Understanding Confidentiality of Substance Use Disorder (SUD) Patient Records or “Part 2”

Part 2 is a federal law (42 U.S.C. 290dd-2 and 42 CFR part 2) that protects the confidentiality of patient records for people receiving services for substance use disorders (SUDs). Part 2 confidentiality rules describe when and how SUD patient records may be used and disclosed. These records are called Part 2 records.

Part 2 rules apply to any federally assisted program that provides SUD diagnosis, treatment, or referral for treatment. These programs are called Part 2 programs. Some Part 2 requirements also apply to people and organizations who receive Part 2 records, such as other health care providers, Qualified Service Organizations (QSOs), HIPAA covered entities and business associates, intermediaries, and investigative agencies.

Confidentiality protections are important because fear of discrimination or legal trouble can deter people from seeking SUD treatment. Part 2 rules establish:

• Limitations on when SUD patient records can be shared - In general, Part 2 programs cannot share any information that would identify someone as having, or having had, a substance use disorder unless Part 2 specifically permits it. With limited exceptions, such as for emergency medical treatment, records may only be shared if the patient gives written consent or there is a court order and subpoena (or similar legal mandate).
• Single consent and redisclosure - Patients can provide a single consent for all future uses and disclosures of Part 2 records for treatment, payment, and health care operations. This is called a “TPO consent.” When an entity that is subject to HIPAA, such as a covered health care provider or a patient’s health plan, receives a Part 2 record with the TPO consent, that entity can share the record again without consent in all the ways that HIPAA allows, except for using the information in legal proceedings against the patient.
• Prohibitions on the use of SUD patient records against a patient - Part 2 prohibits SUD patient records from being used or disclosed in legal proceedings against patients without their consent or a court order and subpoena (or a similar legal mandate). It also establishes requirements for court orders that permit use and disclosure under limited circumstances.

On this page

• Part 2 Law
• Enforcement of Part 2
• Filing a Part 2 Complaint
• Filing a Part 2 Breach Report to the Secretary
• Privacy Notices

Part 2 Law

Federal law protects the privacy of patient records related to substance use disorder. The law applies to federally assisted programs providing education, prevention, training, treatment, rehabilitation, or research for substance use disorder. The law provides safeguards and procedures for using and disclosing Part 2 records, including criteria for court orders to authorize disclosure of SUD records. It also gives the Secretary of Health and Human Services (HHS) the authority to issue regulations.

CARES Act Changes

In 2020, the Coronavirus Aid, Relief, and Economic Security (CARES) Act amended the law. These changes aligned Part 2 more closely with other health privacy laws, including:

• The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy, Breach Notification, and Enforcement Rules.
• The Health Information Technology for Economic and Clinical Health (HITECH) Act.

The CARES Act required significant changes to Part 2, including:

• Aligning Part 2 more closely with HIPAA Privacy Rule provisions permitting uses and disclosures of records for treatment, payment, and health care operations.
• Establishing certain patient rights with respect to their Part 2 records consistent with provisions of the HITECH Act.
• Further restricting the use and disclosure of Part 2 records in legal proceedings against a patient.
• Applying civil and criminal penalties for violations.
• Adding breach notification requirements.

2024 Part 2 Final Rule

In 2024, HHS published a final rule updating 42 CFR part 2 as required by the CARES Act. The Final Rule has been effective since April 16, 2024, and compliance was required by February 16, 2026.

• Read the Final Rule Fact Sheet
• Read the Final Rule
• View the Final Rule Webinar Video

The modifications in this final rule reflect the proposals published in the December 2, 2022, Notice of Proposed Rulemaking (NPRM) and public comments.

• Read the NPRM Fact Sheet
• Read the NPRM
• Read Public Comments on the NPRM

Delegation of Authority

On August 25, 2025, the HHS Secretary delegated to the Director of the Office for Civil Rights (OCR) the authority to administer and enforce Part 2. 

Read the Federal Register Notice Delegation of Authority.

Enforcement of Part 2

OCR enforces 42 CFR part 2. OCR seeks voluntary compliance with Part 2 by Part 2 programs, QSOs, lawful holders of Part 2 records, and other persons holding Part 2 records. 

To enforce Part 2, OCR may:

• Conduct compliance reviews.
• Investigate complaints alleging noncompliance with Part 2.

If OCR determines that a violation has occurred, OCR has a range of available remedies, including the imposition of a civil money penalty. 

The enforcement provisions that apply to Part 2 are found in the HIPAA Enforcement Rule at 45 CFR part 160, subparts C, D, and E.

Filing a Part 2 Complaint

Beginning on February 16, 2026, anyone can file a Part 2 complaint. If you believe that a person or organization shared SUD patient records in noncompliance with Part 2, you may file a complaint with OCR.

File a Complaint

Filing a Part 2 Breach Report

Part 2 programs must report breaches of unsecured Part 2 records. If a breach happens, Part 2 programs are required to notify affected individuals, the Secretary of HHS, and in some cases the media.

Learn about breach notification requirements and how to file a breach report to the Secretary.

Privacy Notices

Part 2 programs and HIPAA covered health care providers and health plans must notify individuals about their privacy practices and individuals’ privacy rights.

Part 2 programs are required to provide a notice to patients that includes

• Part 2 confidentiality requirements.
• Patients’ rights related to their Part 2 records.

HIPAA covered health care providers and health plans that create or maintain Part 2 records are required to provide a notice to individuals that includes:

• How the entity may use and disclose Part 2 records.
• The entity’s responsibilities with respect to the records.
• Individuals’ privacy rights.

Part 2 programs that are also HIPAA covered entities are allowed to create a combined notice that meets the requirements of both the HIPAA NPP and the Part 2 Patient Notice.

Model Notices for Professional Use

Programs and covered entities can adapt these model notices by entering their specific information.

• Model Part 2 Patient Notice
• Updated Model HIPAA Notice of Privacy Practices (NPP)