Most healthcare cybersecurity guidance focuses on HIPAA. For Federally Qualified Health Centers that provide substance use disorder treatment, medication-assisted treatment (MAT), or behavioral health services with a substance use component, HIPAA is not the only privacy framework that applies.
42 CFR Part 2 — the federal confidentiality regulations for substance use disorder patient records — imposes requirements that are stricter than HIPAA in specific ways. The intersection of 42 CFR Part 2 and HIPAA creates a dual compliance obligation that has direct cybersecurity implications: which data must be protected most strictly, how access is controlled, what breach notification looks like, and how records may be shared.
Understanding both frameworks — and how to build a cybersecurity program that satisfies both — is essential for any FQHC providing substance use services.
What 42 CFR Part 2 Covers
42 CFR Part 2 protects the records of patients receiving substance use disorder treatment at federally assisted programs. For FQHCs, "federally assisted" includes any program that receives Section 330 grant funding — which applies to virtually all FQHCs.
The records protected under Part 2 include any information that:
- Identifies a patient as having or having had a substance use disorder
- Is maintained in connection with a federally assisted substance use disorder treatment program
- Could be used to identify the patient as a current or past recipient of substance use disorder treatment
The breadth of this definition means that any documentation of substance use disorder treatment — EHR notes, prescriptions for MAT medications (buprenorphine, methadone), counseling session records, referral notes, billing codes — is potentially protected under 42 CFR Part 2.
How 42 CFR Part 2 Is Stricter Than HIPAA
Disclosure Limitations
HIPAA permits disclosure of PHI for treatment, payment, and health care operations without patient authorization (within defined limits). 42 CFR Part 2 requires patient authorization for most disclosures — including disclosures for treatment purposes that HIPAA would allow without authorization.
A hospital requesting records from your FQHC for a patient who was treated for opioid use disorder may need specific 42 CFR Part 2 authorization before those records can be disclosed — even for routine care coordination.
Breach Notification Specificity
Under HIPAA, a breach of PHI triggers notification to affected individuals and HHS. Under 42 CFR Part 2 as updated in 2024, a breach of Part 2 records triggers HIPAA-aligned breach notification procedures — but the records must be identified as Part 2-protected in the notification process.
Access Segregation
Many FQHCs with integrated behavioral health must consider whether their EHR can segregate Part 2-protected records from general medical records — allowing access for authorized users (behavioral health staff) while restricting access for unauthorized users (general medical staff) even within the same EHR system.
Not all EHR systems support Part 2 record segregation. Understanding your EHR's capabilities and configuring access controls accordingly is a compliance obligation.
The Cybersecurity Implications of Dual Coverage
Access Control Must Be Finer-Grained
A general medical record at an FQHC may be accessible to any clinical staff member with a legitimate treatment relationship. A 42 CFR Part 2 substance use disorder record must be restricted to authorized staff even within the clinical team.
This requires:
- EHR role-based access configuration that specifically restricts Part 2 record access to authorized behavioral health staff
- Audit logging that separately tracks access to Part 2-protected records
- User awareness training that explicitly addresses Part 2 restrictions
Breach Response Has Additional Steps
If a cybersecurity incident results in unauthorized access to records that include Part 2-protected information:
- The breach notification must identify whether Part 2-protected records were involved
- Legal counsel with 42 CFR Part 2 expertise should be engaged alongside standard HIPAA breach counsel
- The disclosure notification to affected individuals must address both HIPAA and Part 2 protections
Vendor Selection Requires Part 2 Awareness
Your EHR vendor, billing service, and any technology partner that handles records including Part 2-protected information must be aware of Part 2 restrictions. Business associate agreements with Part 2-aware vendors should address how Part 2 records are handled, disclosed, and protected.
Not all healthcare IT vendors are familiar with 42 CFR Part 2. Vendors who have never worked with substance use disorder treatment programs may not be appropriate business associates for FQHCs with integrated behavioral health services.
Building a Dual-Compliant Cybersecurity Program
A cybersecurity program that satisfies both HIPAA and 42 CFR Part 2 for an FQHC providing substance use services includes:
Tiered access controls in the EHR. Configure the EHR to identify Part 2-protected records and restrict access to authorized behavioral health staff. Test and verify the configuration. Document the access control architecture.
Separate audit logging for Part 2 records. Where possible, configure audit logging to identify access events specifically involving Part 2-protected records. This supports both compliance monitoring and breach response.
Specialized staff training on 42 CFR Part 2. Standard HIPAA training does not adequately address Part 2 restrictions. Behavioral health staff, front desk staff who handle substance use referrals, and billing staff who code substance use treatment must receive specific Part 2 training — covering what information is protected, what disclosures are permitted, and what to do if an unauthorized disclosure occurs.
Incident response with Part 2 specificity. Your incident response plan should include specific procedures for incidents involving Part 2-protected records — including the engagement of specialized legal counsel and the additional notification obligations.
Vendor due diligence for Part 2 awareness. When engaging EHR vendors, billing services, or IT providers, specifically ask about their 42 CFR Part 2 experience and how they handle Part 2-protected records.
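As an added illustration of the tiered access control and separate Part 2 audit trail described above (this is example code written for this article, not ShieldForce's product or any EHR vendor's API), the script below reviews constructed EHR audit log lines: every access to a record the EHR has flagged as Part 2-protected goes to a separate trail, and any such access by a role outside the authorized behavioral health set, or made under an emergency "break-glass" override, is flagged for compliance review. The log format, the `part2` flag, the role names and the break-glass field are all assumptions.

```python
"""Added example: policy check and audit-log filter for Part 2-protected EHR records.
Record flag, role names, break-glass field and log format are constructed assumptions."""
from dataclasses import dataclass

# Assumption: EHR roles permitted to open records flagged as 42 CFR Part 2-protected.
PART2_AUTHORIZED_ROLES = {"behavioral_health_clinician", "mat_prescriber", "sud_counselor"}


@dataclass
class AccessEvent:
    user: str
    role: str
    patient_id: str
    part2_record: bool   # EHR flag: this record is Part 2-protected
    break_glass: bool    # assumed emergency-override field asserted by the user


def is_permitted(ev: AccessEvent) -> bool:
    """General records are open to any clinical role here; Part 2 records need an authorized role."""
    if not ev.part2_record:
        return True
    return ev.role in PART2_AUTHORIZED_ROLES


def parse_line(line: str) -> AccessEvent:
    # Constructed line format: user|role|patient_id|part2=0/1|bg=0/1
    user, role, pid, p2, bg = line.strip().split("|")
    return AccessEvent(user, role, pid, p2 == "part2=1", bg == "bg=1")


def review(lines):
    """Return (part2_audit_trail, violations).

    Every touch of a Part 2 record is written to the separate trail the article
    calls for; touches by unauthorized roles, or under break-glass, are flagged."""
    trail, violations = [], []
    for line in lines:
        ev = parse_line(line)
        if ev.part2_record:
            trail.append(ev)
            if not is_permitted(ev) or ev.break_glass:
                violations.append(ev)
    return trail, violations


SAMPLE_LOG = [  # constructed sample audit lines
    "jdoe|behavioral_health_clinician|P1001|part2=1|bg=0",  # authorized, logged only
    "rsmith|primary_care_md|P1001|part2=1|bg=0",            # same clinic, not Part 2-authorized
    "rsmith|primary_care_md|P2002|part2=0|bg=0",            # general medical record, allowed
    "aortiz|front_desk|P1001|part2=1|bg=1",                 # break-glass use: needs review
]

if __name__ == "__main__":
    trail, violations = review(SAMPLE_LOG)
    for v in violations:
        print(f"REVIEW: {v.user} ({v.role}) opened Part 2 record {v.patient_id}, break_glass={v.break_glass}")
```

Running it yields a three-entry Part 2 trail and two flagged events (the primary care access and the break-glass access), which is the kind of output a compliance reviewer would reconcile against authorizations on file.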
The 2024 Changes to 42 CFR Part 2 — What FQHCs Need to Know
SAMHSA issued significant updates to 42 CFR Part 2 in 2024, effective February 2024. The most important change for FQHCs: the updated rule aligns more closely with HIPAA for treatment, payment, and health care operations disclosures — reducing (but not eliminating) the burden of consent requirements for internal health system disclosures.
The alignment makes integrated care coordination easier within health systems but does not eliminate Part 2 protections. External disclosures still require patient consent. Re-disclosure restrictions still apply. The dual compliance framework remains in place.
FQHCs should review their current Part 2 policies and consent procedures against the 2024 updates and confirm that their EHR configuration reflects the current regulatory requirements.
Protect both HIPAA and 42 CFR Part 2 records with a cybersecurity program built for FQHCs. ShieldForce understands the dual compliance obligations of community health centers serving substance use disorder patients.
Get a free HIPAA assessment that addresses your full compliance scope — including Part 2.