HIPAA, 42 CFR Part 2, and Substance Use Disorder Information — Consents, Controls, and Conflicts in the Rules

01:00 PM ET | 10:00 AM PT | 12:00 PM CT Duration 90 Minutes

Webinar Includes : All the training handouts , certificate ,Q/A and 90 mins Live Webinar

"Presented By Top HIPAA Expert Jim Sheldon-Dean (Founder and director of compliance services at Lewis Creek Systems, LLC)"

This session focuses on the issues of managing health information when it may involve substance use disorder treatment information. HIPAA allows a number of disclosures without consent that SAMHSA prohibits without consent. We will explain how HIPAA and 42 CFR Part 2 are similar and how they’re different, and what are the additional considerations when substance use disorder information is involved. We will discuss the latest guidance from HHS and SAMHSA about harmonization of HIPAA and 42 CFR Part 2, as well as recent changes to Part 2 and new legislation affecting the sharing of information for treatment when substance use disorder information is involved.


With the current epidemic of opioid abuse, there has been a great deal of publicity around the release of information and the necessity to share information with family and friends to facilitate recovery.  The rules remain in place as-is, but are expected to change under new law.  HIPAA allows such releases under some circumstances, while a consent is required under 42 CFR Part 2.  HHS has issued guidance on how to deal with the regulations in the face of the crisis, but the inconsistencies and difficulties remain.  In this session we will review the guidance and learn how it helps explain some of the rules.

For much of healthcare, HIPAA sets the standards for how to manage uses and disclosures of patient information, known as Protected Health Information (PHI).  But when it comes to information related to the treatment of substance use disorders, regulations of the Substance Abuse and Mental Health Services Administration (SAMHSA) under 42 CFR Part 2 prevail.  These rules apply to information collected under SAMHSA, which may be difficult to separate from "regular" PHI in your records, and there are special rules for disclosure and re-disclosure of substance abuse treatment information.    

Learning Objectives

At the conclusion of the session, participants will be able to:

1. Understand what organizations or programs may be subject to 42 CFR Part 2.

2. Know how to treat Substance Use Disorder information as opposed to “regular” health information.

3. Understand the requirements for consent to release under 42 CFR Part 2 and how they have been changing.

4. Discuss issues in separating Part 2 data from other data in a medical record.

Why you should attend

Attendees will learn how the rules on Substance Use Disorder information can affect records storage and release processes, and how the HIPAA and SAMHSA rules are different and similar.  There are some significant differences between the HIPAA and 42 CFR Part 2 rules that need to be understood, especially when it comes to involving family and friends in an individual’s treatment, which HIPAA allows, but Part 2 does not.  Meanwhile there have been some significant changes to the Part 2 rules that make some sharing of information for treatment purposes easier, and new legislation to deal with substance use disorders is being adopted.  Recent significant changes to the rules and expected changes under new law will be presented and explained.

We will discuss these key issues, and the future of Part 2 information handling, in this important session.

Areas Covered

•       What HIPAA allows, what SAMHSA requires, and the differences will be explained.
•       We will examine how to determine if the services you provide place you under 42 CFR Part 2.
•       We will explore the means for making sure substance abuse treatment information receives the appropriate               protections.
•       The consent and release requirements under 42 CFR Part 2 will be explained.
•       Re-release of information released under 42 CFR Part 2 will be discussed.
•       Sharing of information with family and friends in an overdose incident will be explored.
•       The latest guidance from the US Department of Health and Human Services as well as recent and new laws               on harmonization of SAMHSA and HIPAA will be explained.

Who will Benefit

Attendees should include Compliance Officers, Privacy and Security Officers, and leadership and staff in health information management, information security, and patient relations, as well as staff in patient intake and front-line patient relations and any others that are involved in, interested in, or responsible for, patient communications, information management, and privacy and security of Protected Health Information under HIPAA, including:
•       Compliance director
•       CEO
•       CFO
•       Privacy Officer
•       Security Officer
•       Information Systems Manager
•       HIPAA Officer
•       Chief Information Officer
•       Health Information Manager
•       Healthcare Counsel/lawyer
•       Office Manager
•       Contracts Manager

Industries who can attend

This 90-minute online course is intended for professionals in the Healthcare Industry.

Speaker Profile

Jim Sheldon-Dean

Jim Sheldon-Dean is the founder and director of compliance services at Lewis Creek Systems, LLC, a Vermont-based consulting firm founded in 1982, providing information privacy and security regulatory compliance services to a wide variety of health care entities. 

Sheldon-Dean serves on the HIMSS Information Systems Security Workgroup, has co-chaired the Workgroup for Electronic Data Interchange Privacy and Security Workgroup, and is a recipient of the WEDI 2011 Award of Merit. He is a frequent speaker regarding HIPAA and information privacy and security compliance issues at seminars and conferences, including speaking engagements at numerous regional and national healthcare association conferences and conventions and the annual NIST/OCR HIPAA Security Conference in Washington, D.C. 

Sheldon-Dean has more than 30 years of experience in policy analysis and implementation, business process analysis, information systems and software development. His experience includes leading the development of health care related Web sites; award-winning, best-selling commercial utility software; and mission-critical, fault-tolerant communications satellite control systems. In addition, he has eight years of experience doing hands-on medical work as a Vermont certified volunteer emergency medical technician. Sheldon-Dean received his B.S. degree, summa cum laude, from the University of Vermont and his master’s degree from the Massachusetts Institute of Technology.

Back to Top