In 2022, OCR settled with a New England dermatology practice for $300,640 after a breach exposed patient records — including sensitive mental health information — that should never have been accessible to unauthorized staff. While that case involved a broader security failure, it underscored a reality I see constantly in my work with covered entities: organizations routinely underestimate the heightened protections HIPAA places on mental health records and the severe consequences of getting disclosure rules wrong.
What HIPAA Classifies as Mental Health Records — and Why It Matters
Under the HIPAA Privacy Rule (45 CFR § 164.501 and § 164.508), not all mental health information is treated equally. General mental health records — diagnoses, treatment plans, medication lists, session dates — are protected health information (PHI) subject to the standard Privacy Rule requirements. They can be used and disclosed for treatment, payment, and healthcare operations with the same rules that apply to any other medical record.
But HIPAA carves out a separate, more restrictive category: psychotherapy notes. These are the personal notes recorded by a mental health professional during or immediately after a counseling session, maintained separately from the medical record. Under 45 CFR § 164.508(a)(2), psychotherapy notes require their own specific written authorization before disclosure — even to other providers involved in the patient's treatment.
Healthcare organizations consistently confuse general mental health records with psychotherapy notes. That confusion creates real compliance risk.
The Psychotherapy Notes Exception Most Organizations Underestimate
The heightened protection for psychotherapy notes means your covered entity cannot disclose them based on a general HIPAA authorization for release of medical records. A separate, specific authorization is required. There are only narrow exceptions where psychotherapy notes can be disclosed without patient authorization:
- Use by the originator of the notes for treatment purposes
- Training programs for mental health students or counselors
- Defense by the covered entity in a legal action brought by the patient
- Required by the Secretary of HHS for compliance investigations
- Mandated by law — such as certain abuse reporting requirements
- To avert a serious and imminent threat to health or safety
Outside those narrow scenarios, disclosure of psychotherapy notes without a valid, specific authorization is a HIPAA violation that can trigger OCR enforcement action and civil monetary penalties under the HITECH Act penalty tiers — ranging from $137 to over $2 million per violation category, per year.
How HIPAA Mental Health Records Intersect with the Minimum Necessary Standard
For general mental health records (not psychotherapy notes), the minimum necessary standard applies to every use and disclosure. Your organization must implement policies ensuring that workforce members access only the mental health PHI they need for their specific job function.
This is where I see breakdowns most frequently. Front desk staff with full EHR access can view psychiatric diagnoses. Billing personnel can see therapy session notes unrelated to the claim they're processing. OCR has consistently emphasized that the minimum necessary standard is not optional — and mental health information demands particular attention because of its sensitivity and the stigma patients face.
Your risk analysis should specifically evaluate who has access to mental health records and whether role-based access controls are properly configured. If your last risk analysis didn't address this, it's incomplete.
Patient Rights to Access Mental Health Records Under HIPAA
Patients have a right to access their own mental health records under the Privacy Rule's access provisions (45 CFR § 164.524). However, HIPAA does permit a covered entity to deny access to psychotherapy notes — this is one of the few categories where a provider can withhold records without offering the patient a right to have the denial reviewed.
For general mental health records — progress notes, treatment summaries, diagnoses, medications — patients have the same access rights as they do for any other medical record. Your Notice of Privacy Practices must accurately reflect these rights, and your workforce must understand the distinction when processing access requests.
Denying access to general mental health records by incorrectly claiming they are psychotherapy notes is a compliance violation that OCR takes seriously.
State Laws That Add Complexity to Mental Health Privacy
HIPAA sets the federal floor, not the ceiling. Many states impose stricter protections on mental health records. For example, some states require specific consent for any disclosure of substance use disorder treatment records, or restrict mental health information from being shared in certain legal proceedings even when HIPAA might otherwise permit it.
Under HIPAA's preemption rules (45 CFR § 160.203), the more protective state law prevails. Your compliance program must account for both layers. A business associate agreement that meets HIPAA standards may still fall short if your state law imposes additional mental health privacy requirements on the third parties handling your patients' records.
Workforce Training: The Front Line of Mental Health Record Protection
Every HIPAA violation involving mental health records I've investigated traces back to a workforce training gap. Staff didn't know the difference between psychotherapy notes and general mental health records. Clinicians didn't understand when a separate authorization was required. Administrative employees didn't realize that the minimum necessary standard applied to sensitive mental health PHI the same way it applies to everything else.
HIPAA requires workforce training under 45 CFR § 164.530(b), but that requirement is only meaningful if your training program addresses the specific, high-risk scenarios your organization faces — including mental health record handling. Generic annual training that never mentions psychotherapy notes or mental health disclosure limits leaves your organization exposed.
Investing in comprehensive HIPAA training and certification ensures your workforce understands these critical distinctions. Organizations that prioritize role-specific, scenario-based training through platforms like HIPAA Certify's workforce compliance program are far better positioned to avoid costly enforcement actions.
Three Steps to Strengthen Your Mental Health Records Compliance Today
If your organization handles any mental health PHI — and most covered entities do — take these steps immediately:
- Audit your psychotherapy notes procedures. Confirm that psychotherapy notes are stored separately from the general medical record and that your authorization forms specifically address psychotherapy note disclosures as a distinct category.
- Review role-based access controls. Verify that only workforce members with a documented need can view mental health diagnoses, treatment records, and session notes in your EHR system.
- Update your workforce training. Add specific modules on mental health record protections, psychotherapy notes requirements, and the minimum necessary standard as it applies to sensitive PHI categories.
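To make the two control points above concrete (the minimum necessary role scoping from the access-control discussion, and the separate authorization gate for psychotherapy notes from step one), here is an added policy-as-code example, not code from the original article or from any product it names. The role mapping, purpose names and the audit() replay are constructed for illustration; an organization's real mapping comes out of its own risk analysis.

```python
from dataclasses import dataclass
from enum import Enum

class Category(Enum):
    GENERAL_MH = "general_mental_health_record"  # diagnoses, treatment plans, medications
    PSYCHOTHERAPY_NOTES = "psychotherapy_notes"  # kept apart from the medical record

# Narrow cases where psychotherapy notes may go out without a specific authorization
# (45 CFR 164.508(a)(2), as summarized on the page). The purpose names are constructed.
PSYNOTE_EXCEPTIONS = {"training_program", "defense_of_patient_lawsuit",
                      "hhs_compliance_investigation", "required_by_law",
                      "avert_serious_threat"}

# Minimum necessary: record categories each workforce role may view for routine work
# (constructed mapping). Psychotherapy notes are never granted by role alone; see decide().
ROLE_ACCESS = {
    "treating_clinician": {Category.GENERAL_MH},
    "front_desk": set(),   # scheduling needs no diagnosis or note content
    "billing": set(),      # claim fields only; no record-category access modelled
}

@dataclass(frozen=True)
class AccessRequest:
    role: str                       # workforce role, or "external" for an outside requester
    category: Category
    purpose: str                    # "treatment", "payment", "operations" or an exception name
    is_originator: bool = False     # the clinician who wrote the psychotherapy notes
    general_authorization: bool = False        # standard release-of-records form on file
    psychotherapy_authorization: bool = False  # separate authorization naming the notes

def decide(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for one use or disclosure request."""
    if req.category is Category.PSYCHOTHERAPY_NOTES:
        if req.is_originator and req.purpose == "treatment":
            return True, "originator using own notes for treatment"
        if req.purpose in PSYNOTE_EXCEPTIONS:
            return True, f"exception: {req.purpose}"
        if req.psychotherapy_authorization:
            return True, "specific psychotherapy-notes authorization on file"
        return False, "psychotherapy notes require their own authorization; a general release is not enough"
    if req.category in ROLE_ACCESS.get(req.role, set()):
        return True, "within the role's minimum-necessary scope"
    if req.general_authorization:
        return True, "patient-authorized disclosure"
    return False, f"minimum necessary: {req.role!r} has no need for {req.category.value}"

def audit(requests) -> list[tuple[AccessRequest, str]]:
    """Replay requests (e.g. EHR access-log entries) and return the ones that should be denied."""
    return [(r, why) for r in requests for ok, why in [decide(r)] if not ok]
```

Running audit() over exported EHR access logs is one way to perform the role-based access review from step two: every denied entry is either a misconfigured role or a disclosure that needed an authorization the organization cannot show.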
OCR's enforcement trends make one thing clear: mental health record mishandling is a high-priority target. Your organization's compliance posture depends on getting these protections right — not in theory, but in daily practice.