US Medical BillingRevenue cycle solutions
Behavioral health billing

Confidentiality and 42 CFR Part 2

42 CFR Part 2 is a federal regulation that restricts the disclosure and use of records identifying a person as having a substance use disorder when those records are created by a federally assisted treatment program. It sits alongside the HIPAA Privacy Rule and, in several respects, imposes stricter conditions on when protected information may be shared — including for the billing and payment steps that make up the revenue cycle. Because it governs a narrow but sensitive category of records, its requirements affect how eligibility is verified, how claims are submitted, and how remittances are handled for substance use disorder billing. The rule has been amended over time, and specific consent, redisclosure, and enforcement details vary by program type, payer, and state law, so administrators should confirm current requirements against the current regulation and federal guidance rather than relying on a fixed summary.

Updated 7 min read

On this page

Key takeaways

What 42 CFR Part 2 covers

42 CFR Part 2 applies to a specific category of information: records that would identify a patient as having a substance use disorder, when those records originate with a program that is both federally assisted and holds itself out as providing substance use disorder diagnosis, treatment, or referral for treatment. The regulation is administered under the U.S. Department of Health and Human Services, and its interpretation is supported by guidance from SAMHSA. It is narrower than behavioral health billing generally — mental health services that do not meet the program definition are not automatically subject to Part 2, though they remain protected under HIPAA and applicable state law.

Program status is the threshold question

  • Records that identify a patient as having a substance use disorder from a federally assisted program
  • Information created or maintained in connection with covered diagnosis, treatment, or referral
  • Redisclosures of that information by recipients who received it under the rule

How the rule affects billing and payment

Revenue cycle functions routinely move protected information between the treatment program, payers, clearinghouses, and downstream recipients. Because Part 2 governs disclosures — including for payment and health care operations — administrators must confirm that each step in claim submission and payment posting rests on a valid legal basis. That can mean obtaining patient consent structured to permit the specific disclosures involved, or relying on a permitted exception where one applies. The interaction between Part 2 and HIPAA has been a focus of recent federal rulemaking, so whether payment and operations disclosures require individual consent should be verified against current guidance.

Illustrative points where Part 2 intersects the revenue cycle
Illustrative points where Part 2 intersects the revenue cycle
Revenue cycle stepConfidentiality considerationWhere requirements vary
Eligibility verificationDisclosing patient identity to confirm coverage may reveal program involvementPayer, plan, and state law
Claim submissionClaim content and provider identity can indicate substance use disorder treatmentConsent structure and program type
Remittance and postingRemittance data may be subject to redisclosure limitsRecipient type and downstream use
Denials and appealsSupporting documentation may contain protected recordsAppeal channel and reviewer

This table is illustrative; actual obligations depend on the applicable consent, exception, and current federal and state rules.

A central feature of Part 2 is that disclosures generally require patient consent unless a specific exception applies. Consent documents have defined content elements, and information disclosed with consent has historically traveled with a notice restricting further redisclosure. The precise required elements — and the treatment of consent for payment and operations — have been modified through rulemaking, so the current version of the regulation and SAMHSA guidance are the controlling references.

  1. Determine whether the program is covered

    Confirm federally assisted status and how the program holds itself out before assuming Part 2 applies.
  2. Identify the legal basis for each disclosure

    Match every billing-related disclosure to a valid consent or a recognized exception under the current rule.
  3. Verify consent content against current requirements

    Consent element requirements have changed over rulemaking cycles; validate against the current regulation rather than a prior template.
  4. Control redisclosure downstream

    Track any redisclosure notice obligations that follow protected information to recipients such as payers and clearinghouses.

Do not treat consent as one-size-fits-all

Part 2 in relation to HIPAA and state law

Part 2 does not replace HIPAA; it operates in addition to it for the records it covers. Where the two frameworks differ, the more protective condition generally controls for that information. State confidentiality laws can add further restrictions. This layering means a single record can be subject to HIPAA, Part 2, and state law at once, and administrators handling documentation requirements for these services should account for all applicable layers rather than defaulting to HIPAA alone.

HIPAA Privacy Rule
The general federal framework governing protected health information across most health care settings.
State confidentiality law
State-specific requirements that may impose additional restrictions on disclosure and consent.

Operational practices for covered programs

Programs subject to Part 2 typically build confidentiality controls into everyday revenue cycle workflows rather than treating them as a separate compliance task. That includes coordinating with payers on how protected claims are transmitted, and aligning prior authorization and appeals processes with consent scope. Because enforcement details and permitted disclosures continue to evolve, written procedures should reference the current regulation and be reviewed when federal guidance changes.

  • Maintain consent records aligned to current federal content requirements
  • Coordinate transmission methods with payers for covered claims
  • Document the legal basis for each category of disclosure
  • Review procedures when SAMHSA or HHS guidance is updated
  • Account for state law layered on top of federal requirements

Note

Frequently asked questions

Does 42 CFR Part 2 apply to all behavioral health providers?

No. It applies specifically to records that identify a patient as having a substance use disorder when created by a program that is federally assisted and holds itself out as providing substance use disorder diagnosis, treatment, or referral. Many mental health services fall outside this definition, though they remain protected under HIPAA and any applicable state law. Whether a given program is covered should be confirmed against the current federal definition.

How is Part 2 different from HIPAA?

HIPAA is the general federal privacy framework for protected health information, while Part 2 is a separate rule adding conditions for a narrow category of substance use disorder records. Part 2 has historically imposed stricter consent and redisclosure conditions for the records it covers. The alignment between the two has been adjusted through federal rulemaking, so the current regulation and HHS guidance should be reviewed for specifics.

Can protected records be disclosed for billing and payment?

Disclosures for payment generally require a valid legal basis, which may be patient consent structured for the specific disclosure or a recognized exception. Whether individual consent is required for payment and operations has been a focus of recent rulemaking. Programs should verify the current requirement rather than assume payment disclosures are automatically permitted.

What happens to information after it is disclosed?

Information disclosed under Part 2 has historically carried restrictions on further redisclosure by the recipient. The exact notice content and downstream obligations have been revised over time. Covered programs and their billing partners should track current redisclosure requirements when protected information flows to payers, clearinghouses, or other recipients.

Does state law affect Part 2 obligations?

Yes. State confidentiality laws can add restrictions beyond the federal rule. Where requirements differ, the more protective condition generally governs for the affected information. A single record can be subject to HIPAA, Part 2, and state law simultaneously, so all applicable layers should be considered together.

Related glossary terms

Confidentiality obligations touch several revenue cycle concepts. These glossary entries provide plain-language definitions of terms used throughout this article.

Ready to improve your revenue cycle?

Explore our services and knowledge base to see how we can help.