What 42 CFR Part 2 Actually Means for Your Marketing

Ask a generic marketing agency about HIPAA and they'll nod confidently. Ask the same agency about 42 CFR Part 2 and you'll get a blank stare. That blank stare is exactly the problem.

42 CFR Part 2 is a federal rule that governs how substance use disorder (SUD) records can be used, shared, and disclosed. It pre-dates HIPAA, it's stricter than HIPAA, and it applies specifically to the people you're trying to help: anyone in or seeking treatment for substance use. If your treatment center receives federal funding (and almost all of them do, directly or indirectly), you're covered by it. So is anyone who handles patient data on your behalf — including your marketing agency.

Most agencies don't know that. That's not just an awkward sales-call moment. It's a regulatory exposure that ends careers and shuts down facilities.

The 30-Second Version of the Rule

42 CFR Part 2 says you cannot disclose information that would identify someone as a person seeking or receiving SUD treatment — to anyone, for any purpose — without written patient consent that meets very specific criteria. That includes marketing. That includes testimonials. That includes retargeting pixels. That includes pulling intake data into a CRM that doesn't sign a Qualified Service Organization Agreement (QSOA).

This isn't a vibe. It's a federal regulation enforced by SAMHSA and HHS, with civil and criminal penalties on the table.

What This Means for Your Marketing — Concretely

Here are the marketing practices that violate 42 CFR Part 2 — and that most behavioral health agencies still do every single day:

Posting client testimonials without proper written consent that meets Part 2 requirements. A signed media release isn't enough. The consent has to be Part 2-specific, time-limited, and revocable.
Running retargeting pixels on your "thank you" or "intake confirmation" pages. That pixel fires the moment someone identifies themselves as a person seeking SUD treatment — to Meta, Google, TikTok, and any ad network you've installed.
Sending intake data to a CRM, scheduling tool, or analytics platform without a QSOA in place. If your CRM vendor isn't bound by Part 2, you've just disclosed protected information.
Using past patient stories or photos in case studies — even with names removed — if the patient could be identifiable to anyone who knows them.
Storing call recordings in third-party tools (Calendly, Aircall, generic CRMs) without confirming the vendor is Part 2-compliant.

HIPAA gets the headlines. 42 CFR Part 2 is what actually catches treatment centers in audits — because the consent standard is so much higher than the standard for general medical records.

The 2024 SAMHSA Update Made It Worse for Agencies

SAMHSA's 2024 rule update aligned parts of 42 CFR Part 2 with HIPAA — but it kept the stricter consent standard for marketing and fundraising. Translation: even the partial alignment doesn't get marketers off the hook. The marketing rules still require explicit, separate, written consent that names the disclosure purpose and the recipient.

If your current agency is using generic "media release" forms from a template website, those forms almost certainly do not meet the Part 2 standard. If your agency hasn't even raised the conversation, that's a tell.

$1M+

Maximum civil penalty per Part 2 violation Plus reputational damage, federal funding risk, and the operational fallout of an SAMHSA audit. The math gets ugly fast.

Silver padlock representing confidentiality

What a Part 2-Aware Marketing Stack Actually Looks Like

Marketing that respects 42 CFR Part 2 doesn't have to be boring. It has to be careful. Here's what changes:

No tracking pixels on intake or admissions confirmation pages. You can still measure conversions — through server-side tracking that strips identifiers before sending events to ad platforms.
Patient stories handled with a separate, Part 2-compliant consent process. No generic release forms. The consent names every channel the story will appear in and has a clear revocation path.
CRM and call-tracking vendors signed to a Qualified Service Organization Agreement (QSOA) or a HIPAA Business Associate Agreement that explicitly covers Part 2.
Call recordings stored in compliant systems — not in whatever scheduling tool your sales team grabbed off ProductHunt.
An audit trail showing who saw what data, when. If SAMHSA asks, you can answer in minutes.

Why Most Agencies Get This Wrong

The honest answer: behavioral health is a tiny niche inside the marketing world. Most agencies treat treatment centers like dental practices or law firms — interchangeable B2C local-services businesses. They don't read SAMHSA guidance. They don't know what a QSOA is. They install pixels on every page because that's what they do for every other client.

The result is that the agency's "best practices" are your liability. And when something goes wrong, the operator is the one whose license is on the line — not the agency.

The Bottom Line

If you're running a substance use treatment program, 42 CFR Part 2 is one of the most important rules in your entire compliance stack — and your marketing is one of the easiest places to violate it. The good news: getting it right doesn't cost you growth. It just means working with people who know the rule exists.

If your current agency can't tell you how they handle 42 CFR Part 2, that's the conversation. Not next quarter. This week.