
Behavioral Health May 19, 2026 8 min read

42 CFR Part 2 and Cloud Storage: What Behavioral Health Providers Must Know in 2026

Substance use disorder treatment records are protected by a federal regulation that is stricter than HIPAA on consent, re-disclosure, and use of records in legal proceedings. The 2024 amendments changed some of the rules, but the core consent requirements remain, and most cloud storage platforms are not built to support them.


Behavioral health providers treating substance use disorders operate in one of the most heavily regulated data environments in healthcare. In addition to HIPAA, they are subject to 42 CFR Part 2, a federal regulation that governs the confidentiality of substance use disorder (SUD) patient records with protections that go significantly beyond what HIPAA requires. The 2024 amendments to 42 CFR Part 2 aligned some provisions more closely with HIPAA, but the regulation remains distinctly stricter in its consent requirements, its re-disclosure restrictions, and its bar on using SUD records against the patient in civil, criminal, administrative, or legislative proceedings without consent or a qualifying court order.

For behavioral health providers choosing cloud storage, this dual regulatory framework creates specific requirements that most generic HIPAA cloud storage guides do not address. Understanding what 42 CFR Part 2 actually requires — and how it differs from HIPAA — is essential for selecting infrastructure that keeps your organization compliant and your patients protected.

What is 42 CFR Part 2?

42 CFR Part 2 — formally titled "Confidentiality of Substance Use Disorder Patient Records" — is a federal regulation that restricts the disclosure of records identifying a patient as having or having had a substance use disorder. It applies to any federally assisted program that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. This includes federally funded SUD treatment programs, opioid treatment programs (OTPs), and any program receiving federal assistance that provides SUD services.

The regulation exists because Congress recognized that the stigma associated with substance use disorders creates a unique barrier to treatment: people will not seek help if they fear their records will be disclosed to employers, law enforcement, or family members without their consent. 42 CFR Part 2 was designed to provide a level of confidentiality strong enough to overcome that barrier.

Who Is Subject to 42 CFR Part 2?

Federally funded SUD treatment programs
Opioid treatment programs (OTPs) registered with DEA
Programs receiving any federal assistance (grants, contracts, tax-exempt status)
General medical facilities with identified SUD units or programs
Solo practitioners who hold themselves out as SUD treatment providers

How 42 CFR Part 2 differs from HIPAA

The most important distinction between 42 CFR Part 2 and HIPAA is the consent requirement for disclosure. Under HIPAA, covered entities may disclose protected health information for treatment, payment, and healthcare operations (TPO) without patient consent. Under 42 CFR Part 2 (prior to the 2024 amendments), disclosure for any purpose — including to other treating providers — required specific patient consent. The 2024 amendments created a pathway for TPO-style disclosures with a single consent, but the consent must still be explicit and documented.

Disclosure for treatment, payment, and healthcare operations (TPO)
HIPAA: permitted without patient authorization.
42 CFR Part 2: requires written patient consent; since the 2024 amendments, a single consent can cover all future TPO disclosures.

Re-disclosure by the recipient
HIPAA: permitted within the limits of the Privacy Rule, including to subcontractors under a chain of BAAs.
42 CFR Part 2: the record must carry a notice prohibiting re-disclosure. Since the 2024 amendments, a Part 2 program, HIPAA covered entity, or business associate that received the record under a TPO consent may re-disclose it as the HIPAA Privacy Rule permits; any other recipient may not re-disclose without separate consent or a Part 2 exception.

Disclosure to law enforcement and use in legal proceedings
HIPAA: permitted in limited circumstances.
42 CFR Part 2: records may not be used or disclosed in civil, criminal, administrative, or legislative proceedings against the patient without consent or a court order that meets Part 2's criteria.

Psychotherapy notes
HIPAA: heightened protection with a separate authorization.
42 CFR Part 2: all SUD records receive heightened protection, not just notes.

Penalties
HIPAA: civil penalties enforced by HHS OCR and criminal penalties under 42 U.S.C. § 1320d-6 enforced by the Department of Justice.
42 CFR Part 2: the same HIPAA civil and criminal penalties now apply (CARES Act, implemented by the 2024 amendments), replacing the former fines of $500 for a first offense and $5,000 per subsequent offense.

Breach notification
HIPAA: required without unreasonable delay and no later than 60 days after discovery.
42 CFR Part 2: the HIPAA Breach Notification Rule applies to breaches of Part 2 records since the 2024 amendments.

Patient right of access
HIPAA: yes, within 30 days.
42 CFR Part 2: yes, consistent with HIPAA.

The re-disclosure restrictions are particularly significant for cloud storage. Under HIPAA, a business associate receiving PHI may re-disclose it to subcontractors under a chain of BAAs. Under 42 CFR Part 2, a vendor that stores or processes SUD records for a program is normally a qualified service organization (QSO), bound by a Qualified Service Organization Agreement (QSOA) in which it acknowledges that the records are subject to Part 2 and agrees not to re-disclose them except as Part 2 permits. Those obligations do not stop at the vendor: any subcontractor or data center that can reach the records must be bound by the same restrictions, and the vendor needs a documented basis for each hand-off. A cloud storage vendor handling SUD records cannot simply pass those records down a standard BAA chain without that structure.

HIPAA Civil and Criminal Penalties Apply

Historically, 42 CFR Part 2 violations were punished under 42 U.S.C. § 290dd-2(f) with fines of up to $500 for a first offense and up to $5,000 for each subsequent offense. The CARES Act (2020) amended that section so that the HIPAA civil and criminal penalties (42 U.S.C. §§ 1320d-5 and 1320d-6) apply to Part 2 violations instead, and the 2024 amendments implemented that change. Criminal penalties under § 1320d-6 can reach individual staff members who knowingly obtain or disclose records in violation of the rules, not just the organization, and the maximum penalties are far higher than the old $5,000 cap.

The 2024 amendments: what changed

The 2024 amendments to 42 CFR Part 2, published in the Federal Register on February 16, 2024, effective April 16, 2024, with a compliance date of February 16, 2026, made the most significant changes to the regulation since its original enactment. The amendments were designed to reduce barriers to care coordination while preserving the core confidentiality protections that make the regulation distinctive.

Single consent for TPO disclosures: Patients may now provide a single consent that covers all future disclosures for treatment, payment, and healthcare operations — eliminating the requirement for a separate consent for each disclosure. The consent must still be explicit and documented.
Expanded care coordination: The amendments allow SUD records to flow more freely within integrated care settings — including accountable care organizations and health information exchanges — when the patient has provided a qualifying consent.
Aligned breach notification: The 2024 amendments aligned 42 CFR Part 2 breach notification requirements with HIPAA's Breach Notification Rule, simplifying compliance for organizations subject to both frameworks.
Re-disclosure restrictions preserved, with a defined exception: Records disclosed under consent must still carry the notice prohibiting re-disclosure. A Part 2 program, HIPAA covered entity, or business associate that receives records under a single TPO consent may re-disclose them as the HIPAA Privacy Rule permits, but never in legal proceedings against the patient. Any other recipient may not re-disclose them without a compliant consent or a Part 2 exception.
Research and audit exceptions clarified: The amendments clarified the circumstances under which SUD records may be disclosed for research, audit, and evaluation purposes — aligning these exceptions more closely with HIPAA's research framework.

What your cloud storage must do for 42 CFR Part 2 compliance

The infrastructure requirements for 42 CFR Part 2 compliance build on HIPAA's baseline and add specific capabilities to support the consent-based disclosure framework and re-disclosure prohibition. Here is what to look for when evaluating cloud storage for a behavioral health or SUD treatment practice.

Signed BAA plus QSOA provisions: The agreement with your cloud storage vendor should explicitly address 42 CFR Part 2, including the vendor's acknowledgment that it is bound by Part 2 and the re-disclosure restrictions, and should flow those obligations to every subcontractor that can reach the records. A standard HIPAA BAA by itself is not sufficient; a combined BAA/QSOA or a separate QSOA is the usual structure.
Encryption at rest and in transit: AES-256 encryption for stored SUD records and TLS 1.2+ for all data in transit. The same standard as HIPAA, applied to a higher-stakes data type.
Role-based access controls with consent tracking: Access to SUD records should be limited to staff with a documented need. The system should support tracking of which disclosures have been authorized by patient consent.
Full audit logging: Every access to an SUD record should be logged with timestamp, user identity, and purpose. This is the documentation needed to demonstrate compliance with both HIPAA and 42 CFR Part 2 in an audit.
Re-disclosure controls: The platform should not allow SUD records to be shared with third parties outside the organization without a documented consent or legal exception. This is a capability that standard file sharing platforms do not provide.
Breach notification support: The platform should support breach detection and notification consistent with HIPAA's Breach Notification Rule, which since the 2024 amendments also covers breaches of 42 CFR Part 2 records.
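The consent tracking, audit logging, and re-disclosure controls described above are policy decisions a storage layer has to make on every outbound transfer of an SUD record. The following Python is an added example written for this article; it is not AXIS CloudSync's code or a reference implementation of the regulation. It assumes a simplified consent model (each consent names the patient, the permitted recipients, the purposes covered, and an expiry), two hypothetical exception codes (`medical_emergency`, `court_order`) standing in for the non-consent disclosure paths, and a paraphrased re-disclosure notice; all identifiers and the sample data are constructed. Every decision, allowed or denied, is written to an audit log with timestamp, actor, patient, recipient, purpose, and the basis for the decision.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Purpose(str, Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health_care_operations"
    RESEARCH = "research"


# Hypothetical exception codes for the non-consent disclosure paths; each one
# must carry a written justification, which is stored in the audit log.
EXCEPTIONS = {"medical_emergency", "court_order"}

# Paraphrase of the Part 2 re-disclosure notice (42 CFR 2.32). The wording is an
# assumption for this example; a production system should use the regulatory text.
REDISCLOSURE_NOTICE = (
    "This record is protected by 42 CFR Part 2. Federal law prohibits further "
    "disclosure unless the patient consents or Part 2 otherwise permits it."
)


@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipients: frozenset  # explicit recipient identifiers, e.g. "clinic-b"
    purposes: frozenset    # Purpose values the patient authorised
    expires: datetime
    revoked: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: str             # "consent:<id>", "exception:<code>", or the denial reason
    notice: Optional[str]  # re-disclosure notice to send with the record when allowed


@dataclass(frozen=True)
class AuditEntry:
    at: datetime
    actor: str
    patient_id: str
    record_id: str
    recipient: str
    purpose: str
    allowed: bool
    basis: str
    justification: str


class DisclosureGate:
    """Decides whether an SUD record may leave the program and logs every decision."""

    def __init__(self) -> None:
        self._consents: dict[str, Consent] = {}
        self.audit: list[AuditEntry] = []

    def record_consent(self, consent_id: str, consent: Consent) -> None:
        self._consents[consent_id] = consent

    def revoke_consent(self, consent_id: str) -> None:
        c = self._consents[consent_id]
        self._consents[consent_id] = Consent(c.patient_id, c.recipients, c.purposes, c.expires, revoked=True)

    def _matching_consent(self, patient_id: str, recipient: str, purpose: Purpose, now: datetime) -> Optional[str]:
        # A consent only applies if it is live, names this recipient, and covers this purpose.
        for cid, c in self._consents.items():
            if (c.patient_id == patient_id and not c.revoked and now < c.expires
                    and recipient in c.recipients and purpose in c.purposes):
                return cid
        return None

    def authorize(self, *, actor: str, patient_id: str, record_id: str, recipient: str,
                  purpose: Purpose, now: Optional[datetime] = None,
                  exception: Optional[str] = None, justification: str = "") -> Decision:
        now = now or datetime.now(timezone.utc)
        if exception is not None:
            # Exception path: a recognised code with a written justification, or a denial.
            if exception not in EXCEPTIONS or not justification.strip():
                decision = Decision(False, f"denied: exception '{exception}' unrecognised or unjustified", None)
            else:
                decision = Decision(True, f"exception:{exception}", REDISCLOSURE_NOTICE)
        else:
            cid = self._matching_consent(patient_id, recipient, purpose, now)
            if cid is None:
                decision = Decision(False, "denied: no valid consent covers this recipient and purpose", None)
            else:
                decision = Decision(True, f"consent:{cid}", REDISCLOSURE_NOTICE)
        # Every attempt is logged, allowed or not: who, whose record, to whom, why, and on what basis.
        self.audit.append(AuditEntry(now, actor, patient_id, record_id, recipient,
                                     purpose.value, decision.allowed, decision.basis, justification))
        return decision


def demo() -> tuple[DisclosureGate, list[Decision]]:
    """Constructed scenario: one patient with a single TPO consent naming two recipients."""
    now = datetime(2026, 5, 19, tzinfo=timezone.utc)
    gate = DisclosureGate()
    gate.record_consent("c-001", Consent(
        patient_id="pt-1001",
        recipients=frozenset({"clinic-b", "payer-acme"}),
        purposes=frozenset({Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}),
        expires=now + timedelta(days=365),
    ))
    common = dict(actor="nurse.j", patient_id="pt-1001", record_id="rec-77", now=now)
    decisions = [
        gate.authorize(recipient="clinic-b", purpose=Purpose.TREATMENT, **common),    # consent covers it
        gate.authorize(recipient="employer-x", purpose=Purpose.TREATMENT, **common),  # recipient not named
        gate.authorize(recipient="clinic-b", purpose=Purpose.RESEARCH, **common),     # purpose not covered
        gate.authorize(recipient="er-general", purpose=Purpose.TREATMENT, exception="medical_emergency",
                       justification="Unresponsive patient in ED; treating physician requested history",
                       **common),                                                     # exception, justified
        gate.authorize(recipient="clinic-b", purpose=Purpose.TREATMENT,
                       exception="court_order", **common),                            # exception, no justification
    ]
    gate.revoke_consent("c-001")
    decisions.append(gate.authorize(recipient="clinic-b", purpose=Purpose.TREATMENT, **common))  # revoked
    return gate, decisions


if __name__ == "__main__":
    gate, decisions = demo()
    for entry in gate.audit:
        print(entry.at.isoformat(), entry.actor, entry.recipient, entry.purpose, entry.allowed, entry.basis)
```

Two design points carry over to a real platform. The gate fails closed: a disclosure with no matching consent and no justified exception is denied, and a consent that has expired or been revoked stops matching immediately, so revocation takes effect on the next request rather than on the next sync. And the denials are logged with the same detail as the approvals, which is what an auditor will ask for when reconstructing who tried to move a record and why.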

AXIS CloudSync provides HIPAA-compliant cloud storage with a same-day BAA, encryption, role-based access controls, and full audit logging — the infrastructure foundation that behavioral health providers need for both HIPAA and 42 CFR Part 2 compliance. Plans start at $18 per user per month with no long-term contract required.

Built for Behavioral Health's Compliance Complexity

AXIS CloudSync provides encrypted, audit-ready cloud storage with a same-day BAA — designed for behavioral health providers managing HIPAA and 42 CFR Part 2 obligations simultaneously. Starting at $18/user/month.


Frequently Asked Questions

Who is subject to 42 CFR Part 2?

42 CFR Part 2 applies to federally assisted programs that hold themselves out as providing, and provide, alcohol or drug abuse diagnosis, treatment, or referral for treatment. This includes federally funded SUD treatment programs, opioid treatment programs (OTPs), and any program receiving federal assistance that provides SUD services.

Can 42 CFR Part 2 records be shared with other treating providers?

Under the 2024 amendments, patients may provide a single consent that allows disclosure to treating providers, payers, and other named recipients for treatment, payment, and healthcare operations. The consent must still be explicit and documented. A Part 2 program, HIPAA covered entity, or business associate that receives records under that consent may re-disclose them as HIPAA permits, except in legal proceedings against the patient; any other recipient may not re-disclose without separate consent.

What are the criminal penalties for violating 42 CFR Part 2?

Since the CARES Act amended 42 U.S.C. § 290dd-2(f), implemented by the 2024 amendments, violations are subject to the same civil and criminal penalties as HIPAA violations (42 U.S.C. §§ 1320d-5 and 1320d-6). The earlier fines of up to $500 for a first offense and $5,000 for each subsequent offense no longer apply. Criminal penalties reach any person who knowingly violates the confidentiality provisions, including individual staff members.

Does a cloud storage vendor need a BAA for 42 CFR Part 2 records?

Yes. Cloud storage vendors handling SUD records on behalf of a covered program are business associates under HIPAA and require a signed BAA. Under 42 CFR Part 2 the same vendor is a qualified service organization, so the agreement should also contain QSOA terms: an acknowledgment that the records are subject to Part 2, a commitment not to re-disclose them except as Part 2 permits, and the same obligations flowed to any subcontractor that can access the records.
