42 CFR Part 2 is the federal regulation protecting the confidentiality of substance use disorder (SUD) records held by federally-assisted SUD programs. It has long been one of the strictest confidentiality standards in US healthcare — tighter than HIPAA in important ways — and behavioral health IT environments have historically needed specialized configuration to comply. The 2024 final rule substantially aligned Part 2 with HIPAA, but material differences remain, and the IT implications for behavioral health and integrated primary care practices are significant.
Who Part 2 Applies To
Part 2 applies to federally assisted programs that hold themselves out as providing, and actually provide, substance use disorder diagnosis, treatment, or referral for treatment. "Federally assisted" is broad: it includes any program that receives federal funding directly or indirectly, is tax-exempt, or is licensed, certified, or registered by a federal agency (a DEA registration to prescribe controlled substances, including buprenorphine, is the common example). In practice, most SUD treatment programs are covered. Within a general medical facility, coverage attaches to an identified unit that holds itself out as providing SUD care, or to staff whose primary function is SUD care and who are identified as such, rather than to the facility as a whole.
Primary care practices that diagnose and treat SUD can fall under Part 2 when they hold themselves out as doing so (for example, by advertising medication treatment for opioid use disorder), even when they are not dedicated SUD programs. Integrated behavioral health models, where SUD services are embedded in primary care, bring Part 2 into practices that historically saw themselves as HIPAA-only.
What Part 2 Covers
Part 2 covers "records" that would identify a patient as having an SUD, directly or indirectly. This includes:
- Clinical records
- Billing and claims data
- Appointment schedules referencing SUD care
- Communications about SUD care
- Any record or communication from which a third party could reasonably infer that a patient has an SUD
The "reasonably infer" language is what drives the IT implications. If your billing system shows a patient visited an SUD treatment program, that is a Part 2 record — even if the record itself contains no clinical details.
Where Part 2 Diverged From HIPAA (Pre-2024)
Historically, Part 2 was stricter than HIPAA in several ways:
- Consent for disclosure: Part 2 required patient consent for most disclosures, including treatment, payment, and operations disclosures that HIPAA permits without authorization
- Redisclosure: Part 2 prohibited recipients of Part 2 records from redisclosing, without the patient's additional consent
- Consent specificity: consents had to identify specific recipients and specific purposes
- Enforcement: Part 2 violations were criminal offenses, punishable by fines under Title 18 and enforced by the Department of Justice, with no civil enforcement by HHS and no private right of action
The 2024 Final Rule Alignment
In February 2024, HHS finalized a rule substantially aligning Part 2 with HIPAA on treatment, payment, and operations disclosures. Key changes:
- A single patient consent can now authorize disclosure of Part 2 records for all treatment, payment, and operations purposes — similar to HIPAA
- Redisclosure restrictions are loosened for treatment, payment, and operations
- Patients gain rights to an accounting of disclosures and to request restrictions on certain disclosures, paralleling the HIPAA Privacy Rule
- Breach notification obligations are harmonized with the HIPAA Breach Notification Rule
The rule took effect April 16, 2024. The compliance date for most provisions is February 16, 2026, and regulated entities may implement the new provisions before then.
The alignment simplifies compliance substantially, but Part 2 is not identical to HIPAA. Differences remain around:
- Consent requirements for specific disclosures: SUD counseling notes (analogous to HIPAA psychotherapy notes) and any use of records in legal proceedings each require a separate, Part 2-specific consent
- Anti-discrimination provisions
- Use of records in proceedings: Part 2 records, and testimony relaying their content, may not be used in civil, criminal, administrative, or legislative proceedings against the patient without consent or a court order that meets Part 2's requirements
- Specific patient notice requirements
IT Implications: What Behavioral Health Environments Need
1. Segmentation of Part 2 Records
In an integrated medical record, Part 2 records must be identifiable and segregable. The EHR needs to flag Part 2 records at the visit, encounter, or document level so that disclosures excluding Part 2 records can be generated on request.
Practical implementation varies by EHR:
- Epic, athenahealth, and other major ambulatory EHRs have Part 2 sensitivity configurations
- Behavioral health-specific EHRs (Credible, Netsmart, Valant, TherapyNotes) typically have stronger native Part 2 support
- Segmentation needs to extend to interfaces — HL7 feeds to HIEs, labs, pharmacies must filter Part 2 data unless consent permits
2. Consent Management Infrastructure
Patient consent for Part 2 disclosures must be tracked at the disclosure-recipient level. The EHR or a consent management system must:
- Capture consent with all required elements (patient identity, the program making the disclosure, what records, to whom, for what purpose, expiration date or event, signature and date, right to revoke)
- Enforce consent at the point of disclosure — no Part 2 data flows to a recipient unless consent is active
- Track revocations and ensure immediate effect
- Maintain audit trail of consents, disclosures, and enforcement
Most behavioral health EHRs include consent management. General ambulatory EHRs often need add-on configuration or third-party tools.
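The enforcement rule in the list above, and the "filter at the source when no consent is on file" requirement for HIE feeds in the next section, come down to one decision made at the moment of disclosure. The following is an added example, not the article's code and not the consent module of any EHR or consent product named here. The field names, the `ANY_RECIPIENT` marker for a single TPO consent that names a class of recipients, and the decision rules are assumptions chosen to mirror the consent elements listed above; the patient ids, recipients and dates are constructed.

```python
"""Consent-gated disclosure decision for Part 2 records.

Added illustration, not code from the article or from any EHR or consent
product it names. Field names, the ANY_RECIPIENT marker and the decision
rules are assumptions chosen to mirror the consent elements listed above.
"""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone
from typing import Optional

TPO_PURPOSES = frozenset({"treatment", "payment", "operations"})
ANY_RECIPIENT = "*"  # assumed marker for a single TPO consent that names a class of recipients


@dataclass(frozen=True)
class Consent:
    consent_id: str
    patient_id: str
    recipients: frozenset          # recipient ids, or frozenset({ANY_RECIPIENT})
    purposes: frozenset            # e.g. TPO_PURPOSES, or a narrower named purpose
    expires: datetime              # every consent carries an expiration date or event
    revoked_at: Optional[datetime] = None

    def is_active(self, at: datetime) -> bool:
        if self.revoked_at is not None and at >= self.revoked_at:
            return False           # revocation takes effect immediately
        return at < self.expires

    def covers(self, recipient: str, purpose: str, at: datetime) -> bool:
        return (self.is_active(at)
                and purpose in self.purposes
                and (recipient in self.recipients or ANY_RECIPIENT in self.recipients))


class DisclosureGate:
    """Point-of-disclosure check. Every decision and revocation lands in self.audit."""

    def __init__(self, consents):
        self.consents = {c.consent_id: c for c in consents}
        self.audit = []

    def revoke(self, consent_id: str, at: datetime) -> None:
        self.consents[consent_id] = replace(self.consents[consent_id], revoked_at=at)
        self.audit.append({"event": "revoke", "consent_id": consent_id, "at": at.isoformat()})

    def decide(self, *, patient_id, recipient, purpose, part2, at, emergency=False):
        """Return (allowed, reason).

        Non-Part 2 PHI flows for treatment, payment and operations without
        consent, as HIPAA permits. A Part 2 record needs an active consent that
        names this recipient (or a class) and this purpose; the only exception
        modelled is a documented bona fide medical emergency.
        """
        if not part2 and purpose in TPO_PURPOSES:
            allowed, reason = True, "hipaa_tpo"
        elif part2 and emergency:
            allowed, reason = True, "part2_medical_emergency"
        else:
            match = next((c for c in self.consents.values()
                          if c.patient_id == patient_id and c.covers(recipient, purpose, at)),
                         None)
            allowed = match is not None
            reason = f"consent:{match.consent_id}" if allowed else "no_active_consent"
        self.audit.append({"event": "disclosure_decision", "patient": patient_id,
                           "recipient": recipient, "purpose": purpose, "part2": part2,
                           "allowed": allowed, "reason": reason, "at": at.isoformat()})
        return allowed, reason


def demo():
    """Constructed scenario: a blanket TPO consent, a narrow consent, then a revocation."""
    t0 = datetime(2026, 3, 1, tzinfo=timezone.utc)
    day = timedelta(days=1)
    gate = DisclosureGate([
        Consent("c-tpo", "pt-1", frozenset({ANY_RECIPIENT}), TPO_PURPOSES, t0 + 365 * day),
        Consent("c-eap", "pt-2", frozenset({"employer-eap"}), frozenset({"employment"}), t0 + 30 * day),
    ])
    d = gate.decide
    out = {
        "hipaa_only":    d(patient_id="pt-3", recipient="hie", purpose="treatment", part2=False, at=t0),
        "no_consent":    d(patient_id="pt-3", recipient="hie", purpose="treatment", part2=True, at=t0),
        "tpo_consent":   d(patient_id="pt-1", recipient="hie", purpose="payment", part2=True, at=t0),
        "wrong_purpose": d(patient_id="pt-2", recipient="employer-eap", purpose="treatment", part2=True, at=t0),
        "expired":       d(patient_id="pt-2", recipient="employer-eap", purpose="employment", part2=True, at=t0 + 31 * day),
        "emergency":     d(patient_id="pt-3", recipient="ed-hospital", purpose="treatment", part2=True, at=t0, emergency=True),
    }
    gate.revoke("c-tpo", at=t0 + day)
    out["after_revoke"] = d(patient_id="pt-1", recipient="hie", purpose="payment", part2=True, at=t0 + 2 * day)
    return out, gate.audit


if __name__ == "__main__":
    decisions, audit = demo()
    for name, (allowed, reason) in decisions.items():
        print(f"{name:14} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

The design point is that the gate never answers from the record alone: the same HIE recipient is allowed for a non-Part 2 record with no consent and refused for a Part 2 record unless a matching, unexpired, unrevoked consent exists, and the emergency path is a separate, logged reason rather than a bypass of the log.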
3. HIE Participation Configuration
Health information exchange participation for behavioral health is a high-attention area. Part 2 records must not flow to HIEs without appropriate consent. HIE configurations must:
- Filter Part 2 records at the source when no consent is on file
- Honor break-glass access rules specific to Part 2: access without consent is limited to a bona fide medical emergency, and each such access must be documented in the patient's record
- Provide patient-specific opt-out or granular consent mechanisms
- Audit access to Part 2 records separately from general PHI
See our healthcare HIE resources for the general HIE consent framework; Part 2 layers additional requirements on top.
4. Audit Logs and Monitoring
Audit logs for Part 2 records deserve additional attention. Beyond general HIPAA audit requirements, Part 2-sensitive monitoring should flag:
- Access to Part 2 records by users without care-team assignment
- Bulk access or export patterns
- Attempts to disable Part 2 sensitivity flags
- Disclosures to recipients not on the active consent list
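The four rules above, run over a constructed audit export, as an added example that is not the article's code or any EHR vendor's monitoring. The JSON event shape, the care-team and active-consent tables, the `part2_sensitive` flag name and the bulk threshold (five distinct Part 2 patients by one user in ten minutes) are assumptions; the log lines are constructed.

```python
"""Part 2-aware audit monitoring over constructed EHR audit events.

Added illustration, not the article's or any vendor's code. The JSON event
shape, the care-team and consent tables and the thresholds are assumptions;
the four rules are the ones listed in the section above.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

BULK_THRESHOLD = 5                 # assumed: distinct Part 2 patients per user per window
BULK_WINDOW = timedelta(minutes=10)

# Constructed reference data; in practice fed from the EHR and the consent system.
CARE_TEAM = {"pt-1": {"dr.ames", "rn.patel"}, "pt-2": {"dr.ames"}}
ACTIVE_CONSENT_RECIPIENTS = {"pt-1": {"hie-state"}, "pt-2": set()}

# Constructed sample audit export, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2026-03-02T09:00:00","user":"rn.patel","event":"read","patient":"pt-1","part2":true}
{"ts":"2026-03-02T09:01:00","user":"billing.kim","event":"read","patient":"pt-1","part2":true}
{"ts":"2026-03-02T09:02:00","user":"billing.kim","event":"read","patient":"pt-2","part2":false}
{"ts":"2026-03-02T09:03:00","user":"dr.ames","event":"flag_change","patient":"pt-1","part2":true,"field":"part2_sensitive","new_value":false}
{"ts":"2026-03-02T09:04:00","user":"dr.ames","event":"disclosure","patient":"pt-1","part2":true,"recipient":"hie-state"}
{"ts":"2026-03-02T09:05:00","user":"dr.ames","event":"disclosure","patient":"pt-2","part2":true,"recipient":"hie-state"}
{"ts":"2026-03-02T09:10:00","user":"analyst.lee","event":"export","patient":"pt-1","part2":true}
{"ts":"2026-03-02T09:11:00","user":"analyst.lee","event":"export","patient":"pt-2","part2":true}
{"ts":"2026-03-02T09:12:00","user":"analyst.lee","event":"export","patient":"pt-3","part2":true}
{"ts":"2026-03-02T09:13:00","user":"analyst.lee","event":"export","patient":"pt-4","part2":true}
{"ts":"2026-03-02T09:14:00","user":"analyst.lee","event":"export","patient":"pt-5","part2":true}
"""


def parse_events(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return a list of (rule, user, patient, detail) alerts, in event order."""
    alerts = []
    recent = defaultdict(deque)        # user -> (ts, patient) for Part 2 reads/exports
    bulk_flagged = set()               # alert once per user, not once per event
    for e in events:
        user, patient, part2 = e["user"], e["patient"], e.get("part2", False)

        if e["event"] in ("read", "export") and part2:
            # Rule 1: Part 2 access by someone not assigned to the patient's care team.
            if user not in CARE_TEAM.get(patient, set()):
                alerts.append(("off_care_team", user, patient, e["event"]))
            # Rule 2: many distinct Part 2 patients touched inside the sliding window.
            window = recent[user]
            window.append((e["ts"], patient))
            while window and e["ts"] - window[0][0] > BULK_WINDOW:
                window.popleft()
            distinct = {p for _, p in window}
            if len(distinct) >= BULK_THRESHOLD and user not in bulk_flagged:
                bulk_flagged.add(user)
                alerts.append(("bulk_access", user, None,
                               f"{len(distinct)} Part 2 patients within {BULK_WINDOW}"))

        # Rule 3: someone turned the Part 2 sensitivity flag off.
        elif (e["event"] == "flag_change" and e.get("field") == "part2_sensitive"
              and e.get("new_value") is False):
            alerts.append(("flag_disable", user, patient, "part2_sensitive -> false"))

        # Rule 4: a Part 2 disclosure to a recipient with no active consent on file.
        elif e["event"] == "disclosure" and part2:
            if e["recipient"] not in ACTIVE_CONSENT_RECIPIENTS.get(patient, set()):
                alerts.append(("unconsented_disclosure", user, patient, e["recipient"]))
    return alerts


def run():
    return detect(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for rule, user, patient, detail in run():
        print(f"{rule:24} {user:12} {patient or '-':6} {detail}")
```

Note that the read of a non-Part 2 record by the billing user at 09:02 raises nothing: the care-team rule is scoped to Part 2 records on purpose, since general PHI access by billing staff is ordinary HIPAA operations and flooding the queue with it would bury the alerts that matter.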
5. Business Associate Agreements
Business Associate Agreements with vendors who touch Part 2 data need Part 2-specific language — acknowledgment that data is Part 2, Part 2-compliant handling obligations, and Part 2-compliant breach notification. General HIPAA BAA language is not sufficient.
6. Interface Engines and Data Routing
Interface engines (Mirth, Rhapsody, Cloverleaf, InterSystems HealthShare) often sit between the EHR and external systems. Every interface must be configured to:
- Detect Part 2 content in messages
- Apply consent rules
- Filter or redact as needed
- Log for audit
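The four steps above at a single interface hop, as an added example that is not the article's code and not a transformer from Mirth, Rhapsody, Cloverleaf or HealthShare. Detection uses two signals: ICD-10-CM codes in the F10-F19 block (mental and behavioral disorders due to psychoactive substance use) in DG1 segments, and a custom `ZP2` segment that the source EHR is assumed to stamp on Part 2 encounters (an assumption, not part of the HL7 standard). `SUD_PROGRAM_LOCATIONS` is likewise an assumed site-specific list, the sample messages are constructed, and the consent decision is taken as already resolved upstream and passed in as a boolean.

```python
"""Part 2 filter for HL7 v2 messages at an interface engine hop.

Added illustration, not the article's code and not a transformer from Mirth,
Rhapsody, Cloverleaf or HealthShare. The ZP2 marker segment and
SUD_PROGRAM_LOCATIONS are assumptions; the ICD-10-CM F10-F19 block is real.
The consent decision is resolved upstream and passed in as a boolean.
"""
import re

SUD_CODE = re.compile(r"^F1\d")                        # ICD-10-CM F10-F19
PART2_MARKER = "ZP2"                                   # assumed custom Z-segment
SUD_PROGRAM_LOCATIONS = {"SUD CLINIC", "MAT PROGRAM"}  # assumed: locations that reveal SUD care

# Constructed sample messages (segments separated by CR, as on the wire).
ADT_INTEGRATED = "\r".join([
    "MSH|^~\\&|EHR|CLINIC|HIE|STATE|202603020900||ADT^A04|MSG0001|P|2.5",
    "PID|1||123456^^^CLINIC^MR||DOE^JANE||19800101|F",
    "PV1|1|O|PRIMARY CARE^^^CLINIC",
    "DG1|1|I10|F11.20^Opioid dependence, uncomplicated^I10|||A",
    "DG1|2|I10|E11.9^Type 2 diabetes mellitus without complications^I10|||A",
    "ZP2|Y",
])
ADT_SUD_PROGRAM = ADT_INTEGRATED.replace("PRIMARY CARE^^^CLINIC", "SUD CLINIC^^^CLINIC")
ADT_PLAIN = "\r".join(seg for seg in ADT_INTEGRATED.split("\r")
                      if not seg.startswith(("DG1|1", "ZP2")))


def parse(msg):
    return [seg.split("|") for seg in msg.split("\r") if seg]


def serialize(segments):
    return "\r".join("|".join(seg) for seg in segments)


def first_component(seg, idx):
    return seg[idx].split("^")[0] if len(seg) > idx else ""


def part2_signals(segments):
    """List every reason the message would identify the patient as receiving SUD care."""
    signals = []
    for seg in segments:
        if seg[0] == "DG1" and SUD_CODE.match(first_component(seg, 3)):
            signals.append("DG1 " + first_component(seg, 3))
        elif seg[0] == PART2_MARKER:
            signals.append(PART2_MARKER)
        elif seg[0] == "PV1" and first_component(seg, 3).upper() in SUD_PROGRAM_LOCATIONS:
            signals.append("PV1 " + first_component(seg, 3))
    return signals


def filter_message(msg, consent_on_file, log):
    """Return (action, outbound). action is pass, pass_with_consent, redact or block."""
    segments = parse(msg)
    signals = part2_signals(segments)
    if not signals:
        action, out = "pass", msg
    elif consent_on_file:
        action, out = "pass_with_consent", msg
    elif any(s.startswith("PV1") for s in signals):
        # The encounter location itself says "SUD program"; redacting diagnoses
        # cannot undo that inference, so the whole message is held back.
        action, out = "block", None
    else:
        kept, n = [], 0
        for seg in segments:
            if seg[0] == PART2_MARKER or (seg[0] == "DG1" and SUD_CODE.match(first_component(seg, 3))):
                continue
            if seg[0] == "DG1":            # renumber DG1-1 so set IDs stay contiguous
                n += 1
                seg = [seg[0], str(n)] + seg[2:]
            kept.append(seg)
        action, out = "redact", serialize(kept)
    log.append({"msg_id": segments[0][9] if len(segments[0]) > 9 else "?",
                "action": action, "signals": signals})
    return action, out


if __name__ == "__main__":
    audit = []
    for name, msg in [("integrated", ADT_INTEGRATED), ("sud_program", ADT_SUD_PROGRAM), ("plain", ADT_PLAIN)]:
        print(name, filter_message(msg, consent_on_file=False, log=audit)[0])
    print(audit)
```

The block-versus-redact split is the practical consequence of the "reasonably infer" standard: dropping the F11.20 diagnosis and the marker segment from a primary care encounter leaves a message that no longer identifies SUD care, but no amount of segment-level redaction helps when the visit location is itself an SUD program. Free-text NTE and OBX segments can carry the same inference and need their own review in a real deployment.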
7. Backup and Retention
Backup and retention for Part 2 records mirror HIPAA requirements but with additional attention to segregation. Restored Part 2 records must maintain their sensitivity classification. Retention policies should align with SUD clinical retention requirements (often longer than general medical).
Criminal Penalty Exposure
Part 2 violations were historically punishable only by criminal fines (the $500 first-offense and $5,000 subsequent-offense figures still quoted in older guidance date from that regime). The CARES Act of 2020 replaced that scheme with HIPAA's own civil and criminal penalty provisions, and the 2024 final rule implements it: HHS can now impose civil money penalties for Part 2 violations, and the HIPAA criminal provisions for knowingly obtaining or disclosing records apply. Penalty exposure is therefore aligned with HIPAA rather than a differentiator. What still sets Part 2 apart is how little it takes to make a disclosure (any record from which SUD treatment can reasonably be inferred), which is why training and internal discipline for Part 2 still need specific attention.
Training Requirements
Part 2 requires workforce training on Part 2 requirements. Training should address:
- What Part 2 covers and where it still differs from HIPAA after the 2024 alignment
- Consent requirements and how to identify a valid consent
- Redisclosure rules
- Criminal and civil penalty exposure
- What to do if a Part 2 violation is suspected
Integrated Primary Care: The Emerging Challenge
As SUD screening and treatment integrate into primary care, general medical practices increasingly handle Part 2 records without the specialized Part 2-aware infrastructure of behavioral health EHRs. The gap is narrowing with the 2024 final rule's alignment, but practices delivering integrated SUD services should not assume HIPAA-only compliance covers them.
Due diligence for an integrated practice:
- Does the EHR support Part 2 sensitivity configuration?
- Are workflows configured to capture Part 2-compliant consent?
- Are interfaces and HIE connections configured to filter Part 2 data?
- Are BAAs updated with Part 2 language?
- Has staff received Part 2 training?
For behavioral health or integrated primary care IT assessments, see our healthcare services or schedule a consultation. Part 2 compliance requires more than a HIPAA program, and getting the configuration right up front is materially cheaper than retrofitting.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
