42 CFR Part 2 is Changing

And these changes may impact you even if you do not offer substance use disorder services! HIPAAtrek is here to help you navigate these changes and achieve compliance under 42 CFR Part 2—even if it’s new to your organization.

Why is 42 CFR Part 2 Changing?

The Substance Abuse and Mental Health Services Administration (SAMHSA) has stated that 42 CFR Part 2 is changing in order to:

  1. Increase care coordination among providers;
  2. Increase protections for patients concerning disclosure of treatment records; and
  3. Create better alignment between Part 2 and HIPAA.

According to SAMHSA, Substance Use Disorders are the number one cause of accidental death in the United States. These regulations are intended to streamline access to treatment while protecting data to ensure individuals can access life-saving care without concern about records disclosure.

calendar icon

When?

The 42 CFR Part 2 NPRM was published to the Federal Registry Feb 16, 2024. Even if you haven’t had to comply with Part 2 in the past, you will likely need to comply now.

What is changing under 42 CFR Part 2?

The largest change with implications for your compliance is the expanded definition of a lawful holder.

What is a lawful holder? A lawful holder is now defined as a hospital, clinic, or other provider that receives records from a Substance Use Disorder (SUD) treatment facility or provider. If you have any health information that was sent to you from another lawful holder or a Part 2 program, you will be considered a lawful holder.

All records received by a lawful holder from a SUD program are subject to 42 CFR Part 2 and the lawful holder must have policies and procedures in place to protect those records.


If your policies, procedures, and BAAs are not currently compliant with 42 CFR Part 2, you will have 180 days to comply with these regulations, or risk monetary penalties. Though the purpose of these changes is to align HIPAA and Part 2, these regulations still have different requirements. Complying with HIPAA and your state regulations does not mean you are in compliance with 42 CFR Part 2.

Update Policies

Plan for the identification, creation, editing, approval, and finalization of new policies and procedures. HIPAAtrek clients already have access to policy templates compliant with 42 CFR Part 2.

Update BAAs

Vendors that will have access to Part 2 data require a new contract or Business Associate Agreement that is compliant with 42 CFR Part 2.

Training

The larger your organization is, the more staff education and training it will take to change habits, routines, and workflows to create compliance in action.

How HIPAAtrek Helps with Regulatory Changes

HIPAAtrek was built by HIPAA compliance experts who have been in your shoes, so we know how challenging sweeping changes to HIPAA can be. HIPAAtrek already supports compliance with 42 CFR Part 2, and we can help even if you are a new lawful holder.

We work diligently to support our clients through changing regulations with:

  • Specific, in-depth training to educate and prepare our clients, with opportunities to ask questions of our HIPAA compliance experts;
  • Built-in policy templates that are already compliant with 42 CFR Part 2 regulations, so you can start achieving compliance today;
  • HIPAA training videos within the software which are always updated to reflect the current regulations and assist with implementation among your team.

Schedule A Demo

There’s never been a better time to join HIPAAtrek. Register for a demo now and a member of our team will reach out with more information:

Prepare Now for Changes to 42 CFR Part 2

Conduct a Risk Analysis

Know where your compliance program stands, so you can build on a strong foundation once the changes are finalized.

Create an Action Plan

Understand the specifics of these changes and begin preparations by identifying policies and BAAs that will require updates.

Communicate with Leadership

Create buy-in among the C-suite, sharing your action plan and budget proactively.


Are you up to date with HIPAA?

We made you a free cheat sheet to guide your compliance as regulations change.

Changing Regulations Cheatsheet