Privacy Law in Addiction Treatment
From Behavioral Health Wiki, the evidence-based reference
Overview
The confidentiality of substance use disorder (SUD) treatment records is governed by a unique and unusually stringent legal framework in the United States — a framework that provides protections exceeding those afforded to other types of medical information. This heightened protection reflects a legislative judgment, dating to the early 1970s, that the stigma associated with substance use disorders would deter individuals from seeking treatment unless they were assured that their treatment records would receive extraordinary confidentiality protections.[1]
Two federal frameworks are particularly relevant: 42 CFR Part 2 (the federal regulations governing the confidentiality of SUD treatment records) and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While HIPAA governs the privacy of all protected health information, 42 CFR Part 2 imposes additional, more restrictive requirements specifically for SUD treatment records. Understanding the interaction between these two frameworks — and their practical implications for patients, families, and treatment providers — is essential for anyone involved in the addiction treatment system.
42 CFR Part 2
42 CFR Part 2 (commonly referred to simply as "Part 2") is a set of federal regulations, originally promulgated in 1975 and most recently amended in 2024, that govern the confidentiality and disclosure of patient records maintained in connection with any federally assisted program for the treatment of substance use disorders.[1]
The regulations apply to any program that is federally assisted — a broad category that includes virtually all treatment programs, since federal assistance includes not only direct federal funding but also tax-exempt status, receipt of any federal grants or contracts, and authorization to conduct methadone maintenance treatment. In practice, Part 2 applies to the vast majority of SUD treatment programs in the United States.
Core Protections
Part 2's core prohibition is straightforward: a Part 2 program may not disclose any information that would identify a patient as having (or having had) a substance use disorder or as being (or having been) a patient at the program, except under specific circumstances defined by the regulations. These circumstances include written patient consent (which must meet specific requirements regarding content and form), medical emergencies, court orders (which require a more stringent showing than a standard subpoena), communications within the program or between the program and an entity with direct administrative control, qualified service organization agreements, research (subject to specific conditions), and audit and evaluation activities.[1]
Notably, Part 2's protections are more restrictive than HIPAA in several important respects. Part 2 generally requires written patient consent for disclosures that HIPAA would permit without consent — including disclosures for treatment, payment, and healthcare operations. Part 2 does not include a general exception for judicial proceedings — a court order under Part 2 requires the court to find that there is good cause for the disclosure, applying a balancing test specified in the regulations. And Part 2 includes a prohibition on re-disclosure — when information is disclosed under Part 2, the recipient receives a notice that the information may not be further disclosed without additional authorization.
2024 Amendments
The Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 directed the Department of Health and Human Services to align Part 2 more closely with HIPAA. Final rules implementing this directive were published in 2024, introducing several significant changes. Part 2 programs may now use and disclose Part 2 records for treatment, payment, and healthcare operations purposes based on a single, initial patient consent — eliminating the need for separate consent for each disclosure. However, the prohibition on use of Part 2 records in criminal proceedings against the patient without the patient's consent was retained — maintaining one of Part 2's most distinctive protections.[2]
HIPAA
The HIPAA Privacy Rule establishes national standards for the protection of individually identifiable health information (protected health information, or PHI) held by covered entities and their business associates. Covered entities include health plans, healthcare clearinghouses, and healthcare providers who transmit any health information in electronic form in connection with transactions for which HHS has adopted standards.[3]
HIPAA permits the use and disclosure of PHI for treatment, payment, and healthcare operations without patient authorization. It requires patient authorization for most other disclosures, with exceptions for public health activities, health oversight activities, judicial and administrative proceedings (with appropriate process), law enforcement purposes (under specific conditions), and other specifically enumerated situations. HIPAA also grants patients the right to access their own records, request amendments, receive an accounting of disclosures, and request restrictions on uses and disclosures.
Interaction Between Part 2 and HIPAA
When both Part 2 and HIPAA apply to the same records — as they do for most SUD treatment records — the more restrictive standard governs. This means that Part 2's consent requirements apply even though HIPAA would permit disclosure without consent for treatment, payment, and healthcare operations. The 2024 amendments have reduced but not eliminated this disparity — the requirement for initial written consent under Part 2 remains, even though subsequent disclosures for treatment, payment, and healthcare operations may proceed under that initial consent.[2]
The practical effect of this dual regulatory framework is that SUD treatment records receive more protection than other medical records — a distinction that has both benefits (enhanced privacy protection for a stigmatized condition) and costs (potential barriers to integrated care, difficulty sharing records across treatment providers, and complexity for patients and providers in navigating the consent requirements).
International Frameworks
International treatment introduces additional privacy law complexity. The European Union's General Data Protection Regulation (GDPR) provides a comprehensive framework for the protection of personal data, including health data, within the EU and the European Economic Area. Health data is classified as a "special category" of personal data under GDPR, subject to additional protections including a general prohibition on processing except under specified conditions (explicit consent, necessary for medical treatment, necessary for public health, etc.).[4]
The United Kingdom, following Brexit, has implemented the Data Protection Act 2018, which largely mirrors GDPR provisions for health data. Switzerland's Federal Act on Data Protection (FADP), revised effective September 2023, provides robust data protection requirements that include specific provisions for health data.
For patients receiving treatment internationally, the applicable privacy framework will depend on the jurisdiction where treatment is provided. Swiss programs are subject to Swiss data protection law; UK programs are subject to the Data Protection Act 2018; and programs in EU member states are subject to GDPR. Patients should understand the specific privacy protections available in the treatment jurisdiction and should be aware that these protections may differ from those available under US law.
Practical Implications
For patients, the key practical implication is control: under both Part 2 and HIPAA, patients have the right to control the disclosure of their treatment information. This control is meaningful — properly exercised consent and authorization can ensure that only designated individuals receive treatment information, that the scope of disclosure is limited to what is clinically necessary, and that redisclosure is prohibited. Patients should work with their treatment providers and, where applicable, their legal counsel to ensure that consent documents are carefully drafted to reflect their actual preferences regarding disclosure.
For treatment providers, the dual regulatory framework creates compliance complexity that requires trained privacy officers, robust consent management systems, and staff education. The consequences of non-compliance are significant: HIPAA violations can result in civil monetary penalties up to $1.5 million per violation category per year, and Part 2 violations can result in criminal fines.
For family offices, trust officers, and attorneys, understanding the privacy framework is essential for structuring the financial and administrative aspects of treatment while respecting the patient's legal rights and the treatment program's regulatory obligations. Payment arrangements, communication protocols, and information-sharing agreements should be established in advance of treatment admission, with appropriate legal guidance.
References
[1] Substance Abuse and Mental Health Services Administration. "Confidentiality of Substance Use Disorder Patient Records." 42 CFR Part 2.
[2] Department of Health and Human Services. "Confidentiality of Substance Use Disorder (SUD) Patient Records: Conforming 42 CFR Part 2 to the HIPAA Privacy, Breach Notification, and Enforcement Regulations." Final Rule, 2024.
[3] U.S. Department of Health and Human Services. "Summary of the HIPAA Privacy Rule." Office for Civil Rights.
[4] European Parliament and Council. "Regulation (EU) 2016/679 — General Data Protection Regulation." Official Journal of the European Union, 2016.
Privacy Rights for Minors in Behavioral Health Treatment
Minor patients in behavioral health treatment occupy a complex position under privacy law. Depending on state law and the type of treatment, minors may have the right to consent to their own treatment without parental involvement — and by extension, the right to keep that treatment confidential from their parents.
Most states allow minors to consent to outpatient mental health treatment and substance use counseling without parental consent. When a minor consents to their own treatment, HIPAA generally gives the minor (not the parent) control over that treatment record. This means a parent calling a therapist to ask about their teenager's sessions may be told that the therapist cannot confirm or deny the minor is a patient — which can be jarring for parents who assume they have full access to their child's healthcare information.
42 CFR Part 2, the federal confidentiality regulation governing substance use disorder treatment records, applies to minors in the same way it applies to adults. If a teenager receives substance use disorder treatment from a Part 2-covered program, that treatment record cannot be disclosed to parents without the minor's written consent unless an exception applies (such as a medical emergency). State laws may provide additional protections or, in some cases, require parental notification for minors under a certain age.
For parents navigating this framework: understanding your state's minor consent laws is the starting point. A behavioral health attorney or your state's protection and advocacy organization can clarify exactly what information you are and are not entitled to access for your child. Many clinicians will work collaboratively with families while still honoring the minor's confidentiality rights — family therapy, for example, can involve parents meaningfully without disclosing the content of individual sessions.