The Moment the Obligation Attaches
42 CFR Part 2's confidentiality obligations don't attach when a patient starts treatment. They attach — at least in terms of what you need to prepare for — the moment a new patient indicates that substance use disorder services are part of what they're seeking.
That moment often happens at intake.
For a multi-service behavioral health practice that treats both mental health and substance use disorders, this means the intake process is not just a clinical and administrative gateway — it is a regulatory trigger point. The staff member reviewing the intake form, the software routing the intake summary, the EHR receiving the intake data — all of them are handling information that may be subject to confidentiality protections more restrictive than the HIPAA framework that governs the rest of your practice's records.
This post outlines what 42 CFR Part 2 requires specifically at the intake stage, and the practical steps multi-service behavioral health practices should have in place — whether or not their intake is currently digitized.
Who Part 2 Applies To
42 CFR Part 2 applies to "Part 2 Programs" — entities that provide substance use disorder diagnosis, treatment, or referral for treatment, and that are federally assisted. "Federally assisted" is defined broadly: it includes practices that accept Medicare or Medicaid, receive any federal grant funding, or are tax-exempt under federal tax law. This covers the vast majority of community-based behavioral health practices in the United States.
If your practice has a licensed substance use disorder counselor, accepts Medicaid, and provides any SUD evaluation or outpatient treatment, you are almost certainly operating as a Part 2 Program for the SUD-related portion of your services — even if you also provide general mental health services that are not subject to Part 2. The two programs coexist in the same organization, with different regulatory frameworks governing different records.
This is the complication that catches multi-service practices. It's not that Part 2 is obscure — any practice that specifically set out to operate an SUD program would know to address it. The problem is the practice that began as a mental health practice, added SUD services (perhaps by hiring a certified addiction counselor, or by getting an outpatient SUD treatment certification), and continued operating its intake process without adjusting for the fact that it had become a Part 2 Program for part of its services.
What Part 2 Requires at Intake: The Practical Checklist
The intake stage is where Part 2 compliance infrastructure needs to start. Below is a practical checklist of what needs to be in place before a Part 2 Program collects SUD-related information from a new patient.
1. Identify the Part 2 status of the intake at the point of intake. The intake form or intake conversation must establish whether the patient is seeking SUD-related services. This doesn't require a clinical diagnosis — it requires a question that surfaces whether SUD evaluation, treatment, or referral is part of why the patient is seeking services. A "chief complaint" question that includes substance use as an option, or an AUDIT-C screening embedded in the intake flow, can serve this function for patients who haven't explicitly self-identified.
2. Deliver a Part 2-specific notice to the patient at intake. Part 2 requires that patients receive written notice of the Part 2 Program's confidentiality obligations and the patient's rights. This notice is distinct from the general HIPAA Notice of Privacy Practices. It must explain specifically that SUD records are protected under 42 CFR Part 2 and can only be disclosed with the patient's written consent or in limited statutory exceptions. Delivering this notice at intake — before any SUD information is recorded — is the required sequence.
3. Obtain a Part 2-compliant written consent before making any SUD record disclosure. Part 2 consent must include specific elements: the name of the program disclosing the information, the name or general designation of the person or entity receiving the information, the purpose of the disclosure, how much and what kind of information will be disclosed, the patient's signature, and a date. Generic HIPAA authorizations do not meet Part 2 consent requirements. The consent must be specific to each disclosure recipient and purpose.
4. Store the Part 2 consent as a retrievable record alongside the patient's SUD records. If a disclosure is ever questioned — by the patient, a regulator, or in litigation — you must be able to produce the consent that authorized it. This requires that Part 2 consents are filed in a way that links them to the specific disclosures they authorize, not just stored as a general file alongside the intake packet.
The 2024 Rule Changes: What They Mean for Integrated Practices
The 2024 final rule amending 42 CFR Part 2 (published March 2024, effective October 2024) made the most significant changes to Part 2 since its 1987 rewrite. The changes are generally in the direction of alignment with HIPAA, particularly for integrated care settings.
Key changes relevant to intake processes in multi-service practices:
- The 2024 rule allows a single patient consent to authorize all future uses and disclosures for treatment, payment, and health care operations by a treating provider — eliminating the prior requirement that consent be limited to specific disclosures. This is a meaningful simplification for integrated care practices where multiple providers may be involved in a patient's care.
- The rule also permits disclosures to public health authorities and in response to certain emergency situations without patient consent, aligning Part 2 more closely with HIPAA's public health and emergency exceptions.
- However, Part 2 still requires patient consent before disclosures for treatment purposes to providers who are not part of the treating program — meaning disclosures to a referring physician or another practice in a care coordination network still require explicit patient consent, even for treatment purposes.
The 2024 changes reduce some of the operational friction of Part 2 compliance for practices operating under integrated care models. They do not eliminate the need for a distinct Part 2 consent process, the Part 2 patient notice, or the record segmentation requirements. The intake stage still needs to handle Part 2 distinctly from HIPAA.
Why Your Current Intake Software May Not Be Handling This
Most behavioral health intake tools — including many general EHR-integrated intake modules — were designed with HIPAA as the primary compliance framework. They may include a HIPAA Notice of Privacy Practices delivery at intake, an authorization for general treatment and payment disclosures, and a records sharing consent. They do not typically include a Part 2-specific notice, a Part 2-compliant consent form, or a mechanism for segmenting SUD intake records from general mental health records in the EHR integration pathway.
This gap is not unusual — it reflects the fact that most health software was built for the healthcare market broadly, where HIPAA dominates and Part 2 applies only to a subset of providers. For those providers — multi-service behavioral health practices among them — the gap is a compliance gap at a point in the workflow where records are being created and potentially disclosed.
The practical question for any practice that offers SUD services is: when a new patient's intake identifies them as seeking SUD-related care, does your intake process change to address Part 2? Is a Part 2 notice delivered? Is a Part 2 consent collected before anything is shared with a referring provider or an EHR integration pathway? Is the SUD intake record identifiable and separable if a disclosure question ever arises?
Intake software designed specifically for behavioral health — as Intakeful is designed to be — should support these differentiated workflows: identifying SUD-related intake at the point of form completion, flagging Part 2 obligations, and supporting the delivery and collection of Part 2-specific documentation as part of the intake flow rather than as a separate manual step. Whether a practice uses Intakeful or another system, these are the operational requirements that the intake stage needs to support.
A Compliance Note on Language
Practices evaluating intake software for Part 2 compliance should be attentive to how vendors describe their compliance support. "HIPAA compliant" is a common and legally inexact claim — no software is "HIPAA certified" by a regulatory body. More importantly for behavioral health practices with SUD services, "HIPAA compliant" says nothing about Part 2. A vendor that addresses only HIPAA and does not mention 42 CFR Part 2 has either not designed for behavioral health specifically, or has not addressed the Part 2 dimension of their product's compliance approach.
The accurate language — and the language practices should expect from software vendors serving the behavioral health space — is "designed to support compliance with HIPAA Privacy and Security Rules and 42 CFR Part 2 confidentiality requirements." This language makes the distinction explicit and signals that the vendor has thought about the specific regulatory obligations behavioral health practices carry.