HIPAA Compliance for Mental Health Providers: Privacy & Security Guide
Mental health is where HIPAA is at its most protective and its most nuanced. The information a therapist holds — diagnoses, session content, substance use history — carries more stigma and legal sensitivity than almost any other PHI, and HIPAA reflects that with rules that apply to mental health providers differently than to a general medical office. Getting compliant here means understanding the special categories layered on top of the baseline.
Psychotherapy notes are a category of their own
Psychotherapy notes, a clinician's private notes documenting or analyzing the contents of a counseling session and kept separate from the rest of the medical record (as defined at 45 CFR §164.501), receive heightened protection. Under §164.508(a)(2), nearly any use or disclosure requires a patient authorization that is specific to the notes and cannot be combined with any other authorization, including disclosures for treatment, payment, or operations that ordinary PHI would allow without one; the narrow exceptions include the originating clinician's own use for treatment and certain training, legal-defense, and oversight uses. Psychotherapy notes are also excluded from the patient's right of access (§164.524(a)(1)(i)). The catch: they only qualify if you actually keep them separate from the rest of the chart. Medication prescription and monitoring, session start and stop times, treatment modalities and frequencies, clinical test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress are NOT psychotherapy notes and follow the ordinary rules.
42 CFR Part 2 may apply on top of HIPAA
If you provide substance use disorder (SUD) treatment and meet the federal definition of a Part 2 program (a federally assisted program that holds itself out as providing SUD diagnosis, treatment, or referral for treatment), 42 CFR Part 2 imposes consent requirements stricter than HIPAA's: most disclosures of Part 2 records require written patient consent, including disclosures HIPAA would permit without an authorization. The 2024 HHS final rule aligned Part 2 more closely with HIPAA (for example, permitting a single consent for future uses and disclosures for treatment, payment, and health care operations), but Part 2 still governs SUD records, and wherever the two rules differ you must follow the more protective standard.
The everyday risks for a small practice
Most mental health care happens in solo or small-group practices without dedicated IT. The practical risk surface is teletherapy platforms (use one whose vendor will sign a business associate agreement), email and texting with clients, unencrypted laptops and phones that hold session notes or client contact details, and shared waiting-room or telehealth environments where conversations carry. Each is addressable with basic controls such as full-disk encryption, a screen lock, and a secure messaging channel, but only once you have identified it. Our HIPAA compliance for behavioral health guide covers the broader behavioral-health context.
Start with the risk analysis
Every mental health practice that transmits claims or other standard transactions electronically is a covered entity and must complete a Security Risk Analysis under 45 CFR §164.308(a)(1)(ii)(A), document it, and review and update it as the practice changes (§164.316(b)). For a small practice, the SRA is the single most valuable compliance exercise: it inventories where PHI lives (EHR, teletherapy tool, email, billing service) and which people and devices can reach it, rates the likelihood and impact of each threat, and prioritizes the handful of fixes that matter on a limited budget.
The rules are tightening
The proposed Security Rule update, a notice of proposed rulemaking HHS released in late December 2024 and published in the Federal Register in January 2025, is not final. As proposed, it would remove the distinction between "required" and "addressable" implementation specifications and make controls such as encryption of ePHI at rest and in transit, multi-factor authentication, and a written annual risk analysis explicit requirements, with compliance due roughly 240 days after a final rule is published. That matters for solo practitioners who have leaned on the addressable category to defer those controls.
How Medcurity helps
Medcurity gives small mental health practices a guided, plain-language Security Risk Analysis and remediation tracker built for teams without an IT department. Pricing is $499/year (about $42/month); group practices and clinics can request a quote. Keep our HIPAA compliance checklist handy as you work through it.
Frequently Asked Questions
Are psychotherapy notes treated differently from the rest of the record?
Yes. When kept separate from the medical record, psychotherapy notes require a specific authorization that cannot be combined with any other authorization, even for most uses that ordinary PHI would allow without one, and they are excluded from the patient's right of access. That is stronger protection than ordinary PHI receives.
Can a therapist email or text clients?
Only with appropriate safeguards. Standard email and SMS are not encrypted end to end and may be stored on carrier or provider servers; use a secure, BAA-backed platform (an encrypted client portal or messaging tool), or, if a client asks to be contacted over an unsecured channel, warn them of the risk and document their informed request. Even then, keep what you send that way to the minimum necessary, such as appointment logistics rather than clinical content.
Does HIPAA or 42 CFR Part 2 apply to substance use records?
Both can apply. HIPAA applies to any covered entity, and if you are also a Part 2 program, its stricter written-consent rules apply to SUD records on top of HIPAA. Where the two differ, follow the more protective standard.
Do solo practitioners really need a Security Risk Analysis?
Yes. There is no small-practice exemption. Any provider who bills electronically is a covered entity and must complete, document, and periodically update a Security Risk Analysis.