HIPAA and 42 CFR Part 2 are the two federal frameworks governing substance use disorder (SUD) records in the United States. HIPAA applies to all Protected Health Information; 42 CFR Part 2 imposes stricter requirements specific to SUD treatment programs, requiring written, specific consent before any disclosure, even to other healthcare providers. HIPAA violations carry civil penalties of $100–$50,000 per violation, with annual caps up to $1.9 million per violation category. When the two frameworks conflict, the more protective rule (usually Part 2) applies.

Handling addiction data is one of the most legally sensitive areas in behavioral health. Substance use disorder (SUD) records are governed by two overlapping federal frameworks, HIPAA and 42 CFR Part 2, and mishandling can result in civil penalties, criminal charges, and the loss of program funding.

But compliance isn’t just about avoiding fines. It’s about building the foundation of trust that every effective treatment relationship rests on.

HIPAA and Substance Use Data

Under HIPAA, substance use records are Protected Health Information (PHI). Treatment centers must implement appropriate administrative, physical, and technical safeguards, and clients have rights to access, amend, and receive an accounting of disclosures of their records.

Penalties for HIPAA violations range from $100 to $50,000 per violation, with annual caps up to $1.9 million per violation category, enforced by the HHS Office for Civil Rights (OCR).

42 CFR Part 2: The Stricter Standard

For programs that specialize in SUD treatment, 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) imposes requirements stricter than HIPAA:

  1. Written consent is required before disclosing any SUD records, even to other healthcare providers, unless specific exceptions apply
  2. General authorizations don’t work. Consent must name the specific recipient, describe the information disclosed, and state its purpose
  3. Re-disclosure is prohibited without a new written consent from the client

Most treatment centers must comply with both frameworks simultaneously. When they conflict, the more protective rule applies, which is usually Part 2.

Regulatory Enforcement

The Substance Abuse and Mental Health Services Administration (SAMHSA) has repeatedly emphasized that:

  • Clients must have clear visibility into what is being recorded and who can access it
  • Purpose limitation must be strictly observed
  • Only the minimum necessary information should be collected and shared

The Problem With Traditional Systems

Most EHR systems (such as Epic, Cerner, and similar) operate on an all-or-nothing model:

  • The counselor creates clinical notes
  • The client has legal rights to access, but no direct control over what is shared or with whom
  • All data is collected in one system, managed by the institution

This is legally permissible under existing frameworks, but it creates a trust deficit:

“I don’t know what they’re writing about me. I don’t know who can see it.”

For clients who are already skeptical, especially court-referred clients, this worsens dropout risk and undermines the therapeutic alliance.

SmokingTracker’s Privacy by Design Model

SmokingTracker flips the model on its head with client-owned data and granular consent:

1. The Client Owns Their Data

All records (sessions, mood, notes, urge data) belong to the client. They are stored encrypted and can be permanently deleted by the client at any time, separate from the center’s clinical record system.

2. Granular Consent

Instead of “share everything or nothing,” the client can precisely control what the counselor can see:

Data Category                             Client Control
Daily activity (is the client active?)    Required for enrollment
Smoking sessions and history              On/Off
Mood registrations                        On/Off
Personal notes                            On/Off

The client can change these settings at any time, without needing to ask the counselor.

3. The Traffic Light Dashboard

The counselor sees at minimum a traffic light (Green/Yellow/Red) indicating the client’s activity level. Detailed data is shown only if the client has actively given consent.

This means the treatment relationship is built up gradually:

  1. The client starts with minimal sharing → counselor sees only activity level
  2. Trust builds over time → the client opens more data categories
  3. Treatment is enriched → the counselor gets a more complete picture

Documentation and Audit Trail

When the counselor generates a PDF report for the EHR system, the report automatically includes a consent overview:

  • Which data categories the client has shared
  • When consent was given or changed
  • What the report is based on

This creates a documented consent chain that satisfies both HIPAA’s accounting-of-disclosures requirements and Part 2’s written consent standards.
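The consent model described above (per-category switches with daily activity always shared, a traffic light that is visible regardless of consent, and a consent overview with change history for the report) can be sketched as follows. This is an added illustration, not SmokingTracker's code; the category names, the record layout, and the traffic light thresholds are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data categories from the consent table above; daily activity cannot be switched off.
CATEGORIES = ("daily_activity", "smoking_sessions", "mood", "notes")
ALWAYS_SHARED = frozenset({"daily_activity"})

@dataclass
class ConsentState:
    """Per-client consent switches plus an append-only audit trail of every change."""
    shared: set = field(default_factory=lambda: set(ALWAYS_SHARED))
    audit: list = field(default_factory=list)  # (timestamp, category, action)

    def set_consent(self, category: str, granted: bool, when=None) -> None:
        if category not in CATEGORIES:
            raise ValueError(f"unknown category: {category}")
        if category in ALWAYS_SHARED and not granted:
            raise ValueError("daily activity is required for enrollment")
        if granted:
            self.shared.add(category)
        else:
            self.shared.discard(category)
        stamp = (when or datetime.now(timezone.utc)).isoformat()
        self.audit.append((stamp, category, "granted" if granted else "revoked"))

def traffic_light(days_since_activity: int) -> str:
    """Activity level shown without detailed data (thresholds are assumed, not the product's)."""
    if days_since_activity <= 2:
        return "green"
    return "yellow" if days_since_activity <= 7 else "red"

def counselor_view(record: dict, consent: ConsentState) -> dict:
    """Filter the client-owned record down to the categories with current consent."""
    view = {k: v for k, v in record.items() if k in consent.shared}
    view["traffic_light"] = traffic_light(record["daily_activity"]["days_since_activity"])
    return view

def consent_overview(consent: ConsentState) -> dict:
    """Consent section for the PDF report: what is shared now and the change history."""
    return {"shared_categories": sorted(consent.shared), "history": list(consent.audit)}

# Constructed sample record (hypothetical layout), not real client data.
SAMPLE_RECORD = {
    "daily_activity": {"days_since_activity": 1},
    "smoking_sessions": [{"at": "2024-01-10T08:15", "cigarettes": 2}],
    "mood": [{"at": "2024-01-10", "score": 3}],
    "notes": ["constructed note text"],
}
```

With a fresh ConsentState the counselor view contains only the daily activity entry and the traffic light; each call to set_consent both changes the view and appends to the history that ends up in the report.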

Conclusion

Compliance with HIPAA and 42 CFR Part 2 in addiction treatment isn’t just a legal obligation; it’s a clinical opportunity. By giving the client genuine control:

  • Legally: You fulfill data minimization principles and maintain documented, specific consent in line with Part 2
  • Clinically: The client feels ownership, which increases engagement and retention
  • Practically: You still get the data you need, just with the client’s active acceptance

Frequently Asked Questions

What is 42 CFR Part 2? 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) is a federal regulation specifically protecting SUD treatment records. It requires written consent before any disclosure, more restrictive than HIPAA’s general authorization framework. Consent must name the specific recipient, describe the information to be disclosed, and state its purpose. Re-disclosure without new written client consent is prohibited.

How is 42 CFR Part 2 different from HIPAA? HIPAA is a broad health information privacy framework covering all Protected Health Information. 42 CFR Part 2 is a stricter, narrower regulation specifically for SUD treatment records. Key differences: Part 2 requires explicit written consent for disclosures that HIPAA might permit with a general authorization; Part 2 prohibits re-disclosure without new client consent; Part 2 applies even to disclosures to other treating providers who would normally receive information under HIPAA’s treatment exception.

Can a treatment center share a client’s addiction data with other providers? Under 42 CFR Part 2, sharing SUD records, even with other healthcare providers, requires written, specific consent from the client. This is more restrictive than HIPAA’s treatment exception. There are limited exceptions for medical emergencies, court orders, and certain research purposes, but routine care coordination requires client authorization. The consent must name the specific receiving entity, not just a general category.

What are the penalties for HIPAA violations in SUD treatment? Civil penalties range from $100 to $50,000 per violation depending on culpability, with annual caps up to $1.9 million per violation category. Criminal penalties (for willful disclosures) can reach $250,000 and 10 years imprisonment. Violations of 42 CFR Part 2 carry separate criminal penalties. The HHS Office for Civil Rights (OCR) enforces HIPAA; SAMHSA oversees Part 2 compliance.

What is Privacy by Design in the context of addiction treatment? Privacy by Design means building privacy controls directly into the product architecture rather than applying them as an add-on or compliance layer. For SUD treatment, this means clients have direct control over what data is collected and who can see it, rather than the institution holding all data with clients having access rights on request. This approach satisfies both Part 2’s consent specificity requirements and SAMHSA’s guidance on minimum necessary disclosure, while also improving therapeutic alliance with resistant clients.


This article was written by SmokingTracker. SmokingTracker’s privacy architecture is designed to meet the requirements of both HIPAA and 42 CFR Part 2. This article is informational and does not constitute legal advice.


Want to see how granular consent works in practice? Book a demo and try it yourself.