42 CFR Part 2: What Changed, Why It Matters, and What to Do Now
On November, 7, 2025, I spoke to the Massachusetts Health Information Management Association about the federal government’s sweeping updates to 42 CFR Part 2—the confidentiality rules governing substance use disorder (SUD) records—to better align with HIPAA while preserving Part 2’s core patient protections. Issued in April 2024 with a two-year runway, the rule becomes enforceable on February 16, 2026. Organizations subject to Part 2 should be executing their implementation plans now to update notices, consents, contracts, workflows, and training.
At a high level, the revisions modernize consent to support integrated care; harmonize definitions, notices, enforcement, and breach obligations with HIPAA; and maintain strict limits on using SUD records against patients in legal proceedings. What follows is a concise summary of the most consequential changes and their operational implications.
Modernized Consent and Redisclosure
The most significant change is the introduction of a single, durable patient consent that authorizes future uses and disclosures of Part 2 records for treatment, payment, and health care operations. Once a HIPAA covered entity or business associate receives Part 2 records under this consent, it may use and redisclose the records in accordance with HIPAA.
A critical exception remains: redisclosures for civil, criminal, administrative, or legislative proceedings against the patient are prohibited absent patient consent or a qualifying court order. Importantly, Part 2 makes clear that recipients are not required to segregate SUD data received under a single TPO consent, although role-based controls and tagging remain prudent to avoid unnecessary exposure of highly sensitive information.
Consent form content has been updated to mirror HIPAA’s structure while retaining Part 2 specifics. Consents must identify the disclosing program and recipients, describe scope, purpose, expiration, and revocation rights, and include statements about potential HIPAA redisclosures when records are used for TPO. Consents for use or disclosure in legal proceedings cannot be combined with other consents, and each disclosure with consent must be accompanied by the consent or a clear explanation of its scope.
New Protection for SUD Counseling Notes
Part 2 now recognizes “SUD counseling notes” as a distinct, highly protected category analogous to psychotherapy notes under HIPAA. These are notes by a SUD or mental health professional documenting the contents of private, group, joint, or family SUD counseling sessions and maintained separate from the medical record. They are generally not disclosable without specific patient consent. Routine clinical information such as prescriptions, session times, modalities, test results, and summaries of diagnosis or treatment plan are excluded from this category.
Notices, Patient Rights, and HIPAA Alignment
Part 2 programs must provide a Notice of Privacy Practices that aligns with HIPAA’s framework and incorporates Part 2-specific content. The notice must describe permitted uses and disclosures (including those allowed without consent), the single TPO consent option, restrictions on legal proceedings, patient rights (such as to restrict disclosures to a health plan for self-paid services, request other reasonable restrictions, obtain an accounting of disclosures, and opt out of fundraising communications), and the right to complain to the program and directly to HHS.
Patient rights under Part 2 are expanded to align with HIPAA, including access rights, the right to an accounting of disclosures (including certain EHR-based TPO disclosures for a defined lookback), and enhanced transparency obligations for intermediaries that disclose records based on general designations.
Legal Process and Enforcement
Part 2’s foundational protections against using SUD records to initiate or substantiate criminal charges or other proceedings against patients remain intact. Disclosures pursuant to court orders continue to require rigorous justification and protective measures, and separate compulsory process (such as a subpoena) is needed to compel production.
Enforcement is now harmonized with HIPAA. HHS’s Office for Civil Rights will enforce Part 2 using the HIPAA civil and criminal penalty framework, and HIPAA’s Breach Notification Rule applies to Part 2 records held by covered entities and business associates. Programs must maintain written security policies addressing paper and electronic records and follow breach protocols. Patients can file complaints directly with HHS OCR, and programs may not retaliate or require waiver of complaint rights. A new safe harbor protects investigative agencies that exercise reasonable diligence before seeking records and take prescribed steps if Part 2 data is received without a qualifying court order.
State Law Interplay and Practical Next Steps
Part 2 does not preempt more protective state laws. Organizations must map Part 2 and HIPAA permissions against applicable state privacy, mental health, and data security requirements, ensuring breach response timelines, content, and patient rights are satisfied across legal regimes.
With the February 16, 2026 compliance date approaching, programs should update Notices of Privacy Practices; revise consent forms to enable single TPO consent and separate SUD counseling notes consent; refresh policies for redisclosure, public health and PDMP workflows, fundraising opt-outs, and legal process response; align breach response plans with HIPAA; amend BAAs, vendor agreements, and intermediary contracts to flow down Part 2 obligations; and train staff on the new requirements and court order standards. These steps will allow integrated, privacy-preserving care while safeguarding the unique protections that remain at the heart of Part 2.
