42 CFR Part 2 compliance is required of federally assisted substance use disorder treatment programs, every member of their workforces, qualified service organizations contracted to those programs, and any individual or organization that receives patient identifying information from a Part 2 program and becomes a lawful holder of that information subject to the regulation’s redisclosure restrictions. The regulation defines federal assistance broadly, covering not only direct federal funding but also authorization to prescribe controlled substances under the Controlled Substances Act, participation in Medicare or Medicaid, and federal tax-exempt status, which means many substance use disorder programs are subject to Part 2 regardless of whether they regard themselves as federally funded. Because the compliance obligation attaches to the program and extends to everyone who operates within it or receives information from it, understanding who falls within the regulation’s reach is the starting point for any effective training program.
Federally Assisted Programs and How Federal Assistance Is Defined
A program becomes subject to 42 CFR Part 2 when it holds itself out as providing substance use disorder diagnosis, treatment, or referral and receives federal assistance in any form. The most common forms of federal assistance that trigger Part 2 obligations are Medicare and Medicaid participation, Drug Enforcement Administration registration to dispense controlled substances used in addiction treatment such as methadone or buprenorphine, and receipt of federal grants administered through the Substance Abuse and Mental Health Services Administration. Federal tax-exempt status under section 501(c) of the Internal Revenue Code also constitutes federal assistance for this purpose. A hospital, health system, or community health center that operates a substance use disorder unit alongside other clinical services falls under Part 2 for the records generated by that unit, even if the broader organization provides services that are not subject to the regulation.
Workforce Members Within Part 2 Programs
Every individual who performs a function within a Part 2 program and has access to patient identifying information is subject to the regulation’s confidentiality requirements. This scope covers clinical providers including physicians, nurses, counselors, and social workers, as well as administrative staff who schedule appointments, process referrals, or handle billing for substance use disorder services. Technical staff who maintain or access electronic records systems containing Part 2 protected information are also subject to the regulation. Part 2 does not create an exception for workforce members who access patient information only incidentally or infrequently. The obligation attaches to access, not to the primary function of the role, which means training must reach the full workforce of a covered program rather than only its clinical personnel.
Qualified Service Organizations
An organization that provides services to a Part 2 program under a Qualified Service Organization Agreement and receives patient identifying information in the course of providing those services is directly bound by 42 CFR Part 2 with respect to that information. Qualified service organizations include laboratories, medical records vendors, billing companies, legal consultants, and electronic health record providers that connect to a Part 2 program’s data environment. The Qualified Service Organization Agreement that must be executed before any patient information is disclosed to the organization commits it to maintaining the confidentiality of Part 2 records and to resisting unauthorized disclosures in the same manner required of the program itself. Workforce members of qualified service organizations who handle Part 2 records must receive training on the regulation’s requirements, not only on the HIPAA obligations that may apply in parallel.
Lawful Holders and the Redisclosure Obligation
An individual or organization that receives patient identifying information from a Part 2 program through a patient consent or other permissible disclosure mechanism becomes a lawful holder of that information. Lawful holders include treating physicians who receive referral information about a patient’s substance use disorder treatment history, hospitals that receive records during a care transition, and researchers who obtain de-identified or consented data for approved studies. A lawful holder may not redisclose Part 2 protected information to any other party without a new patient consent or an applicable regulatory exception. This prohibition applies regardless of whether the receiving organization is itself a HIPAA covered entity or a general healthcare provider not otherwise subject to Part 2. The redisclosure restriction travels with the information, not with the program that originally generated it, and workforce members at receiving organizations must be trained to recognize and apply it.
HIPAA and 42 CFR Part 2 Training for Covered Programs and Their Workforces
The HIPAA Journal’s HIPAA and 42 CFR Part 2 Training is designed for the workforces of covered entities that operate substance use disorder treatment programs, qualified service organizations that receive Part 2 protected information, and lawful holders of patient records subject to the regulation’s redisclosure restrictions. The course addresses both the HIPAA Privacy Rule and 42 CFR Part 2 as overlapping regulatory frameworks, explaining where the two sets of requirements align and where Part 2 imposes obligations that exceed those of HIPAA. Workforce members learn how to apply consent requirements before disclosing patient identifying information, how to identify the categories of disclosure permitted without consent, and how to handle redisclosure requests in compliance with the regulation. The training covers the practical decisions that clinical, administrative, and technical staff face when managing substance use disorder records in integrated care environments where Part 2 and HIPAA apply simultaneously, and it provides the documented completion records that programs need to demonstrate training compliance to licensing bodies, Medicaid agencies, and accreditation organizations.
