Skip to main content
Guide

Privacy and 42 CFR Part 2, what changes in your charting

A practical read on the federal confidentiality rule for substance use disorder records, what it actually requires in the chart and the workspace, and the day-to-day decisions clinicians and administrators have to make.

Guide For All providers 15 min

42 CFR Part 2 is the federal rule that governs the confidentiality of substance use disorder (SUD) treatment records. It predates HIPAA, applies on top of HIPAA, and in several specific ways is stricter than HIPAA. For behavioral-health practices that treat SUD patients (which includes most outpatient psychiatric practices, most MAT programs, and many therapy practices), the rule shapes day-to-day decisions about what goes in the chart, who can see it, and what has to happen before any record leaves the building.

This guide covers what Part 2 actually requires, what changes in your charting and workspace setup, and the operational patterns that make compliance routine rather than constant overhead. It is written for a practice that treats SUD as part of a broader behavioral-health panel, which is the most common case, and where Part 2 is the rule that often gets fuzziest in practice.

What Part 2 covers and what it does not

Part 2 covers records of patients who are receiving SUD diagnosis, treatment, or referral for treatment from a “Part 2 program.” The definition of a Part 2 program is the part that trips practices up. It includes:

  • Federally-assisted programs whose primary function is SUD treatment (the obvious case: an OTP, a residential SUD facility, a buprenorphine clinic).
  • Identified units within general medical facilities where SUD diagnosis, treatment, or referral is the primary function (the inside-a-hospital case).
  • Medical personnel within general medical facilities whose primary function is SUD diagnosis, treatment, or referral ( the embedded-clinician case).

A general outpatient psychiatry practice that treats some SUD patients alongside everything else is typically not a Part 2 program in the strict definition. A clinician within that practice whose primary function is SUD treatment may be subject to Part 2 for the records they create. Most MAT programs are. Most outpatient psychiatry practices that include MAT services are partially.

Practical implication: if you are not certain whether Part 2 applies to your practice, get an answer from compliance counsel before you assume either way. The rule has real teeth, and the protections matter to patients regardless of whether they are technically required.

The 2024 update to Part 2 brought the rule closer to HIPAA in several places (notably permitting a single broad consent for treatment, payment, and operations) but kept the core protections intact and added new ones around segregation, redisclosure, and breach notification.

What stays the same in your charting

The substance of the SUD note does not change. The assessment, the diagnosis, the medication, the monitoring plan, the C-SSRS, the toxicology results: these are the same documentation regardless of Part 2. The note has to be clinically complete. Part 2 governs the handling of the note, not its content.

This is worth saying explicitly because clinicians sometimes try to “thin” Part 2 records, omitting clinical detail to reduce risk on disclosure. That is the wrong pattern. A thin chart that fails to support medical necessity creates a different kind of risk (denial, audit, malpractice exposure) without solving the disclosure problem. The right pattern is full clinical content with rigorous handling.

What changes in your charting

A few specific things change at the documentation level under Part 2.

First, identify the Part 2 status of the record. Many EHRs and documentation platforms allow tagging a record as Part 2. Use that tag. The tag triggers the segregation, audit, and disclosure controls that the rule requires.

Second, document the consents. Part 2 records can only be disclosed with patient consent in a specific format, with limited exceptions. The consent itself is part of the record. The chart should make it obvious which consents are in place, what they cover, and when they expire.

Third, mark the redisclosure prohibition. When a Part 2 record is disclosed to an external party, the disclosed material must carry a notice prohibiting the recipient from redisclosing without further consent. The notice is a specific statement in the regulation. Use the standard wording. Most platforms apply it automatically when the record is exported under a Part 2 disclosure consent.

Fourth, the chart should track the disclosure log. Who got what, when, and under what consent. This is not optional and it is not a HIPAA accounting-of-disclosures clone; it is its own log under Part 2.

What changes in your workspace setup

The four operational patterns that distinguish a Part 2-aware workspace from a HIPAA-only one:

  • Segregation. Part 2 records are segregated within the chart so that disclosures of non-Part 2 records do not inadvertently include Part 2 content. The segregation can be at the section level (a clearly marked SUD section that is excluded from default exports) or at the record level (a Part 2-tagged encounter that is excluded from default disclosures).

  • Consent management. The consent forms themselves are stored with the patient record, and the active consents are linked to disclosure controls. When an external disclosure is requested, the system enforces that an active, in-scope consent exists before the disclosure goes through.

  • Audit logging. Every access to a Part 2 record is logged: who accessed it, when, what they did. The log is reviewable by compliance staff and by the patient on request.

  • Workforce training. Part 2 has a workforce-training requirement on top of HIPAA. Annual training, documented per workforce member.

In Nextvisit, these patterns are surfaced through the standard access-control, audit-log, and document-management features. The segregation pattern most practices use is encounter-level tagging combined with a custom tag (e.g., “Part 2”) and disclosure controls that exclude tagged content from default export flows. The consent and disclosure logs live as documents in the patient record at /patient/[uuid]/documents with structured fields for consent type, scope, and expiration.

If you are a dedicated SUD program (OTP, residential, embedded MAT clinic with SUD as the primary function), the workspace setup should be tighter still. Talk to your compliance counsel about whether a separate workspace, or a more formal segregation architecture, is appropriate.

The “co-occurring” problem and how to chart through it

The most common day-to-day Part 2 question in a general behavioral-health practice is the co-occurring case: a patient with both a primary mood or anxiety disorder and a substance use disorder, treated by the same clinician in the same encounter.

The pragmatic approach:

  • The encounter is documented in full, with the SUD content present and clinically complete.
  • The encounter is tagged appropriately. If your clinician is functioning as a Part 2 provider for this patient (their primary function with this patient is SUD treatment or the SUD treatment is integral to the encounter’s purpose), the encounter is Part 2. If not, the encounter is HIPAA-only and the SUD content is treated under HIPAA’s protections, which are still significant.
  • The chart should make the basis of the tagging visible. A short note in the assessment (“encounter tagged as Part 2 record per primary purpose of SUD treatment today” or “encounter tagged as HIPAA record per primary purpose of mood disorder treatment today, SUD content included for clinical context”) clarifies the call for any later reviewer.
  • The patient is informed of the Part 2 protections in plain language, regardless of which way the call goes.

If the practice is not certain on a per-encounter basis, the safer default is to apply Part 2 protections more broadly rather than less. Over-application of confidentiality protections is rarely a problem. Under-application is.

What changes in your AI documentation tooling

Part 2 has implications for AI documentation tools that are easy to miss.

First, training data. Part 2 records cannot be used to train AI models without specific patient consent in the Part 2 format. Nextvisit does not train on patient data, period, but a practice should confirm the same of any tool it uses and document the confirmation.

Second, longitudinal context. AI tools that surface cross-visit patterns (the AI Timeline, Treatment Pulse, peer review) are operating across the chart, including any Part 2 content. The protection mechanism is that those views are themselves access-controlled and audit-logged, the same as direct chart access. If a clinician would not be permitted to read the underlying records, the longitudinal view derived from those records is also restricted.

Third, automations and integrations. AI Tasks (/apps/tasks) that operate on patient or encounter data may produce outputs that include Part 2 content. The output destination has to be consistent with the consents in place. A task that drafts an external referral letter, for example, should not include Part 2 content unless the referral has Part 2-compliant consent. The task configuration should reflect that constraint.

Fourth, MCP and external apps. The MCP integration surface (Settings > Tools and AI > External Apps) lets external AI assistants operate on the same clinical data a clinician sees. Part 2 records should not flow to external surfaces unless the consent and the external party’s compliance posture support it. Treat the MCP and OAuth integrations the same way you would treat any external disclosure.

The disclosure log

Every Part 2 disclosure is logged. The log entry includes: the date, the recipient, the records disclosed, the consent under which the disclosure was made, and the redisclosure-prohibition notice that accompanied the disclosure. The log is part of the patient’s record and is available to the patient on request.

Most disclosures in a behavioral-health practice are routine: a referral to a therapist, a release to a primary care physician, a query from the insurance carrier. Each of those is a separate log entry under Part 2. Build the log into the practice’s release workflow rather than treating it as an extra step. Practices that try to maintain the log retroactively typically have an incomplete log.

Patient rights under Part 2

Part 2 patients have specific rights:

  • The right to know what protections apply to their records and how the records can be used.
  • The right to consent to disclosures, with clear scope and expiration.
  • The right to revoke consent.
  • The right to access the disclosure log.
  • The right to access their own records.
  • The right to a complaint process.

Document the patient’s acknowledgment of these rights at intake or at the first SUD-related encounter. The acknowledgment is part of the chart.

Operational patterns that make compliance routine

Three patterns that practices use to make Part 2 compliance routine rather than constant overhead:

  • Default to tagging. The default for SUD-related encounters is Part 2-tagged unless the clinician affirmatively declasses the encounter for a documented reason. Default-on is dramatically more reliable than default-off-with-occasional-tagging.

  • Tie consents to disclosures. A disclosure cannot leave the system without a consent record attached. Build the workflow so it is faster to do it right than to do it wrong.

  • Train annually, document the training. Part 2 has a training requirement. Annual training plus a documented attestation per workforce member satisfies it. Make it a calendar event with an owner.

Where Nextvisit fits

Part 2 is a rule about handling, not about clinical substance. The platform supports the handling: encounter tagging, custom tags for Part 2 cohorts, document storage for consents and the disclosure log, audit logging on every access, segregated export controls, workspace-scoped API and MCP access. The clinical content of the chart is unchanged. The infrastructure around the chart is what makes Part 2 work in practice.

The right setup, configured once, fades into the background. The chart you write is the chart you would have written. The protections happen because the workspace was built to enforce them.

See it on your workflow

Twenty minutes, one mock visit. You leave with a note in your template.

We run a mock session live, draft the note, and walk through what the downstream claim would look like. No slides. No sales deck.

Book a demo Talk to sales
Live in 2 weeks or less BAA signed by default 30-day money back