42 CFR Part 2
Confidentiality of Substance Use Disorder Patient Records
Federal regulations providing stricter privacy protections for substance use disorder (SUD) treatment records than HIPAA. Essential for behavioral health and addiction treatment apps.
SAMHSA — 42 CFR Part 2
Up to $500 per first offense, $5,000 per subsequent offense
2 to 4 months for 42 CFR Part 2 compliance on top of HIPAA
Generated code includes SUD data segregation, consent management, and re-disclosure restrictions
42 CFR Part 2 protects the confidentiality of substance use disorder (SUD) patient records maintained by federally assisted programs. These protections are stricter than HIPAA — SUD records cannot be re-disclosed without explicit patient consent, and they require specific consent forms that go beyond standard HIPAA authorizations. In 2024, SAMHSA finalized major updates aligning Part 2 more closely with HIPAA while maintaining core SUD protections. Any mental health or behavioral health app that handles addiction or substance abuse data must comply with both HIPAA and 42 CFR Part 2.
What It Covers
Patient consent for disclosure — written, specific, revocable consent required for any SUD data sharing
Prohibition on re-disclosure — recipients cannot share SUD data further without new consent
Restrictions on use in legal proceedings — SUD records cannot be used to investigate or prosecute patients
Audit and accounting requirements — track all disclosures of SUD information
Qualified Service Organization Agreements (QSOAs) — similar to BAAs but for SUD programs
Penalties & Enforcement
Criminal penalties: up to $500 for first offense, $5,000 for subsequent offenses
HIPAA penalties also apply to the underlying health data
Loss of federal funding for non-compliant programs
Civil lawsuits from patients whose SUD records were improperly disclosed
Reputational damage in the behavioral health community
How VertiComply Helps
Separate consent management for SUD data (beyond standard HIPAA consent)
Re-disclosure restriction enforcement in generated code
Segregated data storage patterns for SUD records
QSOA documentation templates
Audit trail specifically tracking SUD data disclosures
Frequently Asked Questions
When does 42 CFR Part 2 apply?
When your app handles substance use disorder treatment records from a federally assisted program. This includes most addiction treatment centers, many behavioral health clinics, and apps that track substance abuse treatment.
How is 42 CFR Part 2 different from HIPAA?
Part 2 is stricter — it requires explicit written consent for any disclosure (HIPAA allows treatment/payment/operations exceptions). Part 2 also prohibits re-disclosure and restricts use in legal proceedings.
Build 42 CFR Part 2-compliant from day one
VertiComply generates production-ready code with 42 CFR Part 2 safeguards built in automatically.
Quick Facts
Region: United States
Category: Healthcare
Max Penalty: Up to
Manual Timeline: 2 to 4 months
With VertiComply: Minutes