, legal firm, or staffing agency — federal law requires a signed Qualified Service Organization Agreement before any disclosure.
42 CFR Part 2 • 2024 Final Rule • Full Enforcement February 16, 2026
The Qualified Service Organization Agreement (QSOA) Template is a professionally written, fully editable Word document built for federally assisted substance use disorder treatment programs operating under the Confidentiality of Substance Use Disorder Patient Records regulations at 42 CFR Part 2. It documents the legally required binding acknowledgment between a Part 2 program and its service provider, authorizing the disclosure of patient records without individual consent under the narrow exception at 42 CFR 2.12(c)(4).
The template is aligned to the 2024 final rule published at 89 FR 12618, which replaced prior criminal-only penalties with HIPAA-level civil and criminal enforcement, extended the HIPAA Breach Notification Rule to Part 2 programs, and revised the required disclosure notice language under 42 CFR 2.32. Full enforcement is effective February 16, 2026.
Why a QSOA Is Required
Under 42 CFR 2.12(c)(4), a Part 2 program may disclose patient records to a service provider without individual consent only if the service provider has entered into a written agreement meeting the definition of a Qualified Service Organization under 42 CFR 2.11. That agreement must include a binding acknowledgment of all Part 2 obligations and an agreement to resist judicial efforts to obtain impermissible access to patient records.
A QSOA is a legally distinct instrument from a HIPAA Business Associate Agreement. Executing a BAA alone does not satisfy the QSOA requirement. Where the QSO also qualifies as a HIPAA business associate, both agreements must be executed separately — a point confirmed by HHS in the 2024 final rule.
What Is Included
The template contains 16 fully drafted sections with all bracketed placeholder fields clearly marked for customization:
| 1. Background and Purpose Regulatory basis, CARES Act reference, 2024 final rule. Includes distinction from a HIPAA BAA. |
2. Definitions Part 2 Records, Patient Identifying Information, Lawful Holder, Unsecured Record, SUD Counseling Notes, Covered Entity, Business Associate — all grounded in 42 CFR 2.11 and 45 CFR 160.103. |
| 3. Parties Fillable identification tables for both the Part 2 Program and the QSO including service category field. |
4. Scope of Services Customizable services table with Part 2 Records involvement and applicable personnel columns. |
| 5. QSO Acknowledgments and Obligations (6 subsections) 5.1 Full Binding Acknowledgment under 42 CFR 2.11 5.2 Obligation to Resist Judicial Proceedings under 42 CFR 2.11 5.3 Restrictions on Redisclosure — subcontractor conditions, downstream accountability, QSO liability 5.4 Prohibition on Use in Legal Proceedings Against Patients under 42 CFR 2.12(d)(1) 5.5 Safeguards — administrative, physical, technical; Security Rule alignment under the 2024 final rule 5.6 Minimum Necessary Standard |
|
| 5.7 Audit Rights Part 2 Program right to inspect QSO policies, subcontractor agreements, disclosure documentation, and workforce training records. |
5.8 Permitted Exceptions Research (42 CFR 2.52), audit and evaluation (42 CFR 2.53), and medical emergency (42 CFR 2.51) disclosures with conditions and QSO obligations for each. |
| 6. Breach Notification HIPAA Breach Notification Rule alignment per 2024 final rule; QSO reporting obligations; four-element notification content requirements; risk assessment citation to 45 CFR 164.402(2). |
7. Enforcement, Complaints, and Non-Retaliation 2024 civil monetary penalties (42 U.S.C. 1320d-5) and criminal penalties (42 U.S.C. 1320d-6); patient complaint rights under 42 CFR 2.21; non-retaliation obligation. |
| 8. Term and Termination Termination for cause and convenience; record return or destruction on termination; survival of confidentiality obligations. |
9. Required Notice and Consent to Accompany Disclosure Both updated 2024 short form and long form notice language under 42 CFR 2.32(a); consent copy requirement new for 2024. |
| 10. Records Retention Six-year retention for agreement and disclosure records; contractually adopted from 45 CFR 164.530(j). |
11. Relationship of Parties Independent contractor status; QSO accountability for workforce and subcontractors. |
| 12. General Provisions (8 subsections) Governing law and regulatory supremacy; entire agreement; amendment; severability; counterparts and electronic execution; no waiver; notices; indemnification (mutual, survives termination). |
|
| 13. Acknowledgment and Execution Dual-party signature blocks with name, title, date, and address fields. |
14. Instructions for Use Placeholder completion guide; when a QSOA is required; relationship to a HIPAA BAA; periodic review guidance; attorney review notice. |
| 15. Related Documents Cross-reference table linking to related HIPAA Essentials Library templates. |
16. Revision History Three-version history table (v1.0, v1.2, v1.3) documenting all substantive changes. |
Who Needs This
This template is designed for:
- Federally assisted SUD treatment programs — outpatient programs, opioid treatment programs (OTPs), residential programs, and other entities meeting the definition of a Part 2 program under 42 CFR 2.11 that share patient records with any outside service provider
- Behavioral health organizations with SUD treatment components that contract with billing companies, EHR vendors, laboratories, legal services, accounting firms, staffing agencies, or population health management vendors
- Compliance officers and privacy officers responsible for ensuring the program’s service provider contracts satisfy 42 CFR Part 2 requirements before the February 16, 2026 enforcement date
- Healthcare attorneys and consultants advising Part 2 programs who need a well-structured starting point that already incorporates the 2024 final rule changes
Updated for the 2024 Final Rule — Enforcement Begins February 16, 2026
The 2024 final rule (89 FR 12618) made the most significant changes to 42 CFR Part 2 in decades. This template incorporates all material changes: the revised 42 CFR 2.32 disclosure notice language (both short form and long form), the new requirement to accompany each disclosure with a copy of the patient consent or a written explanation of consent scope, the shift to HIPAA civil and criminal enforcement penalties, and the extension of the HIPAA Breach Notification Rule to unsecured Part 2 records. Organizations using pre-2024 QSOAs should review and update those agreements before the enforcement date.
Format and Delivery
Delivered as a single Microsoft Word (.docx) file. All bracketed fields are clearly marked for customization. The document includes a version history table, a static table of contents, and an Instructions for Use section. Immediate download after purchase.
Reviews
There are no reviews yet.