HIPAA

Ease Health Team

HIPAA (the Health Insurance Portability and Accountability Act) is a federal law enacted in 1996 that establishes national standards for protecting the privacy and security of patients' health information, regulating how healthcare providers, insurers, and their business associates handle protected health information (PHI). For behavioral health providers, HIPAA compliance is foundational to practice operations, affecting clinical documentation, technology choices, communication protocols, and administrative processes.

HIPAA's Key Rules

HIPAA comprises several rules that together form the regulatory framework. The Privacy Rule establishes standards for when and how PHI can be used and disclosed, granting patients rights over their health information. The Security Rule sets requirements for protecting electronic PHI (ePHI) through administrative, physical, and technical safeguards. The Breach Notification Rule requires covered entities to notify affected individuals, HHS, and in some cases the media when unsecured PHI is breached. The Enforcement Rule establishes penalties for noncompliance, ranging from $100 to $50,000 per violation, with annual maximums up to $2 million per violation category.

Protected Health Information (PHI)

PHI includes any individually identifiable health information held or transmitted by a covered entity, including names, dates (birth, admission, discharge), contact information, Social Security numbers, medical record numbers, health plan beneficiary numbers, diagnosis and treatment information, and any other data that could identify a patient. In behavioral health, PHI extends to therapy session content, substance use treatment records, psychiatric diagnoses, medication histories, and assessment results.

HIPAA in Behavioral Health Practice

Behavioral health practices must implement HIPAA compliance across several operational areas. Clinical documentation systems (EHRs) must include access controls, audit trails, and encryption. Communication channels must be secure — standard email, text messaging, and unencrypted faxes are not HIPAA-compliant for transmitting PHI without patient authorization. Telehealth platforms must meet HIPAA security requirements. Staff training must be conducted regularly, covering privacy policies, security practices, and breach reporting procedures. Business Associate Agreements (BAAs) must be in place with all vendors who access PHI.

HIPAA vs 42 CFR Part 2

Behavioral health providers treating substance use disorders (SUD) must navigate the overlap between HIPAA and 42 CFR Part 2. While HIPAA permits disclosure of PHI for treatment, payment, and healthcare operations without patient authorization, 42 CFR Part 2 requires specific written consent for virtually any disclosure of SUD treatment records. Part 2 provides a higher level of protection than HIPAA for substance use treatment information, and when both regulations apply, the more restrictive rule governs.

Common HIPAA Violations in Behavioral Health

Frequently identified violations include unauthorized access to patient records by staff, improper disposal of paper records containing PHI, sending PHI via unsecured email or text, failure to execute BAAs with vendors, inadequate access controls on EHR systems, discussing patient information in public areas, and failure to provide patients with access to their records within the required timeframe (30 days under HIPAA, with state laws sometimes requiring faster access).

FAQs

What are the penalties for HIPAA violations?

HIPAA penalties range from $100 per violation for unknowing violations to $50,000 per violation for willful neglect. Annual maximums can reach $2 million per violation category. Criminal penalties, including imprisonment, apply to knowingly obtaining or disclosing PHI.

Do I need a BAA with my EHR vendor?

Yes. Any vendor that creates, receives, maintains, or transmits PHI on behalf of your practice is a business associate and must sign a BAA before accessing PHI. This includes EHR providers, billing services, cloud storage providers, and telehealth platforms.

Can I text patients about their appointments?

Standard SMS text messaging is not HIPAA-compliant. Appointment reminders that do not include clinical information (just time and date) are generally acceptable, but any communication containing PHI requires a secure, encrypted messaging platform or written patient authorization.

Does HIPAA apply to all behavioral health providers?

HIPAA applies to covered entities, which include healthcare providers who transmit health information electronically for billing or other standard transactions. Virtually all behavioral health providers who bill insurance are covered entities subject to HIPAA.
