42 CFR Part 2 and HIPAA are distinct federal regulatory frameworks that both govern the confidentiality of health information but differ in scope, the categories of information they protect, the standards they apply to disclosure and consent, and the consequences they attach to violations. HIPAA establishes the baseline privacy and security requirements that apply to protected health information across covered entities and their business associates, while 42 CFR Part 2 imposes a separate and stricter set of confidentiality rules that apply specifically to substance use disorder patient records held by federally assisted programs. In settings where both regulations apply simultaneously, workforce members must be trained on both frameworks and must apply whichever standard is more protective at the point of each disclosure decision.
Scope and Regulated Entities
HIPAA applies to covered entities including healthcare providers, health plans, and healthcare clearinghouses, along with their business associates. Its scope encompasses all protected health information regardless of the condition being treated or the type of service provided. 42 CFR Part 2 applies to a narrower category of organizations: programs that hold themselves out as providing substance use disorder diagnosis, treatment, or referral and receive federal assistance in any qualifying form. General medical providers that treat a wide range of conditions are subject to HIPAA for all patient records, but only become subject to 42 CFR Part 2 for records generated within a substance use disorder treatment unit or program that meets the federal assistance threshold. An integrated care organization may therefore operate simultaneously under HIPAA for its full patient population and under 42 CFR Part 2 for its substance use disorder program records, with different rules governing each category of information.
Consent and Disclosure Standards
HIPAA permits covered entities to use and disclose protected health information for treatment, payment, and healthcare operations without patient authorization. A provider may share a patient’s records with another treating clinician, submit claims to a health plan, or conduct internal quality improvement activities without obtaining individual consent for each use. 42 CFR Part 2 does not permit these same disclosures for substance use disorder patient records without written patient consent in most circumstances. Disclosing that an individual is or has been a patient of a substance use disorder program, or sharing any information from that program’s records, generally requires a specific written consent that names the recipient, describes the purpose of the disclosure, and states an expiration date or event. The narrow exceptions to this consent requirement include medical emergencies, research under specified conditions, and audits by oversight agencies, but these exceptions are defined more tightly than the equivalent HIPAA provisions.
Redisclosure Restrictions
When a covered entity discloses protected health information to another party under HIPAA, the receiving party’s subsequent use of that information is governed by its own HIPAA obligations and the terms of any applicable business associate agreement. 42 CFR Part 2 operates differently. When a Part 2 program discloses substance use disorder patient records to any recipient, the information carries a redisclosure prohibition that travels with it regardless of whether the recipient is itself a HIPAA covered entity. A hospital that receives substance use disorder treatment records from a Part 2 program during a care transition becomes a lawful holder of Part 2 protected information and may not redisclose those records to a third party, including other treating clinicians, without a new patient consent or an applicable regulatory exception. This redisclosure restriction has no direct equivalent in HIPAA and represents one of the most operationally significant differences between the two frameworks for workforce members who receive records from substance use disorder programs.
Enforcement Authority and Penalties
HIPAA enforcement sits with the HHS Office for Civil Rights, which investigates complaints, conducts compliance reviews, and imposes civil monetary penalties under a tiered structure based on culpability. The Department of Justice handles criminal enforcement for knowing violations. 42 CFR Part 2 violations are subject to criminal penalties under 42 U.S.C. §290dd-2, enforced through the Department of Justice. The penalty structure differs from HIPAA and historically produced less frequent enforcement activity. The 2024 amendments to 42 CFR Part 2, however, aligned certain provisions with the HIPAA framework and expanded the circumstances under which information can be shared, including for treatment, payment, and healthcare operations. These changes brought the two regulatory regimes into closer alignment on some disclosure questions while preserving the stricter consent and redisclosure restrictions that have long distinguished Part 2 from HIPAA.
Training on Both Frameworks
The HIPAA Journal’s HIPAA and 42 CFR Part 2 Training addresses both regulatory frameworks in a single integrated curriculum designed for covered entities operating substance use disorder treatment programs, qualified service organizations, and lawful holders of Part 2 protected records. The course explains where HIPAA and 42 CFR Part 2 impose identical obligations, where Part 2 imposes stricter requirements that override HIPAA’s default permissions, and how workforce members must identify which framework governs each disclosure situation they encounter in practice. It covers the consent requirements unique to Part 2, the redisclosure prohibition and how it applies to information received from a Part 2 program, the 2024 regulatory amendments that changed how Part 2 records may be used for treatment and payment purposes, and the practical steps workforce members must take to remain compliant when both sets of rules apply simultaneously. Completion certificates and documentation records support the training compliance requirements that licensing bodies, Medicaid agencies, and accreditation organizations impose on substance use disorder treatment programs.

