Substance Use Disorder Records Receive Confidentiality Protections

A substance use disorder record is among the most sensitive documents in health care. For millions of Americans seeking help for addiction, the act of entering treatment carries a fear that goes beyond withdrawal or relapse; it carries the fear of exposure. Having sensitive information like substance abuse records leaked can affect employment, custody, housing, and whether someone ever dares to seek help in the first place. Federal law has long recognized this reality. Thus, the legal framework protecting these records has grown increasingly robust over the past several decades.

At its core, the federal confidentiality scheme rests on two interlocking pillars:

  1. The statutory authority at 42 U.S.C. § 290dd-2

  2. Its implementing regulations at 42 CFR Part 2

Together, these provisions govern how substance use disorder patient records may be used, disclosed, and protected. The CARES Act of 2020 (Section 3221) significantly modernized this framework, aligning it more closely with the HIPAA Privacy Rule while preserving and, in key respects, strengthening the heightened protections that distinguish Part 2 from standard health information privacy law.

How 42 CFR Part 2 Protects Substance Use Disorder Records

The statutory backbone of SUD confidentiality protections is 42 U.S.C. § 290dd-2, which requires that any substance use disorder record maintained in connection with a federally assisted program be kept confidential and disclosed only under expressly authorized circumstances. The U.S. Department of Health and Human Services translates that mandate into operational rules through 42 CFR Part 2, which applies to any “Part 2 program,” defined as a federally assisted program that provides SUD diagnosis, treatment, or referral for treatment.

Notably, the reach of Part 2 is broad. A program is “federally assisted” if it receives any form of federal funding, holds a DEA registration to dispense controlled substances in SUD treatment, or participates in Medicare or Medicaid. This means the vast majority of addiction treatment facilities, opioid treatment programs, and many hospital-based SUD units are covered. Importantly, the protections extend to “lawful holders”. For this purpose, “lawful holders” include any person or entity that receives a Part 2 record, meaning the obligations travel with the record.

The scope of records covered is equally comprehensive. A substance use disorder record under Part 2 includes:

  • Any information identifying a patient as having or having had a SUD, including diagnosis, treatment, and referral details.

  • Billing records, emails, voicemails, and texts created by or received by a Part 2 program relating to a patient.

  • SUD counseling notes, which receive an additional layer of protection and require separate, specific patient consent before disclosure.

  • Records of both current and former patients. The protections do not expire when treatment ends.

This last point is particularly significant: health information privacy rights under Part 2 persist indefinitely. Unlike some privacy regimes that lapse with the end of a treatment relationship, a patient’s confidentiality rights in their SUD records remain enforceable for the remainder of their life.

When Substance Use Disorder Record Disclosure Is Permitted Under Part 2

The general rule under Part 2 is strict: A Part 2 program cannot share any information that would identify someone as having or having had a substance use disorder unless specifically permitted by the regulations. With limited exceptions, disclosure requires either the patient’s written consent or a court order accompanied by a subpoena or similar legal mandate. This standard is more protective than HIPAA, which allows broader disclosures without patient authorization in many treatment, payment, and operations contexts.

The CARES Act Section 3221 introduced a “single consent” mechanism that brought meaningful operational flexibility. A patient may now provide one written consent covering all future uses and disclosures for treatment, payment, and health care operations. This is referred to as a “TPO consent.”

When a HIPAA-covered entity receives a Part 2 record under a valid TPO consent, it may redisclose the record as permitted by HIPAA. However, there is one critical carve-out: The information may never be used against the patient in civil, criminal, administrative, or legislative proceedings without separate authorization.

Outside of consent, Part 2 permits a narrow set of disclosures without patient authorization:

  • To medical personnel during a bona fide medical emergency;

  • To qualified researchers, auditors, or evaluators (in de-identified or controlled form);

  • To public health authorities using de-identified information; and

  • For use in limited law enforcement contexts involving crimes on program premises.

Critically, even a valid court order does not automatically compel disclosure; it only removes the prohibition. A separate subpoena or legal mandate is required to actually compel production. This dual-step requirement reflects Congress’s deliberate effort to build meaningful procedural barriers around the most sensitive category of health information.

HIPAA Privacy Rule Alignment, Enforcement, and Breach Notification Requirements

One of the most significant changes brought by the 2020 CARES Act amendments and the 2024 revised regulations was a deliberate alignment with the HIPAA Privacy Rule. The updated Part 2 framework borrows HIPAA’s definitions, enforcement mechanisms, and breach-notification requirements, creating a more unified system for behavioral-health record confidentiality.

On the enforcement side, the revised rules replaced the old criminal fine structure with a tiered civil penalty framework under HIPAA. This means that violations of Part 2 are now subject to HIPAA civil penalties administered by the HHS Office for Civil Rights (OCR). OCR enforcement activity has been increasing, and with OCR enforcement in 2026 expected to continue focusing on behavioral health and SUD records, covered entities and their business associates should treat Part 2 compliance as a core component of their privacy programs.

Breach notification requirements now apply to Part 2 programs in the same manner they apply to HIPAA-covered entities for unsecured protected health information. If a Part 2 program experiences a breach of unsecured SUD records, it must notify affected patients, HHS, and, in the case of a large breach, the media (as required by HIPAA).

Moreover, programs must maintain formal written security policies and procedures that address both paper and electronic records. Failure to do so is itself a violation.

The antidiscrimination provisions added by the CARES Act go further still. Notably, no entity may discriminate against an individual based on information received through any inadvertent or intentional disclosure of a substance use disorder record. “Entities” encompass employers, housing providers, and benefit programs.

What These Protections Mean for Patients and When to Seek Legal Help

The legal framework protecting substance use disorder patient records represents one of the most robust privacy regimes in American health law. The combination of 42 U.S.C. § 290dd-2, 42 CFR Part 2, and the HIPAA Privacy Rule creates overlapping layers of protection. Together, these are designed to ensure that the decision to seek SUD treatment does not result in patient discrimination, prosecution, or stigma. Furthermore, these protections are enforceable federal law, backed by civil penalties and private rights of redress.

If you or someone you know has had a substance use disorder record unlawfully disclosed, that disclosure may constitute a federal violation with serious legal consequences for the disclosing party. If protected information was used against a patient in a legal or administrative proceeding without proper consent or a valid court order, that too may be actionable.

The civil rights law firm of O’Malley & Madden, P.C. understands the intersection of civil rights law and health information privacy rights. With our clients, we stand committed to holding institutions accountable when they violate the legal protections that patients depend on. If you believe your rights under Part 2 or HIPAA have been violated, please consult with an attorney at O’Malley & Madden, P.C.

Rick Young
