42 CFR Part 2 in 2026: AI Voice Agents and Substance-Use Confidentiality

The February 2024 Part 2 Final Rule aligned substance-use confidentiality with HIPAA — but kept harder consent rules. Here is how AI voice agents handle it in 2026.

42 CFR Part 2 is HIPAA's stricter sibling. If you handle substance-use disorder records with an AI agent, the rules are tighter, the penalties are real, and the consent model is different.

What the rule says

flowchart TD
  In[Patient interaction] --> MinNec{Minimum necessary?}
  MinNec -->|yes| Process[AI process]
  MinNec -->|no| Reject[Block + log]
  Process --> Encrypt[(AES-256 at rest)]
  Encrypt --> DB[(PostgreSQL)]
  Process --> Audit[(Audit trail)]
  DB --> Right[Right of access §164.524]
CallSphere reference architecture

42 CFR Part 2 protects records of substance use disorder (SUD) diagnosis, treatment, or referral when held by federally assisted SUD treatment programs. The February 8, 2024 Final Rule, effective April 16, 2024, with full compliance required by February 16, 2026, harmonizes Part 2 with HIPAA on several fronts: a single patient consent can authorize all future uses and disclosures for treatment, payment, and health care operations (TPO); consent content rules now mirror HIPAA authorization rules; and the HIPAA Breach Notification Rule extends to Part 2 records. Critical differences remain: Part 2 still prohibits redisclosure without specific consent or court order, and Part 2 records cannot be used in legal proceedings against the patient without consent or a qualifying court order. As of September 2025, OCR has explicit authority to enforce Part 2 alongside HIPAA.

What it means for AI voice/chat agents

A voice agent that handles intake or scheduling for an SUD treatment clinic is processing Part 2-protected records. Three things change relative to a standard HIPAA workflow.

First, consent capture must be bulletproof and durable. The agent cannot rely on implicit "you called us" consent. It needs to capture and store explicit consent, with the elements required by Part 2 (identity of the program, recipients, purpose, expiration, signature equivalent, right to revoke, redisclosure prohibition).

Second, redisclosure is locked down. A standard HIPAA setup might pass a transcript or summary downstream for analytics or marketing. Under Part 2, every downstream system needs its own consent or it cannot receive the record. AI features like "share this summary with the patient's primary care physician" either require a specific consent for that disclosure or are blocked.

Third, the breach analysis is now the same as HIPAA's, but the legal-proceedings prohibition still applies. An AI vendor whose audit logs are subpoenaed cannot just hand them over for SUD records; the Part 2-specific procedures must be followed.

CallSphere implementation

CallSphere's behavioral-health workflow at /lp/behavioral-health and /industries/behavioral-health ships with Part 2 turned on by default for SUD-treating practices. The agent captures explicit consent at the start of the relationship with the full Part 2 content elements, stores the consent in our healthcare_voice database, and tags every downstream artifact (transcript, summary, audit log) with a Part 2 flag. Tools that would redisclose to a non-consented party are blocked at the data layer, not just by system prompt. The audit trail records consent capture, consent revocation, and every disclosure with the legal basis. Our customers in the substance-use space have used this pattern across thousands of calls to meet the February 2026 compliance deadline without engineering extra plumbing themselves.

Build/audit checklist

  1. Identify every SUD-treating program in your customer base and tag them as Part 2 entities.
  2. Build a Part 2 consent capture flow inside the AI voice agent with all required elements.
  3. Store consent records with version, date, scope, expiration, and revocation status.
  4. Tag every downstream artifact (transcript, recording, embedding, summary) with a Part 2 flag.
  5. Block redisclosure to non-consented downstream systems at the data layer.
  6. Add a Part 2-specific breach playbook on top of your HIPAA breach playbook.
  7. Train workforce on the legal-proceedings prohibition and subpoena response procedure.
  8. Document consent revocation handling — a revocation must propagate to every downstream system within a defined window.
  9. Confirm February 16, 2026 compliance deadline obligations are fully implemented and signed off.
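
Checklist items 3, 4, 5 and 8 expressed as a deny-by-default disclosure gate, as an added example that is not CallSphere's code. The class, field and recipient names are hypothetical, consents are held in memory rather than in a database, and court-order disclosures are not modelled.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class Consent:  # fields from checklist item 3
    patient_id: str
    version: int
    signed_on: date
    recipients: frozenset       # scope: who may receive the record
    purposes: frozenset         # scope: what the disclosure is for
    expires_on: Optional[date]  # None = no expiration date recorded
    revoked_on: Optional[date] = None

@dataclass(frozen=True)
class Artifact:  # transcript, recording, embedding or summary
    artifact_id: str
    patient_id: str
    part2: bool  # Part 2 flag from checklist item 4 (assumed correctly set)

class DisclosureGate:
    """Every outbound read calls disclose(); Part 2 records are denied by default."""
    def __init__(self, consents):
        self.consents = list(consents)
        self.audit = []  # append-only trail: disclosures and revocations

    def _basis(self, art, recipient, purpose, today):
        if not art.part2:
            return "not-part2"  # out of scope here; ordinary HIPAA policy applies
        for c in self.consents:
            live = c.revoked_on is None and c.signed_on <= today and (
                c.expires_on is None or today <= c.expires_on)
            if (live and c.patient_id == art.patient_id
                    and recipient in c.recipients and purpose in c.purposes):
                return f"consent-v{c.version}"
        return None  # no live consent names this recipient and purpose

    def disclose(self, art, recipient, purpose, today):
        basis = self._basis(art, recipient, purpose, today)
        self.audit.append({"event": "disclosure", "artifact": art.artifact_id,
                           "recipient": recipient, "purpose": purpose,
                           "basis": basis or "none", "date": today.isoformat()})
        return basis is not None

    def revoke(self, patient_id, today):
        for c in self.consents:
            if c.patient_id == patient_id and c.revoked_on is None:
                c.revoked_on = today
        self.audit.append({"event": "revocation", "patient": patient_id,
                           "date": today.isoformat()})
```

Because the consent is re-checked on every call instead of being cached downstream, a revocation takes effect on the next read, and denied attempts are logged with basis "none" alongside the permitted ones.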

FAQ

Does the BAA cover Part 2? Not automatically. Many BAAs reference HIPAA only. For Part 2 records, we add a Part 2 addendum to the BAA that addresses Qualified Service Organization Agreement (QSOA) terms.

Can AI summarize an SUD intake call? Yes, but only with a BAA-covered model, with consent that explicitly authorizes the purpose, and with redisclosure controls in place. The summary itself is a Part 2 record.

What happens if a patient revokes consent? The system must stop processing the record for the revoked purposes, propagate revocation to downstream systems, and document the action. Our agent automates this within minutes.

Are AI vendors directly subject to Part 2? Yes, when they process Part 2 records on behalf of a Part 2 program — and OCR's expanded enforcement authority since September 2025 reaches them.
