Mental Health Providers HIPAA Awareness

Mental Health Providers Course Outline:

Briefing Overview

Learning Objectives

HIPAA (not HIPPA): Acronym and Meaning

Course Roadmap

HIPAA and Part 2 Timeline

HIPAA Rules and How They Work Together

Key Federal Developments Affecting Behavioral Health Providers

Why Behavioral Health and Office Workflows Need Special Attention

Terms and Definitions

• Definitions:  The C-I-A Triad
• Definition: Health Information, IIHI, PHI, and ePHI
• Definition: Identifiers That Can Make Information PHI
• Definition: Control Types and Functions
• What HIPAA Covers – and What It Does Not

Behavioral Health and PHI

• Mental Health Information and Psychotherapy Notes
• SUD Records Overview: When 42 CFR Part 2 May Apply
• Minimum Necessary – What It Is and What It Is Not
• Before PHI Is Used or Disclosed
• Patient Rights and the Designated Record Set
• Authorization vs. HIPAA Consent vs. Informed Consent
• Authorization Requirements
• Defective Authorizations
• Notice of Privacy Practices: Purpose and Workflow
• NPP and Patient Notice Updates Required in 2026
• Required Documentation and Retention

Sanctions and Enforcement:  HIPAA and Part 2

• Civil Penalties
• Civil Penalties for Part 2 Violations
• Criminal Penalties
• Current OCR Enforcement Themes
• Current Audit and Cybersecurity Focus

The HIPAA Rules

• HIPAA Security Rule Overview
• Administrative Safeguards
• Physical Safeguards
• Technical Safeguards

Threats, The Web and AI

• Ransomware, Malware, and Encryption
• Phishing, Social Engineering, and Impersonation
• Remote Work, Mobile Devices, and Texting
• Telehealth and Audio-Only Telehealth
• Online Tracking Tools, Chat Widgets, and Website Forms
• AI Update: HIPAA Rules Still Apply to AI Tools
• Responsible Use of AI: Workforce Guardrails and Required AI Use Policy

HIPAA Defined Entities and Their Arrangements

• Covered Provider Entities, Hybrid Entities, and Organized Health Care Arrangements (OHCA)
• Business Associates – Modern Examples
• Business Associate Agreements (BAAs)
• Vendor Due Diligence and Subcontractors
• When a BAA May Not Be Needed

Provider Close-Up and Special Topics

• Behavioral and Mental Health Providers: What Is Different
• Family, Friends, and Caregivers
• Serious and Imminent Threat / Duty to Protect
• Minors, Parents, and Designated Personal Representatives (DPR)
• FERPA vs. HIPAA in Academic Settings
• Psychotherapy Notes – Special Protection in Practice
• Part 2: Major 2024 and 2026 Operating Changes
• SUD Counseling Notes, Redisclosure, and Legal Proceedings
• Part 2 Notices, Patient Rights, Breaches, and OCR Enforcement
• Front Desk, Scheduling, and Check-In
• Clinical Encounters and Documentation
• Billing, Payment, and Records-Release Staff
• Incidental Disclosures and the Need-to-Know Culture
• Paper, Fax, Printers, Voicemail, and Disposal
• Marketing, Fundraising, Testimonials, Photos, and Social Media

Incidents, Breaches, and Documentation

• What Is a Breach?
• Breach Notification Requirements
• Event Response and the Four-Factor Risk Assessment
• Reporting Chain, Sanctions, and Mitigation
• Whistleblower Disclosures of PHI
• Documentation and Audit Readiness
• Human Trafficking Awareness for Health Care Staff
• State Law Overlay and Stricter Confidentiality Rules
• Handling Reproductive Health and Other Highly Sensitive Information Requests

Quick Review, Future Watch and Next Steps

• Quick Review – Five Rules to Remember
• Common High-Risk Situations
• Future Watch and Next Steps
• What the Future May Hold
• Security Rule NPRM and Proposed Changes to Watch
• Required Policies, Procedures, and Recommended Follow-Through
• Resources and Internal Contacts
• Selected Federal and Policy References
• Questions and Acknowledgment

In Closing…

What We Are Protecting