HIPAA Compliance for Mental Health Providers
Mental health providers face stricter HIPAA requirements than most healthcare entities. Psychotherapy notes receive special protections beyond standard PHI rules, and substance abuse records may also be governed by 42 CFR Part 2 — a separate federal law with even tighter restrictions. The convergence of HIPAA, 42 CFR Part 2, state mental health laws, and emerging state parity laws creates a layered compliance obligation that most mental health practices struggle to navigate without regular legal review.
Penalty Range: $145 – $2,190,294 per violation category per year (2026 adjusted)
Compliance Context for Mental Health Providers
Mental health providers operate under a uniquely complex compliance landscape. In addition to HIPAA, they must navigate 42 CFR Part 2 for substance use records, state mental health laws that may be stricter than HIPAA, and emerging state parity laws requiring insurance coverage for mental health at the same level as physical health. The 2023 Final Rule strengthened mental health parity requirements, creating new obligations for providers to document non-discriminatory access to care. OCR has specifically identified mental health providers as enforcement priorities, citing widespread violations in how therapists handle telehealth and patient communications.
Key HIPAA Requirements for Mental Health Providers
- Psychotherapy notes stored separately from the medical record
- Separate written authorization required to disclose psychotherapy notes
- 42 CFR Part 2 compliance for substance use disorder records
- Telehealth platform must be HIPAA-compliant with BAA from vendor
- Minimum Necessary standard strictly applied to disclosures
- Annual staff training on mental health-specific privacy rules
- 42 CFR Part 2 compliance: separate consent process for substance use disorder records with restricted re-disclosure
- Telehealth platform BAA: documented BAA with every telehealth vendor used for patient communications
- Minimum Necessary standard: documented policy for restricting PHI disclosures to the minimum necessary
- Psychotherapy notes protection: documented procedures for separating and separately protecting session notes from the medical record
- Subpoena response protocol: documented procedures for evaluating and responding to subpoenas for mental health records
- Patient restriction requests: documented procedures for implementing and honoring patient-requested restrictions on PHI disclosure
- Mental health parity documentation: documented compliance with DOL mental health parity requirements in treatment records
- State law inventory: documented analysis of all applicable state mental health privacy laws that may be stricter than HIPAA
- Mobile device encryption: documented encryption requirements for therapist mobile devices that access patient records
- Family communication policy: documented procedures for verifying patient authorization before sharing information with family members
- Breach notification for mental health: documented incident response procedures specific to mental health record breaches
- Peer review confidentiality: documented protection for quality assurance and peer review activities related to mental health services
- Consultation documentation: documented procedures for recording and protecting consultations with other providers
- Intake form privacy: documented privacy notices and acknowledgment procedures for new patients at intake
- Staff HIPAA training: documented annual training with emphasis on mental health-specific privacy obligations
- Deceased patient records: documented procedures for managing HIPAA obligations when a patient passes away
- Court-ordered treatment documentation: documented procedures for handling court-mandated disclosures of mental health records
- Crisis intervention records: documented protection protocols for crisis hotline and emergency intervention documentation
- Substance use treatment coordination: documented procedures for coordinating care while maintaining Part 2 confidentiality
- Telehealth technology standards: documented requirements for HIPAA-compliant video platforms meeting Security Rule standards
Common Violations & Pitfalls
- Disclosing psychotherapy notes without specific written authorization
- Using non-HIPAA-compliant video platforms (Zoom consumer, FaceTime) for telehealth
- Improper sharing of substance abuse records without 42 CFR Part 2 consent
- Texting patient PHI from personal phones without encryption
- Telehealth sessions conducted via consumer-grade platforms without a HIPAA-compliant BAA
- 42 CFR Part 2 consent combined with a general HIPAA authorization, violating the single-disclosure rule
Frequently Asked Questions
What is the difference between psychotherapy notes and the rest of the medical record under HIPAA?
HIPAA distinguishes between psychotherapy notes (separate, more protected) and the rest of the mental health record. Psychotherapy notes are defined as notes recorded by a mental health provider documenting the content of a counseling session, which are separated from the rest of the medical record. They include the provider's subjective impressions, treatment plan, and session details. The rest of the record — diagnoses, medications, attendance, billing information — is not psychotherapy notes. Psychotherapy notes require a specific, separate written authorization for any disclosure, even to other healthcare providers, and cannot be included in the patient's general medical record.
When does 42 CFR Part 2 apply to mental health providers?
42 CFR Part 2 applies when a mental health provider (or any program) is federally assisted and holds itself out as providing, or actually provides, substance use disorder (SUD) treatment. If your practice provides counseling for substance use — even as part of general mental health treatment — Part 2 rules likely apply. Part 2 is significantly stricter than HIPAA: patient consent to disclose Part 2 records must be specific to the single disclosure (no blanket authorizations), the receiving party cannot re-disclose without patient consent, and the patient has the right to suppress their records from certain disclosure. Violations can result in denial of federal funding and criminal penalties.
Can mental health providers use consumer video platforms for telehealth?
No. Consumer-grade video platforms like Zoom (free or consumer accounts), FaceTime, Google Meet, and WhatsApp Video are not HIPAA-compliant because they lack BAAs and are not designed for healthcare use. Mental health providers must use HIPAA-compliant telehealth platforms that provide a signed BAA and meet the Security Rule requirements (encryption, access controls, audit logging). HIPAA-compliant platforms include Doxy.me (with BAA), Zoom for Healthcare, Microsoft Teams for Healthcare, and similar enterprise products. A counselor using FaceTime for telehealth sessions creates a HIPAA violation every time it occurs.
Can a therapist respond to a subpoena for a patient's therapy notes?
Only with a specific written authorization from the patient that is narrowly tailored to the disclosure, OR with a valid court order after an in camera review by a judge. A general subpoena for records is not sufficient to authorize disclosure of psychotherapy notes under HIPAA — the therapist must raise the 'separate authorization' requirement and, if the subpoena is accompanied by a court order, the therapist should consult with legal counsel before responding. Disclosing psychotherapy notes without proper authorization — even in response to a subpoena — is a HIPAA violation.
What are the HIPAA requirements for mental health apps used by patients?
If a mental health provider recommends or prescribes a mental health app to a patient, the provider becomes a covered entity responsible for ensuring that app does not compromise PHI. Any app that stores, processes, or transmits PHI on behalf of a covered entity requires a signed BAA with the app vendor. Providers should assess whether patient-facing apps have a BAA available, whether they are encrypted, and whether data is stored on US-based servers. Apps without BAAs — including popular mental health and mood-tracking apps — should not be used to store or communicate PHI with patients in a HIPAA-covered context.