42 CFR Part 2 compliance at DIAL3D.

Summary

42 CFR Part 2 ("Part 2") is the federal rule that governs the confidentiality of substance use disorder (SUD) patient records held by federally-assisted treatment programs. It is stricter than HIPAA in several respects, and applies in addition to HIPAA for programs that diagnose, treat, or refer patients with SUDs.

DIAL3D is built to be 42 CFR Part 2 capable. The disclosure language, consent capture, and recordkeeping requirements are handled inside the AI voice and chat scripts. We sign a Qualified Service Organization Agreement (QSOA) with every customer that holds Part 2 records, in addition to the standard BAA.

Disclosure handling

Before the AI voice agent or chat agent asks any question that would elicit substance-use specific information, the script reads a short, plain-language notice that (a) identifies DIAL3D as operating on behalf of the treatment program, (b) discloses that information shared will be protected by 42 CFR Part 2, and (c) advises the caller they can decline at any point.

The disclosure language is reviewed by counsel and is configurable per program if your compliance team requires specific phrasing. The version of the disclosure used on each call is recorded in the call metadata for audit.

Consent capture

Patient consent to share Part 2 records — for example, to send VOB results to a payor or to write benefits into a CRM — is captured affirmatively during the call. The consent question, the patient's response, and the timestamp are recorded in the call recording and written as a structured consent record to the customer's CRM.

Consent is granular: the patient can consent to share with the payor without consenting to share with referral sources, or vice versa. Patients may revoke consent during the call; the agent acknowledges the revocation, re-routes without losing context, and records the revocation in the structured consent record.

Recordkeeping

Call recordings, transcripts, and structured consent records are stored in customer-tenant-isolated storage on the customer's retention policy. Default retention is 90 days; many Part 2 programs extend this to align with their underlying record retention obligations.

Patient requests for access to or correction of records are routed to the customer's designated Part 2 compliance contact via the admin console.

Qualified Service Organization Agreement (QSOA)

DIAL3D operates as a Qualified Service Organization (QSO) under 42 CFR § 2.11. A QSOA is signed during onboarding for every customer that is a federally-assisted Part 2 program, in addition to the standard BAA. The QSOA permits DIAL3D to receive Part 2 information in the course of providing the service, and binds DIAL3D to maintain the confidentiality of that information consistent with the rule.

What this page does not do

This page describes how DIAL3D supports 42 CFR Part 2 compliance for our customers. It is not legal advice. Each customer's Part 2 obligations depend on its own program structure, the records it holds, the consents it has captured, and the disclosures it makes outside the DIAL3D platform. We strongly recommend reviewing your Part 2 program with counsel.