HIPAA Compliant
HIPAA and related privacy laws require healthcare organizations to protect patient information and limit when it can be shared, with even stricter rules for substance use disorder (SUD) treatment programs.
HIPAA and medical records
HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that restricts disclosure of a patient’s health information without authorization and sets nationwide standards for privacy and security in healthcare. It was originally designed to improve portability and continuity of health insurance coverage, especially for people changing jobs or living with pre‑existing conditions, and later expanded to create detailed privacy and security protections for *protected* health information (PHI). PHI includes identifying information such as demographic details, health conditions, locations where care was provided, and the methods used to pay for services. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
To implement HIPAA, the U.S. Department of Health and Human Services (HHS) created the HIPAA Privacy Rule, which establishes uniform requirements for healthcare providers, health plans, clearinghouses, and other “covered entities” that handle PHI. The Privacy Rule allows PHI to be used and shared in standardized ways for treatment, payment, and healthcare operations, while requiring safeguards to preserve patient confidentiality and granting patients rights to access, amend, and limit certain uses of their records. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
In an era of electronic health records and routine digital data exchange, HIPAA functions as a baseline protection for how personal medical information is collected, stored, used, and transmitted. When individuals want information shared beyond covered entities—for example, with a family member, employer, or other third party—they must generally provide explicit permission, usually in the form of a written authorization. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Confidentiality in SUD treatment (42 CFR Part 2)
People receiving care for a substance use disorder have additional privacy protections under federal regulations known as 42 CFR Part 2. These rules apply to programs and activities that provide substance use education, prevention, training, treatment, rehabilitation, or research, and they protect any records that could reveal a person’s identity, diagnosis, prognosis, or treatment for SUD. The goal is to address concerns that fear of stigma, discrimination, or prosecution might prevent people from seeking needed treatment. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
In early 2024, HHS issued a Final Rule updating the confidentiality regulations for SUD patient records under Part 2. Key changes include: [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Allowing Part 2 programs to rely on a single patient consent to authorize ongoing disclosures of Part 2 records for treatment, payment, and healthcare operations. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Permitting re‑disclosure of Part 2 information as allowed by the HIPAA Privacy Rule, subject to Part 2’s additional protections. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Expanding limits on the use and disclosure of Part 2 records in civil, criminal, administrative, and legislative proceedings. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Establishing new patient rights, including a right to an accounting of certain disclosures and a right to request restrictions on disclosures for treatment, payment, and healthcare operations. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Requiring programs to cooperate with enforcement activities by the Secretary of HHS. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Applying HIPAA and HITECH civil and criminal penalties to violations of Part 2. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Requiring programs to maintain a complaint process, prohibiting retaliation against patients who file complaints, and forbidding any requirement that patients waive their complaint rights as a condition of receiving services. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Records, background checks, and SUD treatment
Prior drug or alcohol treatment generally does not appear on routine background checks or standard public records searches. While there is no shame in seeking help, many people prefer not to disclose that they are in rehab because of persistent stigma around substance use, and HIPAA and 42 CFR Part 2 work together to keep this information *confidential*. These rules significantly limit the circumstances under which treatment details can be shared, helping to protect patients from discrimination based on their decision to enter care. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
SUD treatment records are not typically part of criminal history databases, employment‑focused background reports, or other common screening tools, unless information is disclosed through separate channels or specific authorizations. The confidentiality framework is designed so that individuals can seek treatment without fearing that their participation will automatically be exposed to employers, landlords, or others. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
When SUD programs may disclose information
SUD programs must protect the confidentiality of patient records under both HIPAA and 42 CFR Part 2 and generally cannot confirm that someone is a patient or reveal details about diagnosis, prognosis, or treatment. Disclosure is usually permitted only when: [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– The patient has signed a valid written consent or authorization specifying what information can be shared, with whom, and for what purpose. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– A court issues an appropriate order permitting disclosure under applicable standards. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– Information is needed by medical personnel in a legitimate medical emergency or is shared with qualified personnel for approved research, audits, or program evaluation. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Violating these federal requirements by improperly disclosing SUD records can be a crime and may be reported to the appropriate authorities. Staff in SUD programs are trained on HIPAA and Part 2 obligations so that patient privacy is upheld to the fullest extent permitted by law. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Electronic exchange and HIPAA‑protected information
Electronic health information exchange allows doctors, nurses, pharmacists, other healthcare professionals, and patients to share information securely for treatment and care coordination. Common mechanisms include: [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
– Directed exchange: One provider securely sends or receives specific clinical information—such as lab results, referral information, or discharge summaries—to or from a known, trusted recipient. To meet Part 2 requirements, a patient must complete a consent form that clearly authorizes the sharing of particular SUD‑related information. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
– Query‑based exchange: A provider queries clinical data sources, often through a health information exchange (HIE), to retrieve information about a patient’s history or current care. For patient‑identifying SUD information to be transmitted to or through an HIE under Part 2, the patient’s consent is required or a Qualified Service Organization Agreement (QSOA) must be in place with the HIE describing the services it performs, such as billing, lab, or pharmacy functions. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
Even when electronic exchange is used, programs must comply with HIPAA’s minimum necessary standard and Part 2’s heightened protections, sharing only what is needed for the stated purpose. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
Consent forms and patient choice
At admission to rehab or another SUD program, patients are typically informed of their privacy rights and asked to sign documents acknowledging receipt and understanding of this information. Facilities also explain consent and authorization forms, which determine when information may be shared beyond the core treatment team. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Consent forms specify:
– The individuals or organizations authorized to receive information. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– The purpose of the disclosure. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
– The type and amount of PHI that may be shared. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
For example, a patient may authorize the program to share progress updates with a spouse, identifying that person by name and defining the scope of information that can be discussed. If the patient does not grant consent for SUD‑related disclosures, the program generally may not share any information with family or others and may not even confirm that the patient is in treatment. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Patients can revoke their consent for a Part 2 program at any time, in whole or in part. The revocation should be communicated to the program—verbally or in writing—and documented in the patient’s record, and future disclosures under that consent must stop, subject to disclosures already made in reliance on the prior authorization. [hhs](https://www.hhs.gov/hipaa/for-professionals/special-topics/hipaa-part-2/index.html)
Penalties for improper disclosure
Covered entities and professionals that improperly disclose PHI, whether intentionally or through negligence, may face enforcement actions. The HHS Office for Civil Rights and, in some cases, state attorneys general can investigate alleged violations and impose financial penalties, corrective action plans, or both. These penalties can be substantial and are intended to hold organizations accountable for protecting patient privacy and preventing unauthorized disclosures of health information. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
These enforcement mechanisms reinforce the expectation that healthcare providers, including SUD treatment programs, implement strong privacy practices, respond promptly to potential breaches, and maintain systems that comply with HIPAA, HITECH, and 42 CFR Part 2. [americanaddictioncenters](https://americanaddictioncenters.org/rehab-guide/confidentiality-hipaa)
