
HIPAA for psychiatry practices

HIPAA Compliance for Psychiatry & Counseling

Psychiatry and counseling practices handle some of the most protected data in healthcare — psychotherapy notes, 42 CFR Part 2 substance abuse records, and prescribing data for controlled substances. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer for behavioral health.

Active breach prevention·Starting at $39/mo·No contracts

HIPAA in practice

What HIPAA actually looks like for psychiatry & counseling practices.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay, where state clinical-record law stacks on the six-year minimum HIPAA sets for its own required documentation.

Regulatory framework

Psychiatric practices operate under HIPAA as covered entities because they conduct standard electronic transactions: claims, eligibility, and e-prescribing, including controlled substances under DEA EPCS. 42 CFR Part 2 applies separately to federally assisted programs that hold themselves out as providing substance use disorder diagnosis, treatment, or referral. State mental health confidentiality laws apply on top, frequently with stricter standards than HIPAA. Psychotherapy notes get their own treatment under the Privacy Rule: the §164.501 definition requires that they be kept separate from the rest of the medical record, §164.508(a)(2) requires a specific authorization for most uses and disclosures, and §164.524(a)(1)(i) excludes them from the patient's right of access. State pharmacy boards and controlled-substance authorities regulate dispensing and prescription monitoring; state medical boards impose prescribing, practice, and supervision rules.

OCR enforcement patterns

OCR's psychiatric enforcement record includes cases of psychotherapy notes mixed with the general record (forfeiting psychotherapy-notes status under the §164.501 definition, and with it the §164.508(a)(2) and §164.524(a)(1)(i) protections), controlled-substance prescribing audit trail gaps, treatment record disclosure to family members without authorization, and disclosure errors during insurance utilization review. The DEA has been active in EPCS enforcement; the combination of OCR HIPAA enforcement and DEA prescribing enforcement creates a dual-framework risk for psychiatric practices that prescribe controlled substances.

Specialty-specific standards beyond HIPAA

Psychotherapy notes: the separate-storage requirement in the §164.501 definition, the specific-authorization requirement in §164.508(a)(2), and the right-of-access exclusion in §164.524(a)(1)(i). 42 CFR Part 2 for federally assisted substance use disorder programs. State mental health confidentiality laws (the spectrum is wide; some states impose substantially stricter requirements than HIPAA). DEA EPCS under 21 CFR Part 1311, which covers every controlled-substance schedule, not only Schedule II: stimulants for ADHD are Schedule II, while benzodiazepines and several hypnotics are Schedule IV. State controlled-substance e-prescribing mandates. Duty-to-warn variations by state intersecting with HIPAA's permissive disclosure to avert a serious threat to health or safety under §164.512(j).

Common compliance gaps

Recurring gaps in psychiatric practice compliance: psychotherapy notes architecture not properly implemented (notes mixed into the general EHR record), EPCS not fully deployed for controlled-substance prescribing where federal or state law mandates it, supervisor-supervisee record sharing scenarios without a documented framework, 42 CFR Part 2 not implemented where the practice is a federally assisted program holding itself out as treating SUD, state mental health confidentiality requirements not layered on top of HIPAA training, and inadequate documentation of duty-to-warn disclosures.

Retention overlay

State clinical-record law stacked on HIPAA's six-year documentation floor.

HIPAA's six-year minimum (§164.316(b)(2) and §164.530(j)) covers the documentation the rules themselves require: policies and procedures, risk analyses, BAAs, authorizations, and accounting-of-disclosure records. It does not set a retention period for clinical records; that comes from state law, and state psychiatric record laws frequently require longer periods (some states impose seven to fifteen years post-discharge or post-last-encounter). 42 CFR Part 2 imposes its own security and destruction requirements separate from HIPAA. Psychotherapy notes kept separately under the §164.501 definition can be retained or destroyed under different rules from the general record; the practice must document the retention policy explicitly. DEA EPCS audit-trail retention under 21 CFR Part 1311 is separate again. Long-term retention obligations for minor patients typically run until the age of majority plus the statute-of-limitations period.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to psychiatry & counseling practices based on Patient Protect's reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A psychiatry or counseling practice that completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis covering EHR, EPCS, and psychiatric-specific systems

    Risk analysis under §164.308(a)(1)(ii)(A) covering the EHR, the e-prescribing service with EPCS for controlled substances, the telehealth platform if used, secure messaging, lab interfaces for medication monitoring, the payment processor, and supervision/case-consultation platforms. For each system the analysis should record where ePHI is created, stored, and transmitted and what the specific threats and controls are, not merely name the vendor.

  2. Architect psychotherapy notes for separate storage under the §164.501 definition

    Psychotherapy notes only count as psychotherapy notes if they are kept separate from the rest of the patient record; that separation is what unlocks the specific-authorization requirement in §164.508(a)(2) and the right-of-access exclusion in §164.524(a)(1)(i). Configure the EHR to enforce the separation architecturally (a distinct note type with its own access control, not a free-text section of the progress note); document the operational policy that enforces it; train clinicians on the distinction between psychotherapy notes and the broader record, including that medication management, session start and stop times, diagnoses, and treatment plans belong in the general record.

  3. Establish DEA EPCS compliance for controlled-substance prescribing

    Controlled-substance e-prescribing under 21 CFR Part 1311 requires identity proofing of the prescriber, two-factor authentication at the moment of signing, logical access controls over who may sign, and application audit trails, all separate from HIPAA's general audit-control standard. Both frameworks must be satisfied on their own terms: EPCS audit trails overlap partially with §164.312(b) but do not replace it, and a §164.312(b) audit log does not satisfy EPCS.

  4. Sign BAAs across the psychiatric vendor ecosystem

    EHR vendor, e-prescribing service with EPCS, telehealth platform, secure messaging, supervision platforms: each creates, receives, maintains, or transmits PHI on the practice's behalf and is a business associate under §160.103. Two common entries on the list usually are not: a clinical laboratory is itself a covered entity, and disclosures to it for treatment need no BAA; and a payment processor handling only payment transactions falls under the financial-institution exception. An interface or integration vendor sitting between the practice and either of them generally is a BA, so check what each contract actually does rather than the label.

  5. Train clinicians on disclosure scenarios specific to psychiatric practice

    Suicidal-ideation reporting under state duty-to-warn laws, custody-related record requests, employer fitness-for-duty inquiries, insurance utilization review, court orders for treatment records. Each has a documented protocol; training under §164.530(b)(1) should cover the framework for each.

The real risk

Where psychiatry & counseling practices are most exposed.

01

Psychotherapy notes have protections beyond standard ePHI

Under HIPAA, psychotherapy notes cannot be released on a general medical-record authorization. §164.508(a)(2) requires an authorization that covers psychotherapy notes specifically, and that authorization cannot be combined with an authorization for any other disclosure. Notes only qualify for this treatment if they are kept separate from the rest of the medical record. Most EHR systems don't enforce that separation architecturally.

02

42 CFR Part 2 adds federal substance abuse protections

If you treat substance use disorders, patient records carry additional federal protections. Disclosure rules under Part 2 are stricter than standard HIPAA — requiring patient consent for most disclosures, including to other healthcare providers. Make sure your compliance program explicitly addresses Part 2.

03

E-prescribing controlled substances requires EPCS compliance

Electronic Prescribing of Controlled Substances (EPCS) adds identity verification, two-factor authentication, and audit trail requirements on top of standard HIPAA obligations. Make sure your compliance program explicitly addresses EPCS controls.

04

Telehealth sessions create long-lived sensitive records

Recorded therapy sessions, chat transcripts, and asynchronous messaging are ePHI with heightened sensitivity. Storage, access controls, and retention policies for psychiatric telehealth records require specific attention beyond standard telehealth compliance.

What HIPAA requires

Regulatory requirements specific to psychiatry & counseling practices.

Psychotherapy Note Protections

Separate storage for psychotherapy notes from the general medical record. Specific authorization requirements for disclosure. Access controls limiting who can view psychotherapy notes within the practice.

42 CFR Part 2 Compliance

Documented procedures for substance abuse records. Patient consent requirements for disclosure. Staff training on Part 2 requirements distinct from standard HIPAA training.

EPCS Compliance

Two-factor authentication for controlled substance prescribing. Identity verification procedures. Audit trails for all e-prescribing activity. Staff training on EPCS requirements.

Telehealth Session Security

Encryption for recorded sessions and transcripts. Access controls on session recordings. Retention and destruction policies for psychiatric telehealth records.

Your state, your rules

State-specific HIPAA rules for psychiatry & counseling practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for psychiatry & counseling practices, not hospital systems.

Psychiatry-specific risk assessment

SRA wizard covers psychotherapy note handling, 42 CFR Part 2, EPCS compliance, and telehealth session security — not a generic practice questionnaire.

Policy generation for behavioral health

Auto-generated policies covering psychotherapy note protections, substance abuse record handling, and EPCS procedures — customized to your practice.

Secure messaging with BAA gating

HIPAA-compliant messaging that automatically gates content based on BAA status — critical for practices communicating about sensitive behavioral health information.

Staff training on psychiatric privacy

Training modules covering psychotherapy note protections, Part 2 requirements, EPCS compliance, and handling sensitive behavioral health records.

Schedule II e-prescribing and EPCS compliance

Psychiatric practices prescribing stimulants for ADHD or other Schedule II medications operate under DEA's electronic prescribing of controlled substances framework on top of HIPAA. The platform handles the dual-framework audit-trail and identity-proofing requirements without duplicating record-keeping.

Psychotherapy notes architecture for §164.508(a)(2) and §164.524(a)(1)(i) protection

Psychotherapy notes maintained separately from the rest of the record, as the §164.501 definition requires, qualify for the specific-authorization requirement and the right-of-access exclusion. Most EHRs handle this through a process that's easy to misconfigure. Patient Protect's policy generation produces the documentation architecture and access-log distinction the protection requires.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

What to ask

Patient Protect

01

Risk assessment that satisfies §164.308(a)(1)

A readiness quiz is not a risk analysis.

Full SRA wizard mapped to NIST CSF with live scoring

02

Auto-generated policies with workforce acknowledgment

HIPAA requires documented proof your staff reviewed them.

48 policies from your risk profile, versioned acknowledgment

03

Staff training with delivery tracking

§164.308(a)(5) — sending a PDF is not sufficient.

80+ modules, completion tracking, audit-ready records

04

Full BAA lifecycle management

Expired BAAs are a top enforcement target.

E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.

See full feature comparison →

FAQ

Common questions about HIPAA compliance for psychiatry & counseling practices.

Are psychotherapy notes protected differently under HIPAA?

Yes. Psychotherapy notes receive heightened protections under HIPAA — they must be stored separately from the general medical record, require specific patient authorization for most disclosures, and cannot be disclosed simply because a patient authorized release of their medical records. This separation must be enforced in your record-keeping system.

Does 42 CFR Part 2 apply to my practice?

Part 2 applies to a "program": a federally assisted individual or entity that holds itself out as providing substance use disorder diagnosis, treatment, or referral for treatment. Federal assistance is read broadly (Medicare or Medicaid participation, federal tax-exempt status, DEA registration to dispense controlled substances for SUD treatment), so most practices that advertise SUD services meet it. A general psychiatric practice that treats substance use incidentally and does not hold itself out as an SUD provider is generally not a Part 2 program, though state confidentiality law may still apply. Where Part 2 applies, its consent requirements are stricter than HIPAA's for most disclosures, and its limits on redisclosure and on use of records in proceedings against the patient have no HIPAA counterpart. The February 2024 Part 2 final rule (compliance required by February 2026) narrows the gap by allowing a single written consent to cover future treatment, payment, and operations disclosures.

What does HIPAA compliance cost for a psychiatry practice?

Patient Protect starts at $39/month with no contracts — covering risk assessments, behavioral health-specific policies, 42 CFR Part 2 compliance, staff training, and continuous monitoring. Whether you use it alongside your existing compliance partner or as a standalone solution.

Are psychiatric records subject to additional protection beyond HIPAA?

Often yes. Several layers apply on top depending on the practice configuration: 42 CFR Part 2 for federally assisted SUD programs; state mental health confidentiality laws that often impose stricter standards than HIPAA; DEA EPCS requirements for controlled-substance prescribing. A compliance program that satisfies HIPAA is necessary but not sufficient for most psychiatric practices.

Can psychiatrists discuss patients with consulting colleagues without specific consent?

Treatment-purpose communication between healthcare providers is permitted under §164.506 without specific patient authorization, and treatment includes peer consultation about a current patient. The communication should still observe minimum necessary under §164.502(b) and follow the practice's documented disclosure policy. One exception matters here: the treatment permission does not extend to psychotherapy notes. §164.508(a)(2) allows the clinician who wrote the notes to use them for treatment, but disclosing them to a consulting colleague requires the patient's specific authorization, so share the general record, not the notes. Consultations going beyond treatment purpose (academic case discussions, training scenarios) typically require de-identification or specific authorization.

How do psychiatric records intersect with insurance utilization review?

Insurance utilization review falls under §164.506's payment permission: disclosure of clinical information to support coverage decisions is permitted without specific authorization, subject to minimum necessary. Psychotherapy notes (when properly maintained separately) are excluded from this permission even for utilization review unless the patient has signed a psychotherapy-notes authorization, and a health plan may not condition enrollment or eligibility for benefits on such an authorization (§164.508(b)(4)(ii)). Practices should document which record categories travel with utilization review submissions and which are withheld under the psychotherapy-notes rule.

Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA.
Dr. Thomas E. Murray, D.D.S., Patient Protect Member Since 2017

Next step

Psychiatric records carry protections that most HIPAA programs miss.

See your real exposure in five minutes. Free risk assessment — no login required.