Intermediate · 22 min read

HIPAA Compliance for Mental Health Therapists

HIPAA guide for therapists and counselors covering psychotherapy notes, confidentiality, teletherapy, and special protections.

Topics: Psychotherapy Notes · Confidentiality · Teletherapy · Special Protections · 42 CFR Part 2

Mental Health Records Under HIPAA

Mental health practitioners — including psychologists, psychiatrists, licensed clinical social workers (LCSWs), licensed professional counselors (LPCs), marriage and family therapists (MFTs), and other behavioral health providers — are covered entities under HIPAA when they transmit health information electronically in connection with standard transactions (45 CFR § 160.103).

Mental health records receive some of the strongest protections under HIPAA due to the sensitive nature of the information they contain. Understanding these protections is critical for compliance and for maintaining the therapeutic relationship.

General Mental Health Records vs. Psychotherapy Notes

HIPAA draws a crucial distinction between general mental health records and psychotherapy notes (45 CFR § 164.501).

General mental health records include:

  • Patient demographics and contact information
  • Diagnoses and diagnostic codes
  • Treatment plans and goals
  • Medication prescriptions and management notes
  • Session dates and durations
  • Results of clinical assessments and tests
  • Billing and insurance information
  • Correspondence with other providers
  • Progress notes that summarize treatment

Psychotherapy notes (sometimes called "process notes") are:

  • Notes recorded by the therapist during or after a session
  • Used by the therapist to analyze the patient's statements and behavior
  • Separated from the rest of the medical record
  • A record of the therapist's impressions, hypotheses, and therapeutic approach
  • Not intended to be shared with other providers or used for treatment, payment, or operations

Special Protections for Psychotherapy Notes

Psychotherapy notes receive enhanced protection under HIPAA (45 CFR § 164.508(a)(2)):

  • Authorization required: Most uses and disclosures of psychotherapy notes require a specific, written patient authorization — even for treatment, payment, and healthcare operations (with limited exceptions)
  • Separate from the medical record: Psychotherapy notes must be stored separately from the general medical record
  • Cannot be required by health plans: Insurance companies cannot condition coverage on receiving psychotherapy notes
  • Limited exceptions: Authorization is NOT required when:
    • The therapist who wrote the notes uses them for treatment
    • The covered entity uses them for training programs
    • Required by law (court order, mandatory reporting)
    • To defend against a legal action brought by the patient
    • For HHS enforcement activities
    • To avert a serious threat to health or safety

Important distinction: If your clinical notes include information about diagnosis, treatment plans, symptoms, prognosis, and progress, they are likely general mental health records (progress notes), NOT psychotherapy notes — even if recorded during therapy sessions. Psychotherapy notes are specifically the therapist's private analysis and impressions kept separately.
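One way to make the authorization rules above enforceable rather than advisory is to encode them as a policy check in the EHR's access layer. The following is an added example, not code from the guide or from any product it mentions: it encodes the psychotherapy-note rule and its limited exceptions alongside the ordinary rule for general mental health records, so every decision is deterministic and carries a loggable reason. The field names, purpose strings and user identifiers are assumptions for illustration.

```python
"""Policy-as-code check for psychotherapy-note disclosures.

Added example, not part of the original guide. Encodes the authorization
rule and limited exceptions for psychotherapy notes (45 CFR 164.508(a)(2))
next to the routine rule for general records. Field names and purpose
strings are assumptions for illustration.
"""
from dataclasses import dataclass

# Purposes that never need patient authorization, even for psychotherapy
# notes (the "limited exceptions" listed above).
EXCEPTION_PURPOSES = {
    "training",              # covered entity's own training program
    "required_by_law",       # court order, mandatory reporting
    "defend_legal_action",   # legal action brought by the patient
    "hhs_enforcement",
    "avert_serious_threat",
}
ROUTINE_PURPOSES = {"treatment", "payment", "operations"}
RECORD_TYPES = {"psychotherapy_note", "general_record"}


@dataclass(frozen=True)
class Request:
    record_type: str            # "psychotherapy_note" or "general_record"
    purpose: str                # routine purpose, exception, or anything else
    requester_id: str           # user or organisation asking for the record
    note_author_id: str = ""    # therapist who wrote the note (psychotherapy notes)
    authorization_on_file: bool = False  # specific written authorization for this use


def evaluate(req: Request) -> tuple:
    """Return (permitted, reason). Every denial names the missing condition."""
    if req.record_type not in RECORD_TYPES:
        return False, f"unknown record type: {req.record_type}"
    if req.purpose in EXCEPTION_PURPOSES:
        return True, f"exception: {req.purpose}"
    if req.record_type == "general_record":
        # Progress notes, diagnoses, treatment plans: treatment, payment and
        # operations are permitted without authorization.
        if req.purpose in ROUTINE_PURPOSES:
            return True, "general record: routine use"
        if req.authorization_on_file:
            return True, "general record: authorization on file"
        return False, "general record: non-routine purpose needs authorization"
    # Psychotherapy notes: only the originating therapist may use them for
    # treatment; everyone else, health plans included, needs authorization.
    if (req.purpose == "treatment" and req.note_author_id
            and req.requester_id == req.note_author_id):
        return True, "originating therapist using own notes for treatment"
    if req.authorization_on_file:
        return True, "specific written authorization on file"
    return False, "psychotherapy notes require specific written authorization"


if __name__ == "__main__":
    for r in (Request("psychotherapy_note", "treatment", "dr_lee", note_author_id="dr_lee"),
              Request("psychotherapy_note", "payment", "health_plan_a"),
              Request("general_record", "payment", "health_plan_a")):
        print(r.record_type, r.purpose, r.requester_id, "->", evaluate(r))
```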

Additional Protections Under 42 CFR Part 2

Substance use disorder (SUD) treatment records receive additional federal protections under 42 CFR Part 2, which is even more restrictive than HIPAA. If your practice provides substance abuse treatment or maintains substance abuse records:

  • Patient consent is required for virtually all disclosures, with very limited exceptions
  • Consent must be in writing and include specific elements
  • Records cannot be re-disclosed by the recipient without additional consent
  • Special rules apply for medical emergencies, research, and audit purposes
  • Criminal penalties may apply for violations

Recent amendments have aligned 42 CFR Part 2 more closely with HIPAA, but the additional consent requirements remain in effect. Mental health practices that treat co-occurring substance use disorders must comply with both HIPAA and 42 CFR Part 2.

Patient Rights in Mental Health Settings

Patients receiving mental health treatment retain all standard HIPAA rights, with some important nuances.

Right of Access (45 CFR § 164.524)

  • Patients generally have the right to access their mental health records
  • Exception for psychotherapy notes: Patients do NOT have a right of access to psychotherapy notes under HIPAA
  • Denial based on harm: A licensed mental health professional may deny access to general mental health records if, in their professional judgment, access would reasonably endanger the life or physical safety of the patient or another person (45 CFR § 164.524(a)(3))
  • If access is denied on this basis, the patient has the right to a review by another licensed professional
  • Some state laws grant broader patient access rights than HIPAA — always follow the more protective standard

Right to Request Amendments

  • Patients may request amendments to their mental health records
  • If the therapist believes the record is accurate, they may deny the amendment but must document the request and denial
  • Psychotherapy notes are generally not subject to amendment requests

Right to an Accounting of Disclosures

  • Patients can request an accounting of disclosures made of their mental health records
  • This includes disclosures for public health, law enforcement, and legal proceedings
  • Disclosures for treatment, payment, and operations are typically excluded
  • Maintain records of all disclosures for at least six years

Right to Request Restrictions

  • Patients may request restrictions on how their mental health information is used or disclosed
  • While you are not required to agree to most restrictions, you must agree when both of the following apply:
    • The disclosure would be to a health plan for payment or operations
    • The patient has paid out of pocket in full for the service

This right is particularly important in mental health settings, where patients may not want certain information shared with their primary care physician or insurance company.

Telehealth and Teletherapy Compliance

The rapid expansion of telehealth has created significant HIPAA compliance considerations for mental health providers. Teletherapy introduces unique privacy and security risks that must be addressed.

Platform Requirements

Not all video conferencing platforms are HIPAA compliant. A compliant telehealth platform must:

  • Encrypt communications end-to-end (both audio and video)
  • Provide a signed BAA — the platform vendor must execute a Business Associate Agreement
  • Support access controls including user authentication
  • Maintain audit logs of session activity
  • Prevent unauthorized recording or data storage

Platforms that are generally NOT HIPAA compliant without specific healthcare configurations:

  • Standard Zoom (the free consumer version)
  • FaceTime
  • Skype (consumer version)
  • Facebook Messenger
  • Google Hangouts

Platforms designed for HIPAA-compliant telehealth include:

  • Zoom for Healthcare (with BAA)
  • Doxy.me
  • SimplePractice Telehealth
  • TherapyNotes
  • VSee
  • Other platforms specifically designed for healthcare with BAA availability

Documentation for Teletherapy Sessions

  • Document the patient's location at the start of each session (this may affect licensure and jurisdiction)
  • Note the technology platform used
  • Record any technical difficulties that interrupted the session
  • Document informed consent for telehealth services
  • Maintain the same clinical documentation standards as in-person sessions

Patient Environment Considerations

While you cannot control the patient's environment during a teletherapy session, you should:

  • Advise patients to find a private location for sessions
  • Discuss risks of conducting therapy in shared spaces
  • Address what to do if someone enters the room during a session
  • Document that you discussed privacy considerations with the patient
  • Encourage use of headphones for additional auditory privacy

Therapist Environment Requirements

Your telehealth workspace must protect patient privacy:

  • Conduct sessions in a private room with a closed door
  • Ensure your screen is not visible to others
  • Use headphones to prevent others from hearing the patient
  • Secure your internet connection (avoid public Wi-Fi)
  • Lock your device when not in use

Confidentiality and the Minimum Necessary Standard

Confidentiality is the cornerstone of effective mental health treatment. HIPAA's minimum necessary standard (45 CFR § 164.502(b)) is particularly important in mental health settings.

Applying the Minimum Necessary Standard

When disclosing mental health information:

  • For treatment: The minimum necessary standard does not apply to disclosures for treatment purposes between covered entities. However, mental health professionals should still exercise clinical judgment about what information is appropriate to share
  • For payment: Disclose only the information needed to process the claim — diagnoses and procedure codes, not detailed session notes
  • For healthcare operations: Limit disclosures to what is needed for the specific operational purpose
  • For all other purposes: Apply the minimum necessary standard rigorously

Coordination with Other Providers

When coordinating care with other healthcare providers:

  • Share only information relevant to the coordinated care
  • Consider what the receiving provider actually needs to know
  • Document what information was shared and the purpose
  • If the patient has requested restrictions, honor them unless an exception applies
  • For referrals, provide a summary rather than the entire treatment record when possible

State Law Considerations

Many states have mental health privacy laws that are more protective than HIPAA. When state law provides greater protection, you must follow the state law. Common state law protections include:

  • Stricter consent requirements for mental health record disclosures
  • Additional protections for specific conditions (HIV/AIDS, substance abuse, genetic information)
  • Broader definitions of what constitutes protected mental health information
  • More restrictive rules for disclosures to family members
  • Specific provisions for minors seeking mental health treatment

Always research and comply with the laws of every state in which you practice, especially if you provide teletherapy across state lines.

Security for Mental Health Practices

Mental health practices must implement the full range of HIPAA security safeguards (45 CFR §§ 164.308, 164.310, 164.312).

Administrative Safeguards

  • Designate a Security Officer responsible for HIPAA security compliance
  • Conduct a Security Risk Assessment at least annually
  • Develop and maintain security policies covering all aspects of ePHI protection
  • Implement workforce training on security awareness and procedures
  • Establish incident response procedures for security events
  • Manage business associate relationships with signed BAAs and ongoing oversight

Physical Safeguards

  • Secure your office with locks, access controls, and visitor management
  • Protect workstations with privacy screens, automatic logoff, and cable locks
  • Secure devices — lock laptops, tablets, and phones when not in use
  • Control media disposal — shred paper records, wipe electronic media before disposal
  • Separate waiting areas from treatment spaces to prevent inadvertent disclosure

Technical Safeguards

  • Implement strong access controls with unique user IDs and role-based permissions
  • Use encryption for all ePHI at rest and in transit
  • Enable audit logging on all systems that access ePHI
  • Maintain automatic logoff to prevent unauthorized access to unattended systems
  • Install and update security software including antivirus and anti-malware
  • Secure your network with firewalls, intrusion detection, and network segmentation
  • Back up data regularly and test restoration procedures
  • Use multi-factor authentication for remote access and sensitive systems

Solo Practitioner Considerations

Many mental health professionals are solo practitioners, which creates unique security challenges:

  • You may be your own Security Officer, Privacy Officer, and IT administrator
  • Budget constraints may limit security investments — prioritize encryption and access controls
  • Consider cloud-based, HIPAA-compliant EHR systems that include built-in security features
  • Use managed IT services with a signed BAA for technical security support
  • Do not store PHI on personal devices unless they are properly encrypted and secured

Documentation and Record Keeping

Proper documentation is essential for both clinical care and HIPAA compliance.

Clinical Documentation Best Practices

  • Maintain clear, contemporaneous records of each patient encounter
  • Distinguish between progress notes (part of the medical record) and psychotherapy notes (stored separately)
  • Document informed consent for treatment, telehealth, and any special authorizations
  • Record all disclosures of PHI and the basis for each disclosure
  • Document patient requests regarding their privacy rights and your responses

HIPAA Compliance Documentation

  • Maintain your Security Risk Assessment and remediation plans
  • Keep copies of all policies and procedures (current and historical)
  • Document all training sessions with dates, topics, and attendees
  • Retain Business Associate Agreements and related correspondence
  • Keep breach investigation records and notification documentation
  • Retain all compliance documentation for a minimum of six years

Record Retention

  • Follow state law for clinical record retention (often 7-10 years after last treatment, longer for minors)
  • Retain HIPAA compliance documentation for at least six years
  • Establish a secure destruction process for records that have exceeded their retention period
  • Document the destruction of records including what was destroyed and when

Breach Response for Mental Health Practices

Given the sensitivity of mental health information, breaches can be particularly harmful to patients. Mental health practices must be prepared to respond quickly and effectively.

Identifying a Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by HIPAA (45 CFR § 164.402). In mental health settings, common breach scenarios include:

  • Sending therapy notes to the wrong patient or provider
  • Unauthorized access to records by staff members
  • Lost or stolen devices containing patient information
  • Cyberattacks or ransomware affecting practice systems
  • Improper disposal of records
  • Unauthorized disclosure of therapy information to family members

Breach Response Steps

  1. Contain the breach — stop the unauthorized access or disclosure immediately
  2. Investigate — determine what information was involved, who was affected, and how the breach occurred
  3. Assess the risk — evaluate the probability that PHI was compromised using the four-factor risk assessment (45 CFR § 164.402)
  4. Notify affected individuals — within 60 days of discovery for breaches affecting 500+ individuals; as soon as practicable for smaller breaches
  5. Notify HHS — report breaches affecting 500+ individuals within 60 days; report smaller breaches annually
  6. Notify the media — required for breaches affecting 500+ individuals in a state or jurisdiction
  7. Document everything — maintain records of the breach, investigation, and response for at least six years

How HIPAA Agent Helps Mental Health Practices

HIPAA Agent provides specialized compliance tools for mental health practitioners:

  • Psychotherapy notes guidance to help you properly classify and protect different types of clinical documentation
  • Telehealth compliance assessments to verify your teletherapy platform and practices meet HIPAA requirements
  • 42 CFR Part 2 integration for practices treating substance use disorders
  • State law cross-reference to identify when state mental health privacy laws exceed HIPAA requirements
  • Security Risk Assessments tailored to solo practitioners and small mental health practices
  • Policy templates designed for mental health workflows, including psychotherapy notes policies and teletherapy procedures
  • Training modules covering mental health-specific HIPAA topics

Frequently Asked Questions

Are psychotherapy notes the same as progress notes?

No. Psychotherapy notes are the therapist's personal analysis and impressions documented during or after a session, kept separately from the medical record. Progress notes — which summarize session content, treatment progress, diagnoses, and plans — are part of the general medical record and do not receive the same enhanced protections as psychotherapy notes.

Can a patient's family member request their therapy records?

Generally, no — not without the patient's written authorization, unless the family member is the patient's personal representative (e.g., a parent of a minor child, or a legally appointed guardian). Even personal representatives may be denied access if the therapist believes disclosure could endanger the patient.

Do I need a BAA for my telehealth platform?

Yes. Any technology platform that transmits, stores, or has access to PHI on your behalf is a business associate and must sign a BAA. This includes telehealth video platforms, EHR systems, billing software, appointment scheduling tools, and secure messaging services.

Can I be required to disclose mental health records in court?

HIPAA permits disclosures in response to a court order (45 CFR § 164.512(e)). However, a subpoena alone (without a court order) requires either patient authorization or specific assurances that the patient has been notified. State laws may provide additional protections. Consult legal counsel when you receive legal process seeking patient records.

How does HIPAA apply to group therapy?

In group therapy, participants may learn health information about other group members. While HIPAA does not prevent you from conducting group therapy, you should establish ground rules about confidentiality, obtain informed consent that acknowledges the group setting, and avoid including other patients' identifying information in individual records.

What are my obligations for mandatory reporting?

HIPAA permits (and in some cases requires) disclosures for mandatory reporting obligations such as child abuse, elder abuse, and threats of harm. These disclosures are permitted under the "required by law" exception (45 CFR § 164.512(a)) and the "serious threat" exception (45 CFR § 164.512(j)). Document all mandatory reports and the basis for the disclosure.
