Spruce Now Supports 42 CFR Part 2 Communications
-
Spruce Health
- July 9, 2026
A newly updated Business Associate Agreement brings formal Qualified Service Organization support to Spruce, with clear guardrails on what data qualifies.
At Spruce, we’re dedicated to powering efficient, compliant, state-of-the-art medical communication: all in a single, easy-to-use platform. Thousands of behavioral health and substance use disorder (SUD) treatment organizations rely on us every day for secure, HIPAA-compliant communication on a SOC 2 Type II audited platform: coordinating care, communicating with patients, and keeping sensitive conversations protected. For many of these offices, there’s growing focus on navigating the complexities of 42 CFR Part 2, or simply ‘Part 2’ as it’s more commonly known.
Part 2 is one of the most demanding regulations in healthcare, specifically governing the confidentiality of SUD patient records, and is stricter than HIPAA in important ways. Supporting the vital work of behavioral health offices and SUD treatment centers nationwide is a priority for Spruce, and we’re committed to helping our customers carry out their important work to the fullest extent possible.
We’re pleased to share a significant update: our standard Business Associate Agreement (BAA) and terms of service for organizations now include new terms that allow qualifying organizations to use Spruce for certain SUD-related communications. Cloud-based communication platforms have historically struggled to support Part 2 data at all. This is a meaningful step forward for the growing number of behavioral health and SUD treatment organizations who count on Spruce for compliant patient communication. Spruce’s updated BAA now lets qualifying organizations bring protected care and communications directly into our secure platform.
What’s changed
Recent changes in federal regulation have made it feasible for Spruce to more completely support organizations that handle Part 2 data. In concrete terms, we’ve updated our BAA to include a formal Qualified Service Organization (QSO) provision, which means:
- If your organization is a Part 2 program, and the data you handle qualifies under the conditions below, Spruce can now act as a Qualified Service Organization with respect to that data.
- We’ve added specific definitions and guardrails to our Terms of Service to make it clear exactly what is, and isn’t, covered.
Important considerations
This update is grounded in a broader shift in federal law. It doesn’t mean that every type of SUD-related data can be sent through Spruce without restriction. To comply with new federal requirements, support applies only to data that meets all of the following conditions:
- The information constitutes Protected Health Information (PHI) under HIPAA.
- It is subject to a single, valid, unexpired patient consent covering all future uses and disclosures for treatment, payment, and healthcare operations (TPO) purposes.
- It is used and disclosed solely for TPO purposes.
- It is covered under your organization’s BAA with Spruce.
Data that doesn’t meet these criteria (for example, SUD records without the specific consent described above, or records intended for uses outside of TPO) should not be used with Spruce. For compliance purposes, organizations are also responsible for marking relevant communications as Part-2-responsive within Spruce. Full instructions are in our Terms of Service for Organizations (Specific Situations Addendum).
Organizations with broader or more complex Part 2 needs should talk with their team about whether Spruce is the right fit for other use cases. We encourage you to review our full terms of service for organizations, including the specific situations addendum, our terms of service for patients, and our privacy policy for the full, current terms.
Frequently asked questions:
What is 42 CFR Part 2?
42 CFR Part 2 is a federal regulation that protects the confidentiality of substance use disorder (SUD) patient records. It’s one of the most demanding regulations in healthcare, and it’s stricter than HIPAA in important ways, specifically governing how SUD treatment information can be used and disclosed.
What is changing under 42 CFR Part 2?
Recent changes in federal regulation have made it feasible for cloud-based platforms like Spruce to more completely support Part 2 programs. Spruce has updated its Business Associate Agreement to include a formal Qualified Service Organization (QSO) provision, letting qualifying organizations use Spruce for certain SUD-related communications that meet specific eligibility conditions.
What is the difference between HIPAA and 42 CFR Part 2?
Part 2 is stricter than HIPAA in important ways. It specifically governs the confidentiality of SUD patient records and requires more specific patient consent than general HIPAA rules, which is why not all SUD-related data can be handled the same way as standard PHI.
What counts as valid consent under 42 CFR Part 2?
Data must be covered by a single, valid, unexpired patient consent for treatment, payment, and healthcare operations (TPO) purposes, used and disclosed solely for those TPO purposes, and covered under your organization’s BAA with Spruce. SUD records without this specific consent, or intended for uses outside of TPO, don’t qualify.