The updated 42 CFR Part 2 regulation brings behavioral health record-sharing closer to HIPAA, but with critical differences that every private practice needs to understand. This guide will help you navigate the changes and ensure you are prepared for 42 CFR Part 2 compliance.
What is 42 CFR Part 2, and Why Does It Matter for Private Practices?
42 CFR Part 2 is a federal privacy regulation that protects substance use disorder (SUD) treatment records. It prevents the disclosure of any information that could identify a patient as having or having had an SUD, even to other healthcare providers, unless the patient provides written consent.
The regulation was established to protect patients from stigma, discrimination, and the misuse of sensitive information. Unlike HIPAA, which permits certain data sharing for treatment, payment, and healthcare operations (TPO), Part 2 has traditionally required explicit patient consent for nearly all disclosures.
What’s New in the 2024 Final Rule (Effective February 2026)
In 2024, HHS finalized major updates that align 42 CFR Part 2 more closely with HIPAA. The new rule introduces several key changes:
- Allows one TPO consent: Patients can now sign a single consent for future disclosures for treatment, payment, and healthcare operations until they choose to revoke it.
- Aligns enforcement with HIPAA: Breaches of SUD data will now trigger HIPAA-style notifications and penalties, increasing the importance of a HIPAA-compliant system.
- Clarifies re-sharing rules: Once information is shared under a valid consent, recipients can re-disclose that information for TPO as long as the required notice accompanies it.
Do Patients Need to Be Notified or Re-Sign Paperwork?
Yes, in most cases. All providers who treat or refer for SUD must give patients an updated privacy notice that explains their rights under the new Part 2 rule. Your current consent forms likely do not include all the new required elements, such as the prohibition on re-sharing information or the expanded TPO language.
While you do not have to re-consent every patient immediately, the best practice is to:
- Update consent forms now for all new and active patients.
- Prioritize re-consenting high-risk or frequently referred patients.
- Notify all patients of the new protections through your portal, intake paperwork, or at their next visit.
A "phased re-consent" approach effectively balances compliance with clear patient communication.
How to Prepare: A Step-by-Step Roadmap for Small & Group Practices
This Week: Get Organized
- Create a “Part 2 Snapshot”: Develop a one-page summary that includes the compliance date (Feb 16, 2026), a definition of what constitutes SUD information in your practice, and who manages disclosures. Share this with your practice.
- Download official resources: Use the HHS and SAMHSA Part 2 toolkits to understand the regulation's requirements. These resources include consent templates and checklists.
This Month: Audit and Document
- Map your data flow: Document where SUD data is stored (EHR, scanned forms, lab reports, emails). For each location, note who has access and where the information is shared. This will help you identify where controls are needed.
- Review your consent forms line by line: Your updated consent must include:
  - Patient identification and signature
  - A description of the information that may be disclosed
  - Specific recipients or categories (e.g., “primary care provider”)
  - The purpose (e.g., “for treatment, payment, and operations”)
  - An expiration date/event or a statement that it is revocable
  - A statement prohibiting further disclosure (“This information has been disclosed from records protected by federal confidentiality rules…”)
- Set up a disclosure log: If your EHR cannot segment or log SUD disclosures, create a secure spreadsheet with the columns: Date of disclosure, Recipient, Purpose, Consent on file (Y/N), and Staff initials. This log is your evidence in case of an audit.
This Quarter: Build Systems and Train Staff
- Contact your EHR vendor and billing team: Ask your partners key questions:
  - Can you tag or flag SUD-related records?
  - Can disclosures of these records be restricted or require double approval?
  - Can the EHR store multiple consents and track revocations?
  - Will there be a system update or module available before the 2026 deadline?
- Update your intake and consent packets: Replace old forms with the new consent language and patient privacy notice. Include a one-paragraph summary in your welcome packet explaining how these forms protect patients.
- Start targeted re-consent: Begin re-consenting active SUD patients and those whose information is regularly shared. If you use a patient portal, add a digital consent option with an explanatory video or PDF.
- Train your staff: Conduct a 30-minute workshop to review real-world scenarios (e.g., a PCP requesting records, a patient revoking consent, a subpoena). Conclude with a simple rule: “If it mentions SUD, stop and check the consent first.”
While the February 2026 deadline may seem distant, the steps to true compliance take time. This roadmap is designed to be a starting point.