Patient Protect

HIPAA for behavioral health

HIPAA compliance for behavioral health: the highest-protection specialty with the lowest compliance rates.

Psychotherapy notes, telehealth sessions, and substance abuse records carry the strictest protections in all of HIPAA. Most solo and small-group behavioral health practices have never implemented the safeguards the regulation demands.

Behavioral health-specific requirements

HIPAA imposes higher standards on behavioral health than any other practice type.

Behavioral health sits at the intersection of three regulatory frameworks: the HIPAA Privacy and Security Rules, the enhanced psychotherapy note protections under Section 164.508, and — for practices treating substance use disorders — the additional restrictions of 42 CFR Part 2. No other healthcare specialty navigates this level of regulatory complexity.

Psychotherapy Note Protections (Section 164.508)

HIPAA creates a unique category for psychotherapy notes — defined as a therapist's personal notes analyzing or documenting the contents of a counseling session. These notes must be stored separately from the medical record. Access must be restricted beyond standard role-based controls. Disclosure requires individual patient authorization that is separate from any general consent for treatment, payment, or healthcare operations. No other ePHI category in HIPAA carries this level of protection.

Telehealth Technical Safeguards

Every telehealth session transmits ePHI in real time. HIPAA requires the telehealth platform to provide end-to-end encryption, unique user authentication, automatic session timeout, and audit logging of connection metadata. The practice must have a signed BAA with the telehealth vendor. Cloud recordings of sessions, if any, must be encrypted at rest and subject to the same access controls as the clinical record. Post-COVID enforcement discretion has ended — these requirements are being actively enforced.

42 CFR Part 2 — Substance Abuse Records

Practices that provide substance abuse diagnosis, treatment, or referral are subject to 42 CFR Part 2 in addition to HIPAA. Part 2 requires written patient consent for each specific disclosure. The consent must name the recipient, the purpose, the specific information to be disclosed, and an expiration date. Each disclosure must include a written prohibition on re-disclosure. Violations carry separate penalties. Many behavioral health practices treating anxiety or depression also encounter substance use — triggering Part 2 without the practice's awareness.

Crisis Communication and Emergency Disclosures

Behavioral health practitioners regularly face situations involving imminent danger to the patient or others. HIPAA permits limited disclosure in emergencies, but the conditions are narrow: the disclosure must be necessary to prevent or lessen a serious and imminent threat, directed to a person reasonably able to prevent the threat, and documented immediately. The practice must have a written policy defining emergency disclosure protocols, and staff must be trained on the distinction between permitted emergency disclosure and impermissible breach.

Common behavioral health violations

Four violations that put behavioral health practices at the highest enforcement risk.

1. Mixing psychotherapy notes with general medical records

Under HIPAA section 164.508, psychotherapy notes receive extraordinary protection — more than any other category of health information. These notes cannot be disclosed without specific, written patient authorization, even to other treating providers or insurance companies. Yet many behavioral health practitioners store session notes in the same system as general treatment records, with the same access controls. When a billing coordinator or front desk staff member can view session notes, you have a violation that goes beyond standard ePHI exposure. The regulatory threshold here is higher than for any other specialty.

2. Telehealth platforms without BAAs or end-to-end encryption

The telehealth explosion since 2020 brought millions of therapy sessions onto video platforms. The temporary enforcement discretion that relaxed telehealth requirements during COVID-19 has ended. Every telehealth session is an ePHI transmission that requires end-to-end encryption, access controls, and a signed Business Associate Agreement with the platform provider. Using standard Zoom (not Zoom for Healthcare), FaceTime, or Google Meet for therapy sessions is a violation — regardless of patient consent. The platform itself must meet HIPAA technical requirements.

3. Substance abuse records shared without 42 CFR Part 2 authorization

If your practice treats patients with substance use disorders, patient records are subject to 42 CFR Part 2 — a federal regulation that imposes even stricter confidentiality requirements than HIPAA. Part 2 records cannot be re-disclosed without specific patient consent, cannot be used in legal proceedings against the patient, and require a prohibition on re-disclosure notice with every authorized release. Many behavioral health practices that treat co-occurring disorders are subject to Part 2 without realizing it. A single improper disclosure can trigger both HIPAA and Part 2 enforcement actions simultaneously.

4. Solo practice with no documented security infrastructure

The majority of behavioral health providers in the United States are solo practitioners or small group practices with two to five clinicians. Most have no IT staff, no dedicated compliance officer, and no formal security infrastructure. The HIPAA Security Rule does not scale its requirements based on practice size. A solo therapist working from a home office has the same obligation to conduct risk assessments, implement access controls, encrypt ePHI, train staff, and document everything as a hospital-based behavioral health department. The gap between obligation and implementation in solo behavioral health practice is the widest in healthcare.

Built for behavioral health

Compliance infrastructure designed for how behavioral health practices actually operate.

Patient Protect was built for independent practices — including solo therapists, small counseling groups, and multi-disciplinary behavioral health clinics. The platform addresses the specific regulatory complexity that behavioral health faces, starting at $39/month with no long-term contracts.

Segregated access controls for psychotherapy notes

Patient Protect implements role-based access that distinguishes between general treatment records and psychotherapy notes. Billing staff, front desk personnel, and even other treating providers can be restricted from session notes while maintaining appropriate access to treatment summaries, scheduling, and financial records. The audit trail documents every access attempt — successful or denied — creating the evidence OCR expects.
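The segregation described here, the psychotherapy-note authorization rule from the requirements section, and the 42 CFR Part 2 consent elements (named recipient, purpose, expiration date, re-disclosure prohibition) condensed into one added example; this is illustrative code, not Patient Protect's implementation. The category constants, role names, the `note_author` parameter and the ISO-string dates are assumptions.

```python
from dataclasses import dataclass

# Record categories the page distinguishes; constant, role and field names are assumptions.
GENERAL = "general_treatment"
PSYCHOTHERAPY = "psychotherapy_notes"
PART2 = "part2_sud_record"
GENERAL_READERS = {"treating_clinician", "billing", "front_desk"}  # assumed role policy

@dataclass
class Authorization:
    """One patient-signed authorization carrying the elements a Part 2 consent must name."""
    patient_id: str
    category: str
    recipient: str
    purpose: str
    expires: str  # ISO date, e.g. "2024-12-31", so string comparison orders correctly
    redisclosure_notice: bool = False  # written prohibition on re-disclosure attached?

# Audit trail of (user, category, allowed, reason); denied attempts are kept too.
AUDIT_LOG: list[tuple[str, str, bool, str]] = []

def _decide(user, category, allowed, reason):
    AUDIT_LOG.append((user, category, allowed, reason))
    return allowed

def authorize_access(user, role, patient_id, category, purpose, note_author,
                     authorizations, today):
    """Return True if `user` may read `category` for `patient_id`; every decision is logged."""
    if category == GENERAL:
        return _decide(user, category, role in GENERAL_READERS, "role policy")
    if user == note_author:  # the clinician who wrote the note keeps access to it
        return _decide(user, category, True, "note author")
    # Psychotherapy notes and Part 2 records: role membership alone never suffices;
    # a patient authorization must name this recipient and purpose and still be in force.
    for a in authorizations:
        if (a.patient_id, a.category, a.recipient, a.purpose) != (patient_id, category, user, purpose):
            continue
        if a.expires < today:
            return _decide(user, category, False, "authorization expired")
        if category == PART2 and not a.redisclosure_notice:
            return _decide(user, category, False, "Part 2 release lacks re-disclosure notice")
        return _decide(user, category, True, "patient authorization on file")
    return _decide(user, category, False, "no matching patient authorization")
```

A billing role is granted general records by role policy alone but is denied psychotherapy notes even though no explicit deny rule exists, and the denial lands in `AUDIT_LOG` alongside the grants.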

Telehealth compliance verification

The platform evaluates your telehealth tools against HIPAA technical requirements — encryption standards, BAA status, session logging, and data storage. When a telehealth vendor changes its terms of service or security configuration, you are alerted before it becomes a compliance gap. For practices using multiple platforms (individual sessions, group therapy, intake), each is tracked independently.

Solo practitioner compliance workflow

Most HIPAA platforms assume you have an IT department and a compliance team. Patient Protect assumes you are a solo therapist managing your own practice. Risk assessments, policy documentation, training modules, and security monitoring are built into a workflow that a single clinician can manage without technical expertise. $39/month replaces the $3,000-to-$5,000 annual cost of a compliance consultant.

Encrypted secure messaging

Replace unencrypted email, SMS, and voicemail with a HIPAA-compliant communication channel for appointment confirmations, session reminders, referral coordination, and prescription follow-ups. Every message is encrypted in transit and at rest, logged for audit purposes, and accessible only to authorized users. For behavioral health, where patient communication often contains the most sensitive information in healthcare, this eliminates the most common daily violation.

FAQ

Common questions about behavioral health HIPAA compliance.

Do psychotherapy notes have different HIPAA protections than other records?

Yes. Psychotherapy notes receive the highest level of protection under HIPAA. Section 164.508 requires specific, individual patient authorization before psychotherapy notes can be disclosed — even to other treating providers, insurance companies, or in response to subpoenas. This authorization must be separate from general consent forms. Most behavioral health EHR systems do not enforce this separation by default.

Is my telehealth platform HIPAA compliant?

A telehealth platform is only HIPAA compliant if it provides end-to-end encryption, supports a signed Business Associate Agreement, offers unique user authentication, and maintains session audit logs. Consumer-grade video tools — standard Zoom, FaceTime, Google Meet, Skype — do not meet these requirements. The temporary enforcement discretion during COVID-19 has ended. OCR is actively enforcing telehealth compliance requirements.

Does HIPAA apply to solo therapists in private practice?

Yes. There is no practice-size exemption in HIPAA. A solo therapist who transmits any health information electronically — filing insurance claims, using a telehealth platform, storing records in a cloud-based EHR — is a covered entity with full compliance obligations. The risk assessment, security safeguards, staff training, and documentation requirements apply identically regardless of practice size.

What is 42 CFR Part 2 and does it apply to my behavioral health practice?

42 CFR Part 2 is a federal regulation that provides additional confidentiality protections for substance abuse treatment records — beyond what HIPAA requires. It applies to any federally assisted program that provides substance abuse diagnosis, treatment, or referral. If your behavioral health practice treats substance use disorders, even as a secondary diagnosis, Part 2 likely applies. Violations carry separate penalties from HIPAA.

Next step

Your patients trust you with the most sensitive information in healthcare. Verify that trust is protected.

The free risk assessment evaluates your telehealth security, record segregation, vendor coverage, and access controls. Five minutes. Built for behavioral health.