42 CFR Part 2 Compliance Assessment

Evaluate compliance with federal regulations protecting confidentiality of substance use disorder patient records

Healthcare · Cannabis · 12 minutes · 18 questions

1. Patient Consent Requirements

Do you obtain written patient consent before disclosing SUD treatment records?*

42 CFR Part 2 requires specific written consent for each disclosure

💡 Consent forms must include: patient name, purpose, recipient, specific information disclosed, expiration date, and signature

Do your consent forms contain all nine required elements per 42 CFR § 2.31?*

Name, purpose, recipient, information type, expiration, right to revoke, signature date, consequences of disclosure, and prohibition on redisclosure

Are consent forms separate from other treatment authorizations?*

Part 2 prohibits including SUD consent within general medical consent forms

Do you limit consent validity to no more than what is reasonably necessary?*

Consents cannot be indefinite; they must have a reasonable expiration

2. Disclosure & Redisclosure

Do you include a prohibition on redisclosure statement on all disclosed records?*

Required statement: "This information has been disclosed to you from records protected by federal confidentiality rules (42 CFR Part 2)..."

Have you identified and documented all permissible disclosures without consent?*

Medical emergencies, research, audits, child abuse reporting, court orders with good cause

Do you verify that court orders meet "good cause" requirements before disclosure?*

Must show public interest outweighs privacy harm; Part 2 court orders are different from subpoenas

Are Part 2 records segregated or clearly marked in electronic health records?*

Essential to prevent inadvertent disclosure to unauthorized parties

3. Notice to Patients

Do you provide a Notice of Federal Confidentiality Requirements to all patients at admission?*

Required under § 2.22: Notice must explain Part 2 protections

Is the Notice of Federal Requirements posted conspicuously in your facility?*

Do patients receive written notice explaining their right to revoke consent?*

4. Program Compliance

Is your program federally assisted (federal grants, contracts, or licenses)?

Part 2 applies to federally assisted programs holding themselves out as SUD treatment providers

💡 If yes, Part 2 fully applies. If no but you treat SUD, consult legal counsel on applicability

Have you trained all staff on Part 2 requirements annually?*

All employees with access to SUD records must understand disclosure restrictions

Do you have written policies and procedures governing Part 2 compliance?*

Do Business Associate Agreements address both HIPAA and Part 2 requirements?*

Part 2 has stricter rules than HIPAA for SUD records; BAAs must reflect both

5. Breach & Incident Response

Do you have procedures for responding to unauthorized disclosures of Part 2 records?*

Breaches must be documented and may require patient notification

Do you maintain a log of all Part 2 record disclosures?*

Essential for breach investigation and compliance audits

Are criminal penalties for wrongful disclosure (up to $500 first offense, $5,000 subsequent) communicated to staff?*

Federal criminal penalties under § 2.4 are serious; staff must understand consequences
