Quick Policy Review: HIPAA for Mental Health Professionals


Mental health and addiction professionals are legally required to ensure that patients and clients can trust their private information is protected. Maintaining the privacy of that information is known as the clinician’s duty to maintain confidentiality. HIPAA regulations focus on compliance with rules to ensure the privacy and security of health information, whether that data is in the form of a document, a remote patient monitoring score, a recording, an image, or an app. 

Practitioners can fulfill these HIPAA expectations by following HIPAA guidelines for mental health and addiction professionals. Regularly reviewing and updating one’s policies regarding these rules is important, especially given recent cybersecurity risks from ransomware, including those from Russian cyberattacks.

HIPAA Guidelines for Mental Health Professionals

A large part of HIPAA for mental health professionals concerns when it is appropriate to use and disclose patient information. Under HIPAA, mental health professionals may share digital information with people involved in a person’s care if the person:

  • Has agreed
  • Has been allowed to object and has not objected
  • Has requested the other person’s involvement (i.e., has brought the other person to treatment or included them in telehealth sessions)
  • Is incapable of making decisions (i.e., is unconscious, delirious, or unable to object or agree)
  • Has been declared incompetent in writing by two physicians familiar with the case, and the health care directive is held by the individual making contact with the practitioner.

Additional note: Before releasing records, providers are strongly advised to contact their malpractice attorney to obtain a legal opinion about any additional state or federal laws that might be applicable. 

Psychotherapy Notes

Psychotherapy notes under HIPAA are subject to slightly different rules for disclosure. Patients must sign a mental health records release form identifying the healthcare provider, including disclosures for treatment purposes and the time period involved. 

However, mental health professionals do not need written authorization to use or disclose psychotherapy notes:

  • For their training
  • To defend themselves in legal proceedings brought by the client or patient
  • For the Department of Health and Human Services (HHS) to investigate or determine the covered entity’s compliance with the Privacy Rule
  • To avert a serious and imminent threat to public health or safety
  • To a health oversight agency for lawful oversight of the originator of the psychotherapy notes
  • For the legal activities of a coroner or medical examiner.

HIPAA Mental Health Records Release Forms

If a practice requires disclosure of protected health information (PHI) not covered in the Notice of Privacy Practices, the practitioner must obtain a signed HIPAA release form from everyone in their practice. This signed release form is essential to maintaining their HIPAA compliance.

Some instances in which a HIPAA release form is required include:

  • Disclosure of PHI to a third party for any reason other than treatment, payment, or healthcare operations
  • PHI used in marketing or fundraising efforts
  • PHI shared for research purposes
  • Disclosure of any psychotherapy notes
  • PHI disclosed or shared for monetary compensation.

Implementing an Effective HIPAA Compliance Program

HIPAA for mental health professionals also requires practices to implement a HIPAA compliance program, which outlines how practices are to:

  • Conduct security risk assessments
  • Create and implement remediation plans
  • Draft HIPAA policies and procedures
  • Train employees
  • Send and sign business associate agreements
  • Track and report incidents.

Once the practitioner or practitioner group has assembled their materials, it is essential that they either review their HIPAA process with a HIPAA-informed attorney or conduct an external HIPAA audit by HIPAA compliance specialists.

Contributed by Compliancy Group
