I’m a dentist in private practice. I received patient information related to a federally funded Part 2 substance use disorder treatment program. What are my obligations concerning this information?
What is Part 2? A Part 2 Program refers to programs and activities “relating to substance use disorder education, prevention, training, treatment, rehabilitation, or research, which is conducted, regulated, or directly or indirectly assisted by any department or agency of the United States.”1 The Part 2 Rules2 are federal regulations that address the confidentiality of “[r]ecords of the identity, diagnosis, prognosis, or treatment of any patient which are maintained in connection with the performance”3 of such programs and activities. The Part 2 Rules apply to Part 2 Programs, and to other lawful holders of Part 2 patient records, such as certain dental practices.
What is the purpose of the Part 2 Rules? The purpose of the Part 2 Rules is to help protect the confidentiality of patients in federally funded treatment programs for substance use disorders.1 The rules help address concerns that people may be deterred from entering a substance use disorder treatment program due to fear of discrimination and prosecution.
How is Part 2 different than HIPAA? In many ways, a dental practice must protect Part 2 records under the rules similar to those that protect patient information under HIPAA. For example, the HIPAA Breach Notification Rule4 applies to Part 2 records held by a dental practice, requiring a dental practice to send notice of a breach of unsecured patient information to affected individuals, the U.S. Department of Health and Human Services, and in some cases, the media. However, there are a few important differences between the Part 2 Rules and HIPAA. Here are some examples of those differences:
- Consent. With certain exceptions, a Part 2 records comes with a patient consent form permitting the Part 2 Program to disclose the patient’s information. Any further disclosure of the Part 2 record must include the consent or a clear explanation of the scope of the consent. There are two kinds of consent under Part 2:
- A “general consent” permits the dental practice to use and disclose the Part 2 Record for purposes of treatment, payment or health care operations. When a Part 2 record with a general consent is received, the dental practice may use and disclose the information as permitted by the HIPAA Privacy Rule5 and as described in its HIPAA Notice of Privacy Practices.
- If the consent is a “specific consent,” the dental practice must only use and disclose the information as expressly permitted in the consent.
- Legal proceedings. The rules for the use and disclosure of Part 2 records in civil, criminal, administrative, or legislative proceeding are more stringent than HIPAA. Part 2 records may not be used or disclosed in such proceedings unless (1) the patient has consented using a specific, Part 2 compliant consent to the use or disclosure, or (2) a court orders the use or disclosure after meeting all Part 2 requirements. This restriction on disclosure applies to testimony that describes the information in the Part 2 record, as well as to the record itself, and it applies whether the proceedings are at the Federal, State or local level. This restriction is different from the HIPAA rules, which permit disclosures for legal proceedings in certain circumstances (see Section 164.512 of the HIPAA Privacy Rule, available at .
- Formal policies and procedures. A dental practice that holds a Part 2 record must have in place formal policies and procedures to reasonably protect against unauthorized uses and disclosures of information and to protect against reasonably anticipated threats or hazards to the security of the information. Many of the required provisions are similar to requirements in the HIPAA Security Rule6. Segregating the Part 2 records is not required. The policies and procedures must address the following:
(i)Paper records, including:
(A) Transferring and removing such records;
(B) Destroying such records, including sanitizing the hard copy media associated with the paper printouts, to render the patient identifying information non-retrievable;
(C) Maintaining such records in a secure room, locked file cabinet, safe, or other similar container, or storage facility when not in use;
(D) Using and accessing workstations, secure rooms, locked file cabinets, safes, or other similar containers, and storage facilities that use or store such information; and
(E) Rendering patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule () such that there is no reasonable basis to believe that the information can be used to identify a particular patient.
(ii) Electronic records, including:
(A) Creating, receiving, maintaining, and transmitting such records;
(B) Destroying such records, including sanitizing the electronic media on which such records are stored, to render the patient identifying information non-retrievable;
(C) Using and accessing electronic records or other electronic media containing patient identifying information; and
(D) Rendering the patient identifying information de-identified in accordance with the requirements of the HIPAA Privacy Rule () such that there is no reasonable basis to believe that the information can be used to identify a patient.
Notice of Privacy Practices. As of February 16, 2026, dental practices must include in their HIPAA Notice of Privacy Practices (NPP) certain information about patient information from Part 2 programs. Here is sample language:
SUD Treatment Information. If we receive or maintain any information about you from a substance use disorder treatment program that is covered by 42 CFR Part 2 (a “Part 2 Program”) through a general consent you provide to the Part 2 Program to use and disclose the Part 2 Program record for purposes of treatment, payment or health care operations, we may use and disclose your Part 2 Program record for treatment, payment and health care operations purposes as described in this Notice. If we receive or maintain your Part 2 Program record through specific consent you provide to us or another third party, we will use and disclose your Part 2 Program record only as expressly permitted by you in your consent as provided to us. In no event will we use or disclose your Part 2 Program record, or testimony that describes the information contained in your Part 2 Program record, in any civil, criminal, administrative, or legislative proceedings by any Federal, State, or local authority, against you, unless authorized by your consent or the order of a court after it provides you notice of the court order.
Penalties. Penalties for violating the Part 2 rules align with the civil and criminal penalties that apply to HIPAA violations. Civil penalties can reach thousands of dollars or in some cases over one million dollars. Criminal penalties can result in fines or even jail time.
Disclaimer:
The Part 2 Rules are complex and nuanced. This resource provides a general overview, but there are exceptions and conditions too detailed to address here. This material is educational only, does not constitute legal advice, and addresses only federal, not state, law. Dentists should contact a qualified attorney in the appropriate jurisdiction for legal advice pertaining to compliance with the Part 2 Rules and other applicable laws and regulations.
Reviewed 1/27/2026
References:
- Fact Sheet 42 CFR Part 2 Final Rule, U.S. Department of Health and Human Services,
- Fact Sheet 42 CFR Part 2 Final Rule, U.S. Department of Health and Human Services,
- For information about the HIPAA Breach Notification Rule, see Breach Notification Rule, U.S. Department of Health and Human Services,
- For more information about the HIPAA Privacy Rule, see Summary of the HIPAA Privacy Rule, U.S. Department of Health and Human Services,
- For information about the HIPAA Security Rule, see Summary of the HIPAA Security Rule, U.S. Department of Health and Human Services,