Every treatment center operator I talk to has the same story about 42 CFR Part 2.
They have heard the regulation referenced a dozen times in attorney emails, vendor sales calls, and compliance trainings, but nobody has ever sat them down and explained what it actually requires for the day-to-day work of running a marketing program.
The result is a kind of low-grade compliance anxiety where the operator knows there is a rule that matters, knows the penalties are real, and has no clear sense of what they are supposed to do about it.
That gap matters more in 2025 than it did five years ago. The 2024 final rule rewrote significant portions of Part 2, the Office for Civil Rights inherited primary enforcement, and the consent and disclosure framework now sits closer to HIPAA than it ever has.
Ad platforms have tightened policies in parallel. The compliance stack a treatment center needs in place today, across admissions operations, marketing, and intake, is not the same stack it needed in 2020.
This guide is written for operators, not lawyers. It explains what 42 CFR Part 2 covers, who it applies to, what the 2024 update actually changed, and how each piece flows downstream into the systems your marketing, admissions, and intake teams touch every day.
Key Takeaways
- 42 CFR Part 2 governs the confidentiality of substance use disorder (SUD) treatment records held by federally assisted Part 2 programs, and it applies a stricter standard than HIPAA in several specific ways.
- The 2024 final rule aligned Part 2 more closely with HIPAA for treatment, payment, and operations, permitted a single written consent for those purposes, and gave the HHS Office for Civil Rights expanded enforcement authority, including HIPAA-style penalties.
- For marketing, the rule means you cannot use SUD treatment information for advertising audience signals, retargeting, or testimonials without specific patient consent, and you cannot allow third-party trackers to send identifiable patient data to ad platforms.
- For intake, every form, phone script, voicemail, SMS workflow, and CRM record that touches a Part 2 patient must be designed around the consent boundary, not retrofitted after the fact.
- The fastest path to a defensible compliance posture is a 30-day audit covering your forms, your ad pixels, your CRM data flow, your call recording stack, and your written consent language.
What 42 CFR Part 2 Actually Is and What It Regulates
42 CFR Part 2 is the federal regulation that protects the confidentiality of substance use disorder treatment records.
It was originally written in 1975 to encourage people to seek SUD treatment without fear that the existence of a treatment record could be used against them in employment, custody, criminal, or immigration proceedings.
The text of Part 2 covers any information that would identify a patient as having a substance use disorder, sought treatment for one, or received treatment from a Part 2 program. That definition is broad on purpose.
It captures clinical notes, intake forms, CRM entries, call recordings, and hashed audience identifiers in ad platforms.
The regulation’s core mechanic is consent. A Part 2 program cannot disclose patient information to a third party without the patient’s written consent, with a small set of exceptions for medical emergencies, audits, research, and court orders that meet specific procedural standards.
The consent must be in writing, must name the recipient, must describe the information being disclosed, and must include an expiration condition. Verbal authorization is not consent under Part 2.
The penalties for violation are real. The 2024 update brought Part 2 violations under the HIPAA penalty structure, which means civil monetary penalties scale from roughly $100 per violation for unknowing violations to over $50,000 per violation for willful neglect that is not corrected.
Penalties are capped at $1.5 million per identical violation per calendar year, and state attorneys general have parallel enforcement authority.
Who 42 CFR Part 2 Covers: Part 2 Programs vs General Healthcare
This is the question that trips up most operators. Part 2 does not apply to every healthcare provider, and it does not apply to every program that happens to treat patients with substance use disorders. It applies to a specific category called Part 2 programs.
A Part 2 program is an individual or entity that holds itself out as providing, and actually provides, substance use disorder diagnosis, treatment, or referral for treatment, and receives federal assistance in any form.
Federal assistance is interpreted broadly and includes Medicare and Medicaid certification, federal tax-exempt status, federal grants, or DEA registration to dispense controlled substances.
A primary care practice that occasionally screens for substance use is generally not a Part 2 program. A hospital emergency department that treats overdoses is not a Part 2 program for the ED encounter itself, though specific SUD specialty units inside the hospital often are.
A behavioral health practice that treats co-occurring disorders is a Part 2 program for the SUD portion of its work, even if the broader practice is governed by HIPAA for everything else.
The practical test for operators is this. If your organization advertises addiction treatment, detox, medication-assisted treatment, or substance use therapy as a service line, and you bill Medicare, Medicaid, or accept insurance plans regulated by federal programs, you are almost certainly a Part 2 program.
The default assumption should be that you are covered.
The 2024 Final Rule: What Changed and Why
The Department of Health and Human Services finalized the most significant update to 42 CFR Part 2 in decades on February 8, 2024, with the rule taking effect April 16, 2024, and a compliance deadline of February 16, 2026, for most provisions.
The update was driven by two pressures. The first was the CARES Act of 2020, which directed HHS to align Part 2 more closely with HIPAA.
The second was a long-running concern that the old Part 2 consent regime made it nearly impossible to coordinate SUD care with the rest of a patient’s healthcare team.
The 2024 rule made several material changes. A single patient consent now authorizes use and disclosure of SUD records for all future treatment, payment, and healthcare operations, removing the prior requirement to obtain a fresh consent for each disclosure.
Re-disclosure restrictions were modernized so that downstream recipients who receive records under that consent are bound by HIPAA’s restrictions on most uses, with specific additional Part 2 protections preserved for legal proceedings.
Enforcement shifted. The HHS Office for Civil Rights, which already enforces HIPAA, now also enforces Part 2 with the same penalty framework. Patient rights expanded to include a HIPAA-style right to request restrictions, an accounting of disclosures, and a notice of privacy practices that explicitly addresses Part 2 protections.
The marketing implications of the 2024 rule are easy to miss because they are not stated as marketing rules. The rule explicitly restricts the use of Part 2 records for fundraising and marketing without specific consent, and it explicitly imports HIPAA’s prohibition on the sale of protected information.
For a treatment center, that means the entire ad tech stack, the CRM that feeds it, and the data partners on the receiving end are all in scope.
How 42 CFR Part 2 Affects Treatment Center Marketing
The most common operator question is whether 42 CFR Part 2 prevents a treatment center from marketing. It does not. Part 2 prevents specific things from happening with patient information, not the act of marketing itself. The distinction matters because it tells you where to focus.
You can run paid search, paid social, organic search, content marketing, email marketing, direct mail, outdoor, broadcast, and influencer campaigns as a Part 2 program. What you cannot do is use protected information collected during the course of treatment to power those campaigns.
The line runs between prospective patients who have not yet identified themselves as patients, and current or former patients whose status is now part of a Part 2 record. Our paid media capability is built around that line.
Testimonials are the cleanest example. A patient who completes treatment cannot appear in a testimonial, on a website, in a brochure, or in a paid ad without specific written consent that meets the Part 2 standard. The fact that the patient is willing to share their story is not consent.
The consent must name the recipient of the disclosure, describe the information disclosed, and include an expiration. A generic media release signed during admission is unlikely to qualify.
Retargeting is the second example. If a prospective patient visits your site, fills out an intake inquiry, and then becomes a patient, the moment they become a patient their visit history becomes part of a Part 2 record.
Continuing to retarget that person across ad platforms using cookies, hashed emails, or device IDs is a disclosure of treatment status to those platforms, even if the ad creative itself does not mention treatment.
The cleanest answer is to suppress patients from retargeting audiences at the CRM level the moment intake converts.
Referral source marketing is the third. Sharing patient outcome data, even in aggregate, with referring providers or partners is a disclosure of Part 2 records if the data could be reasonably re-identified. Most treatment centers underestimate how easily small cohort sizes break aggregation.
How 42 CFR Part 2 Affects Paid Advertising Specifically
Paid advertising is where 42 CFR Part 2 collides most directly with how modern ad platforms work, and where most treatment centers have unaddressed exposure. The exposure has three shapes.
The first is audience signals. Custom audiences, lookalike audiences, and conversion-based audience optimization on Meta, Google, TikTok, and most other platforms work by sending user identifiers and event data from your systems to the platform.
If those events include patients, or if those identifiers map to patients, the upload itself is a disclosure of treatment status under Part 2.
The platform now knows that the user identified by a particular hashed email or phone number is a patient at your facility, even if your audience name is innocuous.
The second is tracking pixels. Standard implementations of the Meta Pixel, Google Ads tag, TikTok Pixel, and similar third-party scripts fire on every page a visitor loads, including patient portal pages, thank-you pages after intake forms, and confirmation pages after appointment booking.
When those events fire, they transmit URL, referrer, IP address, and often hashed identifiers to the ad platform. On a Part 2 program’s website, those events can be disclosures.
The third is conversion APIs. Server-side conversion APIs like Meta CAPI and Google Enhanced Conversions are sometimes sold as a privacy solution, but they are not a compliance solution by default. A treatment center using CAPI without a HIPAA-compliant intermediary is sending the same patient-identifying signals through a different transport.
Our work on HIPAA-compliant configurations for Meta ad platforms and on the Meta Conversions API specifically for treatment centers walks through the practical fixes.
The defensible posture on paid advertising in 2025 looks like this. All third-party trackers on the site are routed through a HIPAA-compliant tag manager or BAA-covered intermediary that strips identifiers before they reach the ad platform.
Conversion events fire only on pre-intake actions like form submissions, and identifiers are suppressed or hashed at the source. Custom audience uploads exclude any record that has been touched by a Part 2 disclosure.
Retargeting suppression is automated from the CRM the moment a contact becomes a patient. Account-level data retention is set to the minimum the platform allows.
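The pixel and conversion API exposure described above, and the posture just listed, come down to one decision point: a server-side gate between the site and the platform that forwards only pre-intake events and only non-identifying fields. The following is an added example written for this guide, not code from the page, from Webserv, or from any ad platform's SDK. The path prefixes, event names and field names are assumptions chosen for illustration; a real deployment would take them from the program's own site map and the platform's event schema.

```javascript
// Added example (not the page's or any vendor's code): a server-side
// intermediary that sits between a Part 2 program's website and an ad
// platform's conversion API. It forwards only pre-intake event types, drops
// anything that fired on a patient-only page, and strips identifiers before
// the payload leaves the program's boundary. Path prefixes, event names and
// field names are assumptions chosen for illustration.

// Pages that only a patient, or a visitor who has just converted, would reach.
const PATIENT_PATH_PREFIXES = ["/portal", "/intake/thank-you", "/appointment/confirmed"];

// Event types the intermediary is willing to forward: pre-intake actions only.
const FORWARDABLE_EVENTS = new Set(["PageView", "ViewContent", "Lead"]);

// Allow list of non-identifying fields. Anything not listed here is dropped,
// so a new field added upstream never leaks by default.
const ALLOWED_FIELDS = new Set([
  "event_name", "event_time", "event_id", "action_source", "currency", "value",
]);

// Fields that identify a person to the platform. Redundant with the allow
// list, but kept explicit so a reviewer can see what must never be forwarded.
const IDENTIFYING_FIELDS = new Set([
  "email", "phone", "first_name", "last_name", "external_id", "user_data",
  "client_ip_address", "client_user_agent", "fbp", "fbc",
]);

// True when the event's source URL is a patient-only page. An unparseable
// URL is treated as sensitive rather than forwarded.
function isPatientPage(url) {
  let path;
  try {
    path = new URL(url).pathname;
  } catch {
    return true;
  }
  return PATIENT_PATH_PREFIXES.some(p => path === p || path.startsWith(p + "/"));
}

// Drops the query string (a UTM tag is harmless, an e-mail address in a
// query parameter is not) and returns origin + path only.
function sanitizeUrl(url) {
  const u = new URL(url);
  return u.origin + u.pathname;
}

// Decide whether an event may be forwarded and, if so, build the redacted
// payload. Returns { forward: false, reason } or { forward: true, payload }.
function filterConversionEvent(event) {
  if (!event || typeof event !== "object") {
    return { forward: false, reason: "malformed event" };
  }
  if (!FORWARDABLE_EVENTS.has(event.event_name)) {
    return { forward: false, reason: "post-intake event type" };
  }
  if (typeof event.event_source_url !== "string" || isPatientPage(event.event_source_url)) {
    return { forward: false, reason: "patient page" };
  }
  const payload = {};
  for (const [key, value] of Object.entries(event)) {
    if (IDENTIFYING_FIELDS.has(key)) continue;
    if (ALLOWED_FIELDS.has(key)) payload[key] = value;
  }
  payload.event_source_url = sanitizeUrl(event.event_source_url);
  return { forward: true, payload };
}

// Run a batch and return what would go to the platform plus a drop log,
// which is the artifact an auditor asks for.
function processBatch(events) {
  const forwarded = [];
  const dropped = [];
  for (const ev of events) {
    const result = filterConversionEvent(ev);
    if (result.forward) forwarded.push(result.payload);
    else dropped.push({ event_name: ev && ev.event_name, reason: result.reason });
  }
  return { forwarded, dropped };
}

// Constructed sample batch: one pre-intake lead with identifiers attached,
// one patient portal page view, and one post-booking confirmation event.
const SAMPLE_EVENTS = [
  {
    event_name: "Lead", event_time: 1700000000, event_id: "evt-1", action_source: "website",
    event_source_url: "https://example-center.test/contact?utm_source=search&email=jane%40example.test",
    email: "jane@example.test", client_ip_address: "203.0.113.5", fbp: "fb.1.1700000000.123",
  },
  { event_name: "PageView", event_time: 1700000100, event_id: "evt-2", action_source: "website",
    event_source_url: "https://example-center.test/portal/dashboard" },
  { event_name: "Schedule", event_time: 1700000200, event_id: "evt-3", action_source: "website",
    event_source_url: "https://example-center.test/appointment/confirmed" },
];

console.log(JSON.stringify(processBatch(SAMPLE_EVENTS), null, 2));
```

On the sample batch only the lead is forwarded, with its e-mail, IP address and browser cookie removed and the query string cut from the URL; the portal view and the booking confirmation are dropped and logged with a reason. The allow list is the control that matters: the deny list documents intent, but it is the allow list that keeps a field the platform introduces next quarter from leaving by default.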
How 42 CFR Part 2 Affects Intake and Patient Communications
Intake is where Part 2 exposure compounds fastest because intake is where prospective patients become Part 2 patients. The moment of conversion is also the moment when most operational systems start touching protected information without anyone updating the compliance posture.
The intake form is the first artifact to audit. The form itself, the platform it lives on, the database it writes to, the CRM that ingests the record, and any third-party scripts running on the page all need to be in scope.
A standard WordPress contact form built without compliance in mind sends submissions through unencrypted email, stores them in plaintext in the WordPress database, and fires marketing pixels on the thank-you page. Each of those is a potential Part 2 disclosure.
Phone calls are the second artifact. Most treatment centers record inbound admissions calls for quality and training. Those recordings contain detailed disclosures of treatment seeking. The recording platform, the storage location, the staff with access, and the retention period all need to satisfy Part 2.
A vendor that is HIPAA-compliant is not automatically Part 2 compliant.
Voicemail and SMS are the third. The standard SMS workflow that confirms a tour appointment, reminds a patient of an intake call, or follows up on a missed appointment is a disclosure of treatment-seeking status to the patient’s mobile carrier and to any platform in the SMS delivery chain.
Most carriers and most SMS platforms are not BAA-covered for Part 2 purposes. The fix is usually a combination of opt-in language at the consent step, content restrictions on what can be sent over SMS, and a HIPAA-aware messaging platform with the right contractual posture.
The cleanest compliance posture is one where every system that touches a patient identifier is on the same consent. The expensive failure mode is one where five systems each have a slightly different version of consent and none of them line up.
Preston Powell, Webserv
42 CFR Part 2 vs HIPAA: Where the Rules Diverge
The 2024 final rule narrowed the gap between Part 2 and HIPAA, but it did not close it. Operators who assume HIPAA compliance is sufficient for Part 2 are wrong on several specific points.

The consent standard is stricter under Part 2. HIPAA permits use and disclosure of protected health information for treatment, payment, and operations (TPO) without specific consent.
Part 2 requires written consent for any disclosure to a third party, with the new caveat that a single written consent can now cover future TPO disclosures.
The form, content, and expiration requirements of Part 2 consent are more prescriptive than HIPAA’s authorization requirements.
The legal proceedings standard is stricter. Part 2 records cannot be used in criminal, civil, or administrative proceedings against the patient without a court order that meets a specific procedural standard, even if the patient signs an authorization. HIPAA has no equivalent restriction.
This protection is preserved in the 2024 update and is one of the most important reasons Part 2 still exists as a separate regulation.
The breach notification rules are similar but not identical. The 2024 update imported HIPAA’s breach notification framework into Part 2, which simplifies the operator workflow when a breach involves both HIPAA and Part 2 data. The reporting deadlines and content requirements now align.
The marketing rules are stricter under Part 2 in practice. HIPAA’s marketing definition permits some communications about treatment alternatives, refill reminders, and case management without authorization.
Part 2 imports HIPAA’s definitions but applies the consent requirement to a broader range of identifiable uses, particularly anything that touches a Part 2 record outside the original program. Our reference page on HIPAA marketing compliance fundamentals covers the HIPAA side; Part 2 layers on top.
The Compliance Stack: Forms, Email, CRM, Phone Recording, SMS
A defensible 42 CFR Part 2 compliance posture is a stack, not a single product or policy. Each layer has a specific failure mode, and the stack is only as strong as the weakest layer.
The intake form layer needs to use a form platform that is HIPAA-compliant, that signs a BAA, that transmits over TLS, that stores submissions encrypted at rest, and that does not load third-party marketing scripts on the form page.
The page that hosts the form needs the same protections. A common mistake is putting a compliant form on a page that loads a non-compliant chat widget, an analytics script that captures form field content, or a session replay tool.
The email layer needs a compliant transactional sender for any patient-facing communication, separate from the marketing email platform. Most marketing email platforms are not BAA-covered. The lists themselves need to be segmented so that current and former patients are flagged and excluded from any list that flows into ad platforms.
The CRM is the central artifact. A compliant CRM with the right configuration is the difference between a defensible program and a brittle one.
The CRM needs role-based access control, audit logging, encryption at rest, a signed BAA from the vendor, and integrations to downstream systems that respect the same posture.
Critically, the CRM needs a patient status field that gets flipped the moment a contact converts, and that flip needs to propagate to ad platform suppression lists, email marketing lists, and any reporting destinations.
The phone recording layer needs a compliant call platform, encrypted storage, role-based access, and a retention schedule that matches the program’s clinical and legal needs. Most treatment centers retain call recordings longer than necessary, which expands their breach exposure without operational benefit.
The SMS layer needs an explicit opt-in at the consent step, a messaging platform with the right compliance posture, content restrictions on what messages can include, and the same patient status flag enforcement that the email layer uses.
Common 42 CFR Part 2 Compliance Failures
These are the failures we see most often in audits.
- Marketing pixels on intake confirmation pages. The Meta Pixel, Google Ads tag, or TikTok Pixel fires on the thank-you page after an intake form, sending event data tied to the user’s identifier to the ad platform. Fix by removing the pixel from any post-conversion page or by routing conversion events through a HIPAA-compliant server-side intermediary that strips identifiers.
- Lookalike audiences seeded from patient lists. A marketing team uploads a list of recent patients to Meta or Google to build a lookalike audience. The upload itself is a disclosure of treatment status. Fix by using only top-of-funnel inquiry data (pre-intake) as audience seed, or by using non-identifying signals like ad engagement.
- Retargeting that does not suppress patients. A prospect visits the site, becomes a patient, and continues to see retargeting ads for months. Fix with automated CRM-driven suppression lists synced to every ad platform on a daily or hourly cadence.
- Testimonials sourced from informal media releases. A patient agrees on a phone call to be in a testimonial, signs a general release at admission, and is featured in a campaign. Fix with a specific written consent that names the use, the recipient, and the expiration, separate from the admission paperwork.
- Call recordings stored on non-compliant platforms. The admissions team uses a general-purpose call center tool without a BAA. Fix by migrating to a healthcare-grade call platform or by suppressing recording on SUD-related queues.
- Contact forms on pages with chat widgets or session replay tools. The form is compliant, but the page is not, because a non-compliant third-party script can capture form content before submission. Fix by removing or replacing the non-compliant scripts on every page that contains a patient-facing form.
- SMS reminders sent through general-purpose marketing platforms. Appointment reminders flow through a platform that does not sign a BAA and does not have the right compliance posture. Fix by moving SMS for current and prospective patients to a healthcare-compliant messaging platform.
- Referral partner data exchanges without consent. Treatment centers share outcome data with referring providers in good faith, but without specific written consent that meets the Part 2 standard. Fix with a consent form executed at admission that names referring providers and the categories of information that will be shared.
- Aggregate reporting that re-identifies small cohorts. Outcomes reports with small denominators can re-identify patients. Fix by enforcing minimum cohort sizes in any external report.
- Email lists that do not segment current and former patients. Marketing emails go to a list that includes patients, treating the patient relationship as a marketing channel. Fix with a hard segmentation rule and a patient status field that is the source of truth.
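The re-identification risk raised in the referral source marketing paragraph earlier, and the "aggregate reporting that re-identifies small cohorts" item in the list above, both come down to small-cell suppression before a report leaves the program. The following is an added example written for this guide, not the page's own code. The threshold value and the record shape are assumptions; the page states the principle (enforce a minimum cohort size) and not a number, so the program's policy sets the figure.

```javascript
// Added example (not the page's code): small-cell suppression for an
// outcomes report that leaves the program, such as a referral-partner
// summary. The threshold and the record shape are assumptions; the page
// gives the principle (enforce a minimum cohort size), not a number.
const MIN_CELL = 5; // assumed policy threshold; set by the program, not by this code

// records: [{ referrer, completed }], one row per patient episode.
// Returns one row per referrer with either published counts or a
// suppression marker. No patient-level field is ever copied into the output.
function aggregateOutcomes(records, minCell = MIN_CELL) {
  const groups = new Map();
  for (const r of records) {
    const g = groups.get(r.referrer) || { referrer: r.referrer, total: 0, completed: 0 };
    g.total += 1;
    if (r.completed) g.completed += 1;
    groups.set(r.referrer, g);
  }
  const report = [];
  for (const g of groups.values()) {
    const notCompleted = g.total - g.completed;
    if (g.total < minCell) {
      report.push({ referrer: g.referrer, suppressed: true, reason: "cohort below minimum" });
    } else if (g.completed < minCell || notCompleted < minCell) {
      // Publishing the total alongside one small cell lets a reader derive
      // the other cell by subtraction, so the whole row is withheld, not
      // just the small cell.
      report.push({ referrer: g.referrer, suppressed: true, reason: "small cell" });
    } else {
      report.push({
        referrer: g.referrer,
        total: g.total,
        completed: g.completed,
        completionRate: Math.round((g.completed / g.total) * 1000) / 10,
      });
    }
  }
  return report.sort((a, b) => a.referrer.localeCompare(b.referrer));
}

// Builds constructed sample rows without writing out every episode by hand.
function makeRecords(referrer, completed, notCompleted) {
  const rows = [];
  for (let i = 0; i < completed; i++) rows.push({ referrer, completed: true });
  for (let i = 0; i < notCompleted; i++) rows.push({ referrer, completed: false });
  return rows;
}

// Constructed sample: one referrer large enough to publish, one tiny cohort,
// and one where 11 of 12 completed, which would point at the one who did not.
const SAMPLE_RECORDS = [
  ...makeRecords("Clinic A", 9, 5),
  ...makeRecords("Clinic B", 2, 1),
  ...makeRecords("Clinic C", 11, 1),
];

console.log(JSON.stringify(aggregateOutcomes(SAMPLE_RECORDS), null, 2));
```

Clinic C is the case operators miss: twelve patients is a comfortable cohort, but "11 of 12 completed" identifies the one who did not to anyone who knows who was referred. Suppressing the whole row, rather than blanking one cell, is what prevents the subtraction.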
The 30-Day Operator Compliance Audit
For an operator who wants a starting point, here is a 30-day audit that covers the highest risk surfaces.

Week 1: forms and tracking. Inventory every form on the public website, the patient portal, and any landing pages. For each form, document the platform, the storage destination, the BAA status, the page-level scripts, and the conversion events that fire on submission.
Pull a copy of every active ad pixel and trace where its events are firing. Identify and remove or remediate any tracker on a page that touches patient identifiers. Our breakdown of common compliance failures in rehab Google Ads covers the paid search side of this audit.
Week 2: CRM and data flow. Map every system that receives data from the intake form. For each integration, confirm BAA coverage, encryption posture, and access controls.
Confirm that the CRM has a patient status field, that the field flips automatically on conversion, and that the flip propagates to email lists and ad platform suppression lists. Document any system that still receives patient data without a BAA.
Week 3: phone, voicemail, and SMS. Inventory every channel that carries patient communications. For phone, confirm that the recording platform is BAA-covered, that storage is encrypted, that access is logged, and that retention is bounded.
For voicemail, confirm that voicemails containing patient identifiers are not transcribed by third parties without coverage. For SMS, confirm that the platform is BAA-covered, that opt-in language meets Part 2 consent requirements, and that message content restrictions are enforced.
Week 4: consent forms and policies. Pull every consent form the program uses at intake, at discharge, and at any point in between. Confirm that each form meets the Part 2 standard for the disclosures it authorizes. Update the notice of privacy practices to reflect the 2024 final rule.
Confirm that the consent for marketing use, if used, is specific, named, and bounded. Brief the admissions team on the updated consent language and the operational steps that flow from each consent. Our admissions operations capability page covers the operational tooling that makes this sustainable.
According to the Substance Abuse and Mental Health Services Administration’s confidentiality regulations FAQ, the consent requirement is the central mechanic of Part 2, and the agency has consistently treated the consent form as the controlling document in enforcement disputes.
The 30-day audit framework above is built around that reality. Get the consent right, and the rest of the stack follows.
The Department of Health and Human Services published the final rule in the Federal Register on February 16, 2024, with a compliance deadline of February 16, 2026, for most provisions.
Operators who use the audit window before the deadline to harden their stack will be in a substantially stronger position than those who wait for enforcement to clarify the edges.
If you are not sure whether your program is a Part 2 program, the safe operating assumption is that you are. The cost of a defensible posture is small relative to the cost of a willful neglect finding.
Preston Powell, Webserv
Where to Go From Here
42 CFR Part 2 is one of the highest-impact compliance surfaces a treatment center operator can address in 2025. The 2024 final rule sets a hard compliance deadline. The penalty framework is now meaningful.
The ad platforms are tightening their own policies in parallel, and the operators who get their stack right will have a real competitive advantage in patient acquisition cost, in trust signals, and in operational resilience.
If you want a partner that has built the compliance posture across admissions operations, paid media, and content for treatment centers nationwide, book an intro meeting and we will walk you through a 30-day audit on your specific stack.
Preston Powell is the CEO and Founder of Webserv, a digital marketing agency specializing in patient acquisition for addiction treatment centers and behavioral health facilities. He has built an ecosystem of companies including Webserv, Revenue Logic, and Blackbook that address patient acquisition, insurance reimbursements, and financial sustainability.
Preston is passionate about helping treatment centers grow ethically and sustainably, serving 200+ facilities nationwide while maintaining a patient-first approach to behavioral healthcare.