Behavioral Health Compliance: 42 CFR Part 2 + HIPAA Together
8 min read · Last reviewed May 23, 2026
Behavioral health practices that diagnose or treat substance use disorder are subject to SAMHSA's 42 CFR Part 2 framework on top of HIPAA. The February 16, 2024 final rule aligned Part 2 with HIPAA on consent structure, breach notification, and enforcement, but Part 2's heightened patient-consent and re-disclosure rules remain in force. A general behavioral health practice that also provides SUD diagnosis or treatment lives under both regimes simultaneously.
What 42 CFR Part 2 actually requires for a behavioral health practice
42 CFR Part 2 implements the federal statute at 42 USC § 290dd-2, which protects the confidentiality of substance use disorder patient records held by federally assisted SUD programs. The regulation lives at 42 CFR Part 2.
The threshold question is whether the practice is a "Part 2 program." Under 42 CFR § 2.11, a Part 2 program is an individual or entity, other than a general medical facility, that holds itself out as providing — and provides — SUD diagnosis, treatment, or referral for treatment. Within a general medical facility, an identified unit or staff member who provides SUD diagnosis, treatment, or referral can be a Part 2 program. Federal assistance is interpreted broadly: receipt of Medicare/Medicaid, federal grants, or tax-exempt status all qualify.
The February 16, 2024 final rule made the largest changes to Part 2 since 1987. The headline changes:
- Single consent for all future TPO uses. A patient can now sign one consent authorizing all future treatment, payment, and healthcare operations uses, much like HIPAA. 42 CFR § 2.31 was rewritten to support this.
- HIPAA-aligned breach notification. Part 2 incorporates 45 CFR §§ 164.400–414 for breach response.
- Enforcement aligned with HIPAA. HHS now uses the HIPAA enforcement structure for Part 2 violations, including the civil money penalty tiers at 45 CFR § 160.404.
- Patient rights aligned with HIPAA. Right of access, right to an accounting of disclosures, and right to request restrictions now mirror HIPAA mechanics.
- Re-disclosure protections preserved. The 42 CFR § 2.32 prohibition-on-re-disclosure notice still travels with the record.
What general behavioral health practices most often miss: the 2024 rule did not eliminate Part 2 consent. It restructured it. A behavioral health practice that thinks alignment means "Part 2 is now HIPAA" will produce records on a HIPAA-style subpoena and create a violation.
The documents you must maintain
A behavioral-health Part 2 binder should produce on demand:
- Threshold analysis documenting whether the practice (or any unit within it) is a Part 2 program under 42 CFR § 2.11, with reasoning
- Notice of Privacy Practices that addresses Part 2 separately from HIPAA where Part 2 applies
- Part 2-compliant patient consent form under 42 CFR § 2.31, with all required elements (specific persons authorized to disclose, recipient identification, purpose, expiration, signature)
- Prohibition-on-re-disclosure notice template per 42 CFR § 2.32 — produced with every Part 2 disclosure
- Subpoena-and-court-order protocol routing all legal-process requests through counsel before any Part 2 disclosure
- Qualified Service Organization Agreements (QSOAs) for vendors receiving Part 2 records — analogous to but distinct from HIPAA BAAs
- Workforce training records documenting Part 2-specific training in addition to HIPAA training
- Breach response file aligned with 45 CFR §§ 164.400–414 and the practice's Part 2 obligations
- Integrated-record protocols where SUD information is embedded in a broader chart, documenting how Part 2 elements are tagged or segregated
How Part 2 audits actually work
SAMHSA does not conduct routine compliance audits the way OCR does for HIPAA. Part 2 enforcement comes through three channels:
- OCR enforcement. Since the 2024 final rule, OCR handles complaints and breach investigations under both HIPAA and Part 2. Behavioral health practices increasingly see Part 2 issues raised inside OCR letters that originated as HIPAA matters.
- State licensing-board actions. State behavioral health and addiction-treatment licensure programs incorporate Part 2 compliance into their inspection criteria. State boards are far more active inspectors than SAMHSA itself.
- Civil litigation. Patients and former employees file Part 2-based actions, often under state-law privacy frameworks that incorporate the federal standard. The civil discovery process surfaces what the practice actually does.
What we see drive Part 2 enforcement, in order:
- Subpoena-driven disclosures without a Part 2-compliant court order under 42 CFR § 2.61. This is the single most common Part 2 violation we see.
- Consent forms missing required elements at 42 CFR § 2.31(a), particularly the specific designation of who is authorized to disclose and who is authorized to receive.
- Re-disclosure notice missing on records produced to insurers or downstream providers.
- Integrated records where SUD information bleeds through unprotected, particularly in shared EHR systems.
- Vendors processing Part 2 records under a HIPAA BAA only, without a QSOA addressing the 42 CFR § 2.11 requirements.
- Breach response missing the Part 2-specific element (the breach involved SUD records, requiring tailored individual notice content).
Common gaps unique to behavioral health
The patterns we see most often:
- Practices treating Part 2 as superseded by the 2024 final rule. The rule aligned the regimes — it did not collapse them.
- A general behavioral health practice that adds MAT services without re-doing the Part 2 threshold analysis. Adding buprenorphine prescribing often converts a non-Part 2 practice into a Part 2 program.
- Consent forms that comply with HIPAA but miss the Part 2-required elements (designated recipient, expiration date, prohibition-on-re-disclosure statement).
- Re-disclosure notice missing on faxed records sent to specialists, insurers, or PCPs.
- Workforce members trained on HIPAA but not on the specific Part 2 obligations.
- Subpoena response treated as a HIPAA-only process, with records produced before Part 2 counsel review.
- EHR vendors that "support" Part 2 but require manual tagging the practice does not actually perform.
Maintenance cadence
- At intake: Confirm Part 2 status applies, obtain Part 2-compliant consent under 42 CFR § 2.31, document the consent in the chart.
- At every disclosure: Verify the consent covers the recipient and purpose; attach the prohibition-on-re-disclosure notice.
- At every legal-process request: Route to counsel before any production. Subpoena alone is not authority for Part 2 records.
- Monthly: Sample disclosure log for prohibition-on-re-disclosure notice attachment.
- Quarterly: Review vendor list for QSOA coverage; verify Part 2-receiving vendors are signed up.
- Annually: Re-affirm the Part 2 threshold analysis. Refresh workforce Part 2 training. Review the 2024 final rule alignment status — SAMHSA and HHS continue to publish sub-regulatory guidance.
- On every service-line change: New service line (MAT, residential, IOP) triggers a new threshold analysis. Document.
State preemption to watch
State substance-use confidentiality laws often layer additional protections on top of Part 2:
- California: Welfare and Institutions Code § 5328 protects mental health records broadly; the Lanterman-Petris-Short Act adds specific consent and disclosure rules. CMIA covers SUD records in addition.
- New York: Mental Hygiene Law § 33.13 restricts disclosure of mental health and SUD records, with stricter authorization requirements than HIPAA in many scenarios.
- Texas: HB 300 covers SUD records; Texas Occupations Code Chapter 611 governs mental health records confidentiality with state-specific consent elements.
- Massachusetts: Mental health and SUD records protected under M.G.L. c. 123 and c. 111B, with state-specific subpoena-response procedures.
- Florida: F.S. § 394.4615 covers mental health records; SUD records additionally fall under Part 2's federal floor.
The general rule: state law applies where it is more stringent than federal Part 2. Many state laws are stricter on subpoena response, family-member access, and minor consent. Part 2 alone is rarely sufficient.
How d3rx fits
The d3rx compliance binder includes a behavioral health section that names the Part 2 threshold analysis, the 42 CFR § 2.31-compliant consent template, the prohibition-on-re-disclosure notice, the QSOA template, and the subpoena-response protocol. The binder is source-grounded — each element traces to the federal CFR or state statute. See the compliance binder overview for how the behavioral health section integrates with HIPAA and OSHA.
D3rx compliance guides are administrative documentation aids. They do not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program.
Step 1 · Get the binder
Get the d3rx compliance binder for your practice
Pre-filled to address the gaps this guide covers — Behavioral Health Compliance: 42 CFR Part 2 + HIPAA Together. We will email you the section preview and your binder intake link.
No PHI required. We use your email to send the binder preview and intake link only.
Frequently asked
Does Part 2 apply to my general behavioral health practice, or only to addiction-treatment programs?
Part 2 applies to a 'Part 2 program' as defined at [42 CFR § 2.11](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-A/section-2.11) — an entity that holds itself out as providing, and provides, substance use disorder (SUD) diagnosis, treatment, or referral for treatment, and receives federal assistance. A general behavioral health practice that does not hold itself out as providing SUD treatment is not a Part 2 program. A clinician who diagnoses SUD as part of broader practice may still create records that become Part 2 records if the practice meets the federal assistance and holding-out tests. Read the definition closely.
Did the 2024 final rule eliminate the need for separate Part 2 consent?
No. The [February 16, 2024 final rule](https://www.federalregister.gov/documents/2024/02/16/2024-02905/confidentiality-of-substance-use-disorder-sud-patient-records) aligned Part 2 with HIPAA on many fronts but preserved the patient-consent requirement for disclosure of Part 2 records. The change is that a single consent can now authorize all future uses for treatment, payment, and healthcare operations, similar to the HIPAA TPO framework. Before the 2024 rule each disclosure typically required its own consent.
Can I share Part 2 records with a HIPAA-covered entity?
Yes, with patient consent under [42 CFR § 2.31](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-C/section-2.31). For a single consent that authorizes future treatment, payment, and health care operations (TPO) uses by a HIPAA covered entity, business associate, or health plan, [42 CFR § 2.31(a)(4)(iii)](https://www.ecfr.gov/current/title-42/part-2/section-2.31) lets the receiving HIPAA-regulated entity redisclose the records as permitted by the HIPAA Privacy Rule — *except* for use or disclosure in a civil, criminal, administrative, or legislative proceeding against the patient (which still requires a court order under § 2.64–§ 2.65). The [42 CFR § 2.32](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-C/section-2.32) prohibition-on-redisclosure notice still attaches to the original disclosure, but downstream TPO redisclosures by the HIPAA-regulated recipient follow HIPAA, not a blanket Part 2 re-disclosure bar.
What does the Part 2 breach notification framework look like after the 2024 rule?
The 2024 final rule applied the HIPAA Breach Notification Rule at [45 CFR §§ 164.400–414](https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D) to Part 2 records. A breach of Part 2 records now follows the same individual-notice (60 days), media-notice (500+ in a state), and HHS-notice timelines as a HIPAA breach. Before 2024, Part 2 had no parallel breach notification structure.
If I get a subpoena for Part 2 records, can I produce them?
Not on a subpoena alone. [42 CFR § 2.61](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-E/section-2.61) requires a court order issued under the standards at [42 CFR § 2.64](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-E/section-2.64) or [§ 2.65](https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-E/section-2.65) before Part 2 records can be disclosed for litigation. A subpoena without a Part 2-compliant court order is not sufficient authority. This is the most common Part 2 mistake — practices treating a subpoena like a HIPAA subpoena and producing records they should not.
Does Part 2 apply to electronic medication-assisted treatment (MAT) records?
Yes. Records of methadone, buprenorphine, and naltrexone treatment provided by a Part 2 program are Part 2 records regardless of medium. The 2024 final rule clarified Part 2 application to integrated records: when SUD information is embedded in a broader medical record at a non-Part 2 entity, the SUD-specific entries retain Part 2 protections.
Turn this into a review-ready binder
The Security Risk Analysis is where this guide becomes documentation you can actually hand to a reviewer — assembled into one review-ready binder. Source-grounded, citation-linked, and explicit about what it does and does not do.
Editorial process. This guide was drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and edited by the D3rx team for restraint and source fidelity. A named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged to verify citations — see the team page for status. Until that reviewer engagement is finalized, this page does not claim credentialed review.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, CMS, the Code of Federal Regulations, NIST, and state regulators.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 42 CFR Part 2https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
- 42 CFR § 2.11https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-A/section-2.11
- February 16, 2024 final rulehttps://www.federalregister.gov/documents/2024/02/16/2024-02905/confidentiality-of-substance-use-disorder-sud-patient-records
- 42 CFR § 2.31https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-C/section-2.31
- 45 CFR §§ 164.400–414https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-D
- 45 CFR § 160.404https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-D/section-160.404
- 42 CFR § 2.32https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-C/section-2.32
- 42 CFR § 2.61https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2/subpart-E/section-2.61
- Welfare and Institutions Code § 5328https://leginfo.legislature.ca.gov/faces/codes_displaySection.xhtml?lawCode=WIC§ionNum=5328
- Mental Hygiene Law § 33.13https://www.nysenate.gov/legislation/laws/MHY/33.13
Sources verified as of May 23, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
Related across the archive
- SRAHIPAA Risk Analysis for a Mental Health PracticeWhat therapists, psychologists, and psychiatry practices need in a HIPAA Security Risk Analysis, including the psychotherapy notes carve-out at 45 CFR 164.501 and 164.508(a)(2).
- ComplianceOCR Investigation Letter: Your 30-Day Response PlaybookReceived an OCR HIPAA investigation letter? The first 30 days set the trajectory. Confirm the docket, freeze logs, route through counsel, and produce a tabbed response.
- SRAThe HIPAA Breach Notification Rule, ExplainedThe four-factor risk assessment at 45 CFR 164.402, the 60-day individual notice clock at 164.404, the HHS/media notice paths, and the small-practice annual report under 164.408(c).
- SRAHIPAA Policies and Procedures: What a Small Practice Actually NeedsWhat 45 CFR 164.316 and 164.530(i) require for HIPAA policies and procedures, the minimum set a small practice should maintain, and how to keep them current without bloat.
- Glossary42 CFR Part 2 (SUD Records)Federal regulation providing heightened confidentiality protection for substance use disorder treatment records.
- CompliancePsychiatry Compliance: Controlled Substances + 42 CFR Part 2 + TelepsychiatryDEA controlled-substance prescribing, 42 CFR Part 2 SUD confidentiality, the DEA/HHS fourth temporary telemedicine extension through December 31, 2026, and the documentation surveyors actually sample first.
- RegulationHIPAA Authorization Requirements (45 CFR 164.508)Required elements and statements for a valid HIPAA authorization, plus the prohibition on combining authorizations with other documents in most circumstances.
- BillingWhat to Do When a Payer Says You're UnderbillingGot a letter saying you're underbilling? Here's what it actually means, whether you should worry, and what action to take.