Behavioral Health Privacy: HIPAA, 42 CFR Part 2, and Private Clients

Understanding the Two-Tiered Legal Framework That Governs Addiction Treatment Records

There is a persistent misunderstanding among otherwise well-informed people that HIPAA — the Health Insurance Portability and Accountability Act of 1996 — is the primary law protecting the privacy of addiction treatment records. It is not. HIPAA is the floor. For substance use disorder treatment records specifically, a separate and substantially more protective federal regulation governs: 42 CFR Part 2, formally titled the Confidentiality of Substance Use Disorder Patient Records. The distinction between these two frameworks is not academic. For private clients navigating behavioral health treatment, understanding where HIPAA ends and Part 2 begins is the difference between meaningful privacy protection and a false sense of security.

What HIPAA Actually Covers

HIPAA's Privacy Rule, codified at 45 CFR Parts 160 and 164, establishes national standards for the protection of individually identifiable health information held by covered entities — health plans, healthcare clearinghouses, and healthcare providers who conduct certain electronic transactions. The Privacy Rule restricts how these entities can use and disclose protected health information (PHI), requires them to implement safeguards, and gives patients certain rights over their records, including the right to access, amend, and receive an accounting of disclosures.

These are meaningful protections. But they contain exceptions that are significant for behavioral health patients. Under HIPAA, covered entities may disclose PHI without patient authorization for treatment, payment, and healthcare operations — the so-called TPO exception. This means your psychiatrist can share your records with another provider involved in your care, your insurance company can access your records to process claims, and healthcare organizations can use your information for quality assessment and business management activities. For routine medical care, these exceptions are generally benign. For substance use disorder treatment, they create exposure pathways that Congress specifically sought to close with a different law.

HIPAA also permits disclosure without authorization in response to certain court orders and subpoenas, for law enforcement purposes under specific circumstances, for public health activities, and in other enumerated situations. Each of these exceptions represents a potential disclosure pathway that a sophisticated adverse party — an opposing counsel in a custody dispute, a licensing board, a business competitor — could theoretically exploit.

The Architecture of 42 CFR Part 2

Part 2 predates HIPAA by more than two decades. Its origins trace to the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970 and the Drug Abuse Prevention, Treatment, and Rehabilitation Act of 1972. Congress enacted these laws in response to a documented reality: people were not seeking treatment for substance use disorders because they feared that doing so would result in criminal prosecution, employment termination, loss of housing, and social ostracism. The legislative finding was explicit — the public health interest in encouraging people to seek treatment outweighed the interests served by routine disclosure of treatment records.

The resulting regulation, administered by the Substance Abuse and Mental Health Services Administration (SAMHSA), applies to any program that is federally assisted and holds itself out as providing — and provides — substance use disorder diagnosis, treatment, or referral for treatment. "Federally assisted" is broadly defined: it includes programs that receive any federal funding, are conducted by a federal department or agency, are carried out under a license or certification authorized by federal law, or are tax-exempt under the Internal Revenue Code. In practice, this encompasses the vast majority of substance use disorder treatment programs in the United States, including most private facilities that serve high-net-worth clients.

The Critical Difference: Under HIPAA, a covered entity can disclose your health information for treatment, payment, and healthcare operations without your specific authorization. Under 42 CFR Part 2 (prior to the 2024 final rule), a Part 2 program generally could not disclose your substance use disorder records for any purpose — including payment and healthcare operations — without your prior written consent. This single distinction is the reason Part 2 exists. It closes the very disclosure pathways that HIPAA leaves open.

Consent Under Part 2: A Different Standard

When a Part 2 program does disclose records with patient consent, the consent itself must meet specific requirements that go beyond HIPAA's general authorization form. A valid Part 2 consent must identify the specific patient, the specific information to be disclosed, the specific purpose of the disclosure, and the specific recipient. It must include a statement that the patient may revoke consent at any time. And — critically — it must include a prohibition on redisclosure: a notice to the recipient that the information is protected by federal law and that the recipient cannot further disclose it without an additional consent from the patient or a court order.

This redisclosure prohibition is the mechanism that prevents the cascade effect that HIPAA permits. Under HIPAA, once information enters the healthcare system through a legitimate disclosure, it can flow through that system via subsequent TPO disclosures with relative freedom. Under Part 2, each link in the chain requires a separate consent. The information does not simply enter the stream; it remains locked behind a gate that only the patient can open.

For private clients, this distinction has practical implications at every stage of treatment. When a facility asks you to sign consent forms on admission — and they will present a stack of them — each form that authorizes disclosure of your Part 2-protected records should be reviewed with care. Who is the recipient? What information is being disclosed? For what purpose? Can the consent be limited to specific dates of treatment, specific categories of information, or specific providers? The answer to all of these questions is yes, and sophisticated patients exercise these options.

The 2024 Final Rule: Alignment and Its Consequences

In February 2024, SAMHSA and the HHS Office for Civil Rights published a final rule that represents the most significant modification to Part 2 since its inception. The rule, implementing provisions of the CARES Act, aligned certain aspects of Part 2 with HIPAA while attempting to preserve Part 2's core anti-discrimination protections. Understanding what changed — and what did not — is essential for anyone entering treatment after the rule's effective date.

The most consequential change: Part 2 programs may now disclose records for treatment, payment, and healthcare operations based on a single, initial patient consent, rather than requiring separate consents for each disclosure. This aligns Part 2 with HIPAA's TPO framework and, proponents argue, facilitates care coordination for patients with co-occurring disorders who need their substance use disorder information shared among multiple providers.

The concern, articulated forcefully by patient advocacy organizations and privacy scholars, is that this change dilutes the very protection that made Part 2 meaningful. Under the prior framework, a patient could consent to disclosure to their primary care physician without that consent enabling downstream disclosure to their insurance company's utilization review department. Under the new framework, a single consent to share records for "treatment, payment, and healthcare operations" potentially opens a much broader disclosure pathway.

The final rule addresses this concern, in part, through strengthened anti-discrimination provisions. Part 2 records disclosed under a TPO consent cannot be used to deny employment, housing, or access to benefits. The rule also prohibits the use of Part 2-protected information in civil, criminal, administrative, or legislative proceedings against the patient without a specific court order. These provisions are meaningful, but they operate after disclosure has occurred — they address the consequences of disclosure rather than preventing it.

What Private Clients Need to Know That Standard Patients Do Not

The regulatory framework is the same for every patient. But its practical implications differ dramatically based on the patient's profile, risk exposure, and capacity to exercise the options the law provides.

Private-pay patients have more control. When treatment is paid by insurance, the insurer has a legitimate claim to information necessary to process the claim. This creates an inherent tension between privacy and payment. Patients who pay privately eliminate this tension entirely. There is no claim to process, no explanation of benefits (EOB) to generate, no utilization review to satisfy. The payment pathway — the single largest category of routine disclosure — simply does not exist. For private clients, this is not merely a financial decision; it is a privacy architecture decision.

Consent forms are negotiable. The standard consent forms that facilities present on admission are drafted for the broadest possible authorization. They serve the facility's operational convenience. They are not the minimum required by law. A patient — or a patient's attorney — can modify these forms to limit the scope, duration, and recipients of authorized disclosures. They can strike provisions that are broader than necessary. They can add conditions. Facilities that serve private clients regularly encounter patients who negotiate consent forms, and competent facilities accommodate these negotiations without resistance.

State law may provide additional protections. Part 2 and HIPAA establish federal minimums. Many states have enacted behavioral health privacy statutes that exceed these minimums. California's Lanterman-Petris-Short Act, New York's Mental Hygiene Law, Connecticut's substance abuse confidentiality statutes, and similar laws in other states may impose additional consent requirements, restrict specific categories of disclosure, or provide additional remedies for breaches. An attorney familiar with behavioral health law in the state where treatment occurs — which may differ from the state where the patient resides — should review the applicable protections before treatment begins.

The electronic health record complicates everything. The migration of healthcare records to electronic systems has created interoperability that Part 2 was not designed to address. When a Part 2 program enters records into an electronic health record system that is shared with other providers — a health information exchange, a hospital network's unified EHR — the technical mechanisms for limiting access to Part 2-protected information within that system are imperfect. Some EHR systems allow for segmentation of Part 2 records; others do not. Understanding the facility's technology infrastructure — and the technical safeguards it employs to prevent unauthorized access within its own systems — is a question that private clients should ask and that facilities should be able to answer clearly.

The litigation environment is adversarial. In divorce proceedings, custody disputes, business litigation, and professional disciplinary proceedings, opposing parties routinely seek access to behavioral health records. Part 2 provides significant protection against court-ordered disclosure — requiring a specific judicial finding that the need for the information outweighs the potential harm to the patient, the physician-patient relationship, and the treatment services — but this protection must be actively asserted. It does not assert itself. Patients who anticipate litigation, or whose circumstances make litigation a foreseeable possibility, should ensure that their legal counsel understands Part 2's requirements for court orders and can intervene promptly if a subpoena for treatment records is issued.

The Practical Synthesis

The law gives patients with substance use disorders stronger privacy protections than patients with virtually any other medical condition. This was a deliberate legislative choice, rooted in the recognition that the stigma associated with addiction creates a specific, documented barrier to treatment. But the law is a tool, and like any tool, its effectiveness depends on the skill and intention with which it is used.

For private clients, the practical synthesis is this: the legal framework provides a strong foundation, but it must be supplemented by operational privacy measures — private payment, careful consent management, geographic distance, digital security, and legal counsel — that address the real-world pathways through which confidentiality fails. The law prevents your treatment facility from disclosing your records without consent. It does not prevent the other hundred ways that information escapes into the world. The most protected clients are those who understand both what the law provides and where it ends.