Compliance & Privacy
Privacy, HIPAA, and 42 CFR Part 2 — how Intakeful is designed
Behavioral health practices carry heightened compliance obligations: HIPAA Privacy and Security Rules plus 42 CFR Part 2 for substance use records. Intakeful is designed to support both — from the first intake form to the clinician handoff.
How we describe our compliance design
Throughout this page, we use the phrases "designed to support compliance with HIPAA Privacy and Security Rules" and "designed to support compliance with 42 CFR Part 2 confidentiality requirements." We do not claim HIPAA certification (HHS does not certify products or vendors) or 42 CFR Part 2 certification. Each covered entity bears responsibility for its own compliance program. Intakeful is designed to support your compliance obligations, not to substitute for your practice's compliance responsibility.
HIPAA Safeguards Framework
HIPAA Privacy and Security Rules — how Intakeful is designed
Administrative Safeguards (45 CFR 164.308)
- Business Associate Agreement available on all plans
- Staff role assignments that implement your practice's minimum-necessary policy (the enforcement mechanism is a technical safeguard, listed below)
Technical Safeguards (45 CFR 164.312)
- Role-based access controls that enforce minimum necessary
- Unique user identifiers per staff account
- User authentication and session management, with automatic session timeout
- Audit log of all intake events and access events
- TLS encryption in transit for all patient data
- Data encrypted at rest (this protects against loss of storage media; who may read a record is governed by the access controls and audit log above, not by encryption)
Physical Safeguards
- Infrastructure hosted in SOC 2 Type II data centers
- Data center physical access controls
- Workstation use policies for Intakeful staff
42 CFR Part 2
42 CFR Part 2 — the rule that goes beyond HIPAA
42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records) imposes confidentiality requirements on substance use disorder records that are significantly more restrictive than the HIPAA Privacy Rule. Disclosure of Part 2 records generally requires the patient's written consent, whereas HIPAA permits many treatment, payment, and health care operations disclosures without it.
Behavioral health practices that offer substance use disorder services — or multi-service care that may include SUD treatment — need intake software that is designed with these requirements in mind.
Intakeful does not provide legal advice on 42 CFR Part 2 compliance. Please consult qualified legal counsel for your practice's specific obligations.
What "42 CFR Part 2 Aware" means for Intakeful
Intakeful's intake data handling is designed to support 42 CFR Part 2 requirements: SUD-related intake data is segregable, consent workflows are configurable per practice, and SUD records do not appear in general intake dashboards unless the viewing role has been granted access to them.
AUDIT-C and substance use screening
When AUDIT-C results are collected as part of SUD intake or diagnosis, those records may be subject to 42 CFR Part 2. Your clinical director configures how substance use intake data is handled — Intakeful surfaces the configuration option; your practice sets the policy.
Data Handling Principles
What data Intakeful handles and how
Patient intake data
Demographic information, chief complaint, screening responses and scores, and insurance information provided at intake. Stored encrypted at rest. Access is role-scoped: front desk roles see the operational subset needed for scheduling and registration; clinical roles see the full record.
Practice configuration data
Routing thresholds, screening tool configuration, staff role assignments, EHR integration credentials. Stored encrypted. Only accessible by authorized practice administrators.
Audit and event logs
All intake events, access events, triage routing decisions, and configuration changes are logged with user ID and timestamp. Logs are immutable and retained per your practice's configured retention policy. Set that policy with your compliance program's documentation-retention requirements in mind: entries that have aged out cannot be reconstructed for a later accounting-of-disclosures request or investigation.
Breach notification design
Intakeful's infrastructure monitoring is designed to detect anomalous access patterns. If a breach of unsecured PHI is suspected, Intakeful will notify the covered entity's practice administrators without unreasonable delay and in no case later than 60 calendar days after discovery, the outer limit that 45 CFR 164.410 sets for business associates. Treat the 60 days as a ceiling rather than a target: your practice's own notification obligations to patients and HHS run on their own clock, so confirm in the BAA how quickly Intakeful commits to notifying you.
Patient Rights
Patient data rights — HIPAA and beyond
Under HIPAA, patients have rights regarding their PHI. Intakeful is designed to support your practice's ability to respond to patient rights requests. Your practice — as the covered entity — is responsible for responding to individual rights requests. Intakeful provides data export and access tools to support that process.
- Right of access to PHI
- Right to request amendment of PHI
- Right to an accounting of disclosures
- Right to request restrictions on use and disclosure
- Right to confidential communications
- Data export available for portability requests
State licensing note
Behavioral health licensing and confidentiality requirements vary significantly by state: telehealth rules, mental health parity implementation, substance use treatment licensing, and state-specific consumer health data laws (e.g., the Washington My Health My Data Act). Intakeful does not provide compliance advice for state-specific rules. Please consult qualified legal counsel for your state's requirements.
Access controls and audit logging
Intakeful maintains a complete audit log of all patient record access, triage routing events, and configuration changes. Logs include user identifier, timestamp, and action type. Logs are available to practice administrators for HIPAA compliance review and are retained per your configured retention period.
Questions about compliance design?
Talk to us about your practice's specific compliance context
We're happy to walk through how Intakeful handles substance use intake data, 42 CFR Part 2 configuration options, and BAA availability for your practice.