HIPAA for Mental Health Practices: Psychotherapy Notes, BAAs, and Privacy Rules (2026)
By ComplyCreate Editorial Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026
Mental health practices operate under the same HIPAA framework as other healthcare providers — but with critical added protections for psychotherapy notes, stricter patient trust expectations, and sometimes additional state law requirements. This guide covers what mental health professionals need to know about HIPAA, from covered entity status through session note protections, BAA requirements, and the intersection with 42 CFR Part 2.
Mental Health Practices as Covered Entities
A mental health provider — psychologist, licensed clinical social worker, licensed professional counselor, psychiatrist, marriage and family therapist — is a covered entity under HIPAA if they transmit PHI electronically in connection with standard transactions. This includes billing insurance electronically, submitting electronic claims, or electronic eligibility verification.
Solo therapists who see only self-pay clients and handle all billing on paper may not meet the covered entity threshold. But the practical reality is that most mental health practices use EHR software that connects to clearinghouses, scheduling platforms that store client data, or telehealth platforms — making covered entity status essentially universal in modern practice.
If you're unsure of your status, take our free Covered Entity Quiz for a guided determination.
Psychotherapy Notes: Heightened Protection Under HIPAA
HIPAA treats psychotherapy notes differently from all other medical records. This special status is defined under 45 CFR § 164.501 and carries significant compliance implications.
What Are Psychotherapy Notes?
Under HIPAA, psychotherapy notes are specifically defined as notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of conversation during a private counseling session or a group, joint, or family counseling session — and that are separated from the rest of the individual's medical record.
This definition is narrow. The following are NOT psychotherapy notes:
- Medication prescription and monitoring information
- Counseling session start and stop times
- Modalities and frequencies of treatment
- Results of clinical tests
- Diagnoses, functional status, treatment plans, symptoms, prognosis, and progress to date
The above items are part of the general medical record and subject to standard PHI rules. Only notes that capture the actual contents of a therapy session — what the patient said, the therapist's reflections, impressions of the interaction — qualify as psychotherapy notes.
What's Different About Psychotherapy Note Protections?
Two key differences from standard PHI:
- Authorization required: Disclosing psychotherapy notes almost always requires specific written authorization from the patient under 45 CFR § 164.508(a)(2) — even for treatment, payment, and health care operations that ordinarily don't require authorization.
- Excluded from right of access: Patients do not have the right to access their own psychotherapy notes under 45 CFR § 164.524(a)(1)(ii). A covered entity may, but is not required to, provide access to psychotherapy notes.
Exceptions exist: disclosures for the provider's own training programs, defending a legal action brought by the patient, mandated reporting (child abuse, elder abuse), and public health oversight.
Practical Implications: Storage and EHR Configuration
For psychotherapy notes to receive heightened protection, they must be stored separately from the rest of the medical record. In an EHR context, this means maintaining session process notes in a separate, more restricted module — not integrated into the general clinical note where billing, diagnostic, and progress information is recorded.
EHR platforms designed for mental health (SimplePractice, TherapyNotes, TheraNest, Luminare Health) typically allow session (process) notes and progress notes to be configured as separate record types with separate access controls. Review your EHR's documentation and access control settings to confirm that your process notes field is designated and protected as psychotherapy notes, and that only the treating clinician (not billing or front-desk roles) can read it.
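To make the storage and disclosure rules above concrete, here is an added example (not code from this article, from any EHR vendor named here, or from any regulation) of a minimal record store that keeps psychotherapy notes in a separate partition and applies the disclosure rules the text describes: general PHI flows for treatment, payment, and operations without authorization and is subject to the patient's right of access; psychotherapy notes require a specific written authorization even for those purposes, are excluded from the access right unless the practice opts in, and go out without authorization only for the listed exceptions. Every decision is written to an audit log. The class names, the `Authorization` shape, and the sample records are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class RecordType(Enum):
    GENERAL = "general"                        # diagnoses, treatment plan, meds, session times...
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # session process notes, kept apart from the chart


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    PATIENT_ACCESS = "patient_access"        # the patient asking for their own record
    TRAINING = "training"                    # provider's own training program
    LEGAL_DEFENSE = "legal_defense"          # defending an action brought by the patient
    MANDATED_REPORTING = "mandated_reporting"
    HEALTH_OVERSIGHT = "health_oversight"
    MARKETING = "marketing"                  # never a TPO purpose; always needs authorization


TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}
# Purposes the article lists as not needing authorization even for psychotherapy notes
NOTE_EXCEPTIONS = {Purpose.TRAINING, Purpose.LEGAL_DEFENSE,
                   Purpose.MANDATED_REPORTING, Purpose.HEALTH_OVERSIGHT}


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    record_type: RecordType
    body: str


@dataclass(frozen=True)
class Authorization:
    """A specific written authorization signed by the patient (hypothetical shape)."""
    patient_id: str
    record_type: RecordType
    purpose: Purpose


@dataclass
class Decision:
    allowed: bool
    reason: str


class RecordStore:
    """Two partitions, so a query against the general chart can never return a note."""

    def __init__(self):
        self._partitions = {RecordType.GENERAL: {}, RecordType.PSYCHOTHERAPY_NOTE: {}}
        self.audit_log = []                    # every disclosure attempt, allowed or denied
        self.release_notes_to_patient = False  # a practice MAY release notes; default is no

    def add(self, record):
        self._partitions[record.record_type][record.record_id] = record

    def decide(self, record, purpose, authorizations):
        has_auth = any(a.patient_id == record.patient_id
                       and a.record_type == record.record_type
                       and a.purpose == purpose
                       for a in authorizations)
        if record.record_type is RecordType.GENERAL:
            if purpose is Purpose.PATIENT_ACCESS:
                return Decision(True, "general PHI: patient right of access")
            if purpose in TPO:
                return Decision(True, "general PHI: treatment/payment/operations")
            return Decision(has_auth, "general PHI, other purpose: authorization "
                            + ("present" if has_auth else "missing"))
        # Psychotherapy note: the heightened rules apply from here on
        if purpose is Purpose.PATIENT_ACCESS:
            if self.release_notes_to_patient:
                return Decision(True, "psychotherapy note: practice elected to release")
            return Decision(False, "psychotherapy note: excluded from right of access")
        if purpose in NOTE_EXCEPTIONS:
            return Decision(True, f"psychotherapy note: exception for {purpose.value}")
        return Decision(has_auth, "psychotherapy note: specific authorization "
                        + ("present" if has_auth else "missing"))

    def disclose(self, record_type, record_id, purpose, authorizations=()):
        """Return the record body if disclosure is permitted, else None; always log."""
        record = self._partitions[record_type][record_id]
        decision = self.decide(record, purpose, authorizations)
        self.audit_log.append((record_id, purpose.value, decision.allowed, decision.reason))
        return record.body if decision.allowed else None


def build_demo_store():
    """Constructed sample data for one hypothetical patient (not real PHI)."""
    store = RecordStore()
    store.add(Record("g1", "p-001", RecordType.GENERAL,
                     "Dx F41.1; CBT weekly; session 2026-04-10 10:00-10:50"))
    store.add(Record("n1", "p-001", RecordType.PSYCHOTHERAPY_NOTE,
                     "Process note: client explored conflict with sibling; therapist impressions"))
    return store


if __name__ == "__main__":
    store = build_demo_store()
    print(store.disclose(RecordType.GENERAL, "g1", Purpose.PAYMENT))
    print(store.disclose(RecordType.PSYCHOTHERAPY_NOTE, "n1", Purpose.TREATMENT))
    for entry in store.audit_log:
        print(entry)
```

In a real EHR the partition boundary should be enforced at the database and role level (separate table or schema, separate role grants), not only in application code, so that a billing query or a misconfigured report cannot reach the notes partition at all; the audit log is what lets you answer "who tried to read a note, and why" during a breach investigation.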
Notice of Privacy Practices for Mental Health Practices
Your NPP must address the standard HIPAA content — how PHI is used and disclosed, patient rights, and how to complain — but mental health NPPs should also address psychotherapy note protections explicitly. Patients should understand:
- That their psychotherapy notes are stored separately and subject to heightened protection
- That they cannot access their own psychotherapy notes through the standard patient access right
- When psychotherapy notes may be disclosed without authorization (limited exceptions)
- How to request restrictions on PHI use beyond the general treatment/payment/operations exceptions
Your mental health NPP should also reflect any applicable state law protections that are more stringent than HIPAA — in many states, mental health records have broader protections than HIPAA's baseline.
BAA Requirements for Mental Health Practices
A Business Associate Agreement is required with every vendor or service provider that handles PHI on your behalf. Mental health practices typically need BAAs with:
- EHR / practice management software (SimplePractice, TherapyNotes, TheraNest, Luminare Health, Jane App)
- Telehealth video platform — if not embedded in your EHR (Zoom for Healthcare, Doxy.me, Thera-Link)
- Billing services or clearinghouses
- Cloud storage or backup containing client records
- Patient scheduling or reminder platforms that include client names and appointment details
- IT managed service provider with access to practice systems
- Transcription services if you dictate session notes
- Supervisors and consulting clinicians — these are treatment relationships, not BA relationships, but written agreements about PHI handling are best practice
Generate a BAA for your mental health vendors at baagenerator.com and keep executed copies in a compliance folder.
State Mental Health Laws: Where HIPAA Isn't Enough
Many states have enacted mental health records laws that are more protective than HIPAA. Under the HIPAA preemption framework (45 CFR § 160.203), more protective state laws are not preempted — they apply in addition to HIPAA. Examples:
- California: The Lanterman-Petris-Short Act and Welfare and Institutions Code § 5328 restrict disclosure of mental health records beyond HIPAA's standards. Patients have broader rights to their records under California law.
- New York: Mental Hygiene Law § 33.13 restricts disclosure of clinical records from psychiatric facilities and imposes additional consent requirements.
- Texas: Health and Safety Code Ch. 611 governs mental health records separately from general medical records, with enhanced patient consent requirements for disclosure.
- Illinois: Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) grants patients broad control over their mental health records and limits disclosures without consent.
Always review your state's mental health records law in addition to HIPAA. Compliance with HIPAA alone is not sufficient if your state imposes additional requirements.
42 CFR Part 2: When SUD Treatment Is Involved
42 CFR Part 2 is a separate federal regulation that governs substance use disorder (SUD) patient records held by "Part 2 programs" — federally assisted programs that specialize in providing SUD treatment. Part 2 is not a HIPAA amendment; it is an independent regulatory scheme with stricter rules.
Key Part 2 requirements that exceed HIPAA:
- Patient consent is required for nearly all disclosures, including to other treating providers (unlike HIPAA's treatment exception)
- Disclosures must reference the federal confidentiality rules and state that the recipient may not re-disclose
- Breach of Part 2 records carries criminal penalties
Part 2 applies only if your practice is a "program" that specializes in SUD treatment and receives federal assistance (including Medicare or Medicaid). A general mental health practice that occasionally treats clients with co-occurring SUD issues is typically not a Part 2 program — but a dedicated addiction counseling center generally is.
The 2024 Part 2 Final Rule aligned Part 2 more closely with HIPAA for many treatment, payment, and operations disclosures — but key differences remain. If you provide SUD treatment in a federally assisted program, consult with a healthcare attorney about your Part 2 obligations.
Telehealth in Mental Health Practices
Mental health therapy via telehealth became standard during the COVID-19 pandemic and remains widely used. HIPAA requirements for telehealth sessions:
- Use a HIPAA-compliant video platform with a signed BAA (Zoom for Healthcare, Doxy.me, Thera-Link, VSee) — standard Zoom without a BAA is not compliant
- Conduct sessions in a private environment to prevent unauthorized access to PHI
- Obtain consent for telehealth services consistent with state law (most states require explicit telehealth consent)
- Document that sessions were conducted via telehealth in the clinical record
- Ensure your EHR's telehealth notes module is configured consistently with your psychotherapy note storage approach
Compliance Checklist for Mental Health Practices
For a complete interactive checklist, see our HIPAA Compliance Checklist. Mental health-specific priorities:
- Psychotherapy notes stored separately from general medical record in EHR
- NPP explicitly addresses psychotherapy note protections
- Signed BAAs with EHR, telehealth platform, billing service, and IT provider
- Patient authorization obtained before disclosing psychotherapy notes
- State mental health records law reviewed and incorporated into policies
- Part 2 applicability assessed if SUD treatment is provided
- Secure telehealth platform with BAA in place for remote sessions
- Annual Security Risk Analysis conducted and documented
- Workforce training on HIPAA, psychotherapy note protections, and breach response
What to do next
- → Generate a BAA for your mental health vendors at baagenerator.com ($49)
- → Create a mental health NPP at nppgenerator.com ($49)
- → Conduct your annual Security Risk Analysis
- → Review state mental health privacy laws
- → See our guide for individual therapists