Patient Protect

HIPAA for behavioral health

HIPAA Compliance for Therapists

Behavioral health practices handle some of the most sensitive patient data in healthcare. Psychotherapy notes, substance abuse records, and 42 CFR Part 2 protections add layers of compliance that require specialized attention. Whether you already work with a compliance vendor or are evaluating for the first time, Patient Protect adds a security-first layer for behavioral health.

Active breach prevention·Starting at $39/mo·No contracts

HIPAA in practice

What HIPAA actually looks like for behavioral health & therapy practices.

The regulatory framework, the enforcement patterns OCR has historically cited, the non-HIPAA standards that apply, the gaps audits routinely surface, and the record-retention overlay where state law stacks on HIPAA’s six-year minimum.

Regulatory framework

Mental health practices become HIPAA covered entities once they conduct standard electronic transactions such as claims submission, eligibility verification, or e-prescribing where applicable. State mental health confidentiality laws apply on top of HIPAA and frequently impose stricter standards. Programs treating substance use disorder under the federal-assistance criteria are subject to 42 CFR Part 2, which has stricter consent, redisclosure, and breach-notification rules than HIPAA. State professional licensure boards (LMFT, LCSW, LPCC, psychology) layer additional record-keeping and disclosure rules on top of both.

OCR enforcement patterns

OCR's enforcement record in mental health includes cases involving disclosure of psychiatric records to family members without authorization, psychotherapy notes accessed beyond the minimum necessary, unsecured patient communication via personal-device texting and email, missing breach notification for incidents involving fewer than 500 individuals (these must still be logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered, a requirement small practices often miss), and inadequate workforce training on the disclosure rules specific to mental health records.

Specialty-specific standards beyond HIPAA

42 CFR Part 2 for substance use disorder programs imposes a separate compliance framework that overlaps with HIPAA but is not satisfied by HIPAA compliance alone. Psychotherapy notes receive special treatment in two places: the definition at §164.501 covers only notes a clinician keeps separated from the rest of the medical record, and §164.524(a)(1)(i) then excludes those separately maintained notes from the patient's right of access. Notes that are not kept separate do not meet the definition and receive neither protection. State-by-state duty-to-warn laws for threats of harm to self or others create disclosure obligations that intersect with HIPAA's permissive disclosure provisions under §164.512(j). State mental health confidentiality statutes vary widely in scope.

Common compliance gaps

Audits and incidents in mental health practice routinely surface psychotherapy notes mixed into the general patient record (loses the §164.524 protection), informal patient communication via personal-device SMS and email, group therapy session records mishandled (every member of the group has independent rights), supervision and case-consultation platforms operating without BAAs, missing 42 CFR Part 2 protocols where the practice treats SUD under federal-assistance criteria, and inadequate documentation of duty-to-warn disclosures.

Retention overlay

State law stacked on HIPAA’s six-year floor.

HIPAA's six-year rule (§164.316(b)(2)) covers compliance documentation such as policies, procedures, and risk analyses, not the clinical record itself; state mental health record-retention laws govern the record and frequently require longer periods (some states impose seven to fifteen years post-discharge or post-last-encounter). 42 CFR Part 2 has its own retention framework for SUD records. Psychotherapy notes maintained separately and therefore excluded from right of access under §164.524(a)(1)(i) can be retained or destroyed under different rules than the general record; practices that destroy psychotherapy notes at the clinician's discretion should document the policy explicitly, including the destruction method. Long-term retention obligations for minors typically run until the age of majority plus the statute-of-limitations period.

Reference summary, not legal advice. This page summarizes how HIPAA and adjacent regulatory frameworks apply to behavioral health & therapy practices based on Patient Protect's reading of the relevant CFR provisions, OCR enforcement record, and state statutes. Operators with specific compliance questions should consult a qualified HIPAA attorney. Patient Protect is a HIPAA compliance platform; we are not a law firm and do not provide legal advice.

Where to start

The five-step path to compliant operation.

In order. Each step is the foundation the next one rests on. A therapist who completes the five below has cleared the operational core of HIPAA compliance.

  1. Run a risk analysis modeling the mental-health-specific threat surface

    Risk analysis under §164.308(a)(1)(ii)(A) covering EHR (SimplePractice, TherapyNotes, Theranest), telehealth platform, secure messaging, payment processor, group therapy session recording or note-storage systems, and supervision/case-consultation platforms. Methodology aligned with NIST SP 800-30.

  2. Establish 42 CFR Part 2 compliance where applicable

    If the practice treats substance use disorder under federal-assistance criteria, Part 2 applies on top of HIPAA. Build the consent, redisclosure, and breach-notification protocols Part 2 requires — separate from HIPAA equivalents. Patient Protect's policy generation produces both layers.

  3. Architect psychotherapy notes for the §164.524(a)(1)(i) exclusion

    Psychotherapy notes must be stored separately from the rest of the patient record to qualify for the right-of-access exclusion. Document the separation architecturally in the EHR plus operationally in the practice's record-handling policy. Notes mixed into the general record lose both the legal protection and the access-log distinction.

  4. Sign BAAs across the mental-health vendor stack

EHR, telehealth platform, secure messaging tool, payment processor, e-prescribing service if used, supervision/case-consultation platform, scheduling system. Each vendor that creates, receives, maintains, or transmits PHI on the practice's behalf is a BA, and each requires a current signed agreement under §164.308(b)(1) and §164.504(e). One caveat: a processor that only moves payments may fall under HIPAA's financial-transaction exemption; confirm whether it also stores or transmits PHI (invoices with diagnosis codes, for example) before deciding it needs no BAA.

  5. Train staff on social engineering and clinical-record disclosure scenarios

    Generic HIPAA training is necessary but not sufficient for mental health practices. Staff face specific pressure points: family members requesting patient information, employers seeking treatment records, insurance utilization reviewers requesting more than minimum-necessary. Training should cover these scenarios and the documented response protocol for each.

The real risk

Where behavioral health & therapy practices are most exposed.

01

Psychotherapy notes require protections beyond standard ePHI

Under HIPAA, psychotherapy notes have heightened protections: most uses and disclosures require a specific authorization under §164.508(a)(2), and a general authorization that also covers other PHI does not release them. Your compliance program needs to distinguish between ordinary clinical notes and psychotherapy notes, in storage, in access controls, and in how authorizations are processed. The penalty for mishandling them is severe.

02

Telehealth platforms may not be HIPAA compliant

Zoom, Doxy.me, SimplePractice: if your telehealth vendor has not signed a BAA and sessions are not encrypted in transit, every session is a potential breach. The COVID-era enforcement discretion for telehealth ended with the public health emergency in 2023, so the platform, its configuration, and the BAA are all back in scope for OCR.

03

42 CFR Part 2 adds federal substance abuse protections

If you treat substance use disorders, patient records carry additional federal protections under 42 CFR Part 2. Disclosure rules are stricter than standard HIPAA. Make sure your compliance program explicitly addresses Part 2 requirements — they go beyond standard HIPAA frameworks.

04

Solo practitioners carry the same HIPAA burden as hospitals

A solo therapist handling 40 patients is a covered entity with the same 45+ HIPAA requirements as a health system. No IT department, no compliance officer, no legal team — but the same regulatory exposure and the same potential fines.

What HIPAA requires

Regulatory requirements specific to behavioral health & therapy practices.

Psychotherapy Note Protections

Separate storage and access controls for psychotherapy notes as defined at §164.501, with the specific authorization requirements of §164.508(a)(2) applied before any disclosure. Authorization handling beyond standard ePHI consent.

Telehealth Security

BAAs with all telehealth platform vendors. Encryption of video sessions in transit (§164.312(e)), end-to-end where the platform offers it. Documented security configurations for remote sessions, including waiting-room and recording settings.

Substance Abuse Records (42 CFR Part 2)

Additional consent requirements for substance abuse treatment records. Restrictions on re-disclosure. Separate audit trails for Part 2-protected information.

Minimum Necessary Standard

Policies limiting ePHI access to the minimum necessary for each staff role. Particularly critical in behavioral health where clinical sensitivity is highest.
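The four requirements above describe one architecture: record classes kept in separate stores with separate audit trails, role-based minimum-necessary access, a patient right of access that excludes separately maintained psychotherapy notes, and Part 2 disclosures gated on consent and stamped with a redisclosure notice. The following is an added illustration of that architecture as a small access broker. It is example code, not Patient Protect's software; the roles, record classes, consent model, sample records, and the abbreviated notice string are constructed assumptions for illustration, not a legal reading of the rules.

```python
"""Added example (not Patient Protect code): a record-access broker that models the
segregation this section calls for. Roles, record classes, consent handling and the
sample records are constructed assumptions for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Set


class RecordClass(Enum):
    GENERAL = "general"                        # ordinary clinical record
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # kept separate per the §164.501 definition
    PART2 = "part2"                            # SUD records under 42 CFR Part 2


# Minimum-necessary matrix: which record classes each role may read.
# Assumed roles for a small practice; adjust to the practice's own job descriptions.
ROLE_ACCESS: Dict[str, Set[RecordClass]] = {
    "treating_clinician": {RecordClass.GENERAL, RecordClass.PSYCHOTHERAPY_NOTE, RecordClass.PART2},
    "billing": {RecordClass.GENERAL},
    "reception": set(),  # scheduling only; no clinical record classes
}

# Abbreviated stand-in for the notice Part 2 requires to accompany a consented
# disclosure (42 CFR 2.32); this is not the regulatory text.
PART2_NOTICE = "42 CFR Part 2: further disclosure prohibited without written consent"


@dataclass
class Record:
    patient_id: str
    rclass: RecordClass
    body: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    payload: List[str] = field(default_factory=list)


class RecordBroker:
    """One store and one audit trail per record class, so psychotherapy-note and
    Part 2 access never appears in the general record's log (and vice versa)."""

    def __init__(self) -> None:
        self.stores: Dict[RecordClass, List[Record]] = {c: [] for c in RecordClass}
        self.audit: Dict[RecordClass, List[dict]] = {c: [] for c in RecordClass}
        self.part2_consents: Dict[str, Set[str]] = {}  # patient_id -> permitted recipients

    def add(self, rec: Record) -> None:
        self.stores[rec.rclass].append(rec)

    def grant_part2_consent(self, patient_id: str, recipient: str) -> None:
        self.part2_consents.setdefault(patient_id, set()).add(recipient)

    def _log(self, rclass: RecordClass, actor: str, patient_id: str, allowed: bool, reason: str) -> None:
        self.audit[rclass].append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "patient": patient_id, "allowed": allowed, "reason": reason,
        })

    def _records(self, patient_id: str, rclass: RecordClass) -> List[str]:
        return [r.body for r in self.stores[rclass] if r.patient_id == patient_id]

    def workforce_read(self, role: str, actor: str, patient_id: str, rclass: RecordClass) -> Decision:
        """Role-gated read: minimum necessary by job function; denials are logged too."""
        if rclass not in ROLE_ACCESS.get(role, set()):
            self._log(rclass, actor, patient_id, False, f"role {role} not permitted")
            return Decision(False, f"role {role} may not read {rclass.value}")
        self._log(rclass, actor, patient_id, True, f"role {role}")
        return Decision(True, "ok", self._records(patient_id, rclass))

    def patient_access_request(self, patient_id: str) -> Decision:
        """Right of access (§164.524): general and Part 2 records go to the patient;
        separately maintained psychotherapy notes are excluded, and the exclusion
        is recorded in the psychotherapy-note trail, not the general one."""
        payload = self._records(patient_id, RecordClass.GENERAL) + self._records(patient_id, RecordClass.PART2)
        self._log(RecordClass.GENERAL, patient_id, patient_id, True, "right of access")
        self._log(RecordClass.PART2, patient_id, patient_id, True, "right of access")
        self._log(RecordClass.PSYCHOTHERAPY_NOTE, patient_id, patient_id, False, "excluded from right of access")
        return Decision(True, "psychotherapy notes excluded", payload)

    def disclose_part2(self, patient_id: str, recipient: str) -> Decision:
        """Part 2 records leave the practice only against a recorded consent naming
        the recipient, and every disclosed item carries the redisclosure notice."""
        if recipient not in self.part2_consents.get(patient_id, set()):
            self._log(RecordClass.PART2, recipient, patient_id, False, "no Part 2 consent on file")
            return Decision(False, "no Part 2 consent on file for this recipient")
        self._log(RecordClass.PART2, recipient, patient_id, True, "consented disclosure")
        return Decision(True, "ok", [f"{b}\n[{PART2_NOTICE}]" for b in self._records(patient_id, RecordClass.PART2)])


def demo() -> RecordBroker:
    """Constructed sample records for one patient; returns the broker for inspection."""
    b = RecordBroker()
    b.add(Record("p1", RecordClass.GENERAL, "Dx and treatment plan"))
    b.add(Record("p1", RecordClass.PSYCHOTHERAPY_NOTE, "Session impressions (clinician only)"))
    b.add(Record("p1", RecordClass.PART2, "SUD assessment"))
    return b
```

The design point is that the separation is enforced by structure rather than by policy text alone: a billing user cannot reach the psychotherapy store at all, a right-of-access export never touches it, and the Part 2 trail can be produced on its own when a Part 2 audit asks for it. In a real EHR the stores would be separate tables or systems and the audit entries would be append-only; the in-memory lists here only stand in for that.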

Your state, your rules

State-specific HIPAA rules for behavioral health & therapy practices.

HIPAA is federal — but your state layers additional breach notification deadlines, AG reporting requirements, and privacy laws on top. Select your state to see what applies to your practice.

How Patient Protect helps

Built for behavioral health & therapy practices, not hospital systems.

Risk assessment for behavioral health

SRA wizard covers telehealth, psychotherapy notes, and substance abuse record workflows specific to therapy practices. Not a generic healthcare questionnaire.

BAA tracking for telehealth vendors

Track agreements with Zoom, SimplePractice, TherapyNotes, and every other vendor. Get expiration alerts. Know your compliance status before OCR asks.

Secure patient communication

Stop using personal email and texts for appointment reminders and session follow-ups. BAA-gated messaging keeps clinical information inside your compliance perimeter.

Workforce training modules

HIPAA training designed for therapy practice staff — including reception, billing, and clinical roles. Completion documented automatically for audit readiness.

42 CFR Part 2 overlay for substance use disorder confidentiality

Mental health practices treating SUD face a stricter confidentiality framework than HIPAA alone. The platform's policy generation handles 42 CFR Part 2's specific consent, redisclosure, and breach notification rules in addition to HIPAA — most generic compliance vendors treat them identically and miss the gap.

Psychotherapy notes handled per §164.524(a)(1)(i)

Psychotherapy notes are explicitly excluded from the right-of-access rule when maintained separately from the rest of the record. The platform supports the separate-storage architecture required, plus the access-log distinction between psychotherapy notes and the broader record — without which the practice loses both the legal protection and the audit defense.

How we compare

See exactly what you get that competitors don't offer.

Every major compliance platform covers risk assessments and policy templates. The difference is what happens after the paperwork is done.

What to ask, and what Patient Protect answers:

01. Risk assessment that satisfies §164.308(a)(1)
    Why it matters: A readiness quiz is not a risk analysis.
    Patient Protect: Full SRA wizard mapped to NIST CSF with live scoring

02. Auto-generated policies with workforce acknowledgment
    Why it matters: HIPAA requires documented proof your staff reviewed them.
    Patient Protect: 48 policies from your risk profile, versioned acknowledgment

03. Staff training with delivery tracking
    Why it matters: §164.308(a)(5) requires training; sending a PDF is not sufficient.
    Patient Protect: 80+ modules, completion tracking, audit-ready records

04. Full BAA lifecycle management
    Why it matters: Expired BAAs are a top enforcement target.
    Patient Protect: E-signature, renewal alerts, Vendor Risk Scanner

Yes on all 10. Now run the checklist on the rest.

From $39/mo · No long-term contracts.

Pricing

Enterprise-grade compliance. Independent-practice pricing.

No contracts · No setup fees · Cancel anytime

Core

$39/mo

Risk assessments, policies, BAA management, training, and compliance scoring.

Recommended

Pro

$99/mo

Everything in Core plus secure messaging, breach intelligence, live diagnostics, and AI compliance assistant.

See full feature comparison →

FAQ

Common questions about HIPAA compliance for behavioral health & therapy practices.

Do solo therapists need HIPAA compliance software?

Yes. Solo practitioners are covered entities under HIPAA and every Privacy, Security, and Breach Notification Rule standard applies to them. The Security Rule's flexibility-of-approach provision (§164.306(b)) lets a small practice scale how it implements safeguards to its size, resources, and risk, but it does not remove any standard, and the fine schedule is the same for a single therapist handling patient records as for a hospital system.

How does Patient Protect handle psychotherapy notes?

Patient Protect's risk assessment and policy framework addresses the heightened protections for psychotherapy notes as defined at §164.501 and governed by §164.508(a)(2), including the separate authorization requirement, access controls, and disclosure restrictions that go beyond standard ePHI handling.

Is telehealth HIPAA compliant?

Telehealth can be HIPAA compliant, but only with the right configuration. Your platform vendor must sign a BAA, sessions must be encrypted in transit (end-to-end where the platform supports it), and you need documented policies for remote access and session settings. The COVID-era enforcement discretion for telehealth ended with the public health emergency in 2023, so telehealth platforms and their configuration are fully in scope for OCR again.

What does HIPAA compliance cost for a therapy practice?

Behavioral health compliance consultants typically charge $4,000–$10,000 per year. Patient Protect starts at $39/month ($468/year) with no contracts — covering risk assessments, policies, BAA management, telehealth compliance documentation, and ongoing monitoring.

Are psychotherapy notes treated differently than other mental health records under HIPAA?

Yes. Section 164.524(a)(1)(i) excludes psychotherapy notes from the patient right of access when those notes are kept separately from the rest of the record. The exclusion only applies if the practice actually maintains the notes in a separate file or system — notes mixed into the general medical record lose the protection. Patient Protect's architecture supports the separate-storage requirement explicitly.

When does 42 CFR Part 2 apply on top of HIPAA?

42 CFR Part 2 applies to federally-assisted programs that hold themselves out as providing substance use disorder diagnosis, treatment, or referral. Mental health practices treating co-occurring SUD typically fall under both Part 2 and HIPAA. Part 2 requires more-restrictive consent for disclosure than HIPAA, has a stricter redisclosure rule, and treats consent revocation differently. Compliance with HIPAA does not satisfy Part 2.

Can therapists text or email patients?

Plain SMS and standard email are not secure channels for PHI. OCR guidance allows a practice to use them only where the patient has been warned of the risk and still asks for that channel; document that preference as a confidential-communications request under §164.522(b), and keep the content to logistics (appointment confirmations without diagnosis or treatment content). Clinical communication, treatment-plan changes, or any content tied to a mental health condition or treatment should go through a HIPAA-compliant secure messaging platform covered by a BAA.

"Patient Protect is intuitive, proactive, and affordable — exactly what small clinics like ours need to keep patient data safe and stay on the right side of HIPAA."
Dr. Thomas E. Murray, D.D.S., Patient Protect Member Since 2017

Next step

Your patients trust you with their most sensitive data.

Make sure your compliance protects them. Free risk assessment — no login required.