Stricter Than HIPAA
Records related to the treatment of substance use disorders (SUD) — including alcohol and drug treatment — are protected by 42 CFR Part 2, a federal regulation that imposes significantly stricter confidentiality requirements than HIPAA. General HIPAA authorizations do NOT permit disclosure of 42 CFR Part 2-protected records. A separate, specific written consent is always required.
1. What Is 42 CFR Part 2?
Title 42 of the Code of Federal Regulations, Part 2 (commonly called "Part 2") is the federal regulation governing the confidentiality of substance use disorder (SUD) patient records. It applies to any program or individual that is federally assisted and provides alcohol or drug abuse diagnosis, treatment, or referral for treatment. Part 2 was substantially revised effective February 16, 2024 (88 FR 81,764) to align more closely with HIPAA while preserving its core stronger protections.
Under Part 2, a "patient record" means any information, whether recorded or not, relating to a patient that is created by or received by a Part 2 program. This includes:
- The patient's identity as someone receiving SUD treatment
- Diagnoses, treatment plans, and progress notes related to SUD
- Test results (including toxicology screens) connected to SUD care
- Any record that could be used to identify someone as having received SUD treatment
2. How MayDay-IC Handles 42 CFR Part 2 Records
During emergency incidents, responders may encounter patients who are receiving or have received substance use disorder treatment. MayDay-IC provides a mechanism for authorized personnel to flag specific patient records as subject to 42 CFR Part 2 protections.
The 42 CFR Part 2 Flag
When a patient record is flagged as 42 CFR Part 2 restricted within MayDay-IC:
- A prominent warning banner is displayed on the patient record
- AI-generated triage recommendations and summaries are suppressed for that record
- Any access to or disclosure of the flagged information is logged in the audit trail
- Responders are prompted with a mandatory acknowledgment before viewing sensitive fields
- The flag and the reason for flagging are encrypted at rest and audit-logged
Permissible Disclosures Without Patient Consent
Under 42 CFR Part 2, disclosure of SUD records without patient consent is permitted only in very limited circumstances:
- Medical Emergency: To medical personnel who need the information to treat a condition that poses an immediate threat to the health of the patient or others, and when the patient is unable to consent due to the emergency. The disclosure must be limited to information necessary for the emergency treatment.
- Research: To researchers who follow specific protections outlined in 42 CFR 2.52.
- Audit and Oversight: To persons performing a program audit or evaluation.
- Court Orders: Under a court order that satisfies strict requirements in 42 CFR 2.61–2.67.
- Reporting of Suspected Child Abuse: Initial reports only; follow-up information remains protected.
Medical Emergency Exception (42 CFR 2.51)
If a patient with a 42 CFR Part 2-flagged record is encountered in an emergency, responders using MayDay-IC may disclose information to treating medical personnel if all three conditions are met:
- There is a bona fide medical emergency.
- The patient's prior informed consent cannot be obtained.
- The information is needed to treat the immediate condition.
MayDay-IC logs this disclosure event in the audit trail with a timestamp and the identity of the disclosing responder. The disclosure must be limited to information necessary for the immediate emergency — past SUD treatment history not relevant to the current emergency remains protected.
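The flag behavior and the three-condition emergency check described above can be sketched as a deny-by-default gate that logs denials as well as grants. This is an added example, not MayDay-IC's code; every class, function and field name in it is hypothetical, and the caller is assumed to supply the list of fields needed for the emergency.

```python
# Illustrative sketch only: all names are hypothetical, not MayDay-IC's API.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class PatientRecord:
    patient_id: str
    part2_flagged: bool
    fields: dict                      # field name -> value
    ai_summary: str = ""

@dataclass
class AuditTrail:
    entries: list = field(default_factory=list)

    def log(self, actor, action, patient_id, outcome, detail=""):
        self.entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action,
            "patient_id": patient_id, "outcome": outcome, "detail": detail,
        })

def view_record(record, responder, acknowledged, audit):
    """Return the viewable record, or None until the acknowledgment is given."""
    if not record.part2_flagged:
        return {"fields": dict(record.fields), "ai_summary": record.ai_summary, "banner": None}
    if not acknowledged:
        audit.log(responder, "view", record.patient_id, "denied", "acknowledgment missing")
        return None
    audit.log(responder, "view", record.patient_id, "allowed", "acknowledged")
    # AI output stays suppressed for flagged records, even after acknowledgment.
    return {"fields": dict(record.fields), "ai_summary": None,
            "banner": "42 CFR Part 2 RESTRICTED"}

def emergency_disclose(record, responder, needed_fields, audit, *,
                       bona_fide_emergency, consent_unobtainable, needed_for_treatment):
    """Release only needed_fields, and only if all three 2.51 conditions hold."""
    conditions = {"bona_fide_emergency": bona_fide_emergency,
                  "consent_unobtainable": consent_unobtainable,
                  "needed_for_treatment": needed_for_treatment}
    failed = [name for name, ok in conditions.items() if not ok]
    if failed:
        audit.log(responder, "emergency_disclosure", record.patient_id,
                  "denied", "unmet: " + ",".join(failed))
        return None
    released = {k: record.fields[k] for k in needed_fields if k in record.fields}
    audit.log(responder, "emergency_disclosure", record.patient_id,
              "allowed", "fields: " + ",".join(sorted(released)))
    return released
```

Logging the names of the released fields rather than their values keeps the audit trail itself from becoming a second copy of the protected record.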
3. Required Patient Consent
Except in the limited circumstances described above, disclosure of 42 CFR Part 2-protected records requires a written consent from the patient that includes all of the following elements (42 CFR 2.31):
- The specific name or general designation of the program(s) permitted to make the disclosure
- The name(s) or title(s) of the individual(s) or organization(s) to whom disclosure is made
- The name of the patient
- The purpose of the disclosure
- How much and what kind of information is to be disclosed
- A statement that the patient may revoke the consent at any time except to the extent that action has been taken in reliance on it, along with an expiration date or event
- The date on which the consent is signed and the signature of the patient or authorized representative
General HIPAA authorizations, release of information forms, and advance directives are not sufficient to authorize disclosure of Part 2-protected records. A separate, specific consent form that meets Part 2 requirements is always required.
4. Prohibition on Re-Disclosure
Any person or organization receiving SUD records pursuant to a Part 2 consent is prohibited from re-disclosing those records unless: (a) further disclosure is expressly permitted by the written consent of the patient, (b) the re-disclosure is in a medical emergency under 42 CFR 2.51, or (c) the re-disclosure is to a qualified service organization under 42 CFR 2.12(c)(4).
All disclosures of Part 2-protected records made through MayDay-IC must include the following statement:
"This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2. A general authorization for the release of medical or other information is NOT sufficient for this purpose. The federal rules restrict any use of the information to criminally investigate or prosecute any alcohol or drug abuse patient."
5. Prohibition on Use in Criminal Proceedings
42 CFR Part 2 records may not be used to initiate or substantiate criminal charges against a patient or to conduct any investigation of a patient. This prohibition applies regardless of how the records were originally obtained. Law enforcement access to Part 2-protected records requires a court order that meets the specific requirements of 42 CFR 2.61–2.67.
6. Breach Notification Under 42 CFR Part 2
42 CFR Part 2 does not contain its own breach notification framework; however, because SUD records also constitute Protected Health Information (PHI) under HIPAA, a breach of Part 2-protected records triggers HIPAA's Breach Notification Rule (45 CFR Part 164, Subpart D) in addition to any applicable state breach notification laws. Given the heightened sensitivity and stigma associated with SUD records, MayDay-IC treats any unauthorized disclosure of Part 2-protected records as a High or Critical severity breach under our Breach Response Plan regardless of the number of individuals affected.
Upon discovering an unauthorized disclosure of 42 CFR Part 2-protected records, MayDay-IC will:
- Immediately notify affected individuals within 24 hours (shorter than the standard 60-day HIPAA window)
- Notify HHS per HIPAA breach notification requirements
- Notify the Substance Abuse and Mental Health Services Administration (SAMHSA) as appropriate
- Preserve all audit logs and access records for law enforcement or regulatory investigation
- Conduct a comprehensive root cause analysis and corrective action
7. Training Requirements
All MayDay-IC personnel and any workforce members who may access 42 CFR Part 2-protected records must receive training on Part 2's requirements. Training covers:
- What records are protected under 42 CFR Part 2
- The difference between HIPAA and Part 2 protections
- When disclosure is and is not permitted
- The prohibition on use in criminal proceedings
- The required re-disclosure notice
- How to use MayDay-IC's 42 CFR Part 2 flag and acknowledgment workflow
Training records are maintained for a minimum of six years. Failure to comply with Part 2 requirements may result in civil and criminal penalties under 42 U.S.C. 290dd-2(f).
8. Penalties for Violations
Violations of 42 CFR Part 2 are a criminal offense under 42 U.S.C. 290dd-2(f). Any person who violates any provision of Part 2, or any regulation issued pursuant to it, shall be fined not more than $500 in the case of a first offense and not more than $5,000 in the case of each subsequent offense. These penalties are in addition to any civil liability or professional sanctions that may apply.
9. Contact
For questions about 42 CFR Part 2 compliance, to report a potential violation, or to request a patient consent form:
Email: info@maydayic.com
For urgent breach concerns:
Email: info@maydayic.com
Blue Beard Solutions Inc.
Privacy & Compliance Officer