In 2022, OCR settled with a psychiatric practice in New England for $150,000 after an impermissible disclosure of a patient's mental health records to an employer — records the patient never authorized to be shared. The case underscored what I've observed repeatedly in my work with behavioral health organizations: HIPAA for mental health professionals carries unique complexities that general compliance training rarely covers. If your practice handles psychotherapy notes, substance use disorder records, or telehealth therapy sessions, the standard Privacy Rule playbook isn't enough.
Why HIPAA for Mental Health Professionals Demands Extra Vigilance
Mental health records are among the most sensitive categories of protected health information (PHI). A breach involving therapy session notes or a psychiatric diagnosis can cause irreversible harm to a patient's career, relationships, and personal safety. OCR recognizes this, and enforcement actions against behavioral health providers have increased steadily.
The Privacy Rule defines psychotherapy notes at 45 CFR § 164.501 and, at § 164.508(a)(2), requires the patient's written authorization for almost every use or disclosure of them. These protections go beyond what applies to the rest of the medical record, and mental health professionals who don't understand the distinction put their patients and their practices at serious risk.
Psychotherapy Notes: The Protection Most Practices Misunderstand
Under HIPAA, psychotherapy notes occupy a privileged category. They are the notes a mental health professional records, in any medium, documenting or analyzing the contents of a counseling session, and that are kept separate from the rest of the patient's medical record. The definition excludes medication prescription and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date. Those items are ordinary PHI, however sensitive they may be.
The critical distinction: a covered entity generally cannot use or disclose psychotherapy notes without a specific, written patient authorization, even for treatment, payment, or healthcare operations. This is stricter than the rules governing most other PHI. The exceptions listed in § 164.508(a)(2) are narrow: use by the originator for treatment; use in the covered entity's own training programs for mental health trainees; use to defend a legal action brought by the patient; and disclosures that are required by law, made to HHS for compliance review, made for health oversight of the originator, made to a coroner or medical examiner, or needed to avert a serious and imminent threat under § 164.512(j)(1)(i). Routine law enforcement requests are not on that list.
I regularly see practices store psychotherapy notes in the same EHR system as general treatment records without proper access controls. This is a compliance failure on two fronts. First, notes that are not separated from the rest of the record do not meet the definition of psychotherapy notes at all, so they lose the heightened protection and can flow into treatment and payment disclosures like any other PHI. Second, if your entire staff can view therapy notes through a shared system, you're violating the minimum necessary standard (§ 164.502(b)) and the Security Rule's access control requirement (§ 164.312(a)(1)) at the same time.
Practical Steps to Protect Psychotherapy Notes
- Store psychotherapy notes in a separate location, physically or electronically, from the patient's general medical record. Separation is part of the regulatory definition, not just good practice.
- Implement role-based access controls so that, by default, only the originating clinician can access these notes; any other access should be tied to a documented authorization or a specific § 164.508(a)(2) exception, and every access attempt should be logged.
- Never include psychotherapy note content in billing records, referral letters, or treatment summaries shared with other providers unless you have a valid, specific authorization.
- Train every member of your workforce — including front desk staff and billing personnel — on why psychotherapy notes require separate handling.
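The steps above describe a policy; the following is an added example, written for this page rather than taken from the article or from any EHR product, of how a practice's own application layer could enforce it. It keeps psychotherapy notes in a store separate from the general record, allows a note to be read only by its originator for treatment or by a named recipient with a specific, unexpired written authorization, applies ordinary role-based access to the general record, and writes an audit event for every allow and deny decision. The class and function names (NoteStore, read_psych_note, the role map) and all patients, users, note IDs and note text are constructed for illustration.

```python
"""Added example: originator-only access to psychotherapy notes with an audit
trail. Not code from the article or any EHR vendor; all data is constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"


@dataclass(frozen=True)
class PsychotherapyNote:
    note_id: str
    patient_id: str
    originator: str   # clinician who recorded the note
    text: str


@dataclass(frozen=True)
class Authorization:
    """A specific, written, time-limited patient authorization (45 CFR 164.508)."""
    patient_id: str
    recipient: str
    note_ids: frozenset
    expires: datetime


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    record: str
    purpose: str
    allowed: bool
    reason: str


class NoteStore:
    # Hypothetical role map for the *general* record: which TPO purposes each
    # workforce role may read it for. A real practice derives this from its own
    # minimum necessary policy.
    ROLE_PURPOSES = {
        "clinician": {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS},
        "billing": {Purpose.PAYMENT, Purpose.OPERATIONS},
        "front_desk": {Purpose.OPERATIONS},
    }

    def __init__(self):
        self._general = {}          # patient_id -> general record (diagnosis, meds, ...)
        self._psych = {}            # note_id -> PsychotherapyNote, never merged above
        self._authorizations = []
        self.audit_log = []

    def add_general(self, patient_id, record):
        self._general[patient_id] = record

    def add_psych_note(self, note):
        self._psych[note.note_id] = note

    def add_authorization(self, auth):
        self._authorizations.append(auth)

    def _log(self, user, record, purpose, allowed, reason, now):
        self.audit_log.append(AuditEvent(now, user, record, purpose.value, allowed, reason))

    def read_general(self, user, role, patient_id, purpose, now=None):
        """Ordinary PHI: role-based access for treatment, payment, operations."""
        now = now or datetime.now(timezone.utc)
        allowed = purpose in self.ROLE_PURPOSES.get(role, set())
        self._log(user, f"general:{patient_id}", purpose, allowed, f"role={role}", now)
        if not allowed:
            raise PermissionError(f"{role} may not read general record for {purpose.value}")
        return self._general[patient_id]

    def _psych_decision(self, user, note, purpose, now):
        # 164.508(a)(2)(i): the originator may use the note for treatment.
        if purpose is Purpose.TREATMENT and user == note.originator:
            return True, "originator use for treatment"
        # Otherwise only a specific, unexpired authorization naming this
        # recipient and this note opens it; a TPO purpose alone never does.
        for a in self._authorizations:
            if (a.patient_id == note.patient_id and a.recipient == user
                    and note.note_id in a.note_ids and now < a.expires):
                return True, "specific written authorization on file"
        return False, "not originator and no valid authorization"

    def read_psych_note(self, user, note_id, purpose, now=None):
        now = now or datetime.now(timezone.utc)
        note = self._psych[note_id]
        allowed, reason = self._psych_decision(user, note, purpose, now)
        self._log(user, f"psych:{note_id}", purpose, allowed, reason, now)
        if not allowed:
            raise PermissionError(f"psychotherapy note {note_id}: {reason}")
        return note.text


def build_demo_store(now):
    """Constructed sample data for the walkthrough in demo()."""
    store = NoteStore()
    store.add_general("p-001", {"diagnosis": "F41.1", "meds": ["sertraline"]})
    store.add_psych_note(PsychotherapyNote(
        "n-100", "p-001", "dr_lee", "Constructed sample process note, not a summary."))
    store.add_authorization(Authorization(
        "p-001", "dr_ng", frozenset({"n-100"}), now + timedelta(days=30)))
    return store


def demo(now=None):
    """Runs five representative reads; returns their allow/deny outcomes and the audit log."""
    now = now or datetime.now(timezone.utc)
    store = build_demo_store(now)
    outcomes = []

    def attempt(fn, *args):
        try:
            fn(*args)
            outcomes.append(True)
        except PermissionError:
            outcomes.append(False)

    attempt(store.read_general, "billing_bob", "billing", "p-001", Purpose.PAYMENT, now)
    attempt(store.read_psych_note, "billing_bob", "n-100", Purpose.PAYMENT, now)      # denied
    attempt(store.read_psych_note, "dr_lee", "n-100", Purpose.TREATMENT, now)         # originator
    attempt(store.read_psych_note, "dr_ng", "n-100", Purpose.TREATMENT, now)          # authorized
    attempt(store.read_psych_note, "dr_ng", "n-100", Purpose.TREATMENT,
            now + timedelta(days=31))                                                  # expired
    return outcomes, store.audit_log


if __name__ == "__main__":
    for e in demo()[1]:
        print(f"{e.when:%Y-%m-%dT%H:%M:%SZ} {e.user:12} {e.record:14} {e.purpose:10} "
              f"{'ALLOW' if e.allowed else 'DENY '} {e.reason}")
```

The point of the design is that the general record and the psychotherapy notes never share a lookup path: a billing user with a legitimate payment purpose reads the diagnosis and medication list but is refused the session note, and the refusal is recorded alongside the successful reads so an OCR reviewer, or your own auditor, can see who tried to open what and why it was denied.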
Disclosures That Trip Up Behavioral Health Providers
Mental health professionals face disclosure requests that other healthcare providers rarely encounter. Family members demanding access to an adult child's therapy records. Attorneys seeking session notes for custody battles. Employers requesting fitness-for-duty evaluations that could reveal diagnoses.
HIPAA permits — but does not require — disclosure of PHI in limited circumstances, such as to prevent a serious and imminent threat to health or safety under 45 CFR § 164.512(j). But this exception is narrower than many clinicians assume. It does not authorize blanket disclosures to concerned family members or law enforcement simply because a patient has a mental health diagnosis.
Your Notice of Privacy Practices must clearly explain how your practice handles these situations. Vague or boilerplate language exposes you to OCR complaints. Patients in mental health treatment pay close attention to privacy promises — and they file complaints when those promises are broken.
Telehealth Therapy Sessions and the Security Rule
The pandemic permanently shifted mental health care toward telehealth. OCR's enforcement discretion for telehealth platforms ended with the COVID-19 public health emergency on May 11, 2023, after a 90-day transition period that closed on August 9, 2023. If your practice conducts virtual therapy sessions, every platform you use must comply with the HIPAA Security Rule.
This means you need a Business Associate Agreement (BAA) with your telehealth vendor. Consumer-grade video tools whose vendors will not sign a BAA, such as standard FaceTime, the free version of Zoom, or Google Hangouts, do not meet HIPAA requirements; the same vendor's healthcare or enterprise tier qualifies only once the BAA is actually signed. Your risk analysis, required under 45 CFR § 164.308(a)(1)(ii)(A), must specifically address telehealth infrastructure, including encryption in transit (§ 164.312(e)), access controls (§ 164.312(a)), and audit logging (§ 164.312(b)).
Key Security Requirements for Telehealth in Mental Health
- Use only platforms whose vendor will sign a BAA and that encrypt sessions in transit; enable end-to-end encryption where the platform offers it.
- Conduct sessions from a private location where conversations cannot be overheard.
- Document telehealth-specific risks in your organization's risk analysis and review it at least annually and whenever you change platforms or infrastructure.
- Train clinicians on secure session practices, including screen-sharing risks and recording prohibitions.
The Workforce Training Requirement Most Practices Overlook
Under 45 CFR § 164.530(b), every member of your workforce must receive HIPAA training. For mental health practices, generic training modules miss the mark entirely. Your staff needs education on psychotherapy note protections, the nuances of mental health disclosures, and the specific risks that behavioral health organizations face.
OCR investigations consistently examine whether a practice provided adequate, role-specific training. A front desk coordinator who confirms a patient's therapy appointment to an unverified caller has made an impermissible disclosure that proper training could have prevented.
Investing in HIPAA training and certification tailored to healthcare roles ensures your clinicians and administrative staff understand the rules that apply specifically to mental health settings. This isn't optional — it's a regulatory requirement with real enforcement consequences.
Business Associate Risks Unique to Mental Health Practices
Mental health professionals often work with vendors that general medical practices rarely use: EAP contracts, specialized billing companies handling behavioral health codes, and transcription or note-taking services for session content. Wherever such a party creates, receives, maintains, or transmits PHI on your behalf, it is a business associate and the relationship requires a BAA under 45 CFR § 164.502(e). Parties who are not acting on your behalf, such as a court-appointed evaluator, are not business associates; disclosures to them are governed by the authorization and § 164.512 rules instead, and a BAA cannot substitute for those.
I've reviewed practices where therapists contracted with note-taking services or AI transcription tools without a BAA in place. Each of these arrangements is an impermissible disclosure before a single byte of data is compromised. For AI tools in particular, check whether the vendor's terms let it retain or reuse session transcripts; the BAA must limit the vendor to the uses you actually contracted for. Audit your vendor relationships at least annually and terminate any business associate that cannot demonstrate compliance.
Build a Mental Health Practice That Patients Trust
Patients choose mental health providers based heavily on trust. A single privacy incident — an unauthorized disclosure, a telehealth platform breach, a careless conversation at the front desk — can destroy that trust and trigger an OCR investigation that costs your practice six figures or more.
HIPAA for mental health professionals isn't a checkbox exercise. It requires understanding protections that go beyond general healthcare compliance: psychotherapy note safeguards, nuanced disclosure rules, telehealth security, and workforce training that reflects the realities of behavioral health care.
Start building that foundation now. HIPAA Certify's workforce compliance platform gives mental health practices the tools and training needed to meet every requirement — before OCR comes asking questions.