42 CFR Part 2: Confidentiality of Substance Use Disorder Patient Records

What Part 2 covers

Part 2 applies to any federally assisted program that holds itself out as providing SUD diagnosis, treatment, or referral. Hospitals, integrated health systems, and primary care practices that include SUD services are typically covered for that subset of records. Records covered include any information that would identify a patient as having received SUD services.

How Part 2 differs from HIPAA

• Consent — Part 2 historically required patient consent for most disclosures (including treatment / payment / operations). The 2024 final rule aligned TPO uses to HIPAA, but other disclosures still require Part 2-specific consent forms.
• Re-disclosure prohibition — recipients of Part 2 records cannot re-disclose without separate authorization. Required notices accompany each disclosure.
• Subpoenas — court subpoenas alone are insufficient; a court order with specific findings is required.
• Penalties — Part 2 violations carry both civil and criminal penalties.

What analytics platforms must support

• Sub-account or tenant isolation for Part 2 SUD data within the broader PHI environment.
• Role-based access scoped to authorized SUD treatment staff.
• Separate audit log for Part 2 data access.
• Re-disclosure notice generation when Part 2 data leaves the platform.

Where Vizier fits

Vizier supports Part 2 access controls with the same audit and access primitives used for general PHI, plus the additional consent tracking and re-disclosure notice generation that Part 2 requires.