Features · Compliance
Compliance & Security

Part 2 isn't a feature. It's the foundation.

Substance-use records carry federal protections that general-purpose software was never built for. SoberLab enforces 42 CFR Part 2 in the data model — consent-gated, role-segmented, fully audited.

Access snapshotEnforced
Consent verified
PO disclosure · #1042
GRANTED
Record viewed
Staff M.R. · housing scope
LOGGED
Disclosure blocked
No consent on file
BLOCKED
Why it's different

Three pillars, enforced by the platform.

Consent, on record

Every disclosure traces to a signed, current consent — with a defined scope, purpose, and expiry.

Segmented by design

Housing sees housing. Clinical sees clinical. Roles draw the lines automatically, not by honor system.

Audited, always

Who saw what, when, and under which consent — answerable in seconds, exportable on demand.

Consent lifecycle

A consent is a living thing — so we treat it like one.

Signed

Scope, purpose, and recipient captured at intake.

Active

Disclosures allowed strictly within its scope.

Expiring

Staff warned before it lapses — renew or let close.

Expired / revoked

Every disclosure it authorized closes automatically.

The audit trail

When the auditor asks who saw what — the answer takes seconds.

Every access and every disclosure is logged with the user, the time, the scope, and the consent it relied on. Nothing is off the record — including attempts that were blocked.

Immutable, timestamped entries
Blocked disclosures logged too
Exportable for audits & reviews
ACCESS LOGLIVE
09:14consent.verified · #1042 · PO disclosureGRANTED
09:14record.viewed · staff M.R. · housing scopeLOGGED
09:16disclosure.blocked · no consent on fileBLOCKED
09:21report.generated · SPARS Q3READY
Role segmentation

Access follows the role — not the login.

ROLE
HOUSING
CLINICAL
BILLING
House manager
Counselor
Billing specialist
Administrator
Full accessConsent-gatedNo access

Questions, answered.

What is 42 CFR Part 2 — and why does it matter?

It's the federal rule protecting substance-use treatment records, stricter than HIPAA on disclosure. SoberLab enforces it structurally, so compliance isn't left to staff memory.

How is tenant data kept separate?

Each organization's data is isolated at the platform level. Users authenticate with SSO and MFA, and no role can cross an organization boundary.

Can we produce an audit on request?

Yes. The access log is queryable and exportable — filter by resident, user, or date range to answer a disclosure question or hand over a review packet.

Does the AI agent respect Part 2?

Fully. The agent inherits the user's role and the resident's consents, and it cannot make a disclosure the person couldn't make themselves. Blocked attempts are logged.

Compliance you can prove.

We'll walk your compliance lead through consent enforcement and the audit trail — the parts a survey actually tests.