HIPAA Compliance Checklist for Mental Health Providers

Psychotherapy notes (personal observations recorded during a session) must be stored separately from the patient's clinical record. They cannot be included in the designated record set and require a separate, specific authorization for disclosure — even to the patient's insurance company.

Include your EHR, telehealth platform, encrypted messaging tools, cloud storage, and any personal devices used for patient communication. Document every identified risk and your mitigation plan.

If you treat patients for substance use disorders, their records receive extra protection under 42 CFR Part 2. Disclosure requires patient written consent that names the specific recipient, purpose, and expiration date. General HIPAA authorizations are not sufficient.

Consumer video tools (FaceTime, Skype, standard Zoom) are not HIPAA-compliant. Use platforms that offer a BAA and end-to-end encryption: Zoom for Healthcare, Doxy.me, SimplePractice Telehealth, or TherapyNotes. Keep the signed BAA on file.

State laws vary on whether parents can access a minor's mental health records. In many states, minors 12+ can consent to outpatient mental health treatment without parental consent, and the provider may deny parents access to those records. Document your state's rules and your practice policy.

Solo practitioners may serve as their own officer but must document the designation. The officer is responsible for policy development, staff training, and breach response coordination.

A general HIPAA release does not authorize disclosure of psychotherapy notes. You need a separate, specific authorization form that clearly identifies the notes being released and cannot be combined with other authorizations.

Laptops, tablets, smartphones — if any device stores or accesses ePHI, enable full-disk encryption. This includes personal devices used for after-hours patient calls or secure messaging.

Standard SMS and email are not encrypted. Use a HIPAA-compliant patient portal or encrypted messaging system for appointment reminders, session follow-ups, and prescription coordination.

HIPAA permits disclosure to prevent serious and imminent threat to health or safety (45 CFR 164.512(j)). Staff must know when mandatory reporting obligations (child abuse, elder abuse, danger to self or others) override confidentiality, and how to document the disclosure.

Mental health breaches are especially sensitive. Define how you will investigate, assess harm, notify patients within 60 days, and document corrective actions. Consider offering credit monitoring for breaches involving SSNs or financial data.

Front-desk staff should have access to scheduling and billing data but not clinical session notes. Configure role-based access in your EHR to enforce this separation.

Mental health records are frequently subpoenaed in custody disputes, disability claims, and criminal cases. A valid court order differs from a subpoena — know the difference. HIPAA permits disclosure in response to a court order but limits what a subpoena alone can compel.

Soundproofing between therapy rooms and waiting areas prevents incidental disclosure. White noise machines, solid-core doors, and check-in procedures that do not require patients to state their reason for visit aloud are all reasonable safeguards.

Every vendor who stores, processes, or transmits PHI on your behalf needs a signed BAA. Common oversights: transcription services, online scheduling tools, cloud storage for session recordings.

HIPAA requires policies to be retained for 6 years, but state laws often require clinical records to be kept for 7-10 years (longer for minors). Define retention periods for each record type, destruction methods, and responsible personnel.

Assign a calendar date for annual policy review. Document all changes, re-train affected staff, and retain prior versions for the six-year retention period.