A health provider that provides treatment for substance use disorders, including opioid abuse, needs to determine whether it is subject to 42 CFR Part 2 (i.e., a “Part 2 program”) and whether it is a covered entity under HIPAA. Generally, the Part 2 rules provide more stringent privacy protections than HIPAA, including in emergency situations. If an entity is subject to both Part 2 and HIPAA, it is responsible for complying with the more protective Part 2 rules, as well as with HIPAA. HIPAA is intended to be a set of minimum federal privacy standards, so it generally is possible to comply with HIPAA and other laws, such as 42 CFR Part 2, that are more protective of individuals’ privacy.
For example, HIPAA permits disclosure of protected health information (PHI) for treatment purposes (including in emergencies) without patient authorization, and allows PHI to be used or disclosed to lessen a threat of serious and imminent harm to the health or safety of the patient or others (which may occur as part of a health emergency) without patient authorization or permission. Because HIPAA permits, but does not require, disclosures for treatment or to prevent harm, if Part 2 restricts certain disclosures during an emergency, an entity subject to both sets of requirements could comply with Part 2’s restrictions without violating HIPAA.
For more information about applying 42 CFR Part 2 in an emergency, see https://www.samhsa.gov/about-us/who-we-are/laws-regulations/confidentiality-regulations-faqs.