Interpreting The Confidentiality of Substance Use Disorder (SUD) Patient Records Law  (42 CFR Part 2) 

In the world of healthcare, patient privacy and data confidentiality are of utmost importance. To ensure the protection of sensitive information related to Substance Use Disorder (SUD) patients, the US Department of Health and Human Services and The Substance Abuse and Mental Health Services Administration (HHS and SAMHSA) collaborated to create the HIPAA Drug and Alcohol Records Law, also known as 42 CFR Part 2. This law outlines the guidelines for handling patient consent and the sharing of SUD-related Protected Health Information (PHI). In this blog post, we will delve into the key aspects of this crucial legislation and explore the recent updates and anticipated changes in 2023.

What does it say?

The law in question serves as a comprehensive guide for determining when patient consent is necessary for the sharing of Substance Use Disorder (SUD)-related Protected Health Information (PHI). It defines specific scenarios in which sharing such information is permissible without explicit patient consent. These circumstances include Part 2 Programs, where PHI can be shared within the program to facilitate coordinated care. Additionally, medical emergencies warrant the disclosure of PHI to any necessary healthcare provider to ensure prompt and appropriate treatment. Furthermore, the law re-emphasizes the importance of sharing SUD-related PHI with authorities and medical providers in situations of child abuse and neglect, ensuring the child’s safety is prioritized within the confines of the law.

What are “Part 2 Programs”?

“Part 2 Programs” refers to programs that are federally assisted such as the following:

  • Specialized substance use disorder treatment facilities, 
  • Units within general medical care facilities
  • Medical personnel 
  • Staff in a general medical care facility whose primary function is for SUD diagnosis, treatment, or referral
  • Practitioners such as physicians, psychologists, and counselors that provide SUD diagnosis, treatment, or referral. 

To sum it up, this law applies to any federally-authorized, funded, certified or assisted entity providing substance use disorder diagnosis, treatment, or referral for treatment. 

Rule on re-disclosure: Referrals can’t give referrals PHI

Re-disclosure is the act of sharing previously disclosed information with another party. Under 42 CFR Part 2, if a patient gives consent for their treatment program to disclose their information to a third party, that third party is generally not allowed to redisclose that information with another entity without the patient’s additional explicit consent.

This rule restricting re-disclosure applies even in situations where the initial disclosure was allowed under one of the limited exceptions to the patient consent requirement. For example, SUD related information that was obtained in an emergency cannot necessarily be shared by the emergency care provider. There are some cases where re-disclosure is allowed such as for certain types of research, audits, and evaluations.

2020 Updates and Expected Changes for 2023

In 2020, additional updates were integrated into the HIPAA Privacy Rule (45 CFR § 164.508) to accommodate technological advancements and evolving privacy demands. These amendments reinforced data encryption, restricted access, and imposed stricter penalties for unauthorized disclosure, conforming to both HIPAA and legal code requirements.

In 2023, we anticipate further enhancements to the HIPAA Privacy Rule to ensure unparalleled confidentiality for SUD patient records. The ongoing commitment to updating regulations highlights the dedication to safeguarding patient privacy, encompassing both HIPAA and legal code requirements.

The Importance of Clarification

The need to clarify and update the law arose from the ever-evolving nature of technology and substance use. Ensuring patient privacy and data confidentiality in this context is crucial to maintain trust between patients and healthcare providers. By continuously refining and interpreting the law, authorities aim to strike a balance between providing necessary care and respecting patients’ rights to privacy.


Understanding the guidelines for patient consent and the sharing of PHI is essential for healthcare providers and individuals seeking treatment alike. As the healthcare landscape evolves, continuous updates to the law demonstrate a commitment to safeguarding patient privacy while meeting the challenges posed by advancing technology and changing healthcare needs. By adhering to these regulations, healthcare providers can create a safe and secure environment for patients seeking treatment.

For step by step support and guidance in HIPAA compliance, consider trying HIPAA Prime. You’ll gain access to our team of experts who will create policies and procedures specifically for your business. Book a Clarity Call today to learn more about HIPAA Prime!


SUD related information is still private from authorities and any entities not related to health care. This means people shouldn’t avoid treatment for fear of being turned over to authorities for using illegal substances.

“The law aims to encourage individuals to seek help for substance use disorders without fear of stigmatization or legal consequences.”


Sharing is caring!


Looking for a Business Associate Agreement?

Download our free template to get started on your path toward HIPAA compliance.

Download Now

Let's keep in touch

Stay up to date on the latest HIPAA news, plus receive tons of free tools and info.

Navigating HIPAA Compliance in 2023

Watch the recording of this webinar to learn more about how you can become and stay HIPAA compliant!


Related Posts

What is Access Control in terms of HIPAA?

What is Access Control in terms of HIPAA?

Access control, in terms of cybersecurity, refers to the practice of managing and regulating who can access specific resources, systems, or data within an organization's network or information...

Comparing HIPAA and NIST

Comparing HIPAA and NIST

In the ever-evolving landscape of data security and privacy, two key frameworks have emerged as significant players: HIPAA and NIST. Both emphasize the importance of safeguarding sensitive...

Save & Share Cart
Your Shopping Cart will be saved and you'll be given a link. You, or anyone with the link, can use it to retrieve your Cart at any time.
Back Save & Share Cart
Your Shopping Cart will be saved with Product pictures and information, and Cart Totals. Then send it to yourself, or a friend, with a link to retrieve it at any time.
Your cart email sent successfully :)