HIPAA Risk Analysis for a Mental Health Practice
5 min read · Last reviewed May 22, 2026
Mental health practices carry extra Privacy Rule obligations, but the Security Rule applies the same
A behavioral health practice is a covered entity under HIPAA whenever it transmits health information in electronic form for a HIPAA standard transaction (eligibility, claims, authorization). The Security Rule at 45 CFR Part 164 Subpart C then requires a written, dated risk analysis under 164.308(a)(1)(ii)(A)(1)(ii)(A)).
Therapists, psychologists, and psychiatry practices often assume the rule applies less strictly to them. It does not. The Security Rule's safeguard requirements are identical to those for primary care, and OCR's Resolution Agreements include behavioral health entities cited for absent or inadequate risk analyses.
Psychotherapy notes are a Privacy Rule concept, not a Security Rule exemption
A common confusion: psychotherapy notes have heightened protection under the Privacy Rule. The definition at 45 CFR 164.501 limits them to notes recorded by a mental health professional documenting a private counseling session that are kept separate from the rest of the medical record. Authorization for disclosure follows 164.508(a)(2)(2)).
That regime governs use and disclosure. It does not waive the Security Rule. Electronic psychotherapy notes are still ePHI and must be protected by the same administrative, physical, and technical safeguards as any other ePHI. The risk analysis must address them explicitly: where they live, who has access, how they are encrypted, how access is logged.
ePHI inventory for a typical behavioral health practice
Behavioral health practices tend to carry a different system mix than primary care:
- An EHR built for behavioral health (TherapyNotes, SimplePractice, TheraNest, ICANotes, Valant)
- A general EHR for psychiatry that supports e-prescribing controlled substances (EPCS) via Surescripts
- Telehealth video sessions (Doxy.me, SimplePractice video, Zoom for Healthcare)
- Secure intake and screening forms (PHQ-9, GAD-7, intake questionnaires)
- Outcomes measurement platforms
- Group therapy management tools
- Billing clearinghouse and superbill workflows for out-of-network patients
- Personal phone and voicemail used for client contact
- Files containing release-of-information requests, court orders, custody documents
Each item is a row in the inventory with a clear ePHI flow and a Business Associate Agreement reference under 45 CFR 164.504(e)).
Threat scenarios that hit behavioral health hardest
Some risks are over-represented in this specialty:
- A solo practitioner working from home, with the same laptop used for personal browsing
- Intake forms filled out on tablets in the lobby with the screen visible from adjacent seats
- Telehealth conducted from spaces with imperfect acoustic privacy
- Group therapy participant lists shared via email
- Family members accessing a shared computer used for practice notes
- Lost or stolen phones containing voicemail and text messages from clients
- Personal text messages used for appointment reminders that contain identifying details
- Cloud document services (Google Drive, Dropbox, iCloud) used without a BAA
- Voicemail transcription services that route content through third parties
- AI scribing or session-summary tools that send audio to vendors with no BAA
For each scenario the analysis records the threat, likelihood, impact, current safeguard, and residual risk. The methodology comes from NIST SP 800-30, applied as described in NIST SP 800-66 r2.
Telehealth deserves its own subsection
The HHS Telehealth and HIPAA page confirms that the COVID-era enforcement discretion ended August 9, 2023. Behavioral health practices that adopted consumer video tools during the public health emergency need to revisit whether each platform offers a Business Associate Agreement and meets the Security Rule's transmission security and access control standards at 164.312(c) and (e).
State law often layers on top of HIPAA
State mental health confidentiality statutes frequently impose stricter standards. The risk analysis remains a federal HIPAA artifact, but the practice should note where state law triggers additional safeguards or disclosure restrictions. 45 CFR 160.203 controls preemption analysis.
Special-category data: substance use disorder records
If the practice provides substance use disorder treatment that meets the definition of a Part 2 program, 42 CFR Part 2 applies in addition to HIPAA. The HHS 2024 final rule aligned several Part 2 requirements with HIPAA but kept higher consent protections. The SRA should note Part 2 applicability and the additional controls that flow from it.
Building a defensible record
A behavioral health SRA binder typically includes:
- An ePHI inventory with psychotherapy-note location called out separately
- A threat and vulnerability list with likelihood and impact ratings
- A safeguard inventory tied to each Security Rule standard at 164.308, 164.310, and 164.312
- A risk register with residual risk and remediation plan
- Documented decisions on addressable specifications
- A telehealth and BAA review record
- Sign-off by the Security Official
- A re-evaluation schedule per 164.308(a)(8)(8))
How D3rx supports this
D3rx SRA Binder Studio is a documentation aid for behavioral health practices doing this themselves. It walks each Security Rule specification in plain English, prompts for psychotherapy-note handling, surfaces telehealth and Part 2 considerations when relevant, and assembles a binder linked back to the underlying HHS, OCR, eCFR, and NIST sources. It is a point-in-time assessment aid; the practice remains responsible for the substance of every answer.
Next steps
See where your practice currently stands with the free 5-question readiness check, or review the full workflow and pricing on the main SRA page.
Where do you stand on your SRA today?
Five quick questions, no signup. You'll see which Security Rule sections your practice already has covered and which ones still need work.
This article is an administrative documentation aid. It does not certify compliance, provide legal advice, replace counsel, or guarantee an audit outcome. The practice remains responsible for reviewing, adopting, and maintaining its compliance program. References cited link to primary sources at HHS, OCR, the Code of Federal Regulations, and NIST.
D3rx is a healthcare-billing and compliance research aid maintained by D3rx Inc. Articles are drafted by an LLM (Anthropic Claude) against primary HHS, OCR, CMS, eCFR, NIST, and state-regulator publications, and reviewed for restraint and source fidelity by the D3rx team.
Reviewer status: a named credentialed reviewer (CHC, CHPC, or healthcare attorney) is being engaged. Until that engagement is finalized, this page does not claim credentialed review.
- 45 CFR Part 164 Subpart Chttps://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C
- 164.308(a)(1)(ii)(A)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.308#p-164.308(a
- Resolution Agreementshttps://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/index.html
- 45 CFR 164.501https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.501
- 164.508(a)(2)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.508#p-164.508(a
- 45 CFR 164.504(e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-E/section-164.504#p-164.504(e
- SP 800-30https://csrc.nist.gov/pubs/sp/800/30/r1/final
- SP 800-66 r2https://csrc.nist.gov/pubs/sp/800/66/r2/final
- Telehealth and HIPAA pagehttps://www.hhs.gov/hipaa/for-professionals/special-topics/telehealth/index.html
- 164.312(c) and (e)https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.312
- 45 CFR 160.203https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-160/subpart-B/section-160.203
- 42 CFR Part 2https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2
- 2024 final rulehttps://www.hhs.gov/about/news/2024/02/08/hhs-finalizes-rule-to-strengthen-protections-of-substance-use-disorder-patient-records.html
Sources verified as of May 22, 2026
This guide is a plain-English summary maintained by D3rx for healthcare practice administrators. It is not legal advice, medical advice, or accounting advice. The authoritative source is the cited regulation or agency document. Always confirm with qualified counsel before acting on a specific compliance question affecting your practice.
Related Guides
HIPAA Risk Analysis for a Primary Care Practice
5 min readFoundationsHIPAA Security Rule vs Privacy Rule: A Plain-English Map
5 min readVendors and BAAsBAA Vendor List: Which Vendors a Small Practice Needs to Sign With
5 min readTechnical SafeguardsHIPAA Encryption Requirements for ePHI
5 min readRelated across the archive
- SRAHIPAA Risk Analysis for a Primary Care PracticeWhat a primary care practice owes under 45 CFR 164.308(a)(1)(ii)(A): ePHI scope, threats specific to family medicine and internal medicine workflows, and a Security Rule mapping that holds up to OCR's audit protocol.
- SRABAA Vendor List: Which Vendors a Small Practice Needs to Sign WithA working list of the vendor categories a small practice typically needs a Business Associate Agreement with under 45 CFR 164.504(e), plus how to handle subcontractor chains.
- SRAHIPAA Encryption Requirements for ePHIWhat the Security Rule actually says about encryption at 45 CFR 164.312(a)(2)(iv) and 164.312(e)(2)(ii), the safe harbor under the Breach Notification Rule, and what 'addressable' means in practice.
- SRAHIPAA Security Rule vs Privacy Rule: A Plain-English MapWhat the Security Rule at 45 CFR Part 164 Subpart C does, what the Privacy Rule at Subpart E does, where they overlap, and which rule the SRA actually answers to.
- SRAHIPAA Risk Analysis for a Dental PracticeHow a small dental practice approaches the HIPAA Security Risk Analysis required by 45 CFR 164.308(a)(1)(ii)(A), with practical scope, ePHI flows, and Security Rule references.
- ComplianceBehavioral Health Compliance: 42 CFR Part 2 + HIPAA TogetherHow SAMHSA's 42 CFR Part 2 framework for substance use disorder records overlays HIPAA after the 2024 final rule alignment, and what behavioral health practices must document.
- GlossaryAccess ControlsTechnical policies and procedures that allow only authorized persons or software programs to access ePHI.
- RegulationHIPAA Privacy Rule Administrative Requirements (45 CFR 164.530)Designated privacy official, workforce training, safeguards, complaint process, sanctions, mitigation, anti-retaliation, anti-waiver, documentation, and policies and procedures.