
What is 42 CFR Part 2? A Guide for Sober Living Operators

42 CFR Part 2 protects the privacy of people in substance use treatment. Learn what it means for sober living operators and how to stay compliant.

Alec Rodriguez · Founder, RecoveryOS

If you run a sober living home, you've probably heard of 42 CFR Part 2. Maybe a referral partner mentioned it. Maybe a state inspector asked about it. Maybe you've never heard of it — and that's a problem.

42 CFR Part 2 is a federal regulation that protects the confidentiality of people receiving substance use disorder (SUD) treatment. If you handle any information about a resident's substance use history, it may apply to you.

What Does 42 CFR Part 2 Actually Say?

In plain language: you cannot share information about a person's substance use treatment without their written consent. This is stricter than HIPAA.

HIPAA allows healthcare providers to share patient information for treatment, payment, and operations without explicit consent. 42 CFR Part 2 does not. Under Part 2, you need written consent before sharing anything — even with other healthcare providers, even for the patient's own treatment.

The regulation covers:

Any records about a patient's substance use disorder diagnosis, treatment, or referral
Information that could identify someone as having a substance use disorder
Both paper and electronic records

Does It Apply to Sober Living Homes?

It depends. 42 CFR Part 2 applies to programs that:

1. Receive federal funding (including Medicaid, Medicare, or SAMHSA grants)
2. Are "federally assisted" (which includes tax-exempt organizations)
3. Hold themselves out as providing substance use disorder treatment or recovery services

Many sober living homes fall into a gray area. If you're a peer-run recovery residence with no clinical services, you may not be covered. If you receive referrals from treatment centers, accept residents through court programs, or describe your services as part of a treatment continuum, you likely are.

The safest approach: treat resident information as if Part 2 applies. The cost of compliance is low. The cost of a violation is not.

What This Means in Practice

For sober living operators, 42 CFR Part 2 compliance means:

Get written consent before sharing anything. If a probation officer calls asking about a resident, you need that resident's signed consent form before you can confirm they live there. If a parent calls, same thing.

Secure your records. Resident information — intake forms, drug test results, incident reports — must be stored securely. Paper files in a locked cabinet. Digital files in encrypted, access-controlled systems.

Limit who has access. Not every staff member needs access to every resident's records. Implement role-based access — house managers see what they need, and nothing more.

Train your team. Everyone who works in your home should understand that resident information is confidential. A house manager mentioning a resident's history at a community meeting is a violation.

Have a breach plan. If information is disclosed improperly, you need a process to identify it, contain it, and notify affected individuals.

Recent Changes (2024 Updates)

In 2024, the federal government updated 42 CFR Part 2 to better align with HIPAA. Key changes:

Part 2 records can now be used for treatment, payment, and health care operations with a single general consent (previously, separate consent was required for each disclosure)
Patients can now request an accounting of disclosures
Anti-discrimination protections were strengthened — SUD records cannot be used against a person in employment, housing, or legal proceedings

These changes make compliance somewhat easier for sober living operators, but the core principle remains: you need consent, and you need security.

How to Stay Compliant

Here's a simple compliance checklist:

Use consent forms at intake that specifically authorize any disclosures you plan to make (to referral sources, courts, family members)
Store all resident data in encrypted, access-controlled systems
Never share resident information by text message, personal email, or social media
Train every staff member on confidentiality rules at least once per year
Document everything — if you disclosed information, note when, to whom, and which consent form authorized it

RecoveryOS is built with 42 CFR Part 2 in mind. Resident data is encrypted with AES-256, isolated by organization, and accessible only by authorized team members. Consent forms are collected digitally at intake and stored permanently.
