Know A Good Doctor? We Do.

Revised SUD Confidentiality Rules—What’s Changed and What Hasn’t.

The federal Substance Abuse and Mental Health Services Administration (SAMHSA) recently revised the confidentiality rules for patients with Substance Use Disorder (SUD), in order to facilitate care coordination among providers. With more revisions expected in early 2021, it is important for medical professionals who work with these patients to be well-versed in these rules.


The regulations governing confidentiality of patient substance use disorder (SUD) treatment records in 42 CFR Part 2 were first enacted in 1975 to address the adverse consequences for individuals with an SUD when their condition or treatment records were disclosed and used against them by law enforcement, employers, or in domestic relations cases. Part 2 protects the confidentiality of any information (recorded or not) concerning the patient’s current or past substance abuse or SUD treatment when the information is created or received by a Part 2 program.

Any individual, group, or facility provider as well as any treatment unit in a healthcare clinic or hospital that holds itself out to the public as providing SUD diagnosis, treatment, or referral for treatment, and that is federally assisted, is a Part 2 program. Federally assisted is broadly defined by Part 2 to include any healthcare provider that participates with Medicare, Medicaid, registers with the DEA to dispense controlled substances, is a 501(c)(3) tax-exempt organization, provides drug maintenance treatment or withdrawal management, or receives federal funds for any other reason.

Part 2 programs are prohibited from disclosing any SUD patient’s identifying information or treatment records outside the program to anyone, including third party payers, without the patient’s advance written consent.1 Exceptions to the prohibition are limited to:

a qualified service organization under contract with the program, e.g., the program’s billing agent, provided the contract contains mandated Part 2 language.
a bona fide medical emergency (disclosure for treatment purposes only).
scientific research—limited to a HIPAA-covered entity or their BAA or entity subject to HHS or FDA rules on protection of human subjects: no redisclosure allowed.
per a court order that complies with Part 2 criteria.
a government agency auditing or evaluating the program.
when the patient commits a crime on the program’s premises or against a staff member, limited to information relevant to the incident and patient’s last known whereabouts.
state mandated reporting of suspected child abuse.

A program’s patient consent form must contain specific Part 2 language, or disclosures made under the consent will violate the regulations. When a Part 2 program discloses patient records with a valid consent, the records remain subject to Part 2 and cannot be re-disclosed by the recipient without also first obtaining the patient’s signed consent. Part 2 further prohibits the use of a patient’s Part 2 program information or records by law enforcement to conduct a criminal investigation or prosecution of the patient.

Violation of Part 2 is punishable by imposition of federal fines from $100 to $50,000 per violation depending on the nature of the violation. Between Part 2, HIPAA, and state patient confidentiality laws, Part 2 is generally the most restrictive and usually controls whether a disclosure of a patient’s Part 2 records is permitted.

Revisions in the July 2020 Final Rule

The Part 2 restrictions on use and disclosure have presented barriers to effective patient-provider communication and care coordination between Part 2 programs and non-Part 2 providers in the midst of the nation’s ongoing opioid addiction crisis. Recognizing the need for reform, on July 15, 2020, SAMHSA adopted a number of revisions to the rule as final.2 The revised Part 2 Final Rule still prohibits use of SUD records by law enforcement for criminal prosecution and continues to only allow disclosure of SUD treatment records with the patient’s written consent, subject to the exceptions listed above. However, important changes have been made to clarify the application of Part 2 and facilitate communication and care coordination between programs, patients, and other treating providers. They include:

Clarification of How Part 2 Applies to Non-Part 2 Providers

If a patient tells their non-Part 2 treating provider that the patient has or had an SUD or SUD treatment, documenting that information in the patient’s medical record does not make the record subject to Part 2; nor does information communicated verbally by a program (with the patient’s consent) to the non-Part 2 treating provider, if the provider puts it in the patient’s record. But, if that provider receives patient records from the Part 2 program, those records remain subject to Part 2. For this reason, when the program discloses the records to the provider, it must enclose a mandatory notice of the restrictions on re-disclosure, and the provider must segregate the Part 2 records from the rest of the patient’s file to avoid unauthorized re-disclosure.

Disclosures for Payment and Healthcare Operations

A patient’s written consent to disclose their program records for payment or healthcare operations can generally designate an entity as the authorized recipient without naming a specific individual in the consent.
The Final Rule now lists 18 activities constituting payment or health operations.

Disclosures to central registries and state prescription drug monitoring programs

A Part 2 program providing opioid treatment is permitted, with the patient’s consent, to report the patient’s enrollment for MAT or withdrawal management to a central registry to prevent the patient from enrolling in multiple programs. The central registry can only redisclose or use the information to prevent multiple enrollments or for care coordination.
If a patient’s non-Part 2 treating provider asks a central registry whether the patient is enrolled for MAT to ensure the patient is not already enrolled for MAT in another program or to avoid issuing a duplicate of contraindicated prescription to the patient, the registry may disclose the Part 2 program’s contact information to the provider as well as the type, dose, and dates the program has administered medication to the patient.
When state law requires a Part 2 program to report the prescribing/dispensing of medication to a patient to a prescription monitoring program, e.g., KASPER, the program may report, but only with the patient’s written consent.

Medical Emergency Exception

A state or federally-declared natural or major disaster constitutes a medical emergency under this exception to the prohibition against disclosure without patient consent.

Program Audit/Evaluation Exception

The Final Rule clarifies the types of entities authorized to audit or evaluate a program’s patient records to improve care or when required by law without patient consent. They include government and commercial payers, quality assurance organizations, and entities with direct administrative control over a program, and their respective subcontractors and representatives.

More Changes Expected in March 2021

The CARES Act passed by Congress last March in response to the COVID-19 included amendments to the statute that authorizes the Part 2 regulations in order to bring the SUD patient confidentiality rules into harmony with HIPAA.3 SAMHSA is expected to issue additional substantive revisions to Part 2 in March 2021 to implement those statutory amendments.

Sarah Charles Wright is a healthcare law attorney with Sturgill, Turner, Barker & Moloney, PLLC. She can be reached at or (859) 255-8581. This article is intended to be a summary of state law and does not constitute legal advice.

1Patient identifying information includes name, address, SSN, fingerprints, photos, other distinguishing information, or information identifying a patient by reference to public information or verification through another person.

2Fact Sheet: SAMHSA 42 CFR Part 2 Rev. Rule. (11/9/2020).

3CARES Act (3/27/2020) amended 42 USC 290dd-s – Confidentiality of Records.