December 8, 2022

Aligning 42 CFR Part 2 with HIPAA: A Work in Progress

Some of you may be familiar with an esoteric regulation called 42 CFR Part 2 (Part 2), which governs the confidentiality of patient records for the treatment of substance use disorder (SUD). Part 2 in general covers SUD treatment or rehabilitation programs, employee assistance programs, programs within general hospitals, school-based programs, and clinicians who “provide substance use disorder diagnosis, treatment, or referral for treatment.” Clinicians who work in these Part 2 “programs” are subject to this regulation—and this includes you as emergency physicians who work in emergency departments (a court case from 1989 found that in general, an “emergency room” qualifies as a Part 2 program).

Over the years, one of the major policy debates around 42 CFR Part 2 has been whether this regulation should be modified to align more closely with the Health Insurance Portability and Accountability Act (HIPAA). Under 42 CFR Part 2 requirements, the sharing of medical records for patients seeking treatment for SUD requires patient consent except under limited circumstances, including bona fide medical emergencies. Conversely, under HIPAA, health care “providers” and other “covered entities” can use protected health information about a patient for treatment, payment, or health care operations without the patient’s consent. Many stakeholders believe that that these inconsistent rules between Part 2 and HIPAA create barriers to information sharing by patients and clinicians.

During the last Administration in 2019/2020, the U.S. Department of Health and Human Services (HHS) made a number of changes to the Part 2 reg in order to modernize the outdated regulation. At that time, however, HHS made it abundantly clear that while the Department wanted to more closely align 42 CFR Part 2 with HIPAA, it did not have the legal authority to do so, and congressional action was necessary.

Well, Congress listened… mostly. In March 2020, Congress passed the Coronavirus Aid, Relief, and Economic Security (CARES) Act, which includes a provision that aligns certain Part 2 requirements more closely to HIPAA. Specifically, the provision (section 3221 of the law) modifies Part 2 by permitting uses and disclosures for treatment, payment, or health care operations and establishing certain patient rights with respect to patients’ Part 2 records. Section 3321 also restricts the use and disclosure of Part 2 records in legal proceedings and set civil and criminal penalties for violations. Finally, section 3221 requires HHS to modify the Notice of Privacy Practices requirements so that HIPAA covered entities and Part 2 programs provide notice to individuals regarding privacy practices related to Part 2 records, including patients’ rights and uses and disclosures that are allowed or required without authorization.

However, like most complicated policies, even after Congress passed this law, it took a long time for HHS to figure out how to implement it—and the Department just issued a proposed regulation last week to carry out this provision.

Some of the major proposals in the newly issued proposed reg include:

  • Permitting the use and disclosure of Part 2 records based on a single patient consent given once for all future uses and disclosures. That way, patients do not need to give their consent every time they agree to share their information.
  • Permitting re-disclosure of Part 2 records in any manner permitted by the HIPAA Privacy Rule, with certain exceptions.
  • Creating new patient rights under Part 2 to obtain an accounting of disclosures and to request restrictions on certain disclosures, as also granted by the HIPAA Privacy Rule.
  • Expanding prohibitions on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings.
  • Creating new HHS enforcement authority, including the imposition of civil money penalties for violations of Part 2.
  • Updating breach notification requirements to HHS and affected patients.
  • Updating HIPAA Privacy Rule Notice of Privacy Practices requirements to address uses and disclosures of Part 2 records and individual rights with respect to those records.

As stated earlier, the Part 2 regulation includes an exemption for medical emergencies, during which time, disclosures of SUD treatment records are permitted without patient consent. While medical emergencies most often refer to individual life-threatening conditions that require immediate medical attention, this exemption also includes major disasters. The newly issued proposed reg does not make any changes to this exception but does require that patients experiencing medical emergencies receive a Notice of Privacy Practices “as soon as reasonably practicable after the emergency treatment situation.”

HHS is seeking comments from the public on all aspects of the proposed reg, and comments are due on January 31, 2023. The Department still needs to issue a final reg after it has a chance to sort through the public comments and the final policies will be effective 60 days after the final reg is issued. However, HHS plans to provide a 22-month compliance buffer to give entities subject to the final reg enough time to establish and implement all the final policies and practices. The Department requests comment on whether the 22-month compliance period is an appropriate length of time and whether there are any benefits or unintended adverse consequences of a shorter or longer compliance period.

Overall, ACEP recognizes that the 42 CFR Part 2 requirements are confusing to those of you who provide treatment to patients with SUD. We are still reviewing this proposed reg to see if it provides the needed clarity to help you better serve your patients. In the meantime, we would love to hear your thoughts on the reg! If you have any comments or feedback, please send them to me at

Until next week, this is Jeffrey saying, enjoy reading regs with your eggs!

Want Regs & Eggs delivered fresh? Sign up for our email list.

[ Feedback → ]