With the opioid epidemic reaching crisis status in the United States, there’s been a lot of conversation in the healthcare industry about substance abuse treatment.  While there’s an increasing need for substance abuse treatment facilities (commonly called Part 2 clinics due to the regulation citation of 42 CFR Part 2), there are distinct patient privacy and confidentiality differences between a “regular” Covered Entity versus a Part 2 program.  We’ve outlined some key considerations for you below to determine how to work with a Business Associate like ScanSTAT if you fall into a Part 2 category and are regulated by SAMHSA.

Covered Entities versus Part 2 Programs

Covered Entities are required to obtain certain assurances from partner organizations (such as Business Associates like ScanSTAT) that create, receive, maintain, or transmit patients’ electronic protected health information (PHI).  These assurances cover the safeguarding and the permitted uses and disclosures of PHI.  However, the type of services the Covered Entity provides to its patients controls what type of agreement needs to be in place between the Covered Entity and the other party.

While most healthcare professionals are familiar with the more well-known relationship between a Covered Entity and a Business Associate governed by a Business Associate Agreement (BAA), some Covered Entities are required to abide by additional confidentiality protections above and beyond the requirements of the HIPAA Privacy Rule.[i]

Healthcare providers that 1) receive federal funding[ii] and 2) hold themselves out as providing substance abuse treatment[iii] are governed by 42 CFR Part 2 (Part 2 Programs).  A traditional BAA alone is not sufficient to protect patient confidentiality for a Part 2 Program.  A third-party services provider such as a Release of Information vendor like ScanSTAT is labeled as a Qualified Services Organization (QSO) when working with a Part 2 Program.  This relationship is required to be controlled by a Qualified Services Organization Agreement (QSOA).[iv]  However, should the Part 2 Program also be a Covered Entity as defined by the Privacy Rule,[v] the service provider is also a Business Associate of the Part 2 Program and will also need the contractual provisions that are required in a BAA to be formalized in an agreement between the parties.  This hybrid agreement is often referred to as a Business Associate/Qualified Services Organization Agreement.

Why different standards?

The federal regulations governing Part 2 Programs predate HIPAA, our current framework for thinking about patient privacy.  Part 2 has its origins in the 1970s drug revolution.  There was a perceived need to safeguard substance abuse treatment records in a manner more stringent than other medical records, to avoid the stigma of substance abuse and the fear of prosecution among those seeking help for addiction.  The goal was to encourage people to seek treatment.  With the rise of substance abuse, 42 CFR Part 2 has become a frequently discussed topic again.  More recently, the Substance Abuse and Mental Health Services Administration (SAMHSA) has provided updated regulations, causing Part 2 clinics to review their agreements with outside entities.

Business Associate Agreements

The most common agreement between a Covered Entity and its third-party service provider is the BAA.  BAA is more common terminology to healthcare providers than the term QSOA simply because a vast majority of Covered Entities do not qualify as Part 2 Programs, and therefore, Covered Entities are using BAAs much more frequently than QSOAs.

A BAA has certain required elements, such as provisions that 1) establish permitted and required uses and disclosures of PHI by the Business Associate; 2) provide that the Business Associate will not use or further disclose the information other than as permitted by the BAA or as otherwise required by law; and 3) require the Business Associate to implement appropriate safeguards to prevent unauthorized use or disclosure of PHI.[vi]  There are additional best practices that may be recommended by your legal counsel for managing a Covered Entity’s relationship with its Business Associates, such as incorporating a disclaimer of agency relationship and including language stating that the agreement is not intended to benefit third parties.

Qualified Services Organization Agreements

Third-party service providers must become qualified to service Part 2 Programs.  This is achieved through the entity entering into a written agreement with the Part 2 Program in which it acknowledges that it is bound by the Part 2 confidentiality regulations and agrees to resist in judicial proceedings any efforts to obtain unauthorized access to patient identifying information related to substance use disorder diagnosis, treatment, or referral for treatment that may come into its possession.[vii]

For Part 2 Programs that are also Covered Entities, it is good practice to execute, with each third-party service provider that qualifies as a Business Associate and a Qualified Services Organization, an agreement that incorporates the requirements of a BAA as well as the additional requirements of a QSOA.  If you are working with a Release of Information vendor like ScanSTAT, make sure you have a QSOA in place.  ScanSTAT does execute QSOAs with our qualified clients.


Many healthcare organizations are working to treat those with substance abuse.  If your organization is endeavoring to do the same and needs help navigating the complex compliance issues with substance abuse treatment records fulfillment, we can help! Please schedule a call with us to see how we fulfill Part 2 requests.

This is for informational purposes only and does not constitute legal advice. Seek your own legal counsel to ensure compliance with federal and state law.


[i] 45 CFR Part 164, Subpart E

[ii] “Federally assisted” as defined by 42 CFR § 2.12(b)

[iii] “Program” as defined by 42 CFR § 2.11

[iv] 42 CFR § 2.12(c)(4)

[v] 45 CFR § 160.103

[vi] https://www.hhs.gov/hipaa/for-professionals/covered-entities/sample-business-associate-agreement-provisions/index.html

[vii] 42 CFR §2.11
