Iron Rod Security

42 CFR Part 2 in the Field: Substance-Use Disorder Confidentiality That HIPAA Doesn’t Cover

Steven Carlson

Most EMS agencies know HIPAA cold. They train on it at orientation, build their ePCR workflows around it, audit for it. And then 42 CFR Part 2 walks in through the back door of a transport from a detox center, and half the assumptions they operate on stop being true.

This article is about the gap between HIPAA and Part 2, how it shows up during EMS transport, and the ePCR documentation habits that turn a routine call into a compliance problem nobody saw coming.

What 42 CFR Part 2 Covers That HIPAA Does Not

HIPAA sets a floor. Treatment, payment and operations (TPO) are broadly permitted without specific authorization. If you are an EMS agency treating a patient, HIPAA gives you room to share what you need to share to get the job done.

Part 2 is stricter, and it covers records from any federally assisted program that holds itself out as providing substance-use disorder (SUD) diagnosis, treatment, or referral. That includes dedicated SUD clinics, detox centers, residential treatment facilities, and any program that receives federal funding in any form, including Medicare and Medicaid reimbursement.

The key difference is consent. Under HIPAA, you can disclose information for TPO without explicit written authorization from the patient. Under Part 2, you need specific written consent that names who gets the information, states what can be shared, and includes an expiration date. General HIPAA releases do not satisfy Part 2 requirements.

How Part 2 Shows Up on an EMS Call

Here is the scenario that catches most agencies. Your crew gets dispatched to a detox center for a patient who needs transport to an emergency department. The patient is awake and oriented. They sign the standard transport consent form. The crew documents the call, drops the patient at the ED. Everything looks routine.

Here is where the problem starts: the pickup location and the facility name. The facility name is Part 2 protected. If the patient came from Sunrise Recovery Center, the fact that they were there implies a substance-use disorder diagnosis. Putting that facility name in the ePCR narrative means the entire transport record now carries Part 2 protections that go beyond HIPAA.

And the consent the patient signed at the bedside is probably a standard HIPAA authorization, which does not authorize the Part 2 disclosure. The crew did not get a Part 2-specific consent for the transport. The facility may not have provided one. The result is a record that was collected and shared without the legally required authorization.

The article on the crew phones and social media framework covers how to handle PHI on personal devices. Part 2 adds another layer. If a crew member texts a Part 2 protected detail about a transport to a supervisor, that text is a disclosure that requires specific written consent. The normal HIPAA treatment exception does not cover it.

The Re-disclosure Trap

This part trips up agencies that know the basics. Under Part 2, if you receive a Part 2 protected record, you cannot redisclose it to anyone else unless the original consent specifically authorized that redisclosure.

So when your billing service processes that transport claim, they are receiving Part 2 protected information. If the patient's original consent did not list the billing company as an authorized recipient, the disclosure to the billing service is a violation. The agency is liable even though the billing service is a normal business associate under HIPAA. Part 2's redisclosure rule overrides the HIPAA business associate framework.

The same applies when the ePCR gets shared with a receiving hospital, a QA reviewer, or a state NEMSIS repository. Each transfer of the information requires either a separate consent or a specific exception in the regulation. The treatment exception in Part 2 is narrower than the HIPAA treatment exception. It generally requires that the disclosure be made to medical personnel for treatment in a bona fide emergency.

ePCR Documentation Patterns That Create Liability

Most EMS documentation happens in a structured ePCR that was designed for HIPAA compliance. Part 2 operates on a different set of rules, and the system likely has no features to tag a record as Part 2 protected.

Facility names in narratives. Writing "transported patient from [facility name]" in the narrative is the most common violation. The facility name identifies the patient as having a SUD. Even if the call involved an unrelated medical complaint, the association with the facility triggers Part 2. Some agencies get around this by documenting the pickup address without the facility name, but the dispatcher notes or CAD records still link the unit to that address.

Detailed SUD history in the PCR. When a patient volunteers a history of treatment at specific programs, dropping that into an ePCR that goes out to billing services, state reporting, and QA creates a disclosure chain that the patient almost certainly has not consented to. The clinical impulse is to document completely. The regulatory reality is that detailed SUD history in a general ePCR without Part 2 controls is a violation waiting to be found.

The TPO assumption applied to SUD records. Clinicians learn that HIPAA allows disclosure for treatment. They carry that logic into Part 2 territory without realizing the rules changed. The assumption that a signature on a standard consent form covers everything is the root cause of most Part 2 violations in EMS.

There is a link between this documentation problem and the ePCR offboarding gap. When a clinician leaves your agency and their ePCR access stays active for days or weeks, every Part 2 protected record they can view is an unauthorized disclosure if the consent only covered treating providers.

How to Build a Part 2 Workflow for EMS

The fix is procedural. The ePCR cannot reliably flag Part 2 records for you, so the workflow has to happen before the documentation starts.

Train crews to identify Part 2 scenarios. Any transport originating from a facility that provides SUD treatment triggers Part 2. That means detox centers, residential treatment programs, methadone clinics, and behavioral health facilities with SUD units. Crews need to recognize these pickup points and flag them in the same way they flag a trauma activation.

Develop a separate Part 2 consent form. The standard EMS transport consent is not sufficient. Design a separate form that meets Part 2's requirements. It has to name the specific entities authorized to receive the information, state the purpose of the disclosure, and include an expiration date plus the required prohibition on redisclosure. The patient has to sign it before transport or the disclosure cannot happen.

Limit documentation to what is required for the transport. The ePCR for a Part 2 transport should document the medical justification for the transport without including the facility name or the SUD diagnosis unless it is clinically necessary for the receiving provider. Some agencies use a generic pickup location field and keep the Part 2-specific information in a separate access-controlled section that is not shared with billing or reporting.

Audit your redisclosure chain. Map every downstream recipient of a Part 2 record: billing, state reporting, QA, receiving facilities, and medical control. Each one needs either explicit consent from the patient or a valid exception. If the billing service gets the record, the consent has to name the billing service.

Frequently Asked Questions

Does HIPAA cover substance-use disorder records?

Yes, but Part 2 adds protections that are stricter than HIPAA. Where the two regulations conflict, Part 2 rules apply to records from SUD treatment programs. A general HIPAA authorization does not satisfy Part 2 requirements.

Can I mention the name of a rehab facility in my ePCR?

Doing so can violate Part 2 because the facility name identifies the patient as having a substance-use disorder. If the ePCR is shared with billing or state reporting without a Part 2-specific consent, the disclosure is unauthorized. Check your agency's legal guidance on how to document transfers from SUD facilities.

What happens if I share a Part 2 record under the HIPAA TPO exception?

You may be in violation of federal law. Part 2 does not have the same broad treatment, payment and operations exceptions as HIPAA. Unauthorized disclosure can lead to legal penalties and fines, plus exclusion from federal healthcare programs. The agency bears the liability.

Do ePCR vendors support Part 2 compliance?

Most ePCR vendors built their systems for HIPAA, not Part 2. Few offer data tagging, role-based access controls that distinguish Part 2 records from general PHI, or audit trails that track Part 2-specific consent compliance. Ask your vendor directly whether their platform handles Part 2 isolation and access control.

Does Part 2 apply to EMS transport from an emergency department?

Generally no, because the ED is not a SUD program on its own. But if the ED has a SUD consultation service or the patient is transferred to a SUD-specific unit, the records associated with that handoff may trigger Part 2 protections. A safe rule: Part 2 applies whenever the information identifies the patient as having received SUD treatment.

---

Part 2 is the regulation nobody in EMS trained on, and agencies that know their HIPAA obligations backward still get caught by the disclosure rules and consent requirements that Part 2 adds on top. The fix does not require a new ePCR system. You need to recognize the scenarios, update the consent workflow, and train crews to flag Part 2 transports before the documentation starts.

-- Steven
