HIPAA Compliance for Mental Health Providers

Mental health providers face stricter HIPAA requirements than most healthcare entities. Psychotherapy notes receive special protections beyond standard PHI rules, and substance abuse records may also be governed by 42 CFR Part 2 — a separate federal law with even tighter restrictions.

Key HIPAA Requirements for Mental Health Providers

• Psychotherapy notes stored separately from the medical record
• Separate written authorization required to disclose psychotherapy notes
• 42 CFR Part 2 compliance for substance use disorder records
• Telehealth platform must be HIPAA-compliant with BAA from vendor
• Minimum Necessary standard strictly applied to disclosures
• Annual staff training on mental health-specific privacy rules

Common Violations & Pitfalls

• Disclosing psychotherapy notes without specific written authorization
• Using non-HIPAA-compliant video platforms (Zoom consumer, FaceTime) for telehealth
• Improper sharing of substance abuse records without 42 CFR Part 2 consent
• Texting patient PHI from personal phones without encryption

More HIPAA Resources

• Complete HIPAA Framework Guide
• HIPAA Penalty Tiers
• HIPAA Breach Notification Penalties
• HIPAA for Dental Practices
• Upcoming HIPAA Compliance Deadlines
• HIPAA Risk Calculator
• Find a HIPAA Compliance Consultant
• Get Weekly Compliance Intelligence Briefs