
42 CFR Part 2: A Practical Compliance Guide

Substance use disorder records carry stricter privacy requirements than standard PHI. Here's what your EMR should do automatically, and what you still need to verify.

What 42 CFR Part 2 actually is

42 CFR Part 2 is a federal regulation that governs the confidentiality of records created by federally assisted substance use disorder treatment programs. It predates HIPAA by more than two decades and applies stricter rules to a narrower category of records: information about diagnosis, treatment, or referral for a substance use disorder, held by a Part 2 program.

The 2024 final rule aligned several Part 2 requirements with HIPAA, including allowing a single patient consent to authorize uses for treatment, payment, and healthcare operations. Even with that alignment, Part 2 is still meaningfully more restrictive than HIPAA, and the consent form itself has specific required elements.

What your EMR should automate

A Part 2 consent form has required elements: the patient's name, who is allowed to disclose, who is allowed to receive, the purpose of the disclosure, the amount and kind of information to be disclosed, an expiration date or event, the patient's signature and date, and a statement of the patient's right to revoke. An EMR built for behavioral health should produce a compliant consent record by structure, not by a clinician remembering to fill in every field.

The other half is handling re-disclosure. Any chart or document that originated from a Part 2 program and is shared under a consent must carry a notice prohibiting re-disclosure without further patient consent. A purpose-built EMR will attach that notice automatically to anything exported, faxed, or printed from a Part 2 chart.

Tracking is the last piece. Consents have recipients, purposes, and expirations. Revocations are a permanent event. A clinician viewing a chart should be able to see, at a glance, who currently has authorized access and when each authorization expires, without leaving the patient record.
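As an added illustration, not code from this post or from any EMR product, here is a small Python model of the three behaviours just described: a consent record that is complete by structure, an at-a-glance view of who currently has authorized access, and an export path that always carries the re-disclosure notice. The field names and the placeholder notice text are assumptions; the real notice wording comes from the regulation.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Constructed placeholder: the actual notice wording comes from the regulation, not this example.
REDISCLOSURE_NOTICE = "[PLACEHOLDER: Part 2 prohibition-on-redisclosure notice]"

# The required consent elements listed above, as record fields (field names are assumptions).
REQUIRED_ELEMENTS = ("patient_name", "discloser", "recipient", "purpose",
                     "information_scope", "expiration", "signed_on", "revocation_statement")

def missing_elements(fields: dict) -> list:
    """Return the required elements that are absent or blank in a proposed consent."""
    return [k for k in REQUIRED_ELEMENTS if not fields.get(k)]

@dataclass
class Part2Consent:
    patient_name: str
    discloser: str           # who is allowed to disclose
    recipient: str           # who is allowed to receive
    purpose: str
    information_scope: str   # amount and kind of information to be disclosed
    expiration: str          # ISO date; an event-based expiry would need a separate field
    signed_on: str           # ISO date of the patient's signature
    revocation_statement: str
    revoked_on: Optional[str] = None

    def __post_init__(self):
        # Compliant by structure: the record cannot exist with a required element missing.
        missing = missing_elements(self.__dict__)
        if missing:
            raise ValueError(f"consent missing required elements: {missing}")
        if date.fromisoformat(self.expiration) < date.fromisoformat(self.signed_on):
            raise ValueError("expiration precedes signature date")

    def is_active(self, on: str) -> bool:
        """Authorization holds between signature and expiration, and never on or after revocation."""
        d = date.fromisoformat(on)
        if self.revoked_on and d >= date.fromisoformat(self.revoked_on):
            return False
        return date.fromisoformat(self.signed_on) <= d <= date.fromisoformat(self.expiration)

def authorized_recipients(consents, on: str) -> list:
    """The at-a-glance view: who currently has authorized access and when it ends."""
    return [(c.recipient, c.expiration) for c in consents if c.is_active(on)]

def export_chart(consent: Part2Consent, body: str, on: str) -> str:
    """Every export under a consent carries the notice; without an active consent, nothing leaves."""
    if not consent.is_active(on):
        raise PermissionError("no active consent covers this export")
    return body + "\n\n" + REDISCLOSURE_NOTICE
```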

What you still need to verify yourself

Part 2 status is a determination, not a checkbox. Whether your program qualifies as a Part 2 program depends on federal assistance, the way your program holds itself out, and what services you provide. No software can decide that for you.

Subpoenas, court orders, and law enforcement requests have specific carve-outs and required procedures under Part 2 that differ from HIPAA. When a request arrives, route it to counsel rather than to whatever workflow your EMR happens to support.

Finally, audit your own behavior. The strongest configuration in the world will not protect a chart that gets emailed to an unverified address or printed and left in a waiting room. The technical controls keep you compliant when staff follow them; staff training is what makes the technical controls actually work.

The takeaway

Part 2 is workable. The rules are knowable, the consent format is defined, and a behavioral-health-native EMR can handle the mechanics so your clinical staff focus on care. The job is to pick a system where compliance is the default, then build the human routines around the cases the software cannot decide for you.