News & Events


The Confidentiality of Drug and Alcohol Records in Part 2 Programs

By Procopio Partner Diane M. Racicot and Associate Tina Safi Felahi

The misuse of drugs, including opioids, is currently one of the most serious public health problems in the United States. While health officials grapple with ways to address the drug epidemic (e.g. expansion of access to naloxone, tougher laws regulating opioid prescriptions), the treatment gap remains large.

That said, over the past several years, the U.S. Department of Health and Human Services (HHS) has worked to expand the availability of treatment, and has also established medication assisted treatment (MAT) as the standard of care for treatment of opioid use disorder.* As the country continues to fight the opioid crisis, entities providing prevention, treatment, and recovery services will want to ensure they understand heightened privacy obligations and implement processes to address the complex requirements imposed by the regulations governing the confidentiality of substance use disorder (SUD) information.

The regulations implementing the law - 42 Code of Federal Regulations (CFR) Part 2 – are commonly referred to as “Part 2.” Part 2 generally prohibits treatment programs from disclosing patient identifying information (PII), meaning any information by which the identity of a patient can be determined with reasonable accuracy (e.g., a name, address, photograph), without patient consent. The Part 2 regulations were most recently updated in 2017 and 2018, when the Substance Abuse and Mental Health Services Administration (SAMHSA) issued Final Rules amending Part 2.

While significant changes have occurred within the U.S. health care system since Part 2 was first implemented, SAMHSA indicated in its 2018 Final Rule that persons with SUDs may still encounter discrimination if their information is improperly disclosed. Negative consequences can include anything from loss of child custody and employment to incarceration. Thus, confidentiality remains a top concern for those receiving treatment.

As a preliminary step, it is important for SUD treatment programs to determine whether they are covered by Part 2, which only applies to those entities or individuals which are both “federally assisted” and meet the definition of “program” under Part 2. An individual physician may also meet the definition of a Part 2 program in certain circumstances. Once the entity or individual determines that Part 2 applies, it must then ensure that it is complying with Part 2 requirements.

Part 2 carries significant criminal and civil penalties for violations, and it often takes months for entities (particularly those which include Part 2 programs as a part of a larger, multi-use facility) to implement changes to comply with Part 2. For this reason, once it is determined that an entity qualifies as a Part 2 Program, it is important to expeditiously develop policies, procedures, and documents for use in the program.

For treatment programs which have been aware that they are required to comply with Part 2, the 2017 and 2018 amendments to Part 2 did not greatly affect existing practices for protecting patient confidentiality. The amendments were significant, however, from a compliance perspective. They drew attention to Part 2 (which had last been updated in 1987) both by treatment programs which might not have previously understood they were covered by Part 2, and also by payers and auditors, which are requiring compliance with Part 2.

Notably, Part 2 is often confused with the requirements imposed by the Health Insurance Portability and Accountability Act (HIPAA). In light of the stigma associated with SUDs and the vulnerability of Part 2 patients, however, Part 2 imposes separate, stricter requirements than HIPAA. This is confusing for health care clients, who may incorrectly conclude they are compliant with Part 2 simply because they are compliant with HIPAA.

The full Part 2 regulations can be found here. We can provide guidance addressing providers’ questions regarding applicability of Part 2 and if appropriate, implementation of Part 2 confidentiality requirements.

* Community health centers funded by the Health Resources and Services Administration (HRSA) saw a 64 percent increase in patients receiving MAT between 2016 and 2017. In 2018, HHS awarded more than $2 billion in grants to support state, local, and tribal governments, health centers, and other entities in providing prevention, treatment, and recovery services. Learn more here.


Diane M. Racicot counsels health care providers and managed care health plans with their corporate compliance programs, governance responsibilities, internal audits and corrective actions, responses to government audits and investigations and False Claims Act cases. Diane’s practice focuses on providing compliance counseling to health care providers including, local health care district hospitals, hospices, Tribal health clinics, specialty laboratories, medical groups and other providers, as well as health plans on a range of issues including anti-kickback, physician self-referral (“Stark”), overpayment, debarment/exclusion and privacy (including HIPAA and Part 2) laws, as well as numerous other laws and regulations. Diane assists Medicaid and Medicare managed care plans with a myriad of contractual, regulatory and operational issues including those involving provider networks, first tier, downstream and related entities (FDRs) and vendors. She also counsels emerging medical device companies on privacy, fraud and abuse and other health care laws.

Tina Safi Felahi provides legal counsel to health care organizations including hospitals, medical groups, non-physician medical practitioners, ancillary and alternative medicine services providers, and medical device companies on a broad range of health care topics. Tina provides compliance guidance to health care providers, including local health care district hospitals, hospices, Tribal health clinics, specialty laboratories, medical groups and other providers, as well as health plans on a range of state and federal laws and regulations, including corporate practice of medicine, privacy (including HIPAA and Part 2), Medicare and Medicaid overpayment and fraud, waste and abuse (FWA) laws (including the Stark Law and Anti-Kickback Statute). She also advises medical staffs on credentialing and privileging decisions, providing assistance with investigations and reviews of practitioner clinical and behavioral issues, as well as representation throughout the judicial review hearing process.