HIPAA establishes baseline privacy protections for all healthcare providers, and records from substance use disorder (SUD) treatment programs like rehab facilities are also regulated by 42 CFR Part 2. Part 2 is a federal regulation designed to address the heightened risks of stigma, discrimination, and legal consequences for patients seeking help for substance use issues.
A study in the Journal of Addiction Medicine, ‘Recommendations to Inform Substance Use Disorder Data Sharing Research,’ noted on the topic of legislative protections for SUD, “These regulations ‘…ensure that a patient receiving treatment for SUD… is not made more vulnerable [because they seek treatment] than an individual with a SUD who does not seek treatment.’”
Under 42 CFR Part 2, any information that could directly or indirectly identify a patient as having a current or past drug or alcohol use problem cannot be disclosed without the patient’s explicit written consent, except in very limited circumstances. This means that drug test records held by rehab facilities are protected both as protected health information (PHI) under HIPAA and as confidential SUD treatment records under Part 2.
The following excerpt from Patient Confidentiality notes the definition of PHI: “The privacy rule specifies 18 elements that constitute PHI.[7] These identifiers include demographic and other information relating to an individual's past, present, or future physical or mental health or condition or the provision or payment of health care to an individual.”
Drug test results are considered PHI when they are linked to an identifiable individual and managed by a covered entity. These results cannot be disclosed without patient authorization except for specific purposes like treatment, payment, or healthcare operations.
Results related to substance use disorder diagnosis, treatment, or referral for treatment are subject to even stricter confidentiality rules under 42 CFR Part 2. Generally, written patient consent is required for any disclosure outside the treatment program, with limited exceptions.
A rehab facility falls under HIPAA as a covered entity if it delivers medical or behavioral health treatment and engages in electronic transactions related to health care, such as submitting claims to insurers or exchanging electronic health records. Appendix B of Improving the Quality of Health Care for Mental and Substance-Use Conditions: Quality Chasm Series provides an apt summary of what exactly treatment is: “The rules at 45 C.F.R. § 164.501 define treatment to mean: ‘…The provision, coordination, or management of health care and related services by one or more health care providers… consultation between health care providers relating to a patient; or the referral of a patient for health care from one health care provider to another.’”
If the rehab facility is part of a larger organization that performs both health care and non-health care functions, it may designate itself as a hybrid entity, applying HIPAA rules only to its health care components. The designation requires formal documentation and clear separation of health care activities from other organizational functions.
Facilities operated by healthcare providers are considered covered entities. Facilities or services run by employees who are not themselves healthcare providers may function as business associates if they handle PHI on behalf of the covered entity. These business associates must comply with HIPAA through binding agreements that delineate their responsibilities for protecting PHI but do not carry the full scope of covered entity obligations.
The distinction matters because covered entities have broader duties, including direct patient relationship management and accountability for compliance. Business associates’ responsibilities are contractual and limited to their role in supporting the covered entity’s healthcare operations. The International Journal of Telerehabilitation study ‘Telerehabilitation Store and Forward Applications’ notes on business associate responsibilities, “The CE must have a written Business Associate Agreement (BAA) with the BA… [which] requires the BA to comply with the HIPAA and HITECH rules to protect the privacy and security of PHI.” When healthcare providers operate hybrid entities, they must formally designate which parts are subject to HIPAA.
The Addiction Science & Clinical Practice study ‘Using 42 CFR part 2 revisions to integrate substance use disorder treatment information into electronic health records at a safety net health system’ states on the function of 42 CFR Part 2, “Federal regulations for federally funded SUD treatment programs under Title 42 Consolidated Federal Register part 2 (42 CFR part 2) were designed to protect patient privacy (e.g., avoid residual stigma, labeling or non-medical access to records); an unintended consequence has been interference with care integration.”
Originating in 1972 and codified in the Code of Federal Regulations, Part 2 prohibits federally assisted SUD programs from disclosing any information that would identify a patient as having a substance use problem without the patient’s explicit, written consent, except in narrowly defined circumstances like medical emergencies or court orders. This regulation applies to entities whose primary function is diagnosing, treating, or referring patients for substance use disorders.
This ensures that drug test results from SUD treatment are not inadvertently shared, which could expose patients to discrimination or legal jeopardy. Recent revisions to 42 CFR Part 2 aim to better integrate SUD treatment data into electronic health records to facilitate coordinated care.
A program is covered if it is federally assisted (receives federal funding, is licensed or certified by a federal agency, or is registered to dispense controlled substances for SUD treatment) and provides alcohol or drug abuse diagnosis, treatment, or referral for treatment. This includes specialized units within general medical facilities if they primarily provide SUD services.
Disclosures without consent are limited and include medical emergencies where there is an immediate threat to health or safety, qualified service organizations under a written agreement, certain court orders, and suspected child abuse reports (though disclosure that the patient is in a SUD program is still restricted).
A qualified service organization agreement (QSOA) is a written agreement between a Part 2 program and an organization that provides services to the program. The agreement ensures that the organization abides by Part 2 confidentiality rules, preventing unauthorized disclosure of patient information.
Generally, no. Written patient consent is required for most disclosures. Exceptions include medical emergencies, qualified service organization agreements (QSOAs), certain court orders, and limited law enforcement disclosures under strict conditions.
Yes. When PDMPs receive Part 2-protected records, they become lawful holders and must protect the data according to Part 2’s privacy and security rules. Reporting to PDMPs requires written patient consent and must comply with applicable state laws.
No, programs cannot require consent as a condition of treatment. However, written consent is required for disclosure of patient information except in limited circumstances.