A mid-size behavioral health practice in the Southeast received a subpoena demanding the complete treatment records of a current patient involved in a custody dispute. The office manager, unsure of the rules, released everything — including psychotherapy notes, session summaries, and medication history. Within months, an OCR complaint was filed, and the practice faced a costly investigation. This scenario plays out more often than you'd think, and it highlights exactly why your organization must understand when and how you can respond to a subpoena for mental health records under HIPAA.

Why a Subpoena Alone Doesn't Authorize Full Disclosure of Mental Health Records

Healthcare organizations consistently confuse a subpoena with a court order. Under the HIPAA Privacy Rule at 45 CFR § 164.512(e), a covered entity may disclose protected health information in response to a subpoena — but only if specific conditions are met. A subpoena issued by an attorney, rather than a court, does not carry the same legal weight as a court order.

Before you respond to a subpoena for mental health records, your organization must verify one of two things: either the requesting party has made reasonable efforts to notify the individual whose records are sought, or the requesting party has obtained a qualified protective order from the court. Without satisfying one of these conditions, releasing PHI in response to a subpoena is a HIPAA violation.

A court order, by contrast, is issued by a judge and typically authorizes disclosure of the specific records described in that order. Even then, the minimum necessary standard applies — you should release only the information directly responsive to the order, not the patient's entire file.

Psychotherapy Notes Get Heightened Protection Under HIPAA

This is the area where covered entities most frequently make critical errors when responding to a subpoena for mental health records. HIPAA draws a sharp legal distinction between general mental health treatment records and psychotherapy notes.

Psychotherapy notes, as defined under 45 CFR § 164.501, are notes recorded by a mental health professional during or after a counseling session that document the contents of the conversation. They must be kept separate from the rest of the medical record. These notes receive heightened protection: they generally cannot be disclosed without the patient's explicit written authorization, even in response to a subpoena.

General mental health records — including diagnoses, treatment plans, medication lists, and session dates — do not carry this same elevated protection. They are treated as standard protected health information and can be disclosed under the judicial proceedings provisions of the Privacy Rule, provided the subpoena meets the requirements described above.

What Counts as Psychotherapy Notes vs. Treatment Records

  • Psychotherapy notes: A therapist's private observations, analysis of conversations, and impressions recorded during a session, stored separately from the medical record.
  • Treatment records: Diagnoses, functional status, treatment plans, symptoms, prognosis, progress to date, medication prescriptions, and session start/stop times.

If your workforce doesn't understand this distinction, you risk either over-disclosing psychotherapy notes or improperly withholding records that are legally required to be produced. Both outcomes can expose your organization to liability.

State Laws May Impose Stricter Rules on Mental Health Disclosures

HIPAA sets a federal floor, not a ceiling. Many states — including California, Texas, Connecticut, and Illinois — have mental health confidentiality laws that are more protective than HIPAA. Under the Privacy Rule's preemption analysis at 45 CFR § 160.203, when a state law provides greater privacy protections for the individual, the state law controls.

In practice, this means your compliance team must evaluate both HIPAA and applicable state law every time you receive a subpoena for mental health records. Some states require a court order specifically — not just a subpoena — before any mental health records can be disclosed. Others require patient notification and an opportunity to object before release.

Relying solely on HIPAA without checking state law is one of the most common compliance failures I see in behavioral health organizations.

Build a Subpoena Response Protocol Before the Next Request Arrives

OCR has made clear through enforcement actions and guidance that covered entities must have documented processes for handling legal requests for PHI. Waiting until a subpoena lands on your desk to figure out the rules is a recipe for a breach.

Your protocol should include the following steps:

  • Identify the type of legal process: Determine whether you've received a subpoena, a court order, or a discovery request — each triggers different HIPAA provisions.
  • Verify satisfactory assurances: If responding to a subpoena (not a court order), confirm the requesting party has provided evidence of patient notification or a qualified protective order.
  • Segregate psychotherapy notes: Ensure your records systems physically or electronically separate psychotherapy notes so they are not inadvertently included in a disclosure.
  • Apply the minimum necessary standard: Release only the specific information responsive to the legal request. Do not produce the entire patient chart unless explicitly ordered by a court.
  • Document everything: Record your analysis, the steps you took to verify compliance, and the exact records disclosed. This documentation is critical if OCR investigates a complaint.
  • Consult legal counsel: For complex cases — especially those involving psychotherapy notes, minors, or substance use disorder records protected under 42 CFR Part 2 — involve your attorney before releasing anything.
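The six steps above, written out as a release-gating routine. This is an added example, not code from the article or from HIPAA Certify: the record categories, the request fields, and the sample chart are assumptions made for the illustration, and the routine encodes only the decision points the protocol names (type of legal process, satisfactory assurances, separately stored psychotherapy notes, minimum necessary, a written record of what was produced and why, and referral to counsel).

```python
"""Release-gating logic for a legal request for mental health records.

Added illustration of the six-step protocol; not code from the original article
or from HIPAA Certify. Category names, request fields and the sample chart are
assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from enum import Enum


class LegalProcess(Enum):
    SUBPOENA = "subpoena"        # issued by an attorney; needs satisfactory assurances
    COURT_ORDER = "court_order"  # signed by a judge; release what the order describes
    OTHER = "other"              # e.g. a discovery request; routed to counsel (assumption)


# Categories of the general treatment record (the "Treatment records" bullet above).
TREATMENT_CATEGORIES = frozenset({
    "diagnoses", "functional_status", "treatment_plan", "symptoms",
    "prognosis", "progress", "medications", "session_times",
})
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"  # held in a separate store, never in the chart dict
ENTIRE_CHART = "*"                            # shorthand for "everything" in a request


@dataclass
class LegalRequest:
    process: LegalProcess
    categories: frozenset                      # what the request actually asks for
    patient_notified: bool = False             # assurance: reasonable efforts to notify the patient
    qualified_protective_order: bool = False   # assurance: qualified protective order obtained
    written_authorization: bool = False        # patient's explicit authorization for psychotherapy notes


@dataclass
class PatientRecord:
    chart: dict                 # general treatment record, keyed by category
    psychotherapy_notes: str    # kept separately (step 3 of the protocol)


@dataclass
class Decision:
    release: dict = field(default_factory=dict)   # category -> content actually produced
    withheld: list = field(default_factory=list)  # categories not produced
    reasons: list = field(default_factory=list)   # rationale kept on file (step 5)
    needs_counsel: bool = False                   # step 6


def evaluate_release(req: LegalRequest, rec: PatientRecord) -> Decision:
    d = Decision()
    # Steps 1 and 6: anything other than a subpoena or court order goes to counsel first.
    if req.process is LegalProcess.OTHER:
        d.needs_counsel = True
        d.withheld = sorted(req.categories)
        d.reasons.append("not a subpoena or court order; route to counsel before any release")
        return d
    # Step 2: a subpoena without satisfactory assurances authorizes nothing.
    if req.process is LegalProcess.SUBPOENA and not (
        req.patient_notified or req.qualified_protective_order
    ):
        d.withheld = sorted(req.categories)
        d.reasons.append("subpoena lacks satisfactory assurances (patient notice or qualified protective order)")
        return d
    # Step 4: the entire chart is produced only when a court explicitly orders it.
    if ENTIRE_CHART in req.categories:
        if req.process is LegalProcess.COURT_ORDER:
            wanted = set(TREATMENT_CATEGORIES)
            d.reasons.append("court order covers the full treatment record")
        else:
            d.withheld = [ENTIRE_CHART]
            d.reasons.append("subpoena asks for the entire chart; narrow to specific categories before release")
            return d
    else:
        wanted = set(req.categories)
    # Step 3: psychotherapy notes never come from the chart and need written authorization.
    if PSYCHOTHERAPY_NOTES in wanted:
        wanted.discard(PSYCHOTHERAPY_NOTES)
        if req.written_authorization:
            d.release[PSYCHOTHERAPY_NOTES] = rec.psychotherapy_notes
            d.reasons.append("psychotherapy notes released under the patient's written authorization")
        else:
            d.withheld.append(PSYCHOTHERAPY_NOTES)
            d.needs_counsel = True
            d.reasons.append("psychotherapy notes withheld: no written authorization; refer to counsel")
    # Step 4: minimum necessary, i.e. only the requested categories that exist in the chart.
    for cat in sorted(wanted):
        if cat in TREATMENT_CATEGORIES and cat in rec.chart:
            d.release[cat] = rec.chart[cat]
        else:
            d.withheld.append(cat)
            d.reasons.append(f"{cat}: not a treatment-record category or not present in chart")
    return d


def audit_entry(req: LegalRequest, d: Decision) -> dict:
    """Step 5: the record kept on file showing what was asked, what was produced and why."""
    return {
        "process": req.process.value,
        "requested": sorted(req.categories),
        "released": sorted(d.release),
        "withheld": sorted(d.withheld),
        "needs_counsel": d.needs_counsel,
        "reasons": list(d.reasons),
    }


# Constructed sample chart for the example; not real patient data.
SAMPLE_RECORD = PatientRecord(
    chart={
        "diagnoses": "generalized anxiety disorder",
        "medications": "sertraline 50 mg daily",
        "treatment_plan": "weekly CBT, 12 sessions",
        "session_times": "2024-03-04 10:00-10:50",
    },
    psychotherapy_notes="[separately stored session notes]",
)

if __name__ == "__main__":
    req = LegalRequest(LegalProcess.SUBPOENA,
                       frozenset({"diagnoses", "medications", PSYCHOTHERAPY_NOTES}),
                       patient_notified=True)
    print(audit_entry(req, evaluate_release(req, SAMPLE_RECORD)))
```

The two separate stores (`chart` versus `psychotherapy_notes`) are the point: when the notes are not reachable through the same lookup as the treatment record, the scenario in the opening paragraph, where everything goes out in one batch, cannot happen by accident, and every path that touches the notes leaves a reason in the audit entry.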

The Workforce Training Requirement Most Organizations Underestimate

A policy sitting in a binder is worthless if your front-desk staff, records custodians, and clinicians don't know the rules. Under 45 CFR § 164.530(b), every covered entity must train all workforce members on its privacy policies and procedures, including how to handle legal requests for protected health information.

In my work with covered entities, the organizations that avoid subpoena-related HIPAA violations are the ones that invest in comprehensive HIPAA training and certification for every person who touches patient records. This includes role-specific training for records departments on how to process subpoenas, verify legal sufficiency, and segregate psychotherapy notes from general treatment records.

If your organization hasn't updated its workforce training to address mental health record disclosures, the time to act is now — not after a complaint is filed with OCR.

Don't Let a Single Subpoena Create a Compliance Crisis

The consequences of improperly responding to a subpoena for mental health records extend beyond OCR penalties. Patients lose trust. Litigation multiplies. And your organization's reputation in the community suffers lasting damage.

Your risk analysis should specifically address the handling of legal requests as a threat vector for unauthorized PHI disclosure. Document the safeguards you've implemented, train your business associates who may handle records on your behalf, and update your Notice of Privacy Practices to accurately describe your legal disclosure policies.

Building a culture of compliance starts with equipping your entire team to handle these situations correctly. Explore workforce HIPAA compliance solutions at HIPAA Certify to ensure every member of your organization — from clinicians to administrative staff — knows exactly how to respond when a subpoena for mental health records arrives.