HIPAA risk analysis for behavioral health practices

Behavioral health-specific risk analysis considerations: therapy notes, telehealth, session recordings, 42 CFR Part 2, and the unique privacy threats mental health practices face.

By CoreFolio

Published May 18, 2026Verified May 18, 20269-minute read

Behavioral health practices face a distinct risk landscape. The information they protect is among the most sensitive in healthcare — mental health history, substance use, trauma, suicidality. The regulatory environment is layered: HIPAA applies, but so does 42 CFR Part 2 for substance use records in many cases. The practice setting varies widely: solo therapists, group practices, community mental health centers, telehealth-only providers.

A generic HIPAA risk analysis misses critical elements for behavioral health. This article describes the specialty-specific considerations that a defensible analysis must address.

The behavioral health data landscape

Types of protected information

Behavioral health practices create and maintain multiple categories of sensitive information:

Clinical documentation

Diagnostic assessments and treatment plans
Session notes (progress notes, process notes)
Psychotherapy notes (distinct from session notes under HIPAA)
Medication management records
Crisis intervention documentation

Administrative information

Insurance authorizations and verification
Superbills and billing records
Appointment schedules (which may indicate diagnosis via service type)

Communication records

Secure messages between sessions
Email exchanges
Crisis contact logs

Special categories

Substance use disorder records (42 CFR Part 2 protections)
Minor patient information (additional consent complexities)
School or employer communications

Risk analysis requirement: The scope must explicitly identify what types of information the practice creates and where each type is stored. "Patient records" is insufficient; the analysis must distinguish between note types with different protections.

Psychotherapy notes: the special category

HIPAA provides enhanced protection for psychotherapy notes under 45 CFR § 164.508(a)(2). These are notes recorded by a mental health professional documenting or analyzing the contents of conversation during a private counseling session. They must be kept separate from the rest of the patient's medical record.

Key distinction:

Session/progress notes: General documentation of what occurred, observable data, treatment plan updates — standard protected health information (PHI) protection
Psychotherapy notes: Therapist's analysis, impressions, hypotheses — enhanced protection, authorization required for most disclosures

Risk analysis implication: Where are psychotherapy notes stored?

Separate file within the electronic health record (EHR)
Password-protected document
Standalone note-taking app
Paper notebook

Each storage location must be assessed. A practice that keeps psychotherapy notes in the same system as scheduling (without additional protection) may have a control gap.

42 CFR Part 2: Substance use disorder records

For practices treating substance use disorders, 42 CFR Part 2 imposes restrictions beyond HIPAA:

Patient consent required for disclosure to other providers
Prohibition on re-disclosure notices
Specific security requirements for records

Risk analysis implication: SUD records must be identified in scope and assessed for Part 2 compliance in addition to HIPAA. The practice must document:

Which patients have SUD records
Where those records are stored
Additional controls (if any) beyond standard PHI protection
Consent management procedures

Technology systems in behavioral health

Practice management and EHR systems

Behavioral health uses a mix of specialty and general systems:

Therapy-specific platforms

SimplePractice
TherapyNotes
TherapyAppointment
TheraNest

General healthcare EHRs

athenahealth
Epic (for integrated settings)
eClinicalWorks

Minimal/standalone approaches

Spreadsheet scheduling
Paper records
Generic note-taking apps

Risk analysis requirement: The analysis must reflect the actual system architecture. A solo therapist using SimplePractice with integrated telehealth has a different risk profile than a group practice using paper records with a separate billing service.

Telehealth platforms

Behavioral health has adopted telehealth at higher rates than many other specialties. Platform selection varies:

HIPAA-compliant platforms

Doxy.me
SimplePractice Telehealth
VSee
SecureVideo

General platforms (often used without BAA)

Zoom (with healthcare business associate agreement (BAA))
Google Meet (consumer version, no BAA)
FaceTime (consumer, no BAA)

Risk analysis requirement: Telehealth platforms must be inventoried with BAA status. The analysis must assess whether the platform used is the platform approved/documented (staff sometimes use consumer versions for convenience).

Session recording and note-taking

Behavioral health practices may record or document sessions in ways that create additional electronic protected health information (ePHI):

Session recording

Video recording for supervision or training
Audio recording with patient consent
Secure storage requirements for recordings

Therapist note-taking during session

Laptop or tablet in session room
Note-taking apps (Evernote, OneNote) without BAAs
Personal devices with auto-backup

Risk analysis requirement: Any recording or note-taking technology must be in scope. Personal devices with clinical notes auto-backing to consumer cloud services represent a common, often undocumented risk.

Patient communication between sessions

Behavioral health involves ongoing communication:

Secure messaging portals

Practice management integrated messaging
Response time expectations
Crisis protocol for after-hours messages

Email and text

Patients may email therapists directly
Crisis texting to therapist personal phones
Group practice coordination (who monitors what)

Risk analysis requirement: The analysis must address how patients communicate between sessions, what ePHI those communications contain, and whether the methods are secure.

Behavioral health-specific threats

The solo provider endpoint problem

Many behavioral health practices are solo providers or small groups. Each therapist may:

Work from a home office with home WiFi
Use a personal laptop for clinical documentation
Take notes on a personal tablet or phone
Use personal email for professional communication

Threat: Personal devices and home networks often lack the security controls of corporate environments. Auto-backup to iCloud, family shared accounts, lost/stolen personal devices — these are common behavioral health risks.

Telehealth location variability

Telehealth sessions occur from variable locations:

Therapist home office
Patient home (with family members potentially present)
Patient workplace
Public spaces (cars, parked locations)

Threat: Confidentiality depends on both therapist and patient environmental controls. The practice has limited control over patient-side risks but must document the threat and any mitigations (instructions to patients, session rescheduling for unsafe locations).

Crisis and safety communication

Behavioral health involves duty-to-warn and safety planning:

Emergency contact protocols
988 and crisis line coordination
Family member notification procedures
Law enforcement interaction

Threat: Crisis communication often happens via phone (not secure text), may involve personal devices, and creates documentation challenges. The risk analysis must address how crisis information is communicated and documented.

Third-party payer requirements

Insurance authorization for behavioral health often requires disclosure of detailed clinical information:

Treatment plans with diagnoses
Session notes or summaries
Progress reports with specific outcome measures

Threat: The minimum necessary standard conflicts with payer requirements. Practices may over-disclose to secure authorization. The risk analysis should assess authorization workflows and information shared.

Session interruption and technical failure

Telehealth sessions face technical risks:

Connection failure mid-session
Platform security breach during use
Recording of session by unauthorized party (screen recording by patient)

Threat: Session integrity is part of confidentiality. Technical failures that expose session content or create unauthorized recordings are risk analysis considerations.

Behavioral health-specific controls

Segregation of psychotherapy notes

If the practice creates psychotherapy notes, controls should include:

Separate storage location from standard session notes
Additional access restrictions
Logging of access if technically feasible
Physical security if paper-based

Telehealth security protocols

Documented controls for telehealth should include:

Approved platform list (with BAAs)
Patient environment verification (visual check at session start)
Session lock if patient leaves frame
No recording policy (with patient agreement)
Platform security settings (waiting rooms, passwords)

Personal device policy

Given the prevalence of personal device use:

Policy on personal laptops/tablets for clinical work
Required security settings (encryption, auto-lock, remote wipe)
Prohibition on consumer cloud backup of clinical data
Incident reporting if device lost/stolen

Crisis communication protocol

Documented workflow for crisis situations:

Who can be contacted and how
What information can be shared with emergency contacts
Documentation requirements post-crisis
Security of crisis communications

Special considerations by practice type

Solo private practice

The therapist is the HIPAA Security Officer, the IT department, and the compliance officer. Risk analysis considerations:

Personal device and home network security
No internal oversight (no one reviewing access logs)
Backup verification (is the solo provider's backup actually working?)
Succession planning (what happens to records if provider cannot practice)

Group practice

Multiple providers create coordination challenges:

Shared EHR with individual provider access controls
Group supervision and case consultation (who sees what)
New provider onboarding security training
Departing provider access revocation and records transfer

Community mental health center

Complex environment with high volume and diverse services:

Integrated care (primary care + behavioral health) interfaces
State or county oversight requirements
High staff turnover
Grant-funded security infrastructure

Telehealth-only practice

No physical location creates unique risks:

No physical security controls to assess
Reliance entirely on platform security
Patient identity verification challenges
Interstate practice considerations (licensure, varying state requirements)

Substance use disorder specialty

42 CFR Part 2 adds complexity:

SUD record identification and marking
Consent management system
Separate authorization forms
Staff training on Part 2 restrictions

Documenting the behavioral health risk analysis

The analysis follows standard HIPAA structure with behavioral health enhancements:

Scope section: Explicitly identify:

Types of records (clinical notes, psychotherapy notes if separate, SUD records if applicable)
Practice structure (solo, group, telehealth-only)
Special populations (minors, mandated treatment, etc.)

Inventory: Include:

Telehealth platform with BAA status
Note-taking and documentation methods
Personal devices used for clinical purposes
Patient communication channels
Crisis communication methods

Threats: Address:

Solo provider endpoint risks
Telehome and patient-side environmental risks
Personal device auto-backup risks
Crisis communication security
Third-party payer information disclosure

Controls: Document:

Psychotherapy note segregation
Telehealth security protocols
Personal device policy
Crisis communication procedures

Risk register: Prioritize behavioral health-specific risks:

Unauthorized access to psychotherapy notes
Patient-side telehome privacy breach
Personal device loss with clinical data
Inadequate backup of sole-practice records

The CoreFolio HIPAA assessment includes behavioral health-specific prompts for practice structure, note types, telehealth platforms, and personal device use. The guided structure ensures specialty-specific considerations are captured while producing the documentation the Office for Civil Rights (OCR) expects.

Sources

FAQ

Common questions

Do behavioral health practices need a HIPAA risk analysis?

Yes. Behavioral health practices are covered entities and must conduct a risk analysis per 45 CFR § 164.308(a)(1)(ii)(A). The requirement applies to all covered entities regardless of specialty.

Are therapy notes treated differently under HIPAA?

Psychotherapy notes (separate from general therapy notes) receive additional protections under 45 CFR § 164.508. They require patient authorization for most disclosures and should be identified separately in the risk analysis scope.

What are the unique risks for telehealth-based behavioral health?

Telehealth introduces endpoint security risks (patient and therapist locations), platform security variability, session interruption risks, and the challenge of verifying patient identity remotely. These should be assessed in addition to standard HIPAA considerations.

Keep learning

How-to
How to do a HIPAA risk analysis yourself: a step-by-step guide for small practices
The Security Rule requires every covered entity to conduct an accurate, thorough risk analysis. Here is what that actually means, what it has to contain, and how to do it yourself — or prepare for a focused consultant review.
May 14, 20266-minute read
How-to
HIPAA risk analysis template for small practices
What a defensible HIPAA risk analysis template needs to include, how to structure it for OCR review, and why most free templates fail the accuracy requirement.
May 18, 20268-minute read
How-to
HIPAA workforce training: what the rule requires and what actually works
HIPAA requires workforce training on security policies and procedures. Here is what the rule actually says, what OCR has cited in settlement agreements, and what training looks like in a small practice.
May 4, 20266-minute read