An HHS notice on August 27, 2025 delegated enforcement of 42 CFR Part 2 to the Office for Civil Rights. This authorizes OCR to impose civil money penalties, enter resolution agreements with corrective action plans, and issue subpoenas for testimony and documents as part of compliance work.
OCR is the HHS office that investigates HIPAA violations and resolves cases through corrective action plans and monetary settlements. The delegation means OCR’s familiar HIPAA-style processes now apply to 42 CFR Part 2 enforcement as well. The 2024 Part 2 Final Rule remains the operational baseline.
In this article, we’ll review the changes to 42 CFR Part 2 for substance use disorder (SUD) confidentiality and enforcement. Compliance note: This article is for educational purposes and is not legal advice.
Key Takeaways of OCR’s Enforcement of Part 2 SUD Records
Who enforces 42 CFR Part 2 for Substance Use Disorder (SUD) Privacy?
The Office for Civil Rights (OCR) within HHS enforces 42 CFR Part 2. OCR can impose civil money penalties, negotiate settlements with corrective action plans, and issue subpoenas for compliance investigations.
Do you need patient consent to release Substance Use Disorder (SUD) records under 42 CFR Part 2?
Patients may sign a single consent for treatment, payment, and health care operations. HIPAA covered entities and business associates that receive Part 2 records under this consent can use and redisclose the information consistent with HIPAA.
Do HIPAA breach rules apply to Substance Use Disorder (SUD) 42 CFR Part 2 records?
Yes. The HIPAA Breach Notification Rule applies to incidents involving 42 CFR Part 2 records. Organizations must conduct the four-factor risk assessment and follow notification timelines if a breach occurs.
Who must comply with 42 CFR Part 2?
42 CFR Part 2 applies to federally assisted substance use disorder (SUD) treatment programs and to any “lawful holder” that receives Part 2 records. HIPAA covered entities and business associates must also comply when they hold Part 2 records.
When can organizations disclose Substance Use Disorder (SUD) 42 CFR Part 2 records without consent?
Disclosures without consent are limited to specific circumstances. These include medical emergencies, approved scientific research, audits and evaluations, and de-identified public health reporting.
What are the penalties for violating 42 CFR Part 2?
OCR enforces penalties using HIPAA’s four-tier structure for civil money penalties. The Department of Justice enforces criminal penalties, and State Attorneys General may also bring certain civil actions.
What Is 42 CFR Part 2?
42 CFR Part 2 is the federal privacy rule that protects the confidentiality of substance use disorder (SUD) treatment information. It applies to SUD treatment programs and to any “lawful holder” that later receives those records. This means the protections travel with the information. Congress created these protections to encourage people to seek care without fear of stigma, prosecution, or other harms.
42 CFR Part 2 protects records created by, received, or acquired by a Part 2 program that relate to a patient. This includes diagnosis, treatment, and referral information, billing, emails, voicemails, texts, and any patient-identifying information.
As part of HIPAA, 42 CFR Part 2 generally requires written patient consent before sharing identifiable SUD information. Some exceptions apply, such as medical emergencies, certain research pathways, audits and evaluations, and de-identified public health reporting.
42 CFR Part 2 also sets strict limits on using SUD records in court against a patient. This requires consent or a qualifying court order. A court order authorizes disclosure but does not by itself compel it.
Congress enacted the confidentiality statute to remove barriers to treatment by protecting people from stigma and legal risks, while still allowing appropriate care coordination and oversight. SAMHSA guidance highlights that Part 2 safeguards patient-identifying SUD information and limits its use and disclosure outside the treatment context.

42 CFR Part 2 Coverage and “Lawful Holders”
A “Part 2 program” includes any federally assisted program that provides SUD diagnosis, treatment, or referral. It also includes identified units within general medical facilities and personnel whose primary function is SUD services. Anyone who receives Part 2 records through valid consent or a permitted exception is a “lawful holder.” This also means the Part 2 restrictions continue to apply outside the original program.
Part 2 programs include entities that hold themselves out as providing, and do provide, SUD diagnosis, treatment, or referral, including identified units or personnel in general medical facilities whose primary function is SUD services.
Lawful holders are persons or entities bound by Part 2 because they received Part 2 records via valid consent or a permitted exception; obligations travel with the records. HIPAA covered entities and business associates that lawfully receive Part 2 records under a valid consent may use and redisclose them for TPO under HIPAA, while the proceedings limits still apply.
HIPAA Guides OCR Enforcement for 42 CFR Part 2 Violations
OCR enforces HIPAA and resolves cases through investigations, corrective action, settlements, and civil money penalties when appropriate. HIPAA’s civil and criminal penalty authorities are codified at 42 U.S.C. 1320d-5 and 42 U.S.C. 1320d-6. The HIPAA Breach Notification Rule requires a four-factor risk assessment and timely notifications when applicable.
Highlights of HIPAA enforcement include:
- Civil penalties use a four-tier structure under 45 CFR Part 160, Subpart D; current dollar amounts are published in the HHS CMP table and updated annually under 45 CFR Part 102.
- Criminal penalties for wrongful disclosures are set out in 42 U.S.C. 1320d-6 and are enforced by the Department of Justice.
- State Attorneys General may bring civil actions for HIPAA violations under HITECH.
42 CFR Part 2 starts from a consent-first model, with limited exceptions for emergencies, certain research, audits and evaluations, and specified public health activities using de-identified data.
It also imposes special limits on using SUD records in civil, criminal, administrative, or legislative proceedings against a patient, which require consent or a qualifying court order that meets 42 CFR Part 2 standards; compulsion to disclose requires a subpoena or similar mandate issued in the proceeding.
The 2024 Final Rule: Practical Changes
Patients may sign one consent that permits future uses and disclosures for treatment, payment, and health care operations. HIPAA covered entities and business associates that receive 42 CFR Part 2 records under such a consent may use and redisclose them in line with HIPAA.
42 CFR Part 2 records still may not be used to investigate or prosecute a patient without specific consent or a court order that meets Part 2 standards. Records obtained in audits or evaluations still cannot be used to investigate or prosecute patients without consent or a qualifying order.
Patients can revoke consent at any time by providing a written revocation, as required under 42 CFR § 2.31(a)(6). The revocation applies prospectively and does not undo previous disclosures that relied on this consent.
HHS aligned penalties and breach frameworks so HIPAA’s civil and criminal authorities and the HIPAA Breach Notification Rule apply to incidents involving 42 CFR Part 2 records.
HHS also clarified that segregating or segmenting 42 CFR Part 2 data is not required, though many organizations still flag SUD content for redisclosure and reporting accuracy.
Consent And Notice Requirements Under 42 CFR Part 2
A valid written consent must include the elements listed in § 2.31, such as who may disclose, who may receive, what is disclosed, the purpose, and revocation language.
Each disclosure made with patient consent must include a copy of the consent or a clear explanation of its scope; Part 2 permits an abbreviated redisclosure notice that reads: “42 CFR part 2 prohibits unauthorized use or disclosure of these records.”
SUD counseling notes require a separate, specific consent and are not covered by a general TPO consent. Do not combine a consent for use in proceedings with any other consent.
For court orders and subpoenas, do not use 42 CFR Part 2 records against a patient without specific consent or a court order that meets Subpart E. A Part 2 court order authorizes disclosure but does not compel it; compulsion requires a subpoena or similar mandate in the proceeding. OCR’s subpoena authority supports compliance investigations and does not itself authorize use of records against a patient in court.
42 CFR Part 2 Disclosure Exceptions
Medical emergencies: disclose to medical personnel to meet a bona fide emergency when prior consent cannot be obtained, and document required details after the fact.
Scientific research: programs or lawful holders may disclose to qualified researchers under defined conditions; reports must use data de-identified to HIPAA standards where specified, and data linkages require IRB approval.
Audits and evaluations: disclosures to approved auditors and evaluators are permitted with limits on copying, use, and redisclosure.
Public health: disclosures to public health authorities are permitted when de-identified to 45 CFR 164.514(b) standards.
Statement of Delegation of Authority Changes to Enforcement of 42 CFR Part 2 SUD Record Confidentiality
The August 27 Statement of Delegation of Authority authorizes OCR to carry out enforcement of 42 CFR Part 2 day to day.
The statement gives OCR the following enforcement authorities for 42 CFR Part 2:
- Civil Money Penalties. OCR can assess civil money penalties for violations, using the penalty framework in Section 1176 of the Social Security Act.
- Resolution Agreements and Corrective Action Plans. OCR can resolve issues through negotiated resolution agreements, monetary settlements, and corrective action plans when organizations need to fix problems.
- Subpoenas for Investigations. OCR can issue subpoenas to require witnesses and documents during investigations or compliance reviews related to 42 CFR Part 2.
These changes continue a recent trend toward greater privacy and accountability for medical records related to substance use disorders (SUD).
Background: The CARES Act, HIPAA-Alignment, and Enforcement Needs
Congress set the stage in the CARES Act, enacted on March 27, 2020. Section 3221 amended 42 U.S.C. 290dd-2 to require HHS to align key parts of 42 CFR Part 2 with HIPAA and HITECH.
Those amendments authorized one-time, future-looking TPO consent, allowed HIPAA-consistent redisclosure by covered entities and business associates, applied the HIPAA Breach Notification Rule to incidents involving 42 CFR Part 2 records, and aligned civil and criminal penalties with HIPAA.
The CARES Act also instructed HHS to update the HIPAA Notice of Privacy Practices to address PHI protected by 42 CFR Part 2 and the associated individual rights.
HHS implemented these statutory changes by proposing updates on December 2, 2022, and issuing the final rule on February 16, 2024. The compliance date for this final rule is February 16, 2026.
42 CFR Part 2 and State Laws
42 CFR Part 2 sets a federal baseline for protecting substance use disorder (SUD) records, but it does not replace stricter state confidentiality laws. The regulation states that it does not preempt state laws that provide greater protection than federal requirements.
That means covered entities and lawful holders must evaluate not only 42 CFR Part 2, but also the privacy rules of each state where they operate. Compliance programs should meet the strictest applicable standard, whether federal or state.
Your Next Steps for Compliance
Policies and training: Teach when 42 CFR Part 2 applies, how single TPO consent works, where Part 2 remains stricter than HIPAA, and how OCR compliance subpoenas differ from court orders in proceedings.
Consent and disclosure workflows: Use § 2.31 as your template checklist. For each disclosure with consent, attach the consent or explain its scope and include the abbreviated redisclosure notice text.
EHR/ROI processes: 42 CFR Part 2 does not require data segmentation. Add flags so staff apply the right redisclosure rules and can produce disclosure logs and audit trails quickly.
Incident response: Evaluate incidents involving SUD data under HIPAA’s Breach Notification Rule and document the four-factor risk assessment.
Simplifying HIPAA Compliance with ChartRequest
42 CFR Part 2 carries some of the most protective privacy rules in healthcare. The 2024 Final Rule aligned many requirements with HIPAA, and OCR’s new enforcement role underscores that covered entities, business associates, and lawful holders must take compliance seriously.
ChartRequest makes this easier. With a perfect record for data security and a platform built for compliant record exchange, we remove the friction from handling Part 2 requests.
Whether your organization is a treatment program, a hospital system, or a legal partner handling SUD records, ChartRequest provides the guardrails and audit-ready transparency you need. That way, you can meet your obligations under 42 CFR Part 2 while keeping focus on what matters most: patient care and trust.