By Sagar Shankaran, Founder of CallSphere
The February 2024 Part 2 Final Rule aligned substance-use confidentiality with HIPAA — but kept harder consent rules. Here is how AI voice agents handle it in 2026.
Key takeaways
42 CFR Part 2 is HIPAA's stricter sibling. If you handle substance-use disorder records with an AI agent, the rules are tighter, the penalties are real, and the consent model is different.
flowchart TD
In[Patient interaction] --> MinNec{Minimum necessary?}
MinNec -->|yes| Process[AI process]
MinNec -->|no| Reject[Block + log]
Process --> Encrypt[(AES-256 at rest)]
Encrypt --> DB[(PostgreSQL)]
Process --> Audit[(Audit trail)]
DB --> Right[Right of access §164.524]
42 CFR Part 2 protects records of substance use disorder (SUD) diagnosis, treatment, or referral when held by federally assisted SUD treatment programs. The February 8, 2024 Final Rule, effective April 16, 2024, with full compliance required by February 16, 2026, harmonizes Part 2 with HIPAA on several fronts: a single patient consent can authorize all future TPO uses and disclosures; consent content rules now mirror HIPAA authorization rules; the HIPAA Breach Notification Rule extends to Part 2 records. Critical differences remain: Part 2 still prohibits redisclosure without specific consent or court order, and Part 2 records cannot be used in legal proceedings against the patient without consent or a qualifying court order. As of September 2025, OCR has explicit authority to enforce Part 2 alongside HIPAA.
A voice agent that handles intake or scheduling for an SUD treatment clinic is processing Part 2-protected records. Three things change relative to a standard HIPAA workflow.
First, consent capture must be bulletproof and durable. The agent cannot rely on implicit "you called us" consent. It needs to capture and store explicit consent, with the elements required by Part 2 (identity of the program, recipients, purpose, expiration, signature equivalent, right to revoke, redisclosure prohibition).
Second, redisclosure is locked down. A standard HIPAA setup might pass a transcript or summary downstream for analytics or marketing. Under Part 2, every downstream system needs its own consent or it cannot receive the record. AI features like "share this summary with the patient's primary care physician" require either a specific consent for that disclosure or are blocked.
Third, the breach analysis is the same as HIPAA's now, but the legal-proceedings prohibition still applies. An AI vendor whose audit logs are subpoenaed cannot just hand them over for SUD records — the Part 2 specific procedures must be followed.
CallSphere's behavioral-health workflow at /lp/behavioral-health and /industries/behavioral-health ships with Part 2 turned on by default for SUD-treating practices. The agent captures explicit consent at the start of the relationship with the full Part 2 content elements, stores the consent in our healthcare_voice database, and tags every downstream artifact (transcript, summary, audit log) with a Part 2 flag. Tools that would redisclose to a non-consented party are blocked at the data layer, not just by system prompt. The audit trail records consent capture, consent revocation, and every disclosure with the legal basis. Our customers in the substance-use space have used this pattern across thousands of calls to meet the February 2026 compliance deadline without engineering extra plumbing themselves.
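The data-layer pattern described above (consent carrying the Part 2 content elements, a Part 2 flag on each artifact, redisclosure blocked without matching consent, revocation, and an audit trail with the legal basis), sketched as an added example. It is not CallSphere's code; the class, field and recipient names and the sample data are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import date

# Part 2 consent elements named in the article; field names are hypothetical.
REQUIRED = ("program", "recipients", "purpose", "expires", "signature",
            "revocation_notice", "redisclosure_notice")
@dataclass
class Consent:
    patient_id: str
    program: str
    recipients: frozenset
    purpose: str
    expires: date
    signature: str             # signature equivalent, e.g. a recorded attestation id
    revocation_notice: bool    # patient was told of the right to revoke
    redisclosure_notice: bool  # patient was told of the redisclosure prohibition
    revoked: bool = False

    def valid_for(self, pid, recipient, purpose, today):
        return (self.patient_id == pid and not self.revoked and today <= self.expires
                and purpose == self.purpose and recipient in self.recipients
                and all(getattr(self, f) for f in REQUIRED))

@dataclass
class DisclosureGate:
    consents: list
    audit: list = field(default_factory=list)  # (date, patient, recipient, purpose, action, basis)

    def revoke(self, pid, purpose, today):
        for c in self.consents:
            c.revoked |= c.patient_id == pid and c.purpose == purpose
        self.audit.append((today, pid, "-", purpose, "REVOKED", "patient revocation"))

    def disclose(self, artifact, recipient, purpose, today):
        pid = artifact["patient_id"]
        part2 = artifact.get("part2", True) is not False  # missing flag fails closed as Part 2
        ok = not part2 or any(c.valid_for(pid, recipient, purpose, today) for c in self.consents)
        basis = "not a Part 2 record" if not part2 else "consent on file" if ok else "no valid consent"
        self.audit.append((today, pid, recipient, purpose, "ALLOW" if ok else "BLOCK", basis))
        return ok

def demo():  # constructed sample data; returns (gate, decisions)
    today = date(2026, 3, 1)
    gate = DisclosureGate([Consent("p1", "Example SUD Clinic", frozenset({"pcp"}), "treatment",
                                   date(2026, 12, 31), "attest-001", True, True)])
    rec = {"patient_id": "p1", "part2": True, "kind": "summary"}
    out = [gate.disclose(rec, "pcp", "treatment", today),        # consented: allowed
           gate.disclose(rec, "analytics", "marketing", today)]  # no consent: blocked
    gate.revoke("p1", "treatment", today)
    return gate, out + [gate.disclose(rec, "pcp", "treatment", today)]  # revoked: blocked
```

Because the check sits in the function every tool must call to release an artifact, a prompt-level instruction to "share the summary" cannot bypass it, and each decision lands in the audit list with its basis.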
Does the BAA cover Part 2? Not automatically. Many BAAs reference HIPAA only. For Part 2 records, we add a Part 2 addendum to the BAA that addresses Qualified Service Organization Agreement (QSOA) terms.
Can AI summarize an SUD intake call? Yes, but only with a BAA-covered model, with consent that explicitly authorizes the purpose, and with redisclosure controls in place. The summary itself is a Part 2 record.
What happens if a patient revokes consent? The system must stop processing the record for the revoked purposes, propagate revocation to downstream systems, and document the action. Our agent automates this within minutes.
Are AI vendors directly subject to Part 2? Yes, when they process Part 2 records on behalf of a Part 2 program — and OCR's expanded enforcement authority since September 2025 reaches them.
Sagar Shankaran is the founder of CallSphere, where he builds production AI voice and chat agents deployed across healthcare, hospitality, real estate, and home services. He writes about agentic AI, LLM engineering, and shipping voice agents that handle real calls in production.