HIPAA documentation for behavioral health practices. Built in 30 days.
A complete HIPAA-aligned documentation package for psychotherapists, psychiatrists, group practices, and behavioral health platforms, scoped to psychotherapy notes, 42 CFR Part 2 overlap, and the unique sensitivity of mental health PHI. ComplianceArmor delivers 33 policies, the Security Risk Analysis at 45 CFR § 164.308(a)(1)(ii)(A), BAA register, breach plan, and OCR-ready evidence library.
Mental health PHI is more sensitive. The package treats it that way.
Psychotherapy notes, substance use treatment, court-involved patients, and minor consent rules all create scope that a generic HIPAA template cannot handle. ComplianceArmor for mental health practices is written for the regulatory reality of behavioral healthcare.
This page is for solo licensed psychologists and psychiatrists, group practices, community mental health agencies, behavioral health telehealth platforms, substance use disorder programs, and the digital therapy companies that have made mental health a venture-backed sector. If your EHR is SimplePractice, TheraNest, TherapyNotes, ICANotes, Valant, Quenza, Owl Practice, or Welligent, your patient roster includes minors or court-involved individuals, and your clinicians work both from the office and from home, this is the right scope.
Mental health PHI is treated more carefully than general medical PHI under HIPAA itself. Psychotherapy notes, defined narrowly at 45 CFR § 164.501 as the personal notes of a mental health professional that are kept separate from the rest of the medical record, get heightened protection under the Privacy Rule. Patients do not have an automatic right of access to psychotherapy notes (45 CFR § 164.524(a)(1)(i)), and most disclosures require specific written authorization beyond a generic HIPAA release.
The same patient population frequently overlaps with 42 CFR Part 2, the federal substance use treatment confidentiality rule, which is stricter than HIPAA. If your practice operates a federally-assisted SUD program, the Part 2 record requires patient-specific authorization for almost every disclosure, even ones HIPAA permits. Most behavioral health practices end up running parallel HIPAA and Part 2 programs without realizing it.
Where OCR finds behavioral health practices coming up short.
The enforcement pattern in mental health is different from primary care. The failure modes are subtler, and the patient populations are more likely to file complaints.
Psychotherapy notes commingled with the medical record
If process notes are stored inside the EHR alongside diagnosis, treatment plan, and progress notes, they are no longer "kept separate" and lose the heightened protection of 45 CFR § 164.501. Many EHRs claim a "psychotherapy notes" tab without enforcing actual separation.
Subpoenas treated as court orders
A subpoena from an attorney is not a court order. HIPAA permits disclosure under a court order without patient authorization, but a subpoena requires either patient authorization or "satisfactory assurances" the patient was notified. Practices that comply with bare subpoenas are exposed to both HIPAA and state confidentiality claims.
Parent-minor access rules misapplied
State law sets the age at which a minor may consent to mental health treatment without a parent (commonly 12 to 14, varying by state). When a minor consents, the parent generally loses the right of access to the protected portion of the record. Many practices give parents whatever they ask for, in violation of state law and HIPAA.
42 CFR Part 2 overlap with no Part 2 program
Practices that bill Medicaid for SUD services or accept federal grant dollars for substance use treatment are operating a Part 2 program even if they do not call it that. Without a Part 2 consent form, a Part 2 redisclosure notice, and a Part 2 breach response, the practice is out of compliance with both rules simultaneously.
Insurance billing PHI minimization
Some commercial payers ask for treatment plans, progress notes, and session frequencies as a condition of authorization. The minimum necessary standard at 45 CFR § 164.502(b) limits what may be sent. Practices that send the full chart by default are over-disclosing and creating a downstream PHI footprint they do not control.
Telehealth from clinician home offices
The shift to virtual sessions during and after the public health emergency moved most clinical encounters into clinician home offices. Workforce security, network controls, screen privacy from family members, and acceptable-use rules all require documentation, not just an honor system.
OCR has prioritized the Right of Access Initiative against behavioral health practices over the past five years, with multiple resolution agreements naming therapy and psychiatry providers. The package writes the right-of-access procedure that handles the psychotherapy notes carve-out and the minor-consent question correctly, so the front desk has a defensible answer when a parent asks for the file.
Behavioral-health-scoped HIPAA documentation. In one package.
The full ComplianceArmor HIPAA library, with mental-health-specific scoping written into every artifact. Branded, editable, yours forever, no subscription.
33 HIPAA Policy Templates
Administrative, Physical, Technical, and Organizational safeguards, scoped to a behavioral health practice.
Security Risk Analysis
Required at 45 CFR § 164.308(a)(1)(ii)(A), scored for the EHR, telehealth, and home-office workforce.
Psychotherapy Notes Policy
The separation, access, authorization, and disclosure rules for notes under 45 CFR § 164.501.
42 CFR Part 2 Crosswalk
Where Part 2 applies, where it does not, and the consent and redisclosure language for SUD treatment.
Business Associate Register
BAA tracker for EHR, telehealth, billing, transcription, and any AI-assisted documentation tools.
Court Order vs Subpoena Guide
The disclosure decision tree for subpoenas, court orders, qualified protective orders, and law enforcement requests.
Minor & Parent Access Procedure
State-specific consent age, parent access carve-outs, and the front-desk script for handling parent requests.
Insurance Disclosure Standard
Minimum necessary rule applied to payer authorization requests, treatment plan submissions, and audit responses.
Telehealth & Home Office Policy
Clinician home office workforce security, screen privacy, network controls, and family-member exclusion rule.
Workforce Training Program
Behavioral-health-specific privacy training, recorded for distributed staff, with annual refresh and sign-in logs.
Notice of Privacy Practices
Behavioral-health-scoped privacy notice with the psychotherapy notes carve-out and Part 2 reference where applicable.
OCR Interview Prep Guide
The questions investigators ask behavioral health practices, with confident, plain-English answers.
Mental health HIPAA done-for-you. Fixed price.
No hourly billing. No surprise invoices. No external auditor required to attest to HIPAA. You own every document forever.
Delivered in 30 days, scoped to your EHR, your patient population (including minor consent and Part 2 overlap), and your home-office workforce. Self-attested under HHS rules: there is no HHS-recognized HIPAA certification.
Where the price moves: A solo licensed psychologist or small group practice with one EHR and a clean HIPAA-only scope sits at the $7,997 base. Practices running a federally-assisted SUD program (Part 2 overlap), behavioral health platforms with multi-state telehealth, and groups with 50+ clinicians add scoping time. We tell you the number before you sign, in writing. Bundle pricing with SOC 2 ($18,997) is common for digital therapy and platform companies going through enterprise procurement.
If we missed something, we fix it free.
Every ComplianceArmor HIPAA engagement carries the Petronella Technology Group Audit-Ready Promise. If any artifact has a gap, we fix it at no charge within 30 days. If your package fails an OCR review or audit because of our work, we refund 50% of our fee. The package is yours forever, in editable native formats, with no subscription and no DRM.
Behavioral health HIPAA questions buyers ask.
What counts as a "psychotherapy note" under HIPAA?
The HIPAA definition at 45 CFR § 164.501 is narrow. Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session, that are kept separate from the rest of the patient's medical record. They specifically exclude medication prescription and monitoring, counseling session start and stop times, modalities and frequencies of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date.
The package's Psychotherapy Notes Policy walks through what is and is not a note under that definition, why the separation matters (heightened access protections under 45 CFR § 164.524(a)(1)(i) and authorization rules under 45 CFR § 164.508(a)(2)), and the EHR configuration that actually achieves separation.
How do I know if 42 CFR Part 2 applies to my practice?
Part 2 applies to a federally-assisted program that holds itself out as providing, and provides, alcohol or drug abuse diagnosis, treatment, or referral for treatment. "Federally assisted" includes Medicare, Medicaid, federal grant funding, and DEA registration of the practitioner. A general mental health practice that occasionally treats substance use is generally not a Part 2 program; a methadone clinic or a dedicated SUD outpatient program almost always is.
The 42 CFR Part 2 Crosswalk in the package walks through the application analysis, the consent form requirements, the redisclosure notice text, the prohibition on use in court without a separate court order, and the alignment with HIPAA after the 2024 final rule that pulled Part 2 closer to HIPAA without merging the two.
How do we handle subpoenas for therapy records?
HIPAA permits disclosure under a subpoena only with either patient authorization or "satisfactory assurances" the patient was notified and had a chance to object (45 CFR § 164.512(e)). A court order, by contrast, permits disclosure without that step. State law often imposes additional psychotherapist-patient privilege rules. The package's Court Order vs Subpoena Guide is a decision tree the practice can follow when a subpoena arrives, including the language to use when objecting and the workflow for getting a qualified protective order.
A parent is asking for their teenager's therapy record. What do I do?
State law controls. In most states, when a minor consents to mental health treatment under their own state-law authority (often at age 12, 14, or 16, varies by state), the parent loses the automatic right of access to that portion of the record. HIPAA defers to state law on parent access rules under 45 CFR § 164.502(g)(3). The Minor and Parent Access Procedure in the package is configured for the practice's state and gives the front desk a one-page script for the parent conversation, the documentation to record, and the escalation path if the parent disputes the practice's position.
Our payer asks for treatment plans and notes for authorization. Can we say no?
You can frequently send less than the payer asks for, by applying the minimum necessary standard at 45 CFR § 164.502(b). Payment, treatment, and health care operations disclosures are permitted without patient authorization, but the disclosure must be limited to the minimum necessary to accomplish the purpose. The Insurance Disclosure Standard in the package gives the practice a default rule (send the treatment plan summary, withhold psychotherapy notes), the documentation a payer should accept, and the escalation language when the payer pushes back.
Our clinicians work from home. How do we cover that under HIPAA?
The home office is in scope. Your administrative safeguards have to address remote workforce security: who is allowed to see the screen, where the printer is, how documents are destroyed, what the network looks like, and what happens if the device is lost. Your physical safeguards have to acknowledge that the workstation is not in your facility. The package includes a Telehealth and Home Office Policy and a Home Office Workstation Standard that distributed clinicians can sign and meet without compliance making site visits.
How is this different from buying SimplePractice's HIPAA add-on?
EHR platforms like SimplePractice, TheraNest, and TherapyNotes will sign a BAA and provide certain technical safeguards inside their product. They do not write your psychotherapy notes policy, run your Risk Analysis, document your physical safeguards, train your workforce, or address your Part 2 overlap. ComplianceArmor produces the practice-level program around the EHR you already use. We treat the platform's BAA as one input to your program, not a substitute for the program.
What happens if a former patient files an OCR complaint?
Behavioral health is one of the highest-volume sources of OCR complaints because the patient population is more likely to seek records and to feel mishandling acutely. The first ask from OCR is the same: a current Risk Analysis, written policies for each safeguard category, evidence of workforce training, BAAs for vendors who handle PHI, the right-of-access procedure, and a documented breach notification process. Your ComplianceArmor package delivers all of these in a single binder, with an OCR Interview Prep Guide that walks through the questions investigators ask behavioral health practices.
Stop authoring HIPAA policies. Start the program.
Schedule a 30-minute demo. We will walk through your EHR, your patient mix (including minor consent and Part 2 overlap), and your home-office workforce, scope your HIPAA package live, and show the deliverables an OCR investigator would expect to see for a behavioral health practice.