HIPAA BAA Requirements for Addiction Treatment Programs

By BAA Generator Editorial  ·  Updated Apr 20, 2026  ·  5 min read

Key Takeaways

Direct answer: Addiction treatment programs are HIPAA covered entities required to sign BAAs with every vendor handling patient PHI. SUD records are also protected under 42 CFR Part 2, which imposes stricter confidentiality requirements than HIPAA. BAAs with vendors accessing SUD records must specifically address Part 2 obligations.

Addiction treatment facilities occupy a uniquely complex position in the healthcare compliance landscape. Unlike most healthcare providers who operate under a single federal privacy framework, programs that treat substance use disorders must simultaneously comply with HIPAA and 42 CFR Part 2 — a separate, stricter federal confidentiality regulation designed specifically to protect SUD treatment records. Every vendor relationship that touches patient data must be evaluated against both frameworks.

Why Addiction Treatment Programs Are HIPAA Covered Entities

Addiction treatment facilities are healthcare providers under HIPAA when they transmit health information electronically in connection with covered transactions. This applies to:

Programs that accept only self-pay and never submit electronic transactions may technically fall outside HIPAA's covered entity definition — but this is rare in practice, and any facility using EHR software that transmits data electronically should operate as if HIPAA applies.

42 CFR Part 2: The Stricter Framework for SUD Records

42 CFR Part 2 (commonly called "Part 2") is a federal regulation that predates HIPAA and imposes additional confidentiality protections on records created by federally assisted substance use disorder treatment programs. Key restrictions include:

The Substance Abuse and Mental Health Services Administration (SAMHSA) issued a final rule in 2024 that aligned Part 2 more closely with HIPAA, allowing patients to provide a single general consent for treatment, payment, and healthcare operations — eliminating the need for separate authorizations for routine care coordination. However, the 2024 rule retained stricter protections for law enforcement access and legal proceedings. BAAs with vendors who access SUD records should specifically reference Part 2 obligations and prohibit redisclosure.

Vendors Addiction Treatment Programs Typically Need BAAs With

SUD-Specific EHR Platforms

Kipu Health, BestNotes, Netsmart, Welligent, and TreatmentX are purpose-built for addiction treatment settings and offer HIPAA BAAs. These platforms understand the clinical workflows of residential treatment, IOP, and MAT settings. When evaluating a BAA from an EHR vendor, check whether it addresses 42 CFR Part 2 specifically — many standard BAA templates were drafted for general healthcare and may not reference Part 2 obligations.

Medication-Assisted Treatment Platforms and Pharmacy Partners

MAT clinics coordinating buprenorphine or methadone dispensing with pharmacies or pharmacy benefit managers share PHI with those vendors. A pharmacy or PBM receiving prescription records tied to a patient's OUD treatment is handling Part 2-protected SUD records and is a business associate. BAAs with these vendors should include Part 2 provisions.

Toxicology and Laboratory Services

Urine drug screening and toxicology testing are routine in addiction treatment. Laboratories receiving specimens linked to identifiable patients are business associates. If the lab report ties a patient to a SUD treatment program, the results may also be Part 2-protected. Obtain BAAs with all laboratory vendors receiving patient-identified samples.

Billing Companies and Clearinghouses

Addiction treatment billing is complex — involving prior authorizations, utilization reviews, and payer-specific rules for residential vs. outpatient levels of care. Outsourced billing companies and clearinghouses receive claim data containing patient diagnoses and treatment history. All require signed BAAs before any PHI is shared.

Common Vendor BAA Table for Addiction Treatment

| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| SUD EHR platform | Kipu Health, BestNotes, Netsmart, Welligent | Yes (+ Part 2 provisions) |
| MAT platform / pharmacy | PBMs, dispensing pharmacies | Yes (+ Part 2 provisions) |
| Toxicology / lab services | Labcorp, Quest, regional labs | Yes |
| Billing company | Specialized SUD billing firms | Yes |
| Clearinghouse | Availity, Office Ally, Change Healthcare | Yes |
| Telehealth platform | Doxy.me, Zoom for Healthcare | Yes |
| IT support / cloud backup | Local MSP, Microsoft 365 | Yes |

Common Compliance Gaps in Addiction Treatment

The most frequent compliance gaps seen in addiction treatment settings are: (1) executing a standard HIPAA BAA with vendors accessing SUD records without addressing Part 2 — a gap that leaves the program exposed even if HIPAA requirements are met; (2) not obtaining BAAs with toxicology labs because the relationship predates the organization's formal compliance program; (3) using consumer-grade telehealth tools without BAAs for continuing care or MAT sessions; and (4) failing to obtain BAAs with credentialing and staffing vendors who access staff health screening records.

See our related guide on BAA requirements for behavioral health organizations for mental health-specific guidance. For a general framework on when vendor BAAs are required, see when do you need a HIPAA BAA.

Frequently Asked Questions

Do addiction treatment centers need HIPAA BAAs?

Yes. Addiction treatment facilities are HIPAA covered entities when they transmit health information electronically in connection with covered transactions. They must execute BAAs with every vendor handling PHI. SUD records are additionally protected under 42 CFR Part 2, meaning BAAs with vendors accessing those records must reflect both regulatory frameworks.

What is 42 CFR Part 2 and how does it affect BAAs?

42 CFR Part 2 is a federal regulation protecting substance use disorder treatment records with stricter confidentiality requirements than HIPAA. It restricts disclosure without patient consent and prohibits redisclosure. BAAs with vendors accessing SUD records should specifically address Part 2 obligations. The 2024 final rule aligned some Part 2 provisions with HIPAA but retained stricter protections for law enforcement access.

What EHRs for addiction treatment sign BAAs?

Kipu Health, BestNotes, Netsmart, Welligent, and TreatmentX all offer HIPAA BAAs for addiction treatment settings. When reviewing a vendor BAA, confirm whether it addresses 42 CFR Part 2 specifically — general-purpose BAA templates often do not. Contact the vendor's compliance team to discuss Part 2 provisions if they are not included in the standard agreement.

Do medication-assisted treatment clinics need BAAs with pharmacy benefit managers?

Yes. MAT clinics sharing prescription data with PBMs for buprenorphine, methadone, or naltrexone are disclosing PHI that is also protected under 42 CFR Part 2. The PBM is a business associate requiring a BAA, and that BAA should include Part 2 provisions prohibiting redisclosure of the SUD treatment records they receive.
