In 2023, OCR settled with a behavioral health provider for $1.25 million after the organization disclosed substance abuse treatment records without patient authorization. The provider assumed its standard PHI policies were sufficient — but failed to account for the heightened protections federal law demands for certain categories of health data. If your workforce can't distinguish between general protected health information and sensitive health information, your organization is carrying a risk most compliance officers underestimate.

What Is Sensitive Health Information and Why Does HIPAA Treat It Differently?

So what is sensitive health information? Under the HIPAA Privacy Rule (45 CFR Part 164, Subpart E), all individually identifiable health information held by a covered entity or business associate qualifies as protected health information (PHI). But certain categories of PHI carry additional legal protections because of the stigma, discrimination, or personal harm that unauthorized disclosure could cause.

Sensitive health information typically includes records related to mental health treatment, substance use disorder (SUD) diagnoses and treatment, HIV/AIDS status, sexually transmitted infections, reproductive health and abortion records, genetic information, and psychotherapy notes. These categories don't just fall under HIPAA — many are subject to overlapping federal and state laws that impose stricter standards than the Privacy Rule alone.

For example, substance use disorder treatment records are governed by 42 CFR Part 2, which historically required separate written patient consent for nearly all disclosures — even those HIPAA would otherwise permit under the treatment, payment, and health care operations (TPO) exception. The 2024 final rule aligning Part 2 more closely with HIPAA changed some of these dynamics, but organizations treating SUD patients still face stricter re-disclosure prohibitions.

Categories Your Workforce Must Recognize

Healthcare organizations consistently struggle with training their teams to identify which records demand elevated protection. Here are the primary categories your compliance program should address:

  • Psychotherapy notes: Under 45 CFR §164.508(a)(2), these require specific patient authorization for most uses and disclosures — separate from general medical record consent. They are excluded from the TPO exception.
  • Substance use disorder records: Protected under both HIPAA and 42 CFR Part 2, with strict limitations on re-disclosure even after the 2024 rule updates.
  • HIV/AIDS and STI records: Many states impose consent and notification requirements that exceed HIPAA's baseline protections.
  • Genetic information: The Genetic Information Nondiscrimination Act (GINA) adds a federal layer of protection that intersects with HIPAA's Privacy Rule.
  • Reproductive health information: The 2024 HIPAA Privacy Rule update (effective December 23, 2024) added new protections prohibiting the use or disclosure of PHI related to lawful reproductive health care for certain non-health purposes, including investigations into patients or providers in states where specific services are legal.

Each of these categories requires specific policies, targeted workforce training, and — in many cases — distinct authorization forms. A generic Notice of Privacy Practices won't cover the nuances.

The Minimum Necessary Standard and Sensitive Records

The minimum necessary standard under 45 CFR §164.502(b) requires your covered entity to limit PHI access and disclosure to only the information reasonably needed for a given purpose. When applied to sensitive health information, this standard becomes even more critical.

In my work with covered entities, I've seen organizations grant broad EHR access that allows front-desk staff to view psychotherapy notes or SUD treatment records with no clinical justification. This isn't just a policy gap — it's a HIPAA violation waiting to become a breach report. Role-based access controls must be configured to segment sensitive records so that only authorized clinical personnel with a documented need can view them.

OCR has made clear through its enforcement actions that failing to apply the minimum necessary standard to highly sensitive data categories is treated as a serious compliance deficiency during investigations.

Business Associate Obligations You Cannot Ignore

Your business associates handle sensitive health information more often than many organizations realize. Cloud EHR vendors, billing companies, telehealth platforms, and even transcription services may process mental health notes, SUD records, or reproductive health data.

Every business associate agreement (BAA) should specifically address the handling of sensitive categories. Generic BAA language that references "PHI" without acknowledging the heightened protections for specific data types exposes your organization to liability. If a business associate improperly discloses substance abuse records or psychotherapy notes, your covered entity shares the regulatory consequences.

Conduct a thorough risk analysis that maps where sensitive health information flows — including to third parties — and verify that each business associate's safeguards meet the standards required by both HIPAA and any applicable overlapping laws.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), every covered entity must train its workforce on HIPAA policies and procedures. But here's where compliance programs fall short: most training curricula treat all PHI identically. Your staff needs specific instruction on what sensitive health information is, which records carry elevated protections, and how handling procedures differ from general PHI.

Front-line employees need to understand why a patient's psychotherapy notes cannot be released with a standard records request. Your billing team needs to know that SUD treatment claims may require segmented handling. Clinical staff need clarity on when reproductive health information can and cannot be disclosed under the 2024 rule changes.

Investing in comprehensive HIPAA training and certification that covers sensitive health information categories is one of the most effective steps your organization can take. Generic annual training no longer meets the regulatory bar OCR expects — especially in specialty practices handling behavioral health, reproductive care, or genetic testing data.

Build a Compliance Program That Addresses Sensitivity Tiers

Effective HIPAA compliance in 2024 and beyond requires your organization to think in tiers. Not all PHI carries the same risk profile, and your policies should reflect that reality.

Start by inventorying the types of sensitive health information your organization creates, receives, stores, or transmits. Map the regulatory requirements for each category — HIPAA, 42 CFR Part 2, state law, GINA. Then build layered safeguards: segmented access controls, category-specific authorization forms, targeted workforce training modules, and BAA provisions that address each data type explicitly.
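One way to turn the tiered inventory above, and the segmented role-based access described under the minimum necessary standard, into an enforceable check is a small policy evaluator; this is an added illustration, not code from the original article or any vendor, and its tier table, role names, purpose strings and sample requests are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum

class Category(str, Enum):
    GENERAL = "general_phi"
    PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
    SUD_TREATMENT = "sud_treatment"
    REPRODUCTIVE_HEALTH = "reproductive_health"

# Hypothetical sensitivity-tier table (an assumption for this example, not a
# legal rule set): which roles are segmented into each category, whether a
# category-specific patient authorization must be on file before release, and
# which stated purposes are blocked outright for that category.
TIER_RULES = {
    Category.GENERAL: {"roles": {"clinician", "billing", "front_desk"},
                       "needs_specific_auth": False, "blocked_purposes": set()},
    Category.PSYCHOTHERAPY_NOTES: {"roles": {"clinician"},
                       "needs_specific_auth": True, "blocked_purposes": set()},
    Category.SUD_TREATMENT: {"roles": {"clinician", "billing"},
                       "needs_specific_auth": True, "blocked_purposes": set()},
    Category.REPRODUCTIVE_HEALTH: {"roles": {"clinician", "billing"},
                       "needs_specific_auth": False,
                       "blocked_purposes": {"investigation"}},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    category: Category
    purpose: str                    # e.g. "treatment", "payment", "investigation"
    specific_auth_on_file: bool = False

DENIAL_LOG: list[str] = []          # denials are the audit signal worth reviewing

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Checks run from coarsest to finest:
    role segmentation, per-category purpose bans, then authorization."""
    rule = TIER_RULES[req.category]
    if req.role not in rule["roles"]:
        reason = f"role '{req.role}' is not segmented into {req.category.value}"
    elif req.purpose in rule["blocked_purposes"]:
        reason = f"purpose '{req.purpose}' is prohibited for {req.category.value}"
    elif rule["needs_specific_auth"] and not req.specific_auth_on_file:
        reason = f"{req.category.value} needs a category-specific patient authorization"
    else:
        return True, "minimum necessary satisfied for stated purpose"
    DENIAL_LOG.append(f"DENY user={req.user} role={req.role} "
                      f"category={req.category.value} purpose={req.purpose}: {reason}")
    return False, reason

if __name__ == "__main__":
    # Constructed sample requests mirroring the scenarios discussed in the text.
    for r in (AccessRequest("fd01", "front_desk", Category.PSYCHOTHERAPY_NOTES, "records_request"),
              AccessRequest("bill02", "billing", Category.SUD_TREATMENT, "payment"),
              AccessRequest("bill02", "billing", Category.SUD_TREATMENT, "payment", True),
              AccessRequest("dr03", "clinician", Category.REPRODUCTIVE_HEALTH, "investigation")):
        print(evaluate(r))
```

Every denial lands in DENIAL_LOG, so a front-desk account repeatedly probing psychotherapy notes becomes visible to whoever reviews access logs rather than silently succeeding.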

OCR enforcement trends point toward increasingly aggressive action against organizations that fail to protect high-sensitivity records. The penalties reflect the harm: unauthorized disclosure of mental health or SUD records can devastate patients' employment, relationships, and personal safety.

Your organization doesn't need to build this program from scratch. Platforms like HIPAA Certify for workforce HIPAA compliance give your team the structured education and documentation tools needed to meet regulatory expectations — including the nuanced requirements around sensitive health information that generic programs overlook.