Services · 42 CFR Part 2 Compliance Monitoring

The Part 2 deadline passed in February.
Is your program actually compliant?

The 2024 Final Rule rewrote how SUD records are consented, disclosed, and enforced, and the compliance date was February 16, 2026. Adentris audits your consent workflows, record segmentation, disclosure practices, staff readiness, and vendor agreements against the current rule. You get gap findings mapped to rule citations, a remediation plan your team can execute, and continuous monitoring after the baseline so the next gap never reaches an auditor.

2024 Final Rule scope Findings cite the rule Baseline in one week, monitoring after
What changed

The 2024 Final Rule moved Part 2 onto HIPAA rails.

Alignment with HIPAA sounds like relief. In practice it raised the stakes: familiar mechanics, but real penalties and new patient rights that most programs have not operationalized.

Single consent for TPO

One written consent can now cover all future treatment, payment, and operations uses. Your intake consent has to be rewritten to capture it, and most legacy forms do not.

Redisclosure follows HIPAA

Once consented for TPO, recipients may redisclose under HIPAA rules. The old blanket prohibition notice is obsolete; the new notice requirements are different and specific.

HIPAA-grade enforcement

Civil and criminal penalties now follow the HIPAA/HITECH framework, tiered up to seven figures per violation category per year. Before 2024, Part 2 enforcement was rare. That era is over.

Breach notification applies

Part 2 records now sit under HITECH-style breach notification. A mis-sent SUD record is a reportable event with clocks, notices, and documentation duties.

New patient rights

Accounting of disclosures and the right to request restrictions. Both require logs and workflows that most SUD programs have never kept.

SUD counseling notes

A new protected category modeled on psychotherapy notes, with its own consent requirements and its own segmentation expectations inside the EHR.

Where programs fail

The violations are boring.
The penalties are not.

Part 2 exposure rarely comes from malice. It comes from a 2019 consent form still in the intake packet, an EHR that shows SUD notes to every user, and a payor request answered by a well-meaning biller.

  • 01
    Legacy consent formsMissing the elements the 2024 rule requires, which makes every disclosure under them questionable.
  • 02
    Missing redisclosure noticesRecords leave the program without the required notice language attached.
  • 03
    Payor disclosures without consentBilling teams answering records requests as if Part 2 records were ordinary PHI.
  • 04
    EHR segmentation gapsSUD records visible to users and care settings that consent never covered.
  • 05
    No QSOAs with vendorsBilling companies, IT vendors, and analytics tools touching Part 2 data on a BAA alone, or on nothing.
  • 06
    No breach playbookNo clocks, no notice templates, no decision tree for the day a record goes to the wrong fax number.
What we check

Six workstreams. Every finding cites the rule.

Consent workflow, end to end

Intake forms, TPO consent language, revocation handling, minor and mandated-treatment edge cases. Checked element by element against the 2024 requirements.

Record segmentation in the EHR

Who can see SUD records, where counseling notes live, how Part 2 data flows into shared charts, HIEs, and referral packets. Reviewed by screen-share walkthrough.

Disclosure practices and logs

How requests from payors, courts, families, and other providers are actually handled, and whether the accounting-of-disclosures obligation can be met today.

Policies and staff readiness

Written policies against actual practice. Spot checks with intake, billing, and clinical staff on the scenarios that generate violations.

Vendor inventory and QSOAs

Every vendor touching Part 2 data, mapped against existing QSOAs and BAAs. Gaps flagged with template language to close them.

Breach readiness

Notification duties, clocks, and templates under the HITECH-aligned framework, plus a tabletop scenario for the most likely incident in your workflow.

Deliverables

What lands on your desk.

  • Gap assessment mapped to rule citations. Every finding names the requirement it fails, so counsel and compliance can verify independently.
  • Risk-ranked findings register. Ordered by enforcement exposure and likelihood, not alphabetically.
  • Remediation plan with owners. Consent form fixes, EHR configuration changes, QSOA templates, training gaps. Sequenced and assigned.
  • Board-ready summary. One page: where the program stands, what closes first, what it costs to ignore.
Process

Four steps to a monitored program.

  1. 01
    Scope call. Programs, locations, EHR environments, and the incidents or requests that worry you most.
  2. 02
    Document set + walkthrough. Consents, policies, vendor list, training materials, and a screen-share segmentation review. No system access needed.
  3. 03
    Assessment against the Final Rule. Adentris analysts plus the platform's rule engine work the six streams in parallel.
  4. 04
    Report, remediation, monitoring on. Findings walkthrough with your compliance lead and counsel, then continuous checks take over.

Checked by the team that runs Part 2 architecture in production.

Adentris operates 42 CFR Part 2-aware infrastructure for multi-site SUD networks every day, with SOC 2 Type I and Type II attestations and all inference inside Microsoft Azure under BAA. The same rule engine that reviews charts continuously in Documentation Compliance powers the assessment, which is why findings come with citations instead of opinions, and why monitoring keeps running through Compliance Intelligence after the report lands.

FAQ

Common questions.

Not here? Talk to sales →

01 Who has to comply with 42 CFR Part 2?

Federally assisted SUD programs, which in practice covers most treatment providers: DEA registration for buprenorphine, Medicare or Medicaid participation, tax-exempt status, or federal funding each qualify. Lawful holders who receive Part 2 records downstream carry obligations too.

02 What changed in the 2024 Final Rule?

The rule aligned Part 2 with HIPAA in several places: a single consent now covers future treatment, payment, and operations uses; redisclosure follows HIPAA once consented; breach notification follows the HITECH framework; patients gained rights to an accounting of disclosures and to request restrictions; and enforcement moved to HIPAA-style civil and criminal penalties. The compliance date was February 16, 2026. It has passed.

03 How long does the baseline assessment take?

First findings inside one week of receiving the document set. The full report with remediation plan lands within two to three weeks depending on the number of programs, locations, and EHR environments in scope. Monitoring starts as soon as the baseline closes.

04 What do you need from us?

Current consent forms and workflows, privacy policies and notices, disclosure logs if kept, a vendor list with existing QSOAs or BAAs, staff training materials, and a walkthrough of how SUD records live in your EHR. A screen-share session covers the segmentation review; no system access is required.

05 Is this legal advice?

No. Adentris delivers a compliance assessment with findings mapped to specific rule citations and operational fixes. It is designed to be handed to your counsel and compliance committee. Many customers run our findings and their attorney's review in parallel.

06 What happens after the baseline?

You get a risk-ranked remediation plan with owners, and monitoring takes over: the Adentris platform checks consent presence, redisclosure notices, and documentation segmentation as part of everyday chart review. Problems surface when they appear, not at the next annual review.

Find the gaps before a complaint does. Citations included.

One scope call, one document set, one week to first findings. Bring your counsel; we work well together.