Single consent for TPO
One written consent can now cover all future treatment, payment, and operations uses. Your intake consent has to be rewritten to capture it, and most legacy forms do not.
The 2024 Final Rule rewrote how SUD records are consented, disclosed, and enforced, and the compliance date was February 16, 2026. Adentris audits your consent workflows, record segmentation, disclosure practices, staff readiness, and vendor agreements against the current rule. You get gap findings mapped to rule citations, a remediation plan your team can execute, and continuous monitoring after the baseline so the next gap never reaches an auditor.
Alignment with HIPAA sounds like relief. In practice it raised the stakes: familiar mechanics, but real penalties and new patient rights that most programs have not operationalized.
One written consent can now cover all future treatment, payment, and operations uses. Your intake consent has to be rewritten to capture it, and most legacy forms do not.
Once consented for TPO, recipients may redisclose under HIPAA rules. The old blanket prohibition notice is obsolete; the new notice requirements are different and specific.
Civil and criminal penalties now follow the HIPAA/HITECH framework, tiered up to seven figures per violation category per year. Before 2024, Part 2 enforcement was rare. That era is over.
Part 2 records now sit under HITECH-style breach notification. A mis-sent SUD record is a reportable event with clocks, notices, and documentation duties.
Accounting of disclosures and the right to request restrictions. Both require logs and workflows that most SUD programs have never kept.
A new protected category modeled on psychotherapy notes, with its own consent requirements and its own segmentation expectations inside the EHR.
Part 2 exposure rarely comes from malice. It comes from a 2019 consent form still in the intake packet, an EHR that shows SUD notes to every user, and a payor request answered by a well-meaning biller.
Intake forms, TPO consent language, revocation handling, minor and mandated-treatment edge cases. Checked element by element against the 2024 requirements.
Who can see SUD records, where counseling notes live, how Part 2 data flows into shared charts, HIEs, and referral packets. Reviewed by screen-share walkthrough.
How requests from payors, courts, families, and other providers are actually handled, and whether the accounting-of-disclosures obligation can be met today.
Written policies against actual practice. Spot checks with intake, billing, and clinical staff on the scenarios that generate violations.
Every vendor touching Part 2 data, mapped against existing QSOAs and BAAs. Gaps flagged with template language to close them.
Notification duties, clocks, and templates under the HITECH-aligned framework, plus a tabletop scenario for the most likely incident in your workflow.
Adentris operates 42 CFR Part 2-aware infrastructure for multi-site SUD networks every day, with SOC 2 Type I and Type II attestations and all inference inside Microsoft Azure under BAA. The same rule engine that reviews charts continuously in Documentation Compliance powers the assessment, which is why findings come with citations instead of opinions, and why monitoring keeps running through Compliance Intelligence after the report lands.
Federally assisted SUD programs, which in practice covers most treatment providers: DEA registration for buprenorphine, Medicare or Medicaid participation, tax-exempt status, or federal funding each qualify. Lawful holders who receive Part 2 records downstream carry obligations too.
The rule aligned Part 2 with HIPAA in several places: a single consent now covers future treatment, payment, and operations uses; redisclosure follows HIPAA once consented; breach notification follows the HITECH framework; patients gained rights to an accounting of disclosures and to request restrictions; and enforcement moved to HIPAA-style civil and criminal penalties. The compliance date was February 16, 2026. It has passed.
First findings inside one week of receiving the document set. The full report with remediation plan lands within two to three weeks depending on the number of programs, locations, and EHR environments in scope. Monitoring starts as soon as the baseline closes.
Current consent forms and workflows, privacy policies and notices, disclosure logs if kept, a vendor list with existing QSOAs or BAAs, staff training materials, and a walkthrough of how SUD records live in your EHR. A screen-share session covers the segmentation review; no system access is required.
No. Adentris delivers a compliance assessment with findings mapped to specific rule citations and operational fixes. It is designed to be handed to your counsel and compliance committee. Many customers run our findings and their attorney's review in parallel.
You get a risk-ranked remediation plan with owners, and monitoring takes over: the Adentris platform checks consent presence, redisclosure notices, and documentation segmentation as part of everyday chart review. Problems surface when they appear, not at the next annual review.
One scope call, one document set, one week to first findings. Bring your counsel; we work well together.