HIPAA compliance for mental health counselors, therapists, and psychologists
Mental health providers face the same HIPAA obligations as any covered entity — plus additional protections for psychotherapy notes and, for substance use disorder providers, a separate regulatory layer under 42 CFR Part 2.
By CoreFolio
Mental health providers — therapists, licensed professional counselors, psychologists, clinical social workers, and psychiatrists — operate under the same HIPAA framework that applies to any covered health care provider. In several respects, however, the framework for mental health is more protective than for general medical records. Understanding where those additional protections apply, and where they interact with a separate regulatory layer under 42 CFR Part 2, requires specific attention.
Who qualifies as a covered entity in mental health
A mental health provider is a covered entity under 45 CFR § 160.103 if they furnish health care services and transmit any health information electronically in connection with covered transactions. In practice, this means the provider submits claims to insurance electronically, checks eligibility electronically, or receives electronic remittance advice.
Providers who see only self-pay clients and never interact with insurance electronically may not be covered entities. However:
- Most states have health privacy statutes independent of HIPAA that impose obligations on any provider holding patient health records
- Any business associate relationship with a covered entity creates direct HIPAA obligations under the HITECH Act
- Providers who use EHR systems, telehealth platforms, or scheduling software that integrates with insurers’ systems should confirm their status using the CMS Covered Entity Decision Tool
Psychotherapy notes: heightened protection
The most significant mental-health-specific HIPAA protection is the special treatment of psychotherapy notes under 45 CFR § 164.501 and § 164.508.
What constitutes psychotherapy notes: Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session. They must be:
- Recorded in any medium
- Created by a mental health professional
- Documenting the contents of the session (conversation, themes, the clinician’s personal observations)
- Stored separately from the rest of the individual’s medical record
What does not qualify as psychotherapy notes: Medication prescriptions and monitoring, session start/stop times, modalities and frequencies of treatment, results of clinical tests, summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress are not psychotherapy notes — even if they relate to mental health treatment. These standard treatment records follow normal HIPAA rules.
The authorization requirement: Disclosures of psychotherapy notes require written patient authorization in most circumstances — more restrictive than standard PHI. Under § 164.508(a)(2), the standard treatment, payment, and health care operations (TPO) exceptions that allow disclosure of ordinary PHI without authorization do not apply to psychotherapy notes. Notable exceptions where psychotherapy notes may be disclosed without authorization include:
- The treating provider using the notes for treatment
- Training programs where the notes are used to supervise clinical training
- Defense in legal proceedings brought by the patient
- HHS in an investigation or oversight proceeding
Practical implication for small practices: Psychotherapy notes must be in a separate file or location from the general medical record — whether paper or electronic. In an EHR, they must be in a distinct section with access controls that differ from the standard record. A disclosure authorization for ordinary records does not cover psychotherapy notes. A separate authorization, specifically referencing psychotherapy notes, is required.
Substance use disorder records: 42 CFR Part 2
For mental health providers who also treat substance use disorder (SUD), an additional federal regulatory layer applies: 42 CFR Part 2, originally enacted under the Comprehensive Alcohol Abuse and Alcoholism Prevention, Treatment, and Rehabilitation Act of 1970, as amended.
When 42 CFR Part 2 applies: Part 2 applies to records of patients receiving substance use disorder assessment or treatment from a federally assisted program. “Federally assisted” is interpreted broadly — it includes programs receiving any federal funding (including Medicaid reimbursement) and programs holding a DEA registration.
Key differences from HIPAA:
- Consent is required for most disclosures — the TPO exception in HIPAA does not override Part 2’s consent requirements for SUD records
- Re-disclosure is restricted — recipients of Part 2 records may not further disclose them without patient consent, even to other treating providers
- Criminal proceedings — SUD records may not be used in criminal, civil, or administrative proceedings against a patient without court order or patient consent
- Business associate-like requirements — Part 2 imposes its own confidentiality requirements on persons who receive records
The interaction rule: Where both HIPAA and 42 CFR Part 2 apply, the more protective rule governs. In practice, Part 2 is nearly always more protective than HIPAA for SUD treatment records.
2020 amendments: HHS amended 42 CFR Part 2 in 2020 to align more closely with HIPAA, particularly around treatment, payment, and health care operations uses of SUD records. These amendments reduced — but did not eliminate — the gap between Part 2 and HIPAA.
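The disclosure rules described in the psychotherapy-notes and Part 2 sections above, encoded as a single access-decision function that an EHR authorization layer could call before releasing a record. This is an added illustration, not code from the original article or from CoreFolio; the record categories, purpose labels and the DisclosureRequest type are constructed for the example and deliberately simplify the regulations to the points the article makes.

```python
from dataclasses import dataclass

# Record categories distinguished in the article: ordinary treatment records,
# psychotherapy notes (45 CFR 164.501 / 164.508), and SUD records under 42 CFR Part 2.
STANDARD = "standard"
PSYCHOTHERAPY_NOTES = "psychotherapy_notes"
SUD_PART2 = "sud_part2"

# Purpose labels are constructed for this model; they are not regulatory terms.
TPO = frozenset({"treatment", "payment", "operations"})
# The narrow cases the article lists in which psychotherapy notes may be
# disclosed without the patient's written authorization.
NOTES_WITHOUT_AUTH = frozenset({"treating_provider_treatment", "training_supervision",
                                "defense_in_patient_lawsuit", "hhs_oversight"})


@dataclass(frozen=True)
class DisclosureRequest:
    record_type: str
    purpose: str
    # Record categories the patient has signed a written authorization/consent for.
    authorizations: frozenset = frozenset()


def may_disclose(req: DisclosureRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a proposed disclosure under the article's rules."""
    if req.record_type == SUD_PART2:
        # Part 2: consent for most disclosures; HIPAA's TPO exception does not override
        # it, and a recipient needs consent again before re-disclosing, even for treatment.
        if SUD_PART2 in req.authorizations:
            return True, "Part 2 patient consent on file"
        return False, "42 CFR Part 2 requires patient consent; TPO does not override"
    if req.record_type == PSYCHOTHERAPY_NOTES:
        if req.purpose in NOTES_WITHOUT_AUTH:
            return True, f"164.508(a)(2) exception: {req.purpose}"
        if PSYCHOTHERAPY_NOTES in req.authorizations:
            return True, "authorization specifically referencing psychotherapy notes"
        # A general-records authorization or a TPO purpose is not enough for the notes.
        return False, "separate psychotherapy-notes authorization required"
    if req.record_type == STANDARD:
        if req.purpose in TPO:
            return True, "ordinary PHI: TPO disclosure without authorization"
        if STANDARD in req.authorizations:
            return True, "patient authorization on file"
        return False, "non-TPO purpose needs patient authorization"
    raise ValueError(f"unknown record type: {req.record_type!r}")
```

The key check is the second branch: a request for psychotherapy notes backed only by an authorization for the general record is refused, which is the separation the article requires of an EHR.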
Telehealth: a specific compliance surface
Mental health services moved substantially to telehealth during and after the COVID-19 public health emergency. HIPAA obligations apply fully to telehealth sessions that involve ePHI.
Platform requirements:
- The telehealth platform must support encryption in transit (TLS 1.2 minimum, TLS 1.3 preferred per NIST guidance)
- The vendor must sign a business associate agreement (BAA) with the covered entity before any sessions are conducted
- The platform must provide audit logging capabilities
Consumer platforms and enforcement discretion: During the COVID-19 public health emergency (declared January 27, 2020, ended May 11, 2023), OCR exercised enforcement discretion and did not penalize covered health care providers for using non-BAA-enabled consumer video communication products for telehealth in good faith. That enforcement discretion ended with the public health emergency. Consumer video platforms such as FaceTime (without a BAA), standard Zoom (without the Healthcare tier and a BAA), and Google Meet (without a BAA) do not meet current HIPAA requirements.
Mental health-specific telehealth considerations:
- Session recordings raise additional authorization requirements if stored as part of the patient record or shared
- Telehealth platforms that allow session recording must address the data retention and access control requirements for stored ePHI
- Home-based sessions require that patients have a private environment; documenting that this was addressed is a reasonable precaution
Core HIPAA Security Rule obligations for mental health practices
The Security Rule requirements for mental health providers are the same as for any covered entity. For a small mental health practice, the priority items are:
Risk analysis: Document the assessment of risks to ePHI in every system — EHR, telehealth platform, email, mobile devices used for scheduling or communication, and cloud storage. The risk analysis must be updated when the environment changes materially (such as when adopting a new telehealth platform).
Business associate agreements: Execute BAAs before sharing ePHI with: the EHR vendor, the telehealth platform, billing services, any cloud backup or storage service, and the email platform if it can access ePHI.
Workforce training with documentation: Even a solo practitioner must document security awareness training. Staff who handle PHI — including administrative staff — require training specific to mental health privacy requirements, including the psychotherapy notes distinction and any applicable 42 CFR Part 2 obligations.
Access controls: EHR systems must have unique login credentials for each staff member. Psychotherapy notes must be in a separately secured section with restricted access — not all staff who access the general record should have access to psychotherapy notes.
Incident response and breach notification: Mental health records are among the most sensitive categories of PHI. A breach involving mental health records — particularly SUD records — may cause significant harm to affected individuals. The four-factor risk assessment and breach notification procedures must be in place before an incident occurs.
Six-year documentation retention
HIPAA requires covered entities to retain documentation of HIPAA policies, procedures, and compliance activities for six years from creation or from when the document was last in effect, whichever is later (45 CFR § 164.316(b)(2)). This applies to the risk analysis, risk management plan, training records, BAAs, incident logs, and all other HIPAA compliance documents.
Some states impose longer retention requirements for mental health records specifically; state law controls where it is more protective.
Sources: 45 CFR § 160.103 (covered entity definition); 45 CFR § 164.501 (psychotherapy notes definition); 45 CFR § 164.508(a)(2) (authorization required for psychotherapy notes); 45 CFR §§ 164.302–164.318 (Security Rule); 42 CFR Part 2 (Confidentiality of Substance Use Disorder Patient Records); HHS 42 CFR Part 2 amendments (2020); HHS COVID-19 telehealth enforcement discretion, ended May 11, 2023; CMS Covered Entity Decision Tool. Last verified May 20, 2026.