HIPAA for Therapy, Psychology, and Behavioral Health.
Written, OCR-defensible Risk Analysis built for clinical practices where the session itself is the protected health information. CIPP/US certified. Free 30-min discovery call to scope the right engagement. Solo therapists through group behavioral health practices, nationwide.
Why Mental Health Practices Need a Specialty-Specific Approach
Therapy Sessions Are Not Like Other Medical Records.
Mental health practices face HIPAA risks that general medical practices and dental practices do not. The session content itself is highly sensitive PHI, federal substance use rules layer on top of HIPAA, and the practice structure (often a solo clinician without admin staff) creates compliance gaps that off-the-shelf platforms miss.
Psychotherapy Notes Have Enhanced Protections
Under 45 CFR 164.501 and 164.508(a)(2), psychotherapy notes recorded during a counseling session and kept separate from the rest of the medical record require specific patient authorization for nearly all disclosures, including for treatment, payment, and healthcare operations. A Risk Analysis that does not address how psychotherapy notes are stored, who can access them, and what authorization workflow is in place is incomplete.
42 CFR Part 2 Layers on Top of HIPAA
If your practice provides substance use disorder treatment, 42 CFR Part 2 applies in addition to HIPAA. The 2024 Final Rule under the CARES Act aligned several provisions with HIPAA, but the consent and re-disclosure rules still go beyond what HIPAA requires. Mixed practices need dual-framework documentation, and substance use records require handling procedures separate from those for general therapy records.
The COVID Telehealth Exception Ended in 2023
HIPAA enforcement discretion for telehealth ended on August 9, 2023. Telehealth therapy now requires platforms with executed BAAs covering PHI in transit and storage. Doxy.me, SimplePractice, TherapyNotes, and Zoom Business or higher all offer BAA coverage. Consumer-grade FaceTime, Skype, and personal Google Meet do not. A Risk Analysis should confirm your telehealth platform is HIPAA-supported and the BAA is current.
Solo Practice Workflows Create Specific Gaps
A solo clinician who is also the practice owner, the bookkeeper, the IT person, and the records custodian creates compliance gaps that group practices and hospitals do not. Workforce training documentation, sanctions policy application, vendor BAA tracking, and breach response readiness all require specific Risk Analysis attention when the staff is one or two people. Compliance platforms typically assume a larger administrative structure.
Recent OCR Enforcement Against Behavioral Health Practices
Behavioral Health Is Squarely Within OCR's Crosshairs.
Two of the highest-profile recent OCR settlements involved behavioral and small-specialty practices. Both cited Risk Analysis failures as the root cause. Both showed that practice size does not protect against enforcement.
2025: Deer Oaks — The Behavioral Health Solution: $225,000. A ransomware attack on August 29, 2023 affected 171,871 individuals, plus a separate ePHI exposure of 35 patients spanning December 2021 to May 2023. OCR's root finding was the same one that appears in nearly every Risk Analysis Initiative settlement: failure to conduct an accurate and thorough Risk Analysis.
April 2025: Comprehensive Neurology, PC: $25,000. A small New York neurology practice settled with OCR after a ransomware attack. The settlement included a two-year corrective action plan. This was OCR's eighth Risk Analysis Initiative action and a clear signal that small specialty practices are not protected by their size.
2024–2026 trend: OCR's Risk Analysis Initiative, launched in fall 2024. The first seven settlements ranged from $10,000 (Northeast Surgical Group, a small Michigan practice) to $350,000 (NERAD). Every settlement cited the same root failure: a missing or inadequate Risk Analysis under 45 CFR 164.308(a)(1)(ii)(A). By April 2026, OCR had completed 13 Risk Analysis Initiative investigations and 19 ransomware-related breach investigations.
Your Practice Protects Patients' Most Sensitive Information. Your Documentation Should Reflect That.
Book a free 30-minute consultation. No pitch, no pressure. We will tell you whether a Risk Analysis is the right next step or whether the $750 Privacy Exposure Review is a better starting point for your practice.