Article Updated: July 11, 2026

HIPAA and 42 CFR Part 2 Training for Therapists and Counselors

Therapists and counselors who treat clients with substance use disorders must complete training on both HIPAA and 42 CFR Part 2, because the two frameworks impose different and in some cases conflicting obligations on how patient records may be used, disclosed, and protected, and 42 CFR Part 2 applies the stricter standard wherever the two overlap. HIPAA establishes the baseline privacy and security obligations that apply to all covered entities, but 42 CFR Part 2 imposes additional confidentiality requirements specifically for records relating to substance use disorder treatment, and those requirements apply regardless of whether the therapist or counselor considers the practice to be primarily a SUD treatment program. A workforce member who understands HIPAA but has not received training on 42 CFR Part 2 will apply the wrong standard to disclosures, consent conditions, and re-disclosure rules that affect SUD clients, creating compliance exposure that training on HIPAA alone cannot prevent.

How 42 CFR Part 2 Differs From HIPAA

HIPAA permits a range of disclosures without patient authorization, including disclosures for treatment, payment, and healthcare operations. 42 CFR Part 2 does not. Under Part 2, disclosures of records that identify or could imply that a person is a patient in a SUD treatment program require written patient consent in most circumstances, even when the disclosure would be routine and permissible under HIPAA. The scope of that consent is also restricted: a disclosure may only be made within the purposes the patient authorized, and information received under a Part 2 disclosure carries a notice of non-redisclosure requirement that limits how the receiving party may use or further share it. Staff must also apply the minimum necessary standard within the boundaries of consent and must verify the identity of anyone requesting access to Part 2 records before sharing information. Any piece of information that could imply a person’s involvement in SUD treatment, not just records explicitly labeled as such, falls within Part 2’s protections.

What 42 CFR Part 2 Training for Therapists and Counselors Must Address

Training on 42 CFR Part 2 for therapy and counseling workforces must cover what Part 2 is and why it exists, which staff and which records it applies to, when written patient consent is required and how to stay within its scope, when notices of non-redisclosure must accompany a disclosure, and how to recognize information that could imply patient status even when SUD treatment is not explicitly mentioned. Practical scenario-based content is necessary to prepare staff for the real decisions they face: how to handle identity verification requests before sharing information, how to avoid multitasking errors when managing both HIPAA-governed and Part 2-governed records in the same workflow, how to use only approved technology and telehealth tools when communicating about Part 2 records, and how to respond calmly when community members or other providers pressure staff to share information that Part 2 prohibits disclosing. Staff must also understand data segmentation workflows that separate Part 2 records from other clinical documentation, and know how to recognize and report suspicious activity involving those records.

HIPAA Training for Therapists and Counselors

HIPAA Training for Therapists and Counselors from The HIPAA Journal includes a dedicated 42 CFR Part 2 training module alongside the mandatory Privacy Rule, Security Rule, and Breach Notification Rule content. The Part 2 module teaches staff the confidentiality rules specific to SUD patient records, consent requirements, non-redisclosure notices, minimum necessary standards within the Part 2 framework, and scenario-based guidance for the difficult interactions that arise when managing Part 2 records in a therapy or counseling setting. The full course is self-paced, accessible on any internet-connected device, and awards an accredited certificate with 5.0 CEUs from the Compliance Certification Board on successful completion of all mandatory modules and assessments.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.