OCHIN Compliance Corner: 42 CFR Part 2 – Confidentiality of Substance Use Disorder Patient Records

By Holly Weick, Compliance Coordinator

Final Rule – Current as of 2/14/2017

Current State

On February 9, 2016, the Substance Abuse and Mental Health Services Administration (SAMHSA) proposed changes to 42 CFR Part 2 in a rule titled “Confidentiality of Substance Use Disorder Patient Records.” On January 18, 2017, the rule was finalized with an effective date 30 days later.

On January 20, 2017, President Donald J. Trump issued an Executive Order titled “Memorandum for the Heads of Executive Departments and Agencies.” The Executive Order stated that all regulations “that have been published in the OFR but have not taken effect…” will have their effective date postponed for 60 days from the date of the memorandum. This has postponed the effective date of the rule to March 21, 2017. During this 60-day period, the new presidential administration will be reviewing all rules and may withdraw any that do not align with the objectives or values of the administration.

OCHIN will continue to monitor President Donald J. Trump’s orders and statements regarding regulatory rulemaking on 42 CFR Part 2. If the final rule is implemented on March 21, 2017, OCHIN will be publishing a more comprehensive whitepaper on the changes and how OCHIN members can operationalize the changes.

The last substantive update to 42 CFR Part 2 was in 1987, and the new rule is meant to modernize the requirements of 42 CFR Part 2 to permit integrated care and the sharing of patient information with a consent.

One of the key changes is the change from “alcohol abuse and drug abuse” to “substance use disorder.” However, the rule left many requirements in place including the requirement to have a consent, the definition of a Part 2 Program, exceptions for medical emergencies, and the general prohibition on re-disclosure. The largest changes to 42 CFR Part 2 include changes to consent forms, research, and information security.

Consent Requirements

The prior rule required that patient consents list the individuals and entities to whom the patient information was being disclosed. This caused problems for HIEs and Organized Health Care Arrangements (OHCAs) since frequently additional entities were added and all of the patient consents would need to be updated to reflect the addition of the new entity.

The new rule now permits a general consent “to my treating providers” without listing each provider, as long as the primary recipient (HIEs or OHCAs (such as OCHIN)) is listed. The new rule provides many options for consents based on whether a treatment relationship is in place with the primary recipient.

As part of the consent requirements, if a “general designation” is used, then the primary recipient must have the capability to provide a list of entities to whom the information was disclosed.[1] For example, an HIE or OHCA (like OCHIN) would need to provide a list of disclosures to any patient who makes the request for a two-year period. The list of disclosures would need to include the name of the entities to which disclosures were made, the date of the disclosure, and a brief description of the patient information disclosed.

Furthermore, the consent form must include an “explicit description of the substance use disorder information that may be disclosed.” Organizations are permitted to use “all my substance use disorder information” as an option for the amount of information to be disclosed as long as more specific options are included (e.g., medications, diagnosis, labs).


Research

One of the areas of improvement in the new rule permits data from Part 2 Programs to be used for research.[2] Any Part 2 Program or consented recipient of patient information (e.g., OCHIN or an HIE) can disclose Part 2 Program data to researchers if the patients have signed an authorization or the study otherwise follows HIPAA Privacy Rule requirements for research. Researchers are still required not to re-disclose the Part 2 Program information.

Information Security

SAMHSA also modernized its information security requirements to include electronic data.[3] Previously, 42 CFR Part 2 focused heavily on paper documents. These requirements include that a Part 2 Program have security policies and procedures. The requirements provided in 42 CFR Part 2 are similar to the HIPAA Security Rule requirements, but they are not as stringent. Covered entities and their business associates will be in compliance with the information security requirements under 42 CFR Part 2 if they are in compliance with HIPAA.

[1] 42 CFR 2.13.

[2] 42 CFR 2.52.

[3] 42 CFR 2.16.