Behind the New 42 CFR Part 2 Rule: What It Means for Health Information Professionals

When the Department of Health and Human Services (HHS) finalized updates to 42 CFR Part 2 earlier this year, health information professionals everywhere had the same reaction: finally. After years of navigating the awkward divide between HIPAA and Part 2, the industry is gaining a framework that better reflects how healthcare operates today. 

The changes are substantial. Part 2 has always existed to protect people seeking substance use disorder (SUD) treatment from stigma and discrimination. While that purpose remains essential, the rule’s complexity has created major challenges for care coordination. If you've ever tried to get SUD records transferred between providers, you know exactly what I'm talking about. The complex requirements for sharing information that clinicians needed, while well-intentioned, created significant practical obstacles. 

Starting April 16, 2024 (with full compliance required by February 16, 2026), things look different. Patients can sign one consent form that covers future treatment, payment, and operations. HIPAA-covered entities can redisclose SUD records using the same rules they already know. Civil and criminal penalties now match HIPAA's enforcement structure instead of operating separately. Patients can file complaints directly with HHS and must get an updated Notice of Privacy Practices. The rule also eliminates the requirement for Part 2 programs to segregate records. 

That last point deserves emphasis. The workflow friction caused by record segregation has been a persistent challenge, so this change alone will save countless hours. 

Organizations frequently misunderstand this aspect. They assume 42 CFR Part 2 only applies to dedicated addiction treatment centers. This is incorrect. If your hospital, clinic, or physician practice receives Part 2 records as part of someone's medical history, you're in scope. If you have SUD-related data anywhere in your system, Part 2 applies. 

Even non-Part 2 entities have obligations around redisclosure, properly tagging or labeling SUD information, and maintaining accurate disclosure accounting. Too often, organizations discover this requirement after implementation has already begun. 

Guidance on the 42 CFR Part 2 Rule

This isn't something your privacy officer can handle alone. You need legal, clinical, IT, and operations at the table. Health information professionals are actually the best “translators” here. We understand both the regulatory requirements and the actual workflows where compliance happens (or doesn't). 

Start with your consent forms. They need to reflect the single-consent provision, plus whatever your state requires on top of federal rules. Your Notice of Privacy Practices also needs to be updated by February 2026 to align with HIPAA standards. 

Then comes training. Release of information staff, case managers, and anyone who touches clinical documentation needs to recognize Part 2-protected information and know the redisclosure limits. This isn't one-and-done training, either. It requires reinforcement. 

Your electronic health record (EHR) and data systems need tagging mechanisms to identify SUD information. Without tagging properly, you can't maintain compliant disclosure accounting. You'll want that audit trail documented and ready before anyone requests it. 

As healthcare data becomes more interoperable and artificial intelligence (AI) tools start parsing clinical notes, someone needs to ensure SUD-related data stays properly protected. That's us. We label it, track it, audit disclosures, and make sure patients' privacy rights stay intact while they maintain access to their own information. 

We're the ones who take dense federal regulations and turn them into policies that staff can follow. That's never been more important than it is right now. 

AHIMA is here to help! We are developing a 42 CFR Part 2 Resource Guide and Decision Tree Tool that should hit the Body of Knowledge very soon. It'll walk through consent requirements, request validation, and tricky scenarios like redisclosures, emergencies, and public health reporting. It's designed to make federal guidance accessible and usable for day-to-day operations. 

The updated Part 2 rule matters because patient trust matters. People need to know their most sensitive health information won't come back to hurt them. Our job is making that protection real, not just on paper, but in every disclosure decision, every data exchange, and every system configuration. We're well-positioned to guide our organizations through these changes successfully. So, in the words of Chef Robert Irvine, “Let’s Get to Work!” 

Jennifer Mueller, MBA, RHIA, SHIMSS, FACHE, FAHIMA, FACHDM, is AHIMA Senior Vice President, Health Information Career Advancement.