HIPAA protects electronic protected health information held by covered entities, and behavioral health providers are covered entities. Your daily work sits squarely inside that scope: you diagnose and treat mental health and substance use conditions, keep therapy and session records, prescribe and document medications, and bill payers. The information involved is not just sensitive health data. It is the kind of information a client most wants kept private, which raises both the compliance obligation and the harm when it is exposed.
The sensitivity of mental health and SUD records raises the stakes.
A behavioral health record can contain a mental health diagnosis, therapy notes, medication history, and substance use treatment details. Exposure of this information carries a level of stigma and personal harm that goes beyond most other health data, which is exactly why HIPAA, and in some cases a second federal rule, protect it so tightly.
HIPAA also gives psychotherapy notes special handling under the Privacy Rule. When kept separate from the rest of the record, they generally require a specific client authorization before they can be disclosed, over and above the ordinary rules for treatment, payment, and operations. A program built for behavioral health has to respect that distinction, not treat every note the same way.
The security risk analysis is the required foundation.
The HIPAA Security Rule requires a documented, accurate security risk analysis of the ePHI across your systems. It is not a one-time checkbox. It is the assessment everything else is built on, and the absence of a current, thorough SRA is one of the most common findings in Office for Civil Rights investigations.
The rule also draws a line between required and addressable implementation specifications, and addressable is often misunderstood as optional. It is not. For an addressable specification you either implement it, or you document why it is not reasonable and appropriate for your practice and put an equivalent measure in place. We produce the SRA and this documentation to reflect what is actually running in your environment, so the program stands up to scrutiny rather than reading as boilerplate.
42 CFR Part 2 can add a stricter layer for substance use disorder records.
For substance use disorder treatment, a separate federal rule may apply on top of HIPAA. 42 CFR Part 2 gives federally assisted SUD records heightened confidentiality protection, with stricter consent and redisclosure requirements than HIPAA alone. It is important to be precise about when it applies: Part 2 reaches federally assisted substance use disorder programs, so whether it applies to you depends on whether your practice meets that definition. Many behavioral health providers must satisfy both HIPAA and, where they are a Part 2 program, 42 CFR Part 2.
A 2024 final rule aligned Part 2 more closely with HIPAA in several respects, including consent, breach notification, and enforcement, but Part 2 still imposes stricter consent and redisclosure rules for SUD records than HIPAA does. The legal specifics of Part 2 consent and redisclosure are a matter for your counsel, not for us. Cyber One Solutions does not provide legal advice. What we do is build the technical safeguards, the access controls, and the audit logging that let you honor the consent and confidentiality decisions your counsel and clinicians make.
Teletherapy platforms and EHR access are where the real exposure sits.
Behavioral health has moved heavily to telehealth, and every teletherapy or telehealth platform that carries sessions and client data handles ePHI. That means each one needs a business associate agreement and needs to be part of your program, not an assumption. We inventory these platforms, confirm the agreements are in place, and document the oversight the rule expects.
Inside the practice, the EHR is the center of gravity. Role-based access controls keep records away from staff who do not need them, and audit logging shows who viewed a given client record and when. In a behavioral health setting, where clients may include employees, community members, or people a staff member knows personally, that access control and audit trail is not a formality. It is how you detect and deter improper access to a sensitive record.