Mental health providers deal with the most sensitive category of health information that exists. A leaked cardiology report is a privacy violation. A leaked therapy note about childhood trauma, substance use, or suicidal ideation can destroy a patient’s career, relationships, and willingness to seek care.
That sensitivity is exactly why HIPAA treats certain mental health records differently from other medical records — and why getting compliance wrong carries consequences beyond fines. If your patients can’t trust that their disclosures stay private, they stop disclosing. The therapeutic relationship breaks down. People don’t get help.
Despite this, most mental health practices — especially solo practitioners and small group practices — operate with significant compliance gaps. Not out of negligence, but because the rules are genuinely more complex for behavioral health than for most other specialties, and because the resources available are usually written for hospital systems, not for a therapist running a practice out of two rooms and a telehealth platform.
This guide covers the specific HIPAA requirements and risks that mental health and behavioral health practices face in 2026.
Why Mental Health Practices Face Unique HIPAA Challenges
Every healthcare provider must comply with HIPAA. But mental health practices deal with layers of regulation that most medical practices never encounter:
- Psychotherapy notes get extra legal protection that goes beyond standard PHI — with separate authorization requirements that trip up even experienced practitioners.
- Telehealth is now a primary delivery method, not a pandemic accommodation. The temporary enforcement discretion from 2020 is gone. Your video platform, your home office setup, and your intake process all need to meet full HIPAA requirements.
- Substance use disorder records are subject to an entirely separate federal regulation — 42 CFR Part 2 — with stricter rules that override parts of HIPAA.
- Solo practitioners wear every hat: clinician, office manager, biller, IT department, privacy officer, and security officer. Every compliance gap that would be caught by a dedicated person in a larger organization falls through the cracks.
- The nature of the information makes breaches more damaging. OCR and state regulators know this, and the standard for what constitutes “reasonable safeguards” is higher when the data is this sensitive.
Psychotherapy Notes vs. Treatment Records: The Distinction That Matters
This is where most mental health providers get confused — and where OCR enforcement has real teeth.
HIPAA creates a specific, elevated category for psychotherapy notes under 45 CFR 164.508. These are the clinician’s personal notes documenting the contents of a therapy session — the patient’s statements, the therapist’s analysis, impressions, and hypotheses. To qualify for extra protection, psychotherapy notes must be kept separate from the rest of the medical record.
What psychotherapy notes are NOT:
- Medication prescriptions and monitoring
- Session start and stop times
- Types and frequencies of treatment
- Results of clinical tests
- Diagnosis, functional status, treatment plan
- Symptoms, prognosis, progress
All of those are regular treatment records, subject to standard HIPAA rules. Patients have a right to access them. Health plans can request them for payment purposes. They can be disclosed for treatment, payment, and healthcare operations (TPO) without patient authorization.
Psychotherapy notes, by contrast, require a separate, specific written authorization before disclosure — even to insurance companies, even for payment. The only exceptions are narrow: use by the originator for treatment, training programs, defense in legal proceedings brought by the patient, required by the Secretary of HHS for compliance investigations, to avert a serious threat, and to the coroner or medical examiner.
Where Practices Get This Wrong
Mixing notes into the general record. If your psychotherapy notes are stored in the same system, same file, or same section as the rest of the patient’s treatment record, they lose their special protection. They become regular PHI, accessible under standard TPO rules. The separation must be real — a different section of the EHR with different access controls, a separate file, or a physically distinct record.
Not understanding what qualifies. A progress note documenting that the patient “reported increased anxiety, discussed coping strategies, assigned homework” is a treatment record, not a psychotherapy note. The psychotherapy note would be the therapist’s personal analysis: observations about transference, hypotheses about underlying dynamics, raw session content. If you’re labeling standard progress notes as psychotherapy notes to shield them from disclosure, you’re misapplying the rule — and you may be violating patients’ right of access to their own treatment records.
Releasing notes without proper authorization. A general HIPAA authorization form doesn’t cover psychotherapy notes. The authorization must specifically reference psychotherapy notes. A blanket “I authorize release of my medical records” is not sufficient.
The enforcement reality: In 2020, Northcutt Dental-Visions, a small provider, paid $30,000 to settle a Right of Access case. Multiple mental health providers have faced similar actions. If a patient requests their treatment records (not psychotherapy notes) and you refuse or delay beyond 30 days, you’re exposed — regardless of your clinical rationale for withholding.
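The disclosure logic described above, as an added illustration (not ComplyMD code and not the regulation text): a release-of-records gate that treats treatment records and separately stored psychotherapy notes differently, honours only a notes-specific authorization, and shows how notes mixed into the general chart fall back to ordinary TPO handling. The record categories, purpose strings and the Authorization/DisclosureRequest shapes are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Assumed record categories for this illustration.
TREATMENT_RECORD = "treatment_record"      # ordinary PHI: TPO without authorization
PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # kept separately: needs a notes-specific authorization

TPO_PURPOSES = {"treatment", "payment", "operations"}

# The narrow exceptions listed in the text, as assumed purpose strings.
NOTE_EXCEPTIONS = {
    "originator_treatment",            # the note's author using it for treatment
    "training_program",
    "legal_defense_patient_action",    # defense in proceedings brought by the patient
    "hhs_secretary_compliance",
    "avert_serious_threat",
    "coroner_medical_examiner",
}

@dataclass
class Authorization:
    patient_id: str
    names_psychotherapy_notes: bool = False  # a blanket "release my records" form stays False

@dataclass
class DisclosureRequest:
    patient_id: str
    category: str
    purpose: str
    stored_separately: bool = True  # False if the notes were mixed into the general chart
    authorization: Optional[Authorization] = None

def disclosure_allowed(req: DisclosureRequest) -> tuple[bool, str]:
    """Return (allowed, reason) for a single disclosure request."""
    auth_ok = (req.authorization is not None
               and req.authorization.patient_id == req.patient_id)
    category = req.category
    # Notes not kept separate lose the elevated status and are handled as treatment records.
    if category == PSYCHOTHERAPY_NOTE and not req.stored_separately:
        category = TREATMENT_RECORD
    if category == TREATMENT_RECORD:
        if req.purpose in TPO_PURPOSES or auth_ok:
            return True, "treatment record: TPO purpose or patient authorization"
        return False, "treatment record: non-TPO purpose without authorization"
    if category == PSYCHOTHERAPY_NOTE:
        if req.purpose in NOTE_EXCEPTIONS:
            return True, f"psychotherapy note: exception '{req.purpose}'"
        if auth_ok and req.authorization.names_psychotherapy_notes:
            return True, "psychotherapy note: authorization specifically names psychotherapy notes"
        return False, "psychotherapy note: authorization must specifically reference psychotherapy notes"
    return False, f"unknown record category '{category}'"
```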
Telehealth Compliance: The Post-Pandemic Reality
During the COVID-19 public health emergency, OCR exercised enforcement discretion for telehealth — allowing providers to use platforms like FaceTime, Zoom (consumer version), and Skype without penalty. That discretion period is over. In 2026, telehealth must meet the same HIPAA standards as in-person care.
Platform Requirements
Your video platform must be HIPAA-compliant, which means:
- Encryption in transit and at rest for all audio, video, and chat data
- A signed Business Associate Agreement (BAA) with the platform vendor
- Access controls — unique logins, session authentication, waiting room functionality
- Audit logging — the ability to see who accessed what session and when
Platforms that will sign BAAs (as of early 2026): Doxy.me, Zoom for Healthcare, Google Workspace (with Healthcare add-on and BAA), Microsoft Teams (with appropriate licensing and BAA), Thera-LINK, SimplePractice Telehealth, VSee, and several others.
Platforms that will NOT sign BAAs: Consumer Zoom (free tier), FaceTime, Skype, WhatsApp, Facebook Messenger, Google Meet (consumer), and any standard consumer video tool.
Using a non-compliant platform isn’t just a technical violation. If a session is intercepted, recorded, or accessed by the platform vendor, you have a reportable breach — and no BAA means no contractual protection and no shared liability.
The Home Office Problem
Telehealth created a new category of HIPAA risk: the provider’s home. When you conduct sessions from home, your home office becomes a location where PHI is created, accessed, and stored.
What you need:
- A private space where sessions can’t be overheard by family members, roommates, or visitors. “I close the door” is a start, but if household members can hear through the wall, you don’t have adequate physical safeguards.
- A secured device — not a shared family computer. Unique login, screen lock, encryption, updated operating system and antivirus.
- Secure network — your home Wi-Fi should use WPA3 (or at minimum WPA2) encryption with a strong password. No conducting sessions from coffee shop Wi-Fi without a VPN.
- Screen visibility — position your monitor so that patient information isn’t visible to anyone passing by.
- Recording and storage — if you record sessions (with consent), where are those recordings stored? A local hard drive on a shared family computer is a violation waiting to happen.
Patient-Side Considerations
You can’t control your patient’s environment, but you have an obligation to inform them about privacy risks on their end. Document that you’ve advised patients to:
- Join from a private location
- Use headphones
- Avoid using shared or public devices
- Understand that you can’t guarantee privacy on their end
This documentation protects you if a breach occurs on the patient’s side.
42 CFR Part 2: The Extra Layer for Substance Use Disorder Records
If your practice treats substance use disorders — or if substance use comes up in the course of treating other conditions — you likely need to comply with 42 CFR Part 2, which governs the confidentiality of substance use disorder (SUD) patient records.
Part 2 is a separate federal regulation, administered by SAMHSA, that in many ways is stricter than HIPAA:
- Consent requirements are more specific. A Part 2 consent must name the recipient, specify the purpose, describe the information to be disclosed, and include an expiration date. A general HIPAA authorization doesn’t satisfy Part 2.
- Re-disclosure is prohibited. When you share HIPAA-covered records, the recipient can generally use them under their own HIPAA policies. Part 2 records come with a prohibition on re-disclosure — the recipient cannot share them further without a new consent.
- Court orders, not subpoenas. Regular medical records can be obtained with a subpoena. Part 2 records require a court order with specific findings — a much higher bar.
The 2024 Final Rule Alignment
SAMHSA finalized updates to Part 2 in 2024 that brought it into closer alignment with HIPAA, allowing Part 2 records to be disclosed for treatment, payment, and healthcare operations purposes once a single initial consent is obtained. This was a significant change — previously, each disclosure required its own specific consent.
However, the anti-discrimination protections and re-disclosure restrictions remain. Part 2 records still cannot be used against a patient in criminal, civil, administrative, or legislative proceedings without proper authorization. And the re-disclosure notice must still accompany any shared records.
The practical risk for mental health providers: If a patient discloses substance use during a therapy session and you document it, those records may be subject to Part 2 — depending on whether your practice is considered a “Part 2 program” or whether the disclosure is incidental to other treatment. The distinction is fact-specific and often requires legal guidance. When in doubt, apply the stricter standard.
Solo Practitioners: The Compliance Gaps Nobody Talks About
More than half of practicing psychologists and a large share of licensed clinical social workers and marriage and family therapists operate as solo practitioners. When you’re the sole clinician, biller, IT administrator, privacy officer, and security officer, certain compliance failures are almost inevitable without deliberate effort to prevent them.
The Most Common Solo Practitioner Gaps
No Security Risk Assessment. This is the single most cited deficiency in OCR enforcement actions across all practice sizes. For solo practitioners, the completion rate is particularly low because there’s no compliance department prompting it and no audit committee reviewing it. You are required to conduct and document a risk assessment — even as a solo provider. “I thought about security” doesn’t count. It must be written.
No written policies. HIPAA requires documented policies and procedures — not just practices you follow in your head. “I always lock my computer” is a habit. “All workstations must be locked when unattended, with automatic screen lock set to 2 minutes” is a policy. You need the second one, in writing.
Shared devices and accounts. Solo practitioners often use personal devices for practice purposes — checking the schedule on a personal phone, using a home computer for notes, storing files in a personal cloud account. Each of these creates compliance exposure unless the device is secured, encrypted, and covered by your policies.
No audit logging review. Even if your EHR system has audit logs, when was the last time you reviewed them? Solo practitioners almost never review access logs because they assume they’re the only user. But audit log review also catches unauthorized access — a former office assistant whose credentials were never revoked, a vendor with unnecessary access, or an intrusion you haven’t detected.
No BAA inventory. How many vendors touch your patient data? Your EHR. Your billing software or clearinghouse. Your telehealth platform. Your email provider (if you email anything containing PHI). Your cloud storage. Your phone answering service. Your payment processor. Each one requires a BAA. Solo practitioners commonly have BAAs with their EHR vendor and nobody else.
No incident response plan. When a solo practitioner experiences a potential breach — a lost phone, a misdirected fax, a ransomware attack — there’s no protocol. The response is improvised, which means required notifications get missed, timelines get blown, and documentation doesn’t happen.
OCR doesn’t scale down expectations for solo practitioners. The Security Rule’s “flexibility of approach” means you can implement solutions appropriate to your size — simpler technology, fewer staff to train, smaller-scale policies. But you cannot skip any category of safeguard. A solo therapist still needs administrative, physical, and technical safeguards, all documented.
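The audit log review described under "No audit logging review" above, as an added example (not ComplyMD's or any EHR vendor's code): it reads a small EHR access log and flags the cases the text names, an account that should have been revoked, a vendor account opening charts, and, tying back to the psychotherapy-notes section, non-clinician access to the separately stored notes, plus after-hours access. The pipe-delimited log format, the account roster and the sample lines are constructed for the example.

```python
from datetime import datetime
from typing import Iterable

# Assumed roster: the accounts that should currently be using the EHR.
# A departed assistant whose login still works is what this review should surface.
ACTIVE_WORKFORCE = {"dr_lee": "clinician"}
# Vendor support accounts may exist, but have no reason to open patient charts.
VENDOR_ACCOUNTS = {"ehr_support"}
BUSINESS_HOURS = range(7, 20)  # 07:00 to 19:59 local time, assumed for the practice

# Constructed sample log: timestamp|user|role|action|patient|section
SAMPLE_LOG = """\
2026-02-03T09:12:44|dr_lee|clinician|read|pt-104|treatment_record
2026-02-03T09:40:10|dr_lee|clinician|write|pt-104|psychotherapy_notes
2026-02-03T22:05:31|assist_old|staff|read|pt-219|treatment_record
2026-02-04T03:17:02|ehr_support|vendor|read|pt-104|psychotherapy_notes
2026-02-04T10:02:55|dr_lee|clinician|read|pt-219|treatment_record
"""

def parse(lines: Iterable[str]):
    """Yield one dict per non-empty log line."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ts, user, role, action, patient, section = line.split("|")
        yield {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
               "action": action, "patient": patient, "section": section}

def review(lines: Iterable[str]) -> list[str]:
    """Return one tagged finding per suspicious event; an event can produce several."""
    findings = []
    for ev in parse(lines):
        tag = f"{ev['ts'].isoformat()} {ev['user']} {ev['action']} {ev['patient']}/{ev['section']}"
        if ev["user"] not in ACTIVE_WORKFORCE and ev["user"] not in VENDOR_ACCOUNTS:
            findings.append(f"UNREVOKED_ACCOUNT {tag}")
        elif ev["user"] in VENDOR_ACCOUNTS:
            findings.append(f"VENDOR_CHART_ACCESS {tag}")
        if ev["section"] == "psychotherapy_notes" and ev["role"] != "clinician":
            findings.append(f"NOTES_ACCESS_BY_NON_CLINICIAN {tag}")
        if ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(f"AFTER_HOURS {tag}")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_LOG.splitlines()):
        print(finding)
```

Each finding is a prompt to investigate and document, which is the written review record OCR expects to see.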
The Proposed 2026 Security Rule Changes: What Mental Health Practices Need to Know
The proposed HIPAA Security Rule update would impose several new requirements with significant implications for mental health practices:
- Mandatory encryption with no exceptions. The current rule treats encryption as “addressable” — meaning you can use an alternative if encryption isn’t reasonable. The proposed rule eliminates this. All ePHI must be encrypted at rest and in transit. For a solo therapist using a laptop and a cloud EHR, this means full-disk encryption on every device and verified encryption on every transmission.
- Multi-factor authentication (MFA) everywhere. Every system that accesses ePHI would require MFA — your EHR, your telehealth platform, your email, your cloud storage. No more single-password access.
- Annual penetration testing and vulnerability scanning. This will require either technical expertise or a qualified third party. For solo practitioners and small group practices, this represents a new cost.
- 72-hour system restoration. You must have written procedures to restore access to ePHI within 72 hours of a disruption. For a solo practitioner without dedicated IT, this means having a tested backup and recovery plan — not just “I’ll figure it out.”
- Technology asset inventory. A complete, maintained inventory of every device, system, and application that creates, receives, maintains, or transmits ePHI.
The final rule hasn’t been issued yet, and significant industry pushback — particularly from small and solo practices — may modify some requirements. But the direction is unmistakable: the regulatory floor is rising.
Mental Health Practice HIPAA Checklist
Use this as a baseline assessment. If you can’t check a box, that’s a compliance gap to address.
Administrative Safeguards
- Documented Security Risk Assessment, updated annually
- Written privacy and security policies specific to your practice
- Designated Privacy Officer and Security Officer (can be you, but it must be documented)
- Workforce training completed and documented (even if you’re the only workforce member)
- Sanction policy for HIPAA violations
- Incident response and breach notification plan
- Business Associate Agreement inventory — every vendor who touches PHI
Psychotherapy Notes and Clinical Records
- Psychotherapy notes stored separately from treatment records
- Separate authorization form specifically for psychotherapy note disclosure
- Clear internal criteria for what qualifies as a psychotherapy note vs. treatment record
- Right of Access procedures — 30-day response timeline for treatment record requests
- 42 CFR Part 2 compliance assessment if SUD treatment is provided
Telehealth
- HIPAA-compliant video platform with signed BAA
- Telehealth-specific policies covering platform use, session documentation, and patient notifications
- Home office physical safeguards documented (if conducting sessions from home)
- Patient-facing telehealth privacy notice provided and documented
Technical Safeguards
- Encryption on all devices — laptops, tablets, phones used for practice purposes
- Unique user credentials for every system (no shared logins)
- Multi-factor authentication on EHR and telehealth platforms
- Automatic screen lock (2 minutes or less)
- Audit logging enabled and reviewed regularly
- Regular encrypted backups, tested for restoration
- Anti-malware and firewall protection on all devices
Physical Safeguards
- Office sound privacy — sessions can’t be overheard from waiting areas or adjacent rooms
- Screens positioned away from patient view
- Paper records (if any) secured in locked storage
- Secure disposal of old devices and paper records
Vendor Management
- Current BAA on file with: EHR vendor, telehealth platform, billing/clearinghouse, email provider, cloud storage, answering service, payment processor, IT support, shredding service
- Annual review of vendor BAA status and compliance
How ComplyMD Helps Mental Health Practices
Mental health compliance isn’t generic healthcare compliance. The psychotherapy note rules, the telehealth requirements, the Part 2 overlap, the solo practitioner reality — these all require a compliance program that understands behavioral health.
ComplyMD builds your complete HIPAA compliance program with mental health-specific policies, risk assessments that account for telehealth and psychotherapy note protections, BAA tracking across your vendor ecosystem, and documentation that holds up if OCR comes asking.
No binders. No generic templates written for hospital systems. A compliance program that reflects how your practice actually operates.
Built for the way mental health practices actually work
ComplyMD generates your Security Risk Assessment, policies, training documentation, and vendor management — tailored to behavioral health, telehealth, and solo practice realities.
Not sure where your gaps are? Take the free HIPAA risk assessment quiz.