The Regulation Most Health Tech Vendors Haven't Read
42 CFR Part 2 — the Confidentiality of Substance Use Disorder Patient Records regulation — has been federal law in one form or another since 1975. It applies to any program that provides substance use disorder (SUD) diagnosis, treatment, or referral to treatment, and it imposes confidentiality requirements that go significantly beyond standard HIPAA protections.
Most health technology vendors have not designed their products with 42 CFR Part 2 in mind. That's because most health tech is built for the general healthcare market, where HIPAA is the dominant framework. But behavioral health is not the general healthcare market — and a multi-service behavioral health practice that sees patients for both mental health and substance use disorder services is operating under two overlapping regulatory frameworks simultaneously, with the more restrictive one (42 CFR Part 2) governing the SUD portion.
This post is for behavioral health tech vendors, practice administrators, and clinical directors who need to understand what 42 CFR Part 2 requires — and how it translates to software design decisions at the intake stage.
What 42 CFR Part 2 Actually Requires
The core obligation under 42 CFR Part 2 is straightforward in principle and complicated in execution: patient records from a SUD program (covered entities under Part 2 are called "Part 2 Programs") may not be disclosed without specific patient consent, except in very limited circumstances. The exceptions are narrower than HIPAA's — they do not include most of the routine treatment, payment, and healthcare operations disclosures that HIPAA permits.
Specifically, 42 CFR Part 2 prohibits disclosure of SUD patient records to:
- Other treating providers (including the patient's own primary care physician) without explicit patient consent — this is a departure from standard HIPAA treatment-exception rules
- Family members, unless the patient has consented
- Employers and insurers, without consent — even when a payer is requesting records for prior authorization or utilization review
- Law enforcement, in most circumstances, even in response to a subpoena (Part 2 requires a court order with a higher standard than a standard subpoena)
The 2024 final rule update to 42 CFR Part 2 (effective October 2024) aligned some Part 2 provisions more closely with HIPAA's treatment-payment-operations (TPO) exception and made consent more durable for integrated care settings — a significant change for multi-service practices operating under coordinated care models. However, it did not eliminate Part 2's separate consent requirements or reduce the heightened protections in fundamental ways. Part 2 records still require a separate patient consent before they can be integrated into a general health record shared across providers.
How This Affects the Intake Stage
The intake stage is where 42 CFR Part 2 complications begin — because intake is where you first identify that a patient may be seeking SUD-related services.
Consider the intake workflow for a behavioral health practice that offers both psychotherapy and substance use disorder treatment. A new patient fills out an intake form indicating they're seeking help for anxiety and alcohol use. At that moment, a Part 2 obligation has potentially attached. If the practice's intake system treats this patient record the same as all other patients — routing their information to an integrated EHR, sharing the intake summary with a referring physician, or including them in a treatment coordination email — it may already be violating Part 2 if those disclosures were not consented to separately.
The intake stage must:
- Identify whether the presenting concern includes SUD-related services
- Trigger a separate Part 2-compliant consent process before any SUD-related record is created or disclosed
- Maintain the SUD consent record alongside the patient record for the duration of treatment
- Ensure that the clinical routing and EHR integration pathways respect the consent scope — meaning a Part 2 patient who has not consented to disclosure to their referring physician should not have SUD intake data sent to that physician's system, even if the general HIPAA authorization permits other information sharing
What Software Needs to Handle
From a software design perspective, 42 CFR Part 2 compliance support requires several specific capabilities that a general-purpose intake tool or EHR module typically does not have.
Flagging mechanism at intake. The intake form or screening logic must be able to identify when a patient's presenting concern triggers Part 2 obligations — typically when SUD diagnosis, treatment, or referral is part of the intake request. This requires either a direct presenting-concern question with SUD as an identified category, or a screening instrument result (AUDIT-C, for example) that crosses a threshold indicating SUD evaluation is appropriate.
Separate consent workflow. Part 2-flagged patient records require a separate consent form that specifies who the patient is authorizing to receive their information, for what purpose, and for how long. This cannot be bundled with a general HIPAA authorization. The software must support collection and storage of this consent as a distinct, retrievable record.
Record segmentation. SUD-related records must be separable from general mental health records in the practice's system. If the EHR integration layer sends intake summaries to a connected provider system, it must be able to exclude Part 2 records from that transmission for patients who have not consented to that specific disclosure.
Audit trail. Every disclosure of a Part 2 record — including within the practice for treatment purposes — should be logged with sufficient detail to demonstrate that the disclosure was within the scope of patient consent. This supports both compliance documentation and breach investigation if a disclosure is later questioned.
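The four capabilities above can be combined into a single outbound gate in the EHR integration layer. The sketch below is an added example, not code from Intakeful or any vendor named here. All names (`Part2Consent`, `build_transmission`, the segment layout, the recipient and purpose strings) are hypothetical, and the AUDIT-C threshold is a constructed value that a practice would configure clinically.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class Part2Consent:      # stored as its own record, not inside the HIPAA authorization
    patient_id: str
    recipient: str       # who may receive the SUD information
    purpose: str         # for what purpose
    expires: date        # for how long

def is_part2_flagged(concerns, audit_c_score, audit_c_threshold):
    """Intake flag: SUD is a presenting concern, or the screen meets the configured threshold."""
    return "substance_use" in concerns or audit_c_score >= audit_c_threshold

def find_consent(consents, patient_id, recipient, purpose, today):
    return next((c for c in consents
                 if (c.patient_id, c.recipient, c.purpose) == (patient_id, recipient, purpose)
                 and today <= c.expires), None)   # expired consent does not count

def build_transmission(record, recipient, purpose, today, consents, audit_log):
    """Segments allowed out to `recipient`; Part 2 segments are withheld by default."""
    consent = find_consent(consents, record["patient_id"], recipient, purpose, today)
    outbound = {}
    for name, seg in record["segments"].items():
        # Non-Part 2 segments are assumed to be covered by the general authorization.
        allowed = not seg["part2"] or consent is not None
        if seg["part2"]:   # log every Part 2 decision, including refusals
            audit_log.append({"date": today.isoformat(), "patient_id": record["patient_id"],
                              "segment": name, "recipient": recipient, "purpose": purpose,
                              "decision": "disclosed" if allowed else "withheld"})
        if allowed:
            outbound[name] = seg["data"]
    return outbound

# Constructed sample data, not real patient information; threshold 4 is illustrative only.
RECORD = {"patient_id": "p-001", "segments": {
    "anxiety_intake": {"part2": False, "data": {"gad7": 12}},
    "sud_intake": {"part2": is_part2_flagged({"anxiety", "substance_use"}, 5, 4),
                   "data": {"audit_c": 5}}}}
CONSENTS = [Part2Consent("p-001", "sud-counselor", "treatment", date(2025, 12, 31))]

def demo():
    log, day = [], date(2025, 6, 1)
    to_pcp = build_transmission(RECORD, "affiliated-pcp", "care_coordination", day, CONSENTS, log)
    to_counselor = build_transmission(RECORD, "sud-counselor", "treatment", day, CONSENTS, log)
    return to_pcp, to_counselor, log

if __name__ == "__main__":
    print(demo())
```

The gate fails closed: a Part 2 segment leaves the system only when a consent record matches the patient, the recipient and the purpose and has not expired, and the withheld decision is written to the audit log alongside the disclosed one.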
A Realistic Scenario: Multi-Service Practice Discovery
A 22-clinician behavioral health group operating across three office locations in the mid-Atlantic region had been using a general-purpose practice management platform for several years. Their intake workflow collected PHQ-9, GAD-7, and AUDIT-C scores, routed patients to the appropriate clinician, and synced intake data to their EHR.
When they added a licensed substance use disorder counselor to the practice and began accepting patients specifically for SUD evaluation and outpatient treatment, they did not change their intake software workflow. Within three months of the expansion, their compliance officer identified that the intake system was routing SUD intake data through the same EHR integration pathway as general mental health data — including transmitting records to an affiliated primary care network under a care coordination agreement that predated the SUD service expansion. The care coordination agreement was a valid HIPAA TPO disclosure, but it did not constitute valid Part 2 consent.
The software they were using had no mechanism to flag or segment Part 2 records. The practice had to retrospectively audit disclosures, notify affected patients, and retool their intake process before the SUD program could continue accepting patients.
We're not saying this scenario makes that practice negligent or that the technology vendor was malicious — most general-purpose intake tools were built for a HIPAA world and were not designed to ask "is this patient's presenting concern SUD-related?" at the point of intake. The gap is a product gap, not a bad-faith gap. But for behavioral health practices, the product gap is a compliance gap.
What "Designed to Support 42 CFR Part 2 Compliance" Means for Software
Software that claims to support 42 CFR Part 2 compliance — as Intakeful is designed to do — should be able to demonstrate specific design features: SUD identification at intake, separate consent workflow, record segmentation in EHR integration, and audit logging for disclosures. This is distinct from a generic "HIPAA-compliant" label, which says nothing about Part 2.
Practices evaluating intake software for any service line that includes SUD should ask vendors directly: does your intake workflow identify Part 2 records separately? Can SUD intake data be excluded from EHR integration transmissions where consent has not been granted? Is the Part 2 consent captured and stored in retrievable format? Vendors who cannot answer these questions clearly have likely not designed for Part 2.
42 CFR Part 2 is not a new regulation. It is an underimplemented one in the software ecosystem. As behavioral health practices increasingly expand to multi-service models — adding SUD services to mental health practices, or vice versa — the gap between what HIPAA requires and what Part 2 requires becomes directly operational. Intake is where that gap either gets addressed or gets ignored.