In response to changes in the medical industry due to COVID-19, the Department of Health and Human Services (HHS) and Substance Abuse and Mental Health Services Administration (SAMHSA) have put forth a Notice of Proposed Rulemaking to streamline how doctors can access mental health information.
This article will discuss this rule change and why it seeks to address the gaps between HIPAA disclosure and mental health information protections.
What Is the Code of Federal Regulations Title 42 Part 2?
42 CFR Part 2, titled “Confidentiality of Substance Use Disorder Patient Records,” is a set of requirements outlining the responsibility of maintaining mental health and Substance Abuse Disorder (SUD) information. This regulation is a federal law that applies to any program or person that is federally assisted and providing substance use disorder treatment of any form.
This regulation sets strict guidelines for the confidentiality of substance use disorder patient records to protect patients’ privacy and encourage underserved individuals to pursue treatment for often-stigmatized conditions.
Under 42 CFR Part 2, SUD patient records cannot be disclosed without the individual’s written consent. Individuals receiving treatment for substance use disorder must be informed about their confidentiality rights and the circumstances under which their information can be disclosed. Additionally, any disclosures of SUD patient records must include a statement indicating that the information disclosed is protected by Part 2 and cannot be disclosed without the individual’s written consent, except as permitted by this regulation.
What Does HIPAA Say About Sharing Confidential Medical Information?
HIPAA regulations function similarly to 42 CFR Part 2 in that they dictate patient records’ privacy in healthcare settings. More importantly, HIPAA regulations allow healthcare providers to share patient information in certain limited circumstances, including:
- Treatment: In some cases, healthcare providers can share information without consent if treatment is needed in emergencies or where consent cannot be obtained due to this health emergency.
- Payment: Healthcare providers may share payment information with insurance companies for reimbursement.
- Operations: Healthcare providers may share patient information for healthcare operations, such as quality improvement activities, conducting audits or evaluations, or training staff.
- Public Safety: Healthcare providers may share patient information in cases of a public health crisis or where there could be an impact on general welfare.
- Legal Requirements: Healthcare providers must disclose PHI under the dictate of courts or law enforcement while maintaining patient privacy outside of that context.
It’s important to note that even when patient information is shared for these purposes, healthcare providers must still protect patient privacy and ensure that the data is only shared with those who need to know the information.
What Are the New (Potential) HIPAA Rules Attempting to Accomplish?
One of the major challenges between 42 CFR Part 2 and HIPAA is that the former is more strict than the latter regarding mental health information or SUD data. The general exceptions allowing unauthorized access to health information for emergency health care don’t touch on the information protected by 42 CFR Part 2.
This presents a significant problem, one that was laid bare during the COVID-19 pandemic. Often healthcare provided by covered entities would need, or would have benefited, from knowing an individual’s mental health or SUD information… but they cannot get it without patient consent. If this consent is not provided, or the patient cannot provide, that information is off-limits.
The new rules, which will take effect in 2023, would address and align these two regulations so doctors can better serve their patients.
The key changes suggested in the NPRM are:
- Permitting disclosure of Part 2 records such that once consent is given it covers all disclosures in the future.
- Creating new rights under Part 2 such that patients can get a full account of disclosures and to request restrictions on certain disclosures–rights that would align with those in HIPAA regulations.
- Naming a new authority to enforce civil penalties for violations of 42 CFR Part 2.
- Outlining a new process to receive and process complaints about 42 CFR Part 2 violations that can address programmatic issues and disallow restrictions to treatment or waiving rights as a precondition for filing complaints.
- Breach notifications to the HHS and affected patients for Part 2 records will fall under the Breach Notification Rule.
In the long term, this new rule will align rules contained in HIPAA with 42 CFR Part 2 such that providers can streamline treatment using important mental and addiction data without compromising patient privacy.
Stay Ahead of HIPAA Rule Changes with Lazarus Alliance
HIPAA rules seldom change; when they do, it’s a big deal. When these changes occur, they can slip under the radar for healthcare providers who aren’t up-to-date on new rulemaking.
When you work with Lazarus Alliance, you can trust that we’ve got you covered, no matter the rule. Our team of experts can help you streamline HIPAA compliance right now, where your organization is.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts