HIPAA Vs 42 CFR Part 2: Which Regulations Actually Apply to Your SUD Program?

  • kaylarojas
  • Feb 19
  • 6 min read

If you're running a substance use disorder program, you've probably asked yourself this question at least a dozen times: "Wait, which privacy law am I actually supposed to follow here?"

You're not alone. The intersection of HIPAA and 42 CFR Part 2 has confused even the most experienced compliance professionals. And here's what makes it particularly tricky: some SUD programs need to follow Part 2, some need to follow HIPAA, and some need to follow both. Getting it wrong isn't just an academic problem; it's a compliance risk that can result in penalties ranging from $25,000 to $1.5 million.

We specialize in navigating these exact regulatory crossroads, and we're here to help you cut through the confusion. Let's break down exactly which regulations apply to your program and how to stay compliant with both.

Understanding the Foundation: What Each Regulation Actually Covers

42 CFR Part 2 is the more specialized regulation. It was created specifically to protect the privacy of individuals seeking treatment for substance use disorders. The goal? Remove barriers to treatment by ensuring that SUD records remain confidential and protected from unauthorized disclosure, even from other healthcare providers.

HIPAA (the Health Insurance Portability and Accountability Act), on the other hand, is the broader healthcare privacy law. It applies to covered entities (healthcare providers, health plans, and healthcare clearinghouses) and protects all protected health information (PHI), not just SUD-related records.

The critical distinction: Part 2 offers more stringent protections for SUD treatment records than HIPAA provides for general medical records.

[Image: HIPAA and 42 CFR Part 2 regulatory binders side by side on a healthcare office desk]

When Does 42 CFR Part 2 Actually Apply to Your Program?

Part 2 applies to federally assisted SUD treatment programs. Let's unpack what "federally assisted" means in practical terms.

Your program is subject to Part 2 if:

✅ You're licensed or certified to provide SUD diagnosis, treatment, or referral for treatment
✅ You receive any form of federal assistance

And here's where it gets broader than most people think. "Federal assistance" includes:

  • Medicare or Medicaid reimbursement for SUD services

  • Substance Abuse Prevention and Treatment (SAPT) block grant funds

  • Federal grants or contracts for SUD services

  • Tax-exempt status (IRS 501(c)(3)) if you receive any other federal support

  • Participation in federal programs like the VA or Indian Health Service

The bottom line: If you're a licensed SUD treatment provider accepting Medicaid or Medicare for substance use services, you're almost certainly subject to Part 2, regardless of whether you consider yourself a "specialized" SUD program.

When Does HIPAA Apply to Your SUD Program?

HIPAA applies if your organization qualifies as a covered entity or business associate.

You're a HIPAA covered entity if you:

✅ Conduct electronic healthcare transactions (like billing insurance electronically)
✅ Operate as a healthcare provider, health plan, or healthcare clearinghouse
✅ Transmit any health information in electronic form in connection with HIPAA-standard transactions

Here's what surprises many SUD program operators: Not all Part 2 programs are automatically HIPAA covered entities. A small, cash-only counseling practice that doesn't bill insurance electronically might be subject to Part 2 but not HIPAA.

Conversely, a large hospital system providing SUD treatment alongside general medical services would be subject to both HIPAA (as a covered entity) and Part 2 (for its federally funded SUD services).

[Image: Healthcare compliance review showing an SUD program regulatory decision-making process]

The Overlap Zone: When Both Regulations Apply

If you're running an integrated healthcare facility or a behavioral health organization that treats both SUD patients and other conditions while accepting federal funding, congratulations, you're playing compliance on hard mode. You need to follow both Part 2 and HIPAA.

When both apply, here's the rule: The more stringent requirement wins.

In most cases, Part 2 is more protective than HIPAA, so you'll need to:

  • Obtain specific patient consent before disclosing SUD treatment information (even for treatment purposes)

  • Include prohibition on redisclosure statements on all records

  • Maintain separate privacy protocols for SUD records vs. general medical records

  • Train staff on the differences between Part 2 and HIPAA requirements

Critical Update: The February 16, 2026 Alignment (That Just Went Into Effect)

Here's something you need to know right now: Major changes to Part 2 took effect just three days ago on February 16, 2026. These updates align Part 2 more closely with HIPAA while maintaining its stronger protections for SUD information.

What Changed on February 16, 2026:

✔ Single Consent for TPO
Previously, Part 2 required separate consent forms for every disclosure. Now, programs can use a single consent form covering treatment, payment, and healthcare operations (TPO), similar to HIPAA's general consent. This is huge for workflow efficiency.

✔ De-Identification Standards
Part 2 programs now follow HIPAA's de-identification standard (45 C.F.R. §164.514(b)). This means you can disclose properly de-identified SUD information without patient consent for research, quality improvement, and analytics.

✔ Breach Notification Requirements
All Part 2 programs, even those not previously subject to HIPAA, must now report breaches according to HIPAA Breach Notification Rule requirements. If you experience a breach affecting 500 or more individuals, you must notify HHS, affected individuals, and potentially the media.

✔ Accounting of Disclosures
Part 2 programs must now provide patients with an accounting of all disclosures made with consent for the past three years, matching HIPAA's requirements.

✔ Enhanced Penalties
Don't take these lightly. Civil penalties now range from $25,000 to $1,500,000. Criminal penalties range from $50,000 to $250,000 in fines and/or one to ten years imprisonment for knowing violations.

If your consent forms, policies, and breach procedures haven't been updated to reflect these changes, you're already operating out of compliance.

[Image: Updated Part 2 consent forms and policy documents with a February 2026 calendar]

Key Differences That Still Remain

Despite the alignment, Part 2 maintains several important distinctions from HIPAA:

Consent Revocation
Under Part 2, patients can revoke consent verbally. Under HIPAA, revocations must be in writing. If you're subject to both, you need protocols that handle both scenarios.

Redisclosure Prohibitions
Part 2 requires a prohibition on redisclosure statement on all records shared with third parties. HIPAA doesn't require this. The statement must read: "This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2). The federal rules prohibit you from making any further disclosure of this information unless further disclosure is expressly permitted by the written consent of the person to whom it pertains or as otherwise permitted by 42 CFR Part 2."

No Incidental Use and Disclosure Exception
HIPAA allows for incidental uses and disclosures if reasonable safeguards are in place. Part 2 does not. Every disclosure of Part 2-protected information must be specifically authorized.

Stricter Requirements for Disclosure in Emergencies
While both regulations allow disclosure in medical emergencies, Part 2's definition is narrower and more protective.

How to Determine Which Regulations Apply to Your Program

Use this decision tree to assess your compliance obligations:

Step 1: Do you receive any federal funding for SUD services?
  → Yes? Part 2 applies.
  → No? Continue to Step 2.

Step 2: Are you a HIPAA covered entity?
  → Yes? HIPAA applies.
  → No? You may only be subject to state privacy laws.

Step 3: Do both Part 2 and HIPAA apply?
  → Yes? Follow the more stringent requirements (usually Part 2).

Step 4: Have you updated policies, consent forms, and training to reflect the February 2026 changes?
  → No? You have immediate work to do.

[Image: SUD treatment records and general medical records showing separate compliance requirements]

Practical Next Steps for Compliance

For Programs Subject to Part 2 Only:

  • Update consent forms to utilize the new single TPO consent option

  • Implement HIPAA-style breach notification procedures

  • Train staff on de-identification standards

  • Review and update privacy policies to reflect February 2026 changes

For Programs Subject to Both Part 2 and HIPAA:

  • Create separate workflows for SUD records vs. general medical records

  • Update your Notice of Privacy Practices to address both regulations

  • Implement a dual-consent system when appropriate

  • Train staff on when Part 2's stricter requirements override HIPAA

  • Ensure prohibition on redisclosure statements appear on all Part 2-protected records

For Programs Subject to HIPAA Only:

  • Verify that you truly don't meet Part 2's "federally assisted" definition

  • Document your reasoning for not being Part 2-covered

  • Stay alert: accepting federal funding in the future would trigger Part 2 compliance

You Don't Have to Navigate This Alone

The intersection of HIPAA and Part 2 is complex, and the February 2026 alignment changes add another layer of urgency. Getting it right requires understanding not just the regulations themselves, but how they interact with your specific program structure, funding sources, and service delivery model.

At KBBG Systems, we specialize in helping behavioral health and SUD programs navigate exactly these types of regulatory crossroads. We know the landscape because we've lived in it: working with programs across multiple states to build compliance frameworks that protect your patients, your program, and your peace of mind.

Whether you need help updating your consent forms, training your team on the new requirements, or conducting a comprehensive compliance assessment to determine which regulations actually apply to your program, we're here to help you get it right.

The regulations are complex. Your compliance doesn't have to be.
