
HIPAA Compliance for Therapists and Behavioral Health Practices: The Complete 2026 Guide

Everything therapists and behavioral health practices need to know about HIPAA compliance in 2026 — psychotherapy notes, telehealth BAAs, 42 CFR Part 2, solo practice obligations, and the step-by-step path to compliance.

Patient Protect Editorial Team·April 23, 2026·14 min read
HIPAA compliance overview for therapists covering psychotherapy notes and behavioral health data protection

HIPAA Compliance for Therapists and Behavioral Health Practices: The Complete 2026 Guide

Therapists, psychologists, counselors, and behavioral health practices are covered entities under HIPAA — subject to the same Privacy Rule, Security Rule, and Breach Notification Rule that govern hospitals and large health systems. The obligations are identical. The resources typically available to implement them are not.

What makes behavioral health unique in the compliance landscape is not the volume of regulations — it is the sensitivity of the data they govern. Mental health records, psychotherapy notes, substance abuse treatment records, and trauma histories represent the most personal category of protected health information that exists. A breach of a dental practice exposes insurance IDs and X-rays. A breach of a therapy practice exposes diagnoses, treatment plans, session notes, and disclosures made in the privacy of a clinical relationship.

Attackers know this. Dark-market pricing for mental health records reflects it. And HIPAA's architects knew it too — which is why behavioral health records receive specific, heightened protections that most therapists have never been trained to recognize.

This guide covers everything an independent therapy or behavioral health practice needs to know about HIPAA compliance in 2026: what the law requires, where the highest-risk areas are, what the vendor landscape looks like, how 42 CFR Part 2 adds a separate layer for substance abuse records, and the step-by-step path to full compliance.


Why Behavioral Health Faces the Most Complex HIPAA Landscape

Independent therapy practices face three compounding challenges that no other healthcare specialty deals with in quite the same combination.

The sensitivity problem. Mental health and substance abuse records are among the most sensitive categories of PHI. They can affect employment, child custody decisions, insurance coverage, security clearances, and personal relationships in ways that medical records rarely do. Patients who trust a therapist with their most private experiences have a specific and reasonable expectation that this information will be protected with more care than a billing address.

The solo practice problem. A significant proportion of therapists practice independently — a single clinician, no administrative staff, no IT infrastructure, no compliance officer. HIPAA does not reduce its requirements for solo practices. The Security Rule applies in full. The BAA requirement applies in full. The risk analysis requirement applies in full. The solo therapist who sees 35 patients a week and manages her own scheduling, billing, and clinical documentation is operating a covered entity with 45+ regulatory requirements and no team to implement them.

The telehealth transition problem. The COVID-19 pandemic shifted a significant portion of therapy practice to virtual delivery — and the emergency enforcement discretion that temporarily relaxed HIPAA requirements for telehealth platforms ended in 2023. Therapists who adopted consumer video platforms during the pandemic and never transitioned to compliant alternatives are now operating in violation. OCR is actively auditing telehealth compliance.


The Special Status of Psychotherapy Notes Under HIPAA

This is the most important and most commonly misunderstood element of HIPAA compliance for therapists.

HIPAA distinguishes between two categories of mental health records: general mental health information in a patient's medical record (diagnosis, treatment plan, medication, appointment history) and psychotherapy notes as specifically defined by the Privacy Rule.

Psychotherapy notes, under 45 CFR §164.501, are defined as notes recorded by a mental health professional that "document or analyze the contents of a conversation during a private counseling session or a group, joint, or family counseling session" — and that are kept separate from the rest of the patient's medical record.

The key phrase is "kept separate." Psychotherapy notes are only subject to the heightened protections if they are maintained in a separate file from the general treatment record. If a therapist keeps session notes in the main chart alongside diagnoses, treatment plans, and billing information, those notes are treated as standard ePHI — not as psychotherapy notes with special protections.

When psychotherapy notes do qualify for the heightened protection, the rules are significantly stricter:

Disclosure requires specific written authorization (§164.508(a)(2)). A general treatment authorization does not cover psychotherapy notes. Insurance companies, other providers, and even the patient's other treating clinicians cannot receive psychotherapy notes without a specific authorization that explicitly states what notes are being released and for what purpose.

Exceptions to the authorization requirement are narrow. A therapist can use their own psychotherapy notes without patient authorization. A supervisor training the therapist can access them. Disclosures required by law (court orders, mandatory reporting) are permitted. Beyond these, virtually every other disclosure requires explicit authorization.

The access request right is limited. Patients have a general right to access their medical records under HIPAA. Psychotherapy notes are an explicit exception — covered entities are permitted to deny patient access to psychotherapy notes.

What most therapy practices get wrong: Many therapists keep session notes, treatment plans, diagnoses, and clinical impressions in a single chart without distinguishing psychotherapy notes from the general record. This means their session notes are not technically "psychotherapy notes" under HIPAA. That removes the heightened protections, and it also means the notes must be produced in response to standard authorization requests, including insurance audits and legal requests, that a properly maintained psychotherapy note file could withstand.

The practical recommendation for most therapy practices: maintain a clear separation between the general treatment record (which insurance and other providers may access via standard authorization) and session process notes (which require psychotherapy note authorization). Document the separation practice in your privacy policies.


The 42 CFR Part 2 Layer: What Therapists Who Treat Substance Use Disorders Must Know

If your practice treats patients for substance use disorders — addiction, alcohol use disorder, drug dependency, co-occurring disorders — your records are subject to a second federal privacy framework that operates separately from and in addition to HIPAA.

42 CFR Part 2 governs the confidentiality of substance use disorder patient records at any federally-assisted program. "Federally-assisted" is broadly defined and applies to most licensed clinical practices. The rules differ from standard HIPAA in several critical ways:

The prohibition on disclosure is broader. Under Part 2, records related to substance use disorder diagnosis, treatment, or referral generally cannot be disclosed without patient consent — even to other treating providers, even in medical emergencies, with specific limited exceptions. Standard HIPAA permits many treatment-purpose disclosures without individual authorization. Part 2 does not.

Re-disclosure is specifically prohibited. Information disclosed with patient consent under Part 2 cannot be re-disclosed by the recipient without additional patient consent. This prohibition must be stated explicitly in any disclosure notice.

Court orders follow special procedures. A standard court subpoena or court order that would compel disclosure under HIPAA does not automatically override Part 2 protections. Part 2 requires a specific court order that follows a defined procedure before records can be released.

The 2024 updates aligned Part 2 more closely with HIPAA — allowing disclosures for treatment, payment, and healthcare operations with patient consent — but the consent requirement itself remains stricter than standard HIPAA.

What this means for therapy practices:

If your practice treats co-occurring disorders — which describes a significant portion of behavioral health practices — you must:

  • Maintain awareness of which patient records are subject to Part 2 protections
  • Obtain Part 2-compliant consent before disclosures of substance use disorder records
  • Include the required prohibition notice on any consented disclosures
  • Train staff on the distinction between standard HIPAA records and Part 2-protected records
  • Ensure your EHR or practice management system can segregate and handle Part 2 records appropriately

Most HIPAA compliance platforms do not address 42 CFR Part 2 at all. This is a meaningful gap for any behavioral health practice that treats addiction or substance use disorders.


Telehealth Compliance for Therapists: The Post-COVID Reality

The transition to telehealth created a compliance problem that the therapy community has been slow to fully address. During the COVID-19 public health emergency, OCR exercised enforcement discretion that temporarily permitted the use of non-HIPAA-compliant video platforms for telehealth — including FaceTime, Zoom without a BAA, and consumer video calling applications. That discretion ended May 11, 2023.

Since that date, every telehealth therapy session must comply with the full requirements of the HIPAA Security Rule:

  • The video platform vendor must have a signed BAA with the practice
  • The platform must provide end-to-end encryption for sessions
  • Session recordings (if made) must be stored in a HIPAA-compliant environment with a signed BAA
  • Chat messages and text-based communications during sessions are ePHI and must be treated accordingly
  • The device used to conduct sessions must be encrypted and password-protected

Platform BAA status — what therapists need to know:

Zoom: The free and standard Zoom plan does not include a BAA and is not HIPAA-compliant for therapy sessions. The Zoom for Healthcare plan includes a BAA. If you use Zoom, verify which plan you are on and execute the BAA before any clinical sessions.

Doxy.me: Doxy.me was built specifically for healthcare telehealth and offers a BAA. The free tier includes BAA availability. Verify your account status and execute the BAA if you haven't.

SimplePractice: SimplePractice's telehealth feature is integrated with their platform and is covered under their BAA with subscribers. Verify the BAA is current and reflects your current subscription.

TherapyNotes: TherapyNotes includes telehealth functionality with BAA coverage. Same verification recommended.

Google Meet, Microsoft Teams (free), FaceTime, Skype, WhatsApp: None of these platforms offer HIPAA-compliant BAAs for clinical use. Use of these platforms for therapy sessions that involve ePHI is a violation. Period.

The session recording problem: Many therapists who record sessions for supervision, documentation, or client access store recordings in Google Drive, Dropbox, or iCloud — consumer cloud storage services that offer no BAA and provide no HIPAA compliance. Every stored recording in a non-compliant location is unsecured ePHI. The entire history of stored recordings represents a potential breach if that cloud account is compromised.


The Behavioral Health Vendor BAA Checklist

For every vendor on this list, a therapy practice should have a signed, current BAA in place before sharing any ePHI:

Practice Management and EHR

  • SimplePractice
  • TherapyNotes
  • TheraNest (Therapy Brands)
  • Luminare Health (formerly Medicat)
  • ICANotes
  • Valant
  • Opus EHR
  • CarePaths

Telehealth Platforms

  • Zoom for Healthcare (verify it is the Healthcare plan)
  • Doxy.me
  • Mend
  • VSee
  • Spruce Health (if used for video)
  • Any EHR-integrated telehealth feature

Patient Communication and Scheduling

  • Spruce Health (messaging)
  • Klara
  • Luma Health
  • Appointment reminder services
  • Any secure messaging platform

Billing and Claims

  • Your billing service if third-party
  • Clearinghouses (Availity, Change Healthcare, etc.)
  • Credit card processors that handle patient invoicing with PHI

Cloud Storage and Backup

  • Any service storing session recordings
  • Clinical documentation backup
  • HIPAA-compliant cloud storage (Google Workspace with BAA, Microsoft 365 with BAA, etc.)
  • Note: Standard Google Drive, iCloud, and Dropbox — no BAA available

Supervision and Consultation

  • Any platform used for clinical supervision that involves case discussion with patient identifiers
  • Consultation groups that use shared platforms for case presentation

IT and Support

  • Managed IT provider if used
  • Anyone with remote access to systems containing ePHI

Group Practices: The Supervision and Trainee Access Problem

Group therapy practices and practices that employ or supervise trainees face specific compliance challenges that solo practitioners do not.

Trainee access to client records: Graduate students, practicum students, and supervised associates require access to client records as part of their training. HIPAA requires that access be limited to the minimum necessary for each individual's role. A trainee seeing a specific client should have access to that client's records. They should not have access to the entire caseload of the practice.

Group practices frequently violate this minimum necessary principle for the practical convenience of giving everyone the same access level. When a trainee or intern leaves the practice, their access must be immediately revoked — which requires individual credential management, not shared logins.

Supervision notes and recordings: Session recordings made for supervision purposes are ePHI. Supervision notes that reference client information are ePHI. The platform used for supervision (Zoom, phone calls, shared documents) must comply with HIPAA requirements if client identifiers are involved. "De-identified" discussion is not always as de-identified as it appears — a distinctive presentation discussed in a supervision group can identify a client to others in the group.

Group therapy documentation: Progress notes from group therapy sessions that identify participants to each other require careful handling. Participants in a group generally know who else is present — but HIPAA's minimum necessary standard still applies to how the practice documents, stores, and protects group session records.


How OCR Audits Behavioral Health Practices

OCR investigates therapy practices through the same three pathways as all covered entities: random audits, patient complaints, and breach notifications. For behavioral health practices, patient complaints are a disproportionate trigger — because the sensitivity of the information and the intimacy of the therapeutic relationship mean patients are more likely to notice and report when their information is mishandled.

When OCR investigates a behavioral health practice, they typically request:

  • Current Security Risk Analysis covering all ePHI systems, including telehealth platforms
  • Business Associate Agreements for all applicable vendors
  • Evidence of separate handling for psychotherapy notes (if claimed)
  • Policies and procedures governing telehealth security
  • Workforce training records with individual completion dates
  • Evidence of access controls appropriate to staff roles
  • Mobile device policies if staff use personal devices for clinical communication
  • Incident response documentation if a breach is under investigation

The findings most commonly cited in behavioral health enforcement actions are consistent with the broader pattern: missing or outdated risk analyses, inadequate BAAs (particularly for telehealth vendors), and missing workforce training documentation.


Step-by-Step: How to Become HIPAA Compliant as a Therapy Practice

Step 1: Determine and Document Your Covered Entity Status

Every therapist who transmits health information electronically is a covered entity. Document this in writing — a brief statement acknowledging your status, signed and dated. If you practice under a group practice entity, the group entity is the covered entity; individual practitioners are workforce members.

Step 2: Designate Security and Privacy Officers

For solo practices, this is you. For group practices, designate specific individuals by name. Document the designation formally. The Security Officer is accountable for ensuring technical and administrative safeguards are implemented. The Privacy Officer is accountable for ensuring patient rights are respected and disclosures are authorized.

Step 3: Audit Your Telehealth Platform

If you use any video platform for therapy sessions, verify today:

  • Does the vendor offer a BAA?
  • Is your account on a plan that includes BAA coverage?
  • Have you actually executed the BAA (signed, not just agreed to terms)?
  • Does the platform provide end-to-end encryption for sessions?

If any of these answers is no, you are currently conducting non-compliant telehealth sessions. This is not a forward-looking concern — it is a current, ongoing violation that accumulates with every session.

Step 4: Conduct a Security Risk Analysis

The SRA for a therapy practice must cover: your EHR or practice management system, your telehealth platform, any email used for patient communication, your devices (laptop, phone, tablet), any cloud storage of session recordings or clinical documentation, and your backup solution.

The analysis must document: what ePHI you hold, where it lives, what threats exist to each location, what controls are in place, what the residual risk is, and what your plan is for addressing unacceptable risks.

Step 5: Execute BAAs With Every Applicable Vendor

Use the checklist above. Start with your EHR, your telehealth platform, and your billing service — the three most critical relationships. Then work through the full list. Do not share ePHI with any vendor that cannot provide a BAA.

Step 6: Establish Your Psychotherapy Notes Policy

Decide how you will handle session process notes. If you want psychotherapy note protections to apply, establish and document a clear separation practice: psychotherapy notes in a separate, clearly labeled file; everything else in the general treatment record. Train yourself and any staff on the distinction.

Step 7: Address 42 CFR Part 2 If Applicable

If your practice treats substance use disorders:

  • Identify which patient records are subject to Part 2
  • Obtain Part 2-compliant consent before any disclosures of those records
  • Include required prohibition notices in disclosures
  • Train staff on Part 2 requirements
  • Ensure your EHR can handle Part 2 record segregation

Step 8: Train Your Workforce

Solo practitioners need self-directed HIPAA training with documentation. Group practices need individualized training records for every workforce member — including trainees and supervised associates. Training must cover: the basics of HIPAA Privacy and Security Rules, your specific policies and procedures, telehealth security requirements, and how to report a suspected breach.

Step 9: Secure Your Communication Channels

Establish a HIPAA-compliant patient messaging platform for all clinical communication. Stop using personal email and personal device texting for patient contact that involves ePHI. If you use appointment reminder services, verify BAA status.

Step 10: Build Your Incident Response Procedure

Document what you will do if you discover a breach: how you will assess it, how you will contain it, who you will notify (affected patients, HHS, potentially media for large breaches), and how you will document the response. The 60-day notification clock starts at discovery, not at resolution.


The Solo Therapist Reality

Solo practitioners in therapy and behavioral health face a specific version of this challenge that group practices do not: there is no one else. No compliance officer, no IT department, no colleague to delegate the risk assessment to.

The most important insight for solo therapists: HIPAA compliance for a solo practice does not require a compliance team. It requires a platform that handles the technical controls architecturally and walks you through the documentation requirements systematically.

A solo therapist using the right platform can have a documented Security Risk Analysis, signed BAAs with all applicable vendors, workforce training records (for themselves), and ongoing compliance monitoring — in a single working session, without a consultant, without a lawyer, without building a binder from scratch.

Patient Protect is built for exactly this practice profile. Starting at $39/month, no contracts, setup in under two hours.


Related: HIPAA Violations in Therapy Practices: What OCR Enforces and What Most Therapists Get Wrong →


This guide reflects HIPAA requirements under 45 CFR Parts 160 and 164 as of April 2026, including the 2025 Security Rule updates and 2024 42 CFR Part 2 updates. It is provided for informational purposes and does not constitute legal advice. Consult a qualified compliance professional for guidance specific to your practice.
