
HIPAA Compliance for Behavioral Health Practices

HIPAA compliance for behavioral health practices consists not only of complying with the HIPAA Privacy, Security, and Breach Notification Rules, but also with any other federal or state regulations that preempt HIPAA’s “federal floor” of privacy protections. These regulations include, for example, the Part 2 substance use disorder (“SUD”) regulations and the Texas Medical Records Privacy Act.

Most behavioral health professionals are subject to the HIPAA Privacy, Security, and Breach Notification Rules inasmuch as they are either solo practitioners who qualify as a HIPAA Covered Entity, or they work for a behavioral health practice that has implemented policies and procedures to comply with the HIPAA Rules.

In terms of HIPAA compliance for behavioral health practices, if a solo practitioner qualifies as a Covered Entity, they are responsible for implementing measures that protect the privacy of individually identifiable health information and ensure the confidentiality, integrity, and availability of electronic Protected Health Information (PHI).

In multi-practitioner behavioral health practices, these responsibilities are delegated to a Privacy and Security Officer who is either an existing member of the workforce (usually a non-clinical employee) or appointed to fulfill the role(s). Alternatively, the challenge of HIPAA compliance for behavioral health practices is contracted out to specialist compliance organizations.

In both scenarios, any employed or sub-contracted practitioners, assistants, support staff, or administrative staff are required to comply with the policies and procedures put in place by the responsible person – and, in some cases, these can go well beyond the requirements of the HIPAA Privacy, Security, and Breach Notification Rules.


Privacy Rule HIPAA Compliance for Behavioral Health Practitioners

Privacy Rule HIPAA compliance for behavioral health practitioners is the same as for any other HIPAA Covered Entity inasmuch as all members of the workforce must understand what individually identifiable health information is, know when it can permissibly be used or disclosed, and be aware of patients’ rights to access PHI and request an accounting of disclosures.

However, because of the nature of behavioral health, there can be many elements of a practitioner’s work that are square pegs in HIPAA’s round holes. For example, career counseling, mediation services, and life coaching are not included in HIPAA’s definition of health services. So, do these activities have the same Privacy Rule protections as psychotherapy notes, or should they be included in a designated record set and be subject to the same protections as health information?

The answer to this question can vary depending on the location of the practice (e.g., state laws may apply), the nature of the practice’s activities (e.g., whether it provides services for substance use disorder patients), and the practice’s appetite for risk. With regard to risk, all Covered Entities are required to conduct a HIPAA risk assessment, but what is done with the results of the assessment should be “appropriate to the [Covered Entity’s] circumstances” and is therefore open to interpretation.

Security Rule HIPAA Compliance for Behavioral Health Practices

In theory, Security Rule HIPAA compliance for behavioral health practices should also be the same as for any other Covered Entity. However, it can often be much harder to comply with the Technical Safeguards of the Security Rule because behavioral health practitioners (most often at the request of clients) tend to favor consumer-facing services such as Gmail, Square, and PayPal. This was especially true during the height of the COVID-19 pandemic with regard to remote consultations.

Consumer-facing services rarely have the technical capabilities required by the Security Rule (e.g., automatic log-off, event monitoring, etc.), so they are not compliant with HIPAA. Additionally, consumer-facing services can store copies of communications indefinitely on their servers, communications can be intercepted via man-in-the-middle attacks, and many service providers will not sign a Business Associate Agreement. Effectively, there is a lot to overcome.

Consequently, behavioral health practitioners have to be very careful about how they use technology. While the Security Rule has a “flexible approach” clause (see 45 CFR § 164.306(b)), it may be necessary for practitioners to adhere to the policies developed to limit disclosures to the minimum necessary – even when talking to clients, if communications are being transmitted through insecure channels. Naturally, it is important that compliance with these policies is monitored wherever possible.

The Breach Notification Rule and Notification Timeframes

The Breach Notification Rule stipulates when and how clients should be notified of an impermissible disclosure of unsecured Protected Health Information and what information should be included in the notification letter. The Rule also mandates timeframes within which HHS’ Office for Civil Rights has to be notified – and, in some cases, the media.

Generally, the notification timeframe for individuals is within 60 days of a breach being discovered, while HHS’ Office for Civil Rights has to be notified of breaches annually unless a breach impacts more than 500 individuals – in which case the notification timeframe is also within 60 days. Information on the notification requirements can be found in this article.

Although it is not difficult to comply with this Rule, it is important to be aware that most states have privacy laws with much shorter notification timeframes. It is also important to be aware that some state laws extend beyond state borders and relate to data breaches affecting any resident of the state – for example, Texas’ Medical Records Privacy Act.

HIPAA Training for Behavioral Health Practice Staff

HIPAA training for behavioral health practice staff is critical because behavioral health information is especially sensitive and often subject to heightened privacy expectations. Staff in behavioral health practices handle PHI during intake, therapy sessions, care coordination, billing, and communication with patients and families, often across multiple channels. Training should clearly explain how the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule apply to behavioral health settings, with emphasis on minimum necessary access, appropriate disclosures, and careful communication.

Consistent with effective HIPAA training for employees, behavioral health-focused training should use plain language and realistic scenarios rather than abstract rules. It should address common risk areas such as scheduling and reminders, telehealth sessions, shared notes, use of messaging tools, and discussions in public or semi-private spaces. Training should also reinforce prompt incident recognition and reporting so potential issues can be addressed quickly.

Best practice in the healthcare sector is to provide HIPAA training annually, and regular refresher training helps behavioral health staff stay aligned as treatment models, technology, and privacy risks evolve.

Seek Compliance Advice, Understand, and Document!

In conclusion, it can be hard for busy practitioners to do their best for clients while struggling with HIPAA compliance for behavioral health practices – let alone with the volume of federal and state laws that impose more stringent privacy protections or security requirements. The best solution for balancing work and compliance is to seek professional compliance advice, understand which laws apply in which situations, and develop policies and procedures accordingly.

In all cases, document risk assessments, risk analyses, and decisions relating to the HIPAA standards – explaining why, if applicable, an implementation specification has not been implemented. It is also necessary to retain policy documents for a minimum of six years from the date the policy was last in force in case of an audit, review, or investigation. Finally, remember that ignorance of the HIPAA compliance requirements is not an acceptable defense in the event of a data breach.

HIPAA Compliance for Behavioral Health Practices: FAQs

Why are “most”, and not “all”, behavioral health practitioners subject to HIPAA?

Some health care professionals – including some behavioral health practitioners – are not subject to HIPAA because either they do not provide qualifying services or they do not transmit individually identifiable health information electronically in a transaction for which the Department of Health and Human Services has developed standards (see CMS’ Transactions Overview for more information).

Alternatively, a practitioner may practice in an environment in which HIPAA does not apply. For example, if a behavioral health practitioner provides services for university students, the students’ medical records are classified as part of their educational records under the Family Educational Rights and Privacy Act (FERPA), so HIPAA does not apply to these medical records.

If a behavioral health practitioner does not qualify as a Covered Entity but provides a service on behalf of a practitioner who is a Covered Entity, what happens then?

In this case, the practitioner who is not a Covered Entity (Practitioner A) provides the service as a Business Associate of the practitioner who is a Covered Entity (Practitioner B). As a Business Associate of Practitioner B, Practitioner A will have to comply with some HIPAA Rules, and those that are applicable will be written into the Business Associate Agreement between the two practitioners.

How does my state’s “duty to warn” requirement align with HIPAA?

If a behavioral health practitioner believes there is a serious and imminent threat of a client harming themselves or others, HIPAA generally allows the practitioner to warn the appropriate person(s) (45 CFR § 164.512(j)). However, there are exceptions to this permissible disclosure (see 45 CFR § 164.512(j)(2)), and it is important to be aware of how these exceptions may conflict with state law.

What Privacy Rule protections do psychotherapy notes have?

Under the General Principles for Uses and Disclosures, even though psychotherapy notes can contain information relevant to a client’s past, present, or future condition, they cannot be disclosed without written authorization from the client – provided they are maintained separately from other health information. However, in some states (e.g., Vermont), psychotherapy notes must be kept with other health information, and the Privacy Rule protections would not apply.

How might the Texas Medical Records Privacy Act affect a behavioral health practice in Oklahoma?

If a behavioral health practice in Oklahoma provides services for a client from Dallas, there are fewer permissible uses and disclosures of the client’s individually identifiable health information than allowed by HIPAA, client requests for access to their health information have to be attended to more quickly, and all members of the workforce have to receive HIPAA training within 90 days of being engaged.


Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
