HIPAA Compliance for Behavioral Health Clinics: Substance Abuse and Mental Health
Quick Answer: Behavioral health providers handle some of the most sensitive data HIPAA covers. Psychotherapy notes get heightened protection, 42 CFR Part 2 adds separate rules for substance use disorder records, and minor-consent and duty-to-warn situations create disclosure decisions other specialties rarely face. A Security Risk Analysis plus clear policies for psychotherapy notes and Part 2 records are the foundation.
Psychotherapy notes get special protection
HIPAA singles out psychotherapy notes for heightened protection. The Privacy Rule (45 CFR § 164.501) defines them narrowly: a mental health professional's notes documenting or analyzing the contents of a counseling session, kept separate from the rest of the medical record. Medication records, session start and stop times, diagnosis, treatment plan, symptoms, prognosis, and progress notes are not psychotherapy notes even when the therapist writes them. Unlike most PHI, psychotherapy notes generally require a specific patient authorization to disclose, including for most treatment, payment, and operations uses that would otherwise be permitted; the main exceptions are the originating provider's own use in treatment, the practice's supervised training programs, and defense of a legal action brought by the patient. They are also excluded from the patient's HIPAA right of access. Behavioral health practices must store these notes separately from the designated record set and train staff that they cannot be released on a routine records request.
42 CFR Part 2 layers on top of HIPAA
Records from federally assisted substance use disorder treatment programs are governed by 42 CFR Part 2, which is stricter than HIPAA about consent and redisclosure and which bars use of the records in civil, criminal, administrative, or legislative proceedings against the patient without consent or a qualifying court order. Many behavioral health organizations hold both Part 2 and ordinary HIPAA records, and each record must be mapped to the regime that applies to it. HHS's February 2024 final rule (compliance date February 16, 2026) aligned parts of Part 2 with HIPAA, including a single consent covering future treatment, payment, and operations disclosures and HIPAA-style breach notification, but the heightened-consent posture for substance-use records remains a distinct compliance obligation.
Minors, consent, and duty to warn
Behavioral health frequently involves minors who, under many state laws, can consent to their own mental-health or substance-use treatment, which shifts control of that information away from parents; HIPAA (45 CFR § 164.502(g)(3)) defers to state law on whether a parent may access those records. Providers also face duty-to-warn and safety situations where disclosure to prevent a serious and imminent threat is permitted under 45 CFR § 164.512(j), and some state laws require it. Both require written policies grounded in the provider's specific state law, not a generic rule.
Telehealth and the Security Risk Analysis
Behavioral health is delivered heavily by telehealth, which puts ePHI on video platforms, home networks, and clinician devices. Under 45 CFR § 164.308(a)(1)(ii)(A), the practice must conduct an accurate and thorough risk analysis covering all of it, and every telehealth vendor that handles ePHI needs a business associate agreement; OCR's pandemic-era enforcement discretion for consumer video apps ended on August 9, 2023. The proposed Security Rule update (NPRM announced December 2024 and published January 2025, not yet final, with compliance proposed for roughly 240 days after a final rule is published) would make encryption of ePHI at rest and in transit, multi-factor authentication, a technology asset inventory and network map, vulnerability scanning at least every six months, and penetration testing at least every twelve months mandatory, removing the current "addressable" distinction.
How Medcurity helps behavioral health
Medcurity provides guided, NIST-aligned Security Risk Analyses, remediation tracking, business associate management, training, and audit-ready reporting — built for the telehealth-heavy, multi-regime reality of behavioral health, starting at $499/year (about $42/month). See our HIPAA compliance for mental health providers and HIPAA risk assessment guides.
Frequently Asked Questions
Do psychotherapy notes need a separate authorization to release?
Generally yes. HIPAA gives psychotherapy notes heightened protection: most disclosures require a specific patient authorization, including some that would be permitted without authorization for ordinary PHI, and that authorization cannot be combined with an authorization for other PHI. Patients also have no HIPAA right of access to psychotherapy notes. The notes must be kept separate from the rest of the record to qualify for this protection.
How does 42 CFR Part 2 differ from HIPAA?
Part 2 governs records of federally assisted substance use disorder treatment programs and is stricter than HIPAA on consent, redisclosure, and use of records in legal proceedings. Organizations holding both kinds of records must map each record to the correct rule.
Can a minor consent to their own behavioral health treatment?
In many states, yes. Where a minor can lawfully consent to treatment, the minor generally controls that information, and HIPAA defers to state law on whether a parent may access it. Policies must reflect the provider's specific state statutes.