HIPAA Risk Assessment for Behavioral Health Practices (2026 Guide)
The short answer
Behavioral health practices (psychiatry, psychology, counseling, substance use disorder treatment, marriage and family therapy) that bill or exchange health information electronically are HIPAA covered entities and must conduct and maintain a Security Risk Assessment (SRA) under 45 CFR 164.308(a)(1)(ii)(A). The rule itself does not fix a frequency; annual review is the working standard and is what Promoting Interoperability attestation expects. But behavioral health carries a second federal regime that general medical practices do not face: 42 CFR Part 2, which governs substance use disorder records and requires consent handling that is materially stricter than HIPAA. Layered on top, the telehealth shift that began in 2020 moved most sessions into video platforms, home offices, and personal devices, expanding the attack surface and adding scoping work to every SRA. Medcurity’s SRA is built for that combined HIPAA + Part 2 + telehealth reality.
Why HIPAA plus 42 CFR Part 2 makes behavioral health uniquely complex
42 CFR Part 2, issued under the Public Health Service Act (42 U.S.C. 290dd-2) and revised by the HHS/SAMHSA final rule of February 2024 that implements the CARES Act and aligns Part 2 more closely with HIPAA (compliance date February 16, 2026), covers records created by federally assisted programs that hold themselves out as providing substance use disorder (SUD) diagnosis, treatment, or referral for treatment. For behavioral health practices that treat SUD alongside other conditions, Part 2 applies to the SUD-related records held by the Part 2 program and HIPAA applies to everything, including those same records.
Practical SRA implications:
- Separate consent for SUD record disclosure. HIPAA permits disclosure for treatment, payment, and health care operations (TPO) without authorization. Part 2 still requires written patient consent for most disclosures, including to other treating providers within the same health system; the 2024 rule lets a patient sign a single consent covering all future TPO disclosures, but a consent must exist, and use of the medical emergency exception (42 CFR 2.51) must be documented in the record. The SRA has to map how SUD records are segmented in the EHR and who can see them without a Part 2 consent on file.
- Re-disclosure limits. Every Part 2 disclosure must be accompanied by the notice prescribed in 42 CFR 2.32, and recipients are bound by Part 2’s re-disclosure limits. The 2024 rule relaxes this only for records disclosed under a TPO consent to a Part 2 program, covered entity, or business associate, which may then re-disclose under the HIPAA Privacy Rule, but never in legal proceedings against the patient without consent or a court order. The SRA must address how outgoing record packages (faxes, secure messages, EHR-to-EHR transmissions) carry the notice and how the recipient is identified against the consent.
- Breach analysis. Under the 2024 rule, Part 2 records are subject to the HIPAA Breach Notification Rule (45 CFR 164.400 et seq.), and Part 2 violations now carry HIPAA’s civil and criminal penalties. A breach involving SUD records is analyzed and reported like any other ePHI breach, but the incident response procedure must be able to tell, at notification time, whether Part 2 records were among the affected data, which is only possible if segmentation is tracked in the first place.
The 2024 SAMHSA rule moved Part 2 closer to HIPAA but did not collapse the two regimes. Behavioral health practices that operate as if Part 2 has been “harmonized away” are exposed.
Telehealth obligations under the 2026 Security Rule landscape
Behavioral health moved into telehealth faster than any other specialty during 2020–2023, and most practices have not returned to in-person-only delivery. The HIPAA Security Rule applies to ePHI wherever it lives: clinician home office, personal laptop, video platform, cloud EHR. The HHS Security Rule notice of proposed rulemaking published in January 2025, not yet final as of this writing, would make encryption at rest and in transit, multi-factor authentication, a technology asset inventory with a network map, and tested incident response plans mandatory rather than addressable. A current behavioral health SRA needs to address:
- Telehealth platform BAAs. Every vendor that carries session video or other ePHI (Zoom for Healthcare, Doxy.me, SimplePractice, TheraNest, and the like) needs a current business associate agreement. Free and consumer tiers frequently do not include a BAA; confirm that the BAA covers the specific plan and account actually in use rather than assuming from the vendor name.
- Home-office security. Clinicians delivering tele-sessions from home use home networks, share space with household members, and often use personal devices. The SRA has to inventory these endpoints and document the safeguards: dedicated session devices, full-disk encryption, locked rooms, headset use, screen privacy, and home routers that are patched and not running default credentials.
- Mobile device management. Clinicians using personal phones for scheduling, secure messaging, or session reminders need MDM or equivalent technical controls: enforced passcode, device encryption, remote wipe, and separation of the clinical app’s data from personal apps.
- Audit logging. EHR and telehealth platform logs must capture who viewed, exported, or transmitted which record and when, distinguish access to Part 2-segmented records from general access, and be retained long enough to reconstruct a breach investigation; HIPAA’s six-year documentation retention period (45 CFR 164.316(b)(2)) is the common benchmark.
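The Part 2 segmentation and re-disclosure requirements above, and the audit logging requirement, come down to one access decision that the SRA should be able to trace. The following is an added illustrative example, not Medcurity’s code or any EHR vendor’s: a consent-gated check that treats HIPAA-only records and Part 2 records differently, attaches a re-disclosure notice to outgoing packages, and writes an audit event (who, which record, when, outcome) for every access attempt. The record flags, consent fields, user names, dates, and the abbreviated notice wording are constructed assumptions.

```python
"""Consent-gated access for an EHR holding both HIPAA-only and 42 CFR Part 2 records.

Illustrative example with constructed data; not a vendor implementation.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

TPO = frozenset({"treatment", "payment", "operations"})

# Abbreviated placeholder. The statement that must accompany a Part 2 disclosure
# is prescribed by 42 CFR 2.32 and differs by disclosure type.
PART2_NOTICE = "42 CFR Part 2 prohibits unauthorized disclosure of these records."


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    part2: bool  # True when created by a Part 2 program for SUD diagnosis/treatment/referral


@dataclass(frozen=True)
class Consent:
    patient_id: str
    recipient: str        # named recipient, or "*" for a general designation
    purposes: frozenset   # purposes the patient consented to, e.g. {"treatment"}
    expires: date
    revoked: bool = False


@dataclass
class AuditEvent:
    when: date
    user: str
    record_id: str
    purpose: str
    allowed: bool
    reason: str


def consent_on_file(consents: List[Consent], patient_id: str, recipient: str,
                    purpose: str, today: date) -> bool:
    """A consent counts only if unrevoked, unexpired, and for this purpose and recipient."""
    return any(
        c.patient_id == patient_id
        and not c.revoked
        and today <= c.expires
        and purpose in c.purposes
        and c.recipient in (recipient, "*")
        for c in consents
    )


def can_disclose(record: Record, user: str, purpose: str, consents: List[Consent],
                 today: date, emergency: bool = False) -> Tuple[bool, str]:
    """HIPAA-only records: TPO needs no authorization. Part 2 records: deny by default."""
    if not record.part2:
        if purpose in TPO:
            return True, "HIPAA: TPO disclosure, no authorization required"
        return False, "HIPAA: authorization required for non-TPO purpose"
    if emergency:
        return True, "Part 2: medical emergency exception (42 CFR 2.51), document in record"
    if consent_on_file(consents, record.patient_id, user, purpose, today):
        return True, "Part 2: valid written consent on file"
    return False, "Part 2: no valid consent on file"


def access_record(record: Record, user: str, purpose: str, consents: List[Consent],
                  audit: List[AuditEvent], today: date, emergency: bool = False) -> Tuple[bool, str]:
    """Every attempt, allowed or denied, produces an audit event."""
    allowed, reason = can_disclose(record, user, purpose, consents, today, emergency)
    audit.append(AuditEvent(today, user, record.record_id, purpose, allowed, reason))
    return allowed, reason


def build_outgoing_package(record: Record, body: str, recipient: str, purpose: str,
                           consents: List[Consent], audit: List[AuditEvent], today: date) -> Dict[str, str]:
    """Outgoing fax/message/EHR transmission; Part 2 records always carry the notice."""
    allowed, reason = access_record(record, recipient, purpose, consents, audit, today)
    if not allowed:
        raise PermissionError(reason)
    package = {"to": recipient, "record_id": record.record_id, "body": body}
    if record.part2:
        package["notice"] = PART2_NOTICE
    return package


def demo() -> Dict[str, object]:
    """Runs the check over constructed sample data (no real patients) and returns outcomes."""
    today = date(2026, 3, 1)
    general = Record("R-100", "P-1", part2=False)
    sud = Record("R-200", "P-1", part2=True)
    consents = [
        Consent("P-1", "dr.ortiz", frozenset({"treatment"}), expires=date(2026, 12, 31)),
        Consent("P-1", "billing-team", frozenset({"payment"}), expires=date(2025, 12, 31)),  # expired
    ]
    audit: List[AuditEvent] = []
    results: Dict[str, object] = {
        "general_treatment": access_record(general, "dr.lee", "treatment", consents, audit, today)[0],
        "sud_no_consent": access_record(sud, "dr.lee", "treatment", consents, audit, today)[0],
        "sud_with_consent": access_record(sud, "dr.ortiz", "treatment", consents, audit, today)[0],
        "sud_expired_consent": access_record(sud, "billing-team", "payment", consents, audit, today)[0],
        "sud_emergency": access_record(sud, "er-physician", "treatment", consents, audit, today, emergency=True)[0],
    }
    package = build_outgoing_package(sud, "progress note", "dr.ortiz", "treatment", consents, audit, today)
    results["notice_attached"] = "notice" in package
    results["audit_events"] = len(audit)
    return results


if __name__ == "__main__":
    for event in []:  # placeholder so the audit list type is visible to readers
        pass
    print(demo())
```

The point for the SRA is the shape of the decision, not the code: a Part 2 record is denied by default even for a treating clinician, the same clinician is allowed once a matching unexpired consent exists, an expired consent fails closed, and the denied attempts are in the audit trail alongside the allowed ones. If your EHR cannot show you those four outcomes for a test patient, segmentation is not actually enforced.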
Common audit failure modes in behavioral health
OCR enforcement actions and compliance review findings against behavioral health practices cluster around four recurring failures:
- Free video platform used for sessions. The consumer tier of a popular video platform was used during a surge and never replaced with the BAA-covered tier.
- Part 2 records co-mingled with general medical records. The EHR does not segment SUD-related records, so any clinician with patient-level access can see Part 2 material without the required consent on file.
- No SRA update after going telehealth. The risk assessment was done pre-2020 and never updated to scope home-office workstations, personal devices, or video platform vendors.
- Workforce training does not address Part 2. Staff are trained on HIPAA but not on Part 2 consent handling, re-disclosure notices, or the boundary between the two.
The Medcurity approach for behavioral health practices
Medcurity’s SRA platform walks behavioral health practices through the data flows that actually exist in 2026 — including home-office endpoints, telehealth platform BAAs, and Part 2 record segmentation. Policy templates address both HIPAA and Part 2, with specific language on consent, re-disclosure, and breach response under each regime. The workforce training module includes behavioral health-specific content on Part 2 consent handling, telehealth session security, and minor confidentiality (since pediatric behavioral health adds another consent layer). Pricing is flat — $499/year for single-site SRA and $949/year for the SRA + Compliance bundle including policy templates and ongoing training tracking. There is no per-seat pricing escalator, which matters for group practices with rotating clinicians and per-diem staff.
Frequently asked questions
Does 42 CFR Part 2 replace HIPAA for behavioral health practices?
No. Both regimes apply. HIPAA governs the practice as a covered entity. Part 2 governs SUD-specific records when the practice is a federally assisted program holding itself out as providing SUD diagnosis, treatment, or referral. The SRA has to address both.
Do I need a separate SRA for my telehealth operations?
No, but the existing SRA must be updated to scope home-office endpoints, telehealth platform business associates, mobile devices used by clinicians, and the network paths between clinician and patient. Many pre-2020 behavioral health SRAs do not cover any of this.
Is the free version of a popular video platform okay for occasional sessions?
No. A patient session over a consumer-tier video platform with no BAA in place is an impermissible disclosure of ePHI to a vendor that is not a business associate, and each session is a separate violation. OCR’s COVID-19 telehealth enforcement discretion that tolerated such platforms ended in August 2023, so there is no longer a safe harbor. Use a BAA-covered tier for every patient session.
How often should a behavioral health practice update its HIPAA risk assessment?
At least annually, and after any material change — new telehealth platform, new EHR module, new state law affecting consent thresholds, new business associate, significant workforce change, or a security incident.
What does HIPAA compliance cost for a behavioral health practice?
Medcurity SRA starts at $499/year for single-site practices and $949/year for the SRA + Compliance bundle including policy templates and workforce training. There is no per-clinician pricing escalator.
Schedule a Medcurity behavioral-health-fit walkthrough →
Related guides
- HIPAA Security Risk Assessment for Illinois Community Health Centers
- HIPAA Risk Assessment for Pediatric Practices
- HIPAA Security Risk Assessment for California FQHCs
- HIPAA Security Risk Assessment for Texas FQHCs
- How Much Does a HIPAA Security Risk Assessment Cost in 2026?
- What Is a HIPAA Risk Assessment? (2026 Guide)