Navigating Confidentiality in First Responder Deflection

CoE-PHI Resource Updated in 2025 Describing How Privacy Laws Apply to First Responders

This resource has been updated in 2025 to reflect the 2024 Final Rule changes to 42 CFR Part 2.

First responders often gain access to sensitive information about people’s substance use disorders (SUDs) and related treatment. Protecting the privacy of this information is key to these individuals’ recovery and is also required by law.

This resource explains the limited circumstances under which two federal privacy laws, 42 CFR Part 2 (Part 2) and the Health Insurance Portability and Accountability Act (HIPAA), apply to SUD information obtained by first responders. It also describes how these laws permit first responders to share SUD information.

Key Points

  • First responders are required to follow HIPAA only if they are a “covered entity.” To be a covered entity, they need to provide healthcare and transmit health information electronically for certain transactions, such as billing.
  • Part 2 only applies to “Part 2 programs” and “lawful holders.” First responders will rarely be a Part 2 program, which generally is a federally-assisted provider of SUD treatment services.
  • First responders who receive patient records from a Part 2 program will become a “lawful holder.” As a lawful holder, they must follow Part 2’s privacy and security restrictions for that information.

CoE-PHI Team Authors

Jacqueline Seitz, JD

Ashleigh Giovannini, JD

Sally Friedman, JD
