In 2022, a behavioral health provider in New England paid a six-figure settlement to OCR after a workforce member disclosed a patient's substance abuse treatment records to a family member without proper authorization. The case underscored something healthcare organizations consistently underestimate: the intersection of HIPAA and mental health records carries heightened regulatory stakes that go well beyond standard PHI protections.
If your organization treats, stores, or transmits mental health information, you're operating under a stricter compliance lens. Here's what your covered entity and its business associates need to get right.
How HIPAA and Mental Health Records Differ From Standard PHI
The HIPAA Privacy Rule (45 CFR Part 164, Subpart E) applies to all protected health information. But mental health records occupy a unique position within that framework. HIPAA carves out a special category — psychotherapy notes — and subjects them to more rigorous authorization requirements than virtually any other type of PHI.
Under 45 CFR §164.508(a)(2), a covered entity generally cannot use or disclose psychotherapy notes without a patient's written authorization, even for treatment, payment, or healthcare operations. This is a critical distinction. Most other uses of PHI for treatment purposes don't require separate authorization.
Psychotherapy notes, as defined by HIPAA, are notes recorded by a mental health professional documenting or analyzing a counseling session's contents. They must be kept separate from the rest of the medical record. If your organization mixes psychotherapy notes into general clinical documentation, you've already created a compliance gap.
The Psychotherapy Notes Authorization Requirement Your Workforce Must Understand
Here's where enforcement risk intensifies. Many providers assume that because a patient consented to treatment, the organization can freely share mental health records internally or with other treating providers. That assumption is wrong when psychotherapy notes are involved.
Authorization for psychotherapy note disclosures must be specific, written, and signed. There are narrow exceptions — a therapist may use their own psychotherapy notes for treatment, and disclosure is permitted for certain oversight activities, to avert a serious threat, and in limited legal proceedings. But the default position is clear: without explicit authorization, these notes stay locked down.
Your workforce needs to know the difference between psychotherapy notes and the broader mental health treatment record. Diagnoses, medication lists, treatment plans, and session start/stop times are part of the general medical record and follow standard PHI disclosure rules. The therapist's private analytical notes from a session are what HIPAA protects at this elevated level.
Investing in comprehensive HIPAA training and certification for every member of your workforce — not just clinicians — is the most reliable way to prevent unauthorized disclosures of mental health records.
Minimum Necessary Standard and Mental Health Disclosures
Even when your organization is permitted to disclose mental health information from the general medical record (not psychotherapy notes), the minimum necessary standard under 45 CFR §164.502(b) still applies. Your covered entity must make reasonable efforts to limit disclosures to only the PHI necessary for the intended purpose.
In my work with covered entities, I've seen organizations routinely over-disclose mental health records to insurers, employers, and even other providers. A workers' compensation claim, for example, does not entitle the requesting party to a patient's complete psychiatric history. Your policies must define who within the organization can access mental health records and under what circumstances.
State Laws That Add Another Layer
HIPAA sets the federal floor, not the ceiling. Many states — including California, Texas, Connecticut, and New York — impose additional restrictions on mental health record disclosures that are more protective than HIPAA. When state law is more stringent, your organization must follow the state standard.
42 CFR Part 2, which governs substance use disorder (SUD) treatment records, adds yet another layer of federal protection. Recent rulemaking has aligned Part 2 more closely with HIPAA, but SUD records still carry consent requirements that exceed standard HIPAA rules. If your organization provides any substance abuse treatment, a separate compliance analysis is essential.
Risk Analysis: Where Mental Health Record Breaches Start
OCR enforcement actions consistently reveal that breaches involving mental health records originate from predictable failures:
- Inadequate access controls: Staff members who have no treatment relationship accessing behavioral health records in EHR systems.
- Improper storage of psychotherapy notes: Notes stored within the general medical record rather than segregated as HIPAA requires.
- Failure to conduct a thorough risk analysis: Organizations that haven't assessed vulnerabilities specific to mental health data — including how it's transmitted to business associates.
- Untrained workforce members: Front desk staff, billing teams, and IT personnel who don't understand the elevated protections for mental health information.
Your HIPAA risk analysis under 45 CFR §164.308(a)(1)(ii)(A) must specifically account for mental health records. A generic risk assessment that treats all PHI identically will leave your organization exposed.
Business Associate Agreements Must Address Mental Health Data
If your covered entity shares mental health records with business associates — EHR vendors, billing companies, cloud storage providers, telehealth platforms — your business associate agreements (BAAs) must reflect the heightened sensitivity of this data.
OCR has made clear that a BAA alone doesn't satisfy your obligations. You must verify that business associates have implemented administrative, physical, and technical safeguards appropriate for the type of PHI they handle. Mental health records demand particular attention to audit controls, encryption, and access logging.
Notice of Privacy Practices: Be Specific About Mental Health Rights
Your Notice of Privacy Practices must inform patients about how their mental health information — including psychotherapy notes — may be used and disclosed. Vague or boilerplate language won't meet the standard under 45 CFR §164.520. Patients have the right to understand the specific protections that apply to their behavioral health data.
Build a Compliance Culture Around Mental Health Record Protection
The most effective way to reduce your organization's risk is to treat mental health record compliance as an ongoing operational priority — not a one-time policy exercise. That means:
- Conducting annual workforce training that specifically addresses mental health record protections and psychotherapy note rules.
- Auditing EHR access logs quarterly for unauthorized access to behavioral health records.
- Segregating psychotherapy notes in your records system with role-based access controls.
- Reviewing and updating your risk analysis whenever you adopt new technology that touches mental health data.
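The quarterly access-log audit and the segregation of psychotherapy notes described above can be expressed as a check that runs over exported EHR access events. The following is an added example written for this page, not code from the article's author or from HIPAA Certify; the log line format, the field names, the patient and user identifiers, and the role-to-field table are all constructed assumptions. It flags the two failure patterns the post names: staff with no treatment relationship reading behavioral health records beyond what their role needs, and anyone other than the authoring clinician reading psychotherapy notes without a written authorization on file.

```python
"""
Added example (not from the original article): audit constructed EHR access-log
lines for (1) access to behavioral health records by staff with no treatment
relationship and (2) access to psychotherapy notes by anyone other than the
authoring clinician without a signed written authorization on file.
Log format, field names, identifiers and role tables are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log lines (assumed format: ISO timestamp then key=value fields).
SAMPLE_LOG = """\
2024-03-04T09:12:07Z user=dr.lee role=psychiatrist patient=P1001 record=psychotherapy_notes action=read
2024-03-04T09:15:41Z user=dr.lee role=psychiatrist patient=P1001 record=medication_list action=read
2024-03-04T10:02:13Z user=billing.ann role=billing patient=P1001 record=diagnosis action=read
2024-03-04T10:05:55Z user=billing.ann role=billing patient=P1001 record=psychotherapy_notes action=read
2024-03-04T11:30:00Z user=dr.kim role=psychiatrist patient=P1001 record=psychotherapy_notes action=read
2024-03-04T11:45:22Z user=frontdesk.bo role=front_desk patient=P1002 record=treatment_plan action=read
2024-03-04T12:01:09Z user=it.sam role=it_admin patient=P1002 record=psychotherapy_notes action=read
"""

# Constructed treatment relationships: (clinician, patient) pairs currently in treatment.
TREATMENT_RELATIONSHIPS = {("dr.lee", "P1001"), ("dr.kim", "P1002")}

# Constructed psychotherapy-note authorship: notes are segregated and tied to their author,
# who may use them for treatment without a separate authorization.
NOTE_AUTHORS = {"P1001": "dr.lee", "P1002": "dr.kim"}

# Constructed written authorizations on file: (patient, user) pairs covered by a signed
# authorization for psychotherapy-note disclosure.
WRITTEN_AUTHORIZATIONS = {("P1001", "dr.kim")}

# Record fields a non-treating role may read under the minimum necessary standard
# (assumed values; a real table would come from the organization's policy).
ROLE_ALLOWED_FIELDS = {
    "billing": {"diagnosis", "dates_of_service"},
    "front_desk": {"dates_of_service"},
}


@dataclass
class Finding:
    timestamp: datetime
    user: str
    patient: str
    record: str
    reason: str


def parse_log_line(line):
    """Split one constructed log line into a dict of its key=value fields plus a timestamp."""
    ts, *pairs = line.split()
    event = dict(p.split("=", 1) for p in pairs)
    event["timestamp"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return event


def check_event(event):
    """Return a reason string if the access is unauthorized, otherwise None."""
    user, role = event["user"], event["role"]
    patient, record = event["patient"], event["record"]
    if record == "psychotherapy_notes":
        if NOTE_AUTHORS.get(patient) == user:
            return None  # originator may use their own notes for treatment
        if (patient, user) in WRITTEN_AUTHORIZATIONS:
            return None  # specific, written, signed authorization is on file
        return "psychotherapy notes accessed without written authorization"
    if (user, patient) in TREATMENT_RELATIONSHIPS:
        return None  # treating clinician reading the general record
    if record in ROLE_ALLOWED_FIELDS.get(role, set()):
        return None  # non-treating role reading only what its function needs
    return f"no treatment relationship; '{record}' exceeds minimum necessary for role '{role}'"


def audit_access_log(log_text):
    """Run check_event over every non-empty line and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_log_line(line)
        reason = check_event(event)
        if reason:
            findings.append(Finding(event["timestamp"], event["user"],
                                    event["patient"], event["record"], reason))
    return findings


if __name__ == "__main__":
    for f in audit_access_log(SAMPLE_LOG):
        print(f"{f.timestamp.isoformat()} {f.user} -> {f.patient}/{f.record}: {f.reason}")
```

Run against the constructed log, the audit reports three events: the billing user opening psychotherapy notes, the front-desk user opening a treatment plan for a patient they have no relationship with, and the IT administrator opening psychotherapy notes. The psychiatrist who is not the author but has a written authorization on file is not flagged, which is the distinction the post draws between the general record and psychotherapy notes. In a real deployment the relationship, authorship and authorization tables would be fed from the EHR rather than hard-coded, and the findings would go to the privacy officer's review queue.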
Organizations that partner with HIPAA Certify for workforce HIPAA compliance are better positioned to embed these practices across every department, from clinical staff to administration.
HIPAA violations involving mental health records carry the same penalty tiers as any other HIPAA violation — up to $2,067,813 per violation category per year under the adjusted 2023 penalty amounts. But the reputational damage of exposing a patient's mental health information often exceeds any financial penalty. Your patients trust you with their most sensitive disclosures. Protecting that trust requires precision, training, and a compliance infrastructure built for the complexity that HIPAA and mental health records demand.