Patient Protect

HIPAA for behavioral health

HIPAA Compliance for Therapists

Behavioral health practices handle some of the most sensitive patient data in healthcare. Psychotherapy notes, substance abuse records, and 42 CFR Part 2 protections add layers of compliance most platforms ignore.

Active breach prevention · Starting at $39/mo · No contracts

The real risk

Where behavioral health & therapy practices are most exposed.

01. Psychotherapy notes require protections beyond standard ePHI

Under HIPAA, psychotherapy notes have heightened protections: in most cases they cannot be disclosed under a standard patient authorization, and a separate authorization specific to the notes is required. Most compliance platforms don't distinguish between clinical notes and psychotherapy notes. The penalty for mishandling them is severe.

02. Telehealth platforms may not be HIPAA compliant

Zoom, Doxy.me, SimplePractice: if your telehealth vendor doesn't have a signed BAA and end-to-end encryption, every session is a potential breach. The COVID-era enforcement discretion has ended, and OCR is actively auditing telehealth compliance.

03. 42 CFR Part 2 adds federal substance abuse protections

If you treat substance use disorders, patient records carry additional federal protections under 42 CFR Part 2. Disclosure rules are stricter than standard HIPAA. Most compliance software doesn't address Part 2 requirements at all.

04. Solo practitioners carry the same HIPAA burden as hospitals

A solo therapist handling 40 patients is a covered entity with the same 45+ HIPAA requirements as a health system. No IT department, no compliance officer, no legal team, but the same regulatory exposure and the same potential fines.

What HIPAA requires

Regulatory requirements specific to behavioral health & therapy practices.

Psychotherapy Note Protections

Separate storage and access controls for psychotherapy notes as defined under §164.508(a)(2). Authorization requirements beyond the standard ePHI consent, since a general authorization does not cover psychotherapy notes.

Telehealth Security

BAAs with all telehealth platform vendors. End-to-end encryption for video sessions. Documented security configurations for remote sessions.

Substance Abuse Records (42 CFR Part 2)

Additional consent requirements for substance abuse treatment records. Restrictions on re-disclosure. Separate audit trails for Part 2-protected information.

Minimum Necessary Standard

Policies limiting ePHI access to the minimum necessary for each staff role. Particularly critical in behavioral health where clinical sensitivity is highest.

How Patient Protect helps

Built for behavioral health & therapy practices, not hospital systems.

Risk assessment for behavioral health

SRA wizard covers telehealth, psychotherapy notes, and substance abuse record workflows specific to therapy practices. Not a generic healthcare questionnaire.

BAA tracking for telehealth vendors

Track agreements with Zoom, SimplePractice, TherapyNotes, and every other vendor. Get expiration alerts. Know your compliance status before OCR asks.

Secure patient communication

Stop using personal email and texts for appointment reminders and session follow-ups. BAA-gated messaging keeps clinical information inside your compliance perimeter.

Workforce training modules

HIPAA training designed for therapy practice staff — including reception, billing, and clinical roles. Completion documented automatically for audit readiness.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

Platforms compared (monthly price): Patient Protect (Recommended) $39/month to start · Compliancy Group $99+/mo · AccountableHQ per-employee · Abyde not listed · Total HIPAA not listed

Core Compliance
Risk Assessment: Satisfies §164.308(a)(1)
Policy Templates: Versioned, workforce acknowledgment
Staff Training: Delivery, tracking, and documentation
BAA Management: Full lifecycle, e-sign, PDF (~)

Where Others Stop
Secure Messaging: BAA-gated, ePHI-compliant
Digital Referrals: Send, track, and audit across offices
Real-Time Security Prompts: Live alerts for risks and violations
Live Diagnostics: Real-time compliance visibility
ePHI Audit Trail: Who accessed what, and when (~)
Dynamic Risk Scoring: Auto-prioritized, self-updating queue (~ ~)

Monthly Price: Patient Protect $39 to start · Compliancy Group $99+ · AccountableHQ per-employee · Abyde not listed · Total HIPAA not listed


Based on publicly available feature lists and pricing as of 2026. Secure messaging and digital referrals are absent from every major compliance competitor.

Legend: Included · ~ Partial · Not available

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.


FAQ

Common questions about HIPAA compliance for behavioral health & therapy practices.

Do solo therapists need HIPAA compliance software?

Yes. Solo practitioners are covered entities under HIPAA with identical regulatory requirements. OCR does not reduce obligations based on practice size. A single therapist handling patient records faces the same 45+ HIPAA requirements, and the same fine schedule, as a hospital system.

How does Patient Protect handle psychotherapy notes?

Patient Protect's risk assessment and policy framework addresses the heightened protections required for psychotherapy notes under §164.508(a)(2), including separate authorization requirements, access controls, and disclosure restrictions that go beyond standard ePHI handling.

Is telehealth HIPAA compliant?

Telehealth can be HIPAA compliant, but only with the right configuration. Your platform vendor must sign a BAA, sessions must use end-to-end encryption, and you need documented policies for remote access. The COVID-era enforcement discretion has ended, and OCR is actively auditing telehealth compliance.

What does HIPAA compliance cost for a therapy practice?

Behavioral health compliance consultants typically charge $4,000–$10,000 per year. Patient Protect starts at $39/month ($468/year) with no contracts, covering risk assessments, policies, BAA management, telehealth compliance documentation, and ongoing monitoring.

Next step

Your patients trust you with their most sensitive data.

Make sure your compliance protects them. Free risk assessment, no login required.