Navigating 42 CFR Part 2: What Behavioral Health and Mental Health Apps Need Beyond HIPAA

Why 42 CFR Part 2 matters for mental health app founders right now
Mental health and behavioral health apps occupy a specific position in the US regulatory landscape. Most founders in this space understand HIPAA. Fewer understand that a second federal law — one that is stricter in specific, architecturally significant ways — applies to any platform that touches substance use disorder records.
42 CFR Part 2 is a federal regulation that has governed the confidentiality of substance use disorder treatment records since the 1970s. Its original purpose was straightforward: to protect patients from having their addiction treatment records used against them in legal proceedings, employment decisions, or other contexts where disclosure could cause serious harm. Fear of exposure was keeping people from seeking treatment. Part 2 was designed to remove that fear by creating protections that go beyond what HIPAA provides.
As mental health platforms expand their scope, integrate with clinical workflows, and begin handling records that include SUD treatment data, Part 2 increasingly applies to the systems they build and the data they process.
Enforcement for the updated Part 2 rules began on February 16, 2026. If your platform receives, processes, or transmits records that originate from a Part 2 program, the question is no longer whether Part 2 applies. It is whether your architecture is ready for it.
Who 42 CFR Part 2 actually applies to
This is where most technology vendors go wrong. Part 2 is not a general mental health privacy law. It applies specifically to federally assisted programs that provide substance use disorder diagnosis, treatment, or referral for treatment. A general anxiety management app or a teletherapy platform that does not handle SUD records is not a Part 2 program.
The scope becomes relevant in several common scenarios for mental health and behavioral health technology vendors. Employee Assistance Programs that handle SUD referrals are typically in scope. Platforms that integrate with federally funded SUD treatment providers become subject to Part 2 requirements when they receive Part 2 records. K-12 mental health platforms operating within school-based SUD programs can fall under federal assistance requirements. Behavioral health platforms selling into hospital systems often receive Part 2 records as part of broader clinical data flows.
The practical test is not the nature of your product — it is whether your system receives, processes, or transmits records from a Part 2 program. If it does, Part 2 requirements attach to how you handle that data, regardless of what else your platform does. The regulation also extends to Qualified Service Organizations — a category that explicitly includes health IT vendors and business associates that handle Part 2 records on behalf of a program.
What the 2024 Final Rule changed — and what it didn't
The 2024 Final Rule brought Part 2 meaningfully closer to HIPAA. Single patient consent for treatment, payment, and healthcare operations is now permitted. Breach notification requirements now align with the HIPAA Breach Notification Rule. Enforcement authority has been transferred to the HHS Office for Civil Rights, the same body that enforces HIPAA, following a delegation issued in August 2025.
Despite this alignment, three distinctions remain that have direct implications for how you build.
Disclosure in legal proceedings is fundamentally more restricted. Under HIPAA, certain disclosures to law enforcement are permitted without patient consent. Under Part 2, a warrant or subpoena alone is not sufficient. Disclosure in civil, criminal, administrative, or legislative proceedings requires either the patient's specific written consent for that use or a court order that meets the requirements set out in 42 CFR 2.65, and consent for use in legal proceedings cannot be combined with consent for any other purpose. This is not a procedural difference. It is an architectural one. Your system cannot be designed to respond to standard legal hold or subpoena processes the way a HIPAA-only system might, and your legal response workflow needs to reflect that distinction.
SUD counseling notes are a new, structurally distinct protected category. The 2024 Final Rule created a definition for SUD counseling notes: notes by an SUD or mental health professional documenting or analyzing the contents of a private or group SUD counseling session. The analogy in HIPAA is psychotherapy notes, and HHS confirms the definition is nearly identical. Critically, the notes must be kept separate from the rest of the patient's SUD and medical record to qualify for this heightened protection. If they are not separated in your system, they do not meet the definition and do not receive the additional protections. This has a direct implication for how you structure data at the schema level. It is not enough to apply consent tags; the notes must be structurally distinguished in the record and subject to their own consent.
The re-disclosure prohibition travels with the data. When Part 2 records are disclosed to a third party, that party inherits the re-disclosure restrictions. Every disclosure made with patient consent must be accompanied by a copy of the consent or a clear explanation of its scope, along with a statement that the records are protected under Part 2 and cannot be further disclosed without authorization. For a technology vendor, this means the re-disclosure prohibition must be embedded in every sub-processor agreement. It is not enough to comply yourself — you are responsible for ensuring your downstream vendors understand and honor the same restrictions.
The three architectural decisions 42 CFR Part 2 changes
Understanding the legal differences between Part 2 and HIPAA is necessary. Translating them into system design is where most platforms run into difficulty — and where security reviews expose the gap.
Data segmentation at the record level. The HIPAA Security Rule does not require technical segmentation of mental health data from other health data. Part 2 requires that SUD records be identifiable as Part 2-protected so that the correct consent controls can be applied at the point of access or disclosure.
The 2024 Final Rule clarified that physical segregation of records is not required — but your system must be able to identify which records carry Part 2 protections and enforce consent checks before any access or disclosure occurs. In practice, this means data classification at ingestion, consent state tracking at the record level, and query-time enforcement that can block or allow access based on whether valid Part 2 consent exists for the requesting party and purpose.
For SUD counseling notes specifically, structural separation in the record is required for the heightened protection to apply at all. ONC developed the Data Segmentation for Privacy (DS4P) standard specifically to address this problem — it is worth reviewing as an implementation reference.
Consent-aware audit logging. The HIPAA Security Rule requires audit controls that record and examine activity in systems containing ePHI — who accessed what, and when. Part 2 adds a layer that most HIPAA-compliant audit implementations do not address: your audit trail needs to capture what consent was in place at the time of access, what the stated purpose was, and whether the disclosure fell within the scope of that consent.
Standard HIPAA-compliant logging captures access events. Part 2-compliant logging captures consent evaluation outcomes alongside those events. For a hospital or K-12 security reviewer, the difference is significant. They are not only asking whether you log access — they are asking whether your logs can demonstrate that every access was within the patient's consented scope and purpose. If your logging captures the event but not the consent evaluation, you cannot make that demonstration.
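The following is an added illustration of the three mechanisms the two preceding sections describe (classification at ingestion, query-time consent enforcement, and an audit entry that records the consent evaluation outcome rather than only the access event). It is not code from the original article or from any named vendor. The program list, the record and consent field names, the purpose strings, the audit schema, and the wording of the re-disclosure notice are all assumptions chosen for the demo and are not a regulatory schema; the one rule it hard-codes from the text above is that a consent for legal proceedings cannot be combined with any other purpose.

```python
"""Consent-aware access gateway for Part 2 records (illustrative, not a regulatory schema)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed for the example: source programs whose records are Part 2 protected.
PART2_PROGRAMS = {"example-sud-clinic"}
LEGAL = "legal_proceedings"  # purpose that must never share a consent with other purposes


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    source_program: str
    counseling_note: bool = False
    part2: bool = False  # set at ingestion, never supplied by the caller


@dataclass(frozen=True)
class Consent:
    consent_id: str
    patient_id: str
    recipient: str
    purposes: frozenset
    expires: datetime
    covers_counseling_notes: bool = False
    revoked: bool = False


def ingest(record_id, patient_id, source_program, counseling_note=False):
    """Classify at ingestion: any record from a Part 2 program carries the tag."""
    return Record(record_id, patient_id, source_program, counseling_note,
                  part2=source_program in PART2_PROGRAMS)


def validate_consent(c):
    """Reject a consent that bundles legal-proceedings use with any other purpose."""
    if LEGAL in c.purposes and len(c.purposes) > 1:
        raise ValueError("legal_proceedings consent cannot be combined with other purposes")
    return c


class Gateway:
    """All reads go through access(); every call writes exactly one audit entry."""

    def __init__(self):
        self.consents = {}  # patient_id -> [Consent]
        self.audit = []

    def add_consent(self, c):
        self.consents.setdefault(c.patient_id, []).append(validate_consent(c))

    def _evaluate(self, record, requester, purpose, now):
        """Return (reason, matching consent or None); reason is the first failing check."""
        reasons = []
        for c in self.consents.get(record.patient_id, []):
            if c.recipient != requester:
                reasons.append("recipient_mismatch"); continue
            if purpose not in c.purposes:
                reasons.append("purpose_out_of_scope"); continue
            if c.revoked:
                reasons.append("consent_revoked"); continue
            if now >= c.expires:
                reasons.append("consent_expired"); continue
            if record.counseling_note and not c.covers_counseling_notes:
                reasons.append("counseling_note_not_covered"); continue
            return "consent_matched", c
        return (reasons[0] if reasons else "no_consent_on_file"), None

    def access(self, record, requester, purpose, now=None):
        now = now or datetime.now(timezone.utc)
        entry = {"ts": now.isoformat(), "record_id": record.record_id, "requester": requester,
                 "purpose": purpose, "part2": record.part2, "consent_id": None,
                 "reason": None, "outcome": None}
        consent = None
        if not record.part2:
            entry.update(outcome="allow", reason="not_part2")  # ordinary HIPAA path only
        else:
            reason, consent = self._evaluate(record, requester, purpose, now)
            entry.update(reason=reason, outcome="allow" if consent else "deny",
                         consent_id=consent.consent_id if consent else None)
        self.audit.append(entry)  # access event AND consent evaluation outcome, together
        result = {k: entry[k] for k in ("outcome", "reason", "consent_id")}
        if consent is not None:
            # Illustrative wording: the scope of the consent and the re-disclosure
            # restriction travel with every consented disclosure of a Part 2 record.
            result["notice"] = ("Protected under 42 CFR Part 2; further disclosure requires "
                                f"authorization. Scope: recipient={consent.recipient}, "
                                f"purposes={sorted(consent.purposes)}, expires={consent.expires.date()}")
        return result


def demo():
    """Constructed scenario: one patient, two consents, three records, five access attempts."""
    gw = Gateway()
    now = datetime(2026, 3, 1, tzinfo=timezone.utc)
    gw.add_consent(Consent("c1", "p1", "example-hospital",
                           frozenset({"treatment", "payment", "health_care_operations"}),
                           now + timedelta(days=365)))
    gw.add_consent(Consent("c2", "p1", "example-hospital", frozenset({LEGAL}), now + timedelta(days=30)))
    r_sud = ingest("r1", "p1", "example-sud-clinic")
    r_note = ingest("r2", "p1", "example-sud-clinic", counseling_note=True)
    r_gen = ingest("r3", "p1", "general-teletherapy")
    out = [gw.access(r_sud, "example-hospital", "treatment", now),   # allow via c1
           gw.access(r_sud, "example-hospital", "research", now),    # deny: purpose out of scope
           gw.access(r_note, "example-hospital", "treatment", now),  # deny: note needs its own consent
           gw.access(r_sud, "example-analytics", "treatment", now),  # deny: recipient mismatch
           gw.access(r_gen, "example-analytics", "treatment", now)]  # allow: not a Part 2 record
    return gw, out


if __name__ == "__main__":
    gateway, results = demo()
    for line in gateway.audit:
        print(line)
```

The point a reviewer will probe is in `access()`: the audit entry is written in the same code path as the decision, so there is no way to record an access without also recording which consent (if any) was evaluated and why it passed or failed. Keying the Part 2 tag off the source program at `ingest()` rather than trusting the caller keeps classification out of the hands of whichever service happens to be reading.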
Sub-processor agreements that address re-disclosure. A standard HIPAA Business Associate Agreement establishes that your sub-processors will handle PHI appropriately under HIPAA. For Part 2 records, that is insufficient. Every agreement with a party that receives Part 2 records must explicitly address the re-disclosure prohibition and include confirmation that the receiving party will not further disclose those records except as Part 2 permits. This is a specific contractual requirement — a BAA that does not address Part 2 does not satisfy it. If you use third-party model providers, analytics vendors, or cloud infrastructure partners that touch Part 2 data, each of those relationships needs to be reviewed.
What healthcare and K-12 security reviews actually ask for
Mental health and behavioral health platforms selling into K-12 school systems, enterprise HR channels, or hospital-affiliated programs are encountering security reviews that go well beyond standard HIPAA questionnaires. The questions that surface specifically around Part 2 are precise.
Reviewers want to know whether the platform can identify which records are Part 2-protected. They want to understand how the system enforces consent restrictions at the point of access, not just at the point of intake. They want to see evidence that sub-processor agreements reflect the re-disclosure prohibition. They want documentation that audit logs capture consent state alongside access events. And for platforms handling SUD counseling notes, they want to confirm that those notes are structurally separated in the record and subject to separate consent workflows.
These are not questions that a compliance automation platform answers. Vanta or Drata will help you document that controls exist. They will not validate whether consent enforcement logic holds under realistic access patterns, whether your data segmentation correctly identifies Part 2 records at ingestion, or whether your audit trail captures the consent evaluation outcome rather than just the access event.
That validation requires independent healthcare penetration testing that exercises the specific data flows and access control logic Part 2 imposes — not just the standard HIPAA attack surface.
HIPAA compliance alone is not enough for behavioral health platforms
As HHS makes clear, Part 2 imposes obligations that go beyond what HIPAA requires, and the two frameworks must be satisfied independently. The 2024 Final Rule brought them closer together but did not collapse them. The consent model is different. The audit requirements are different. The legal proceedings restrictions are categorically stricter. The downstream contractual obligations are different.
Being HIPAA-compliant does not make a system Part 2-compliant. For a behavioral health or mental health platform entering regulated sales channels, that gap becomes visible the moment a security reviewer asks a question HIPAA cannot answer.
Where Sekurno fits
The gap that consistently causes deals to stall is not missing policy documentation. It is the inability to demonstrate that the system behaves as claimed under real conditions.
Sekurno works with behavioral health and mental health SaaS vendors preparing for hospital, K-12, or enterprise HR security reviews. That means HIPAA penetration testing that covers the full data flow including SUD record handling, consent enforcement logic, audit trail integrity, and sub-processor risk — combined with readiness assessments that map your architecture against Part 2's specific requirements rather than stopping at HIPAA.
The output is not a certificate. It is the documented, independently validated evidence that answers the precise questions a security reviewer will ask.
If you are preparing for a security review or building a platform that handles behavioral health data, contact us to discuss where your current architecture stands.