Behavioral health records are some of the most sensitive information any practice holds. A single therapy note or substance use history can affect a patient’s job, relationships, and legal standing, which is why these records carry extra protection under federal law. In 2026 the rules tightened. If you run a counseling practice, a psychiatry group, an addiction treatment program, or a teletherapy service, your technology and your paperwork both need to keep up. Here is what changed and what your IT setup needs to cover.
The 2026 Part 2 deadline behavioral health practices cannot ignore
On February 8, 2024, the U.S. Department of Health and Human Services finalized major changes to 42 CFR Part 2, the federal rule that protects records from substance use disorder (SUD) treatment programs. The rule has been effective since April 16, 2024, and practices had to comply by February 16, 2026. The goal was to bring Part 2 closer to HIPAA so records can move more easily between providers while patients keep strong privacy.
The most important changes include:
- A single patient consent can now cover all future uses and disclosures for treatment, payment, and health care operations, instead of a separate consent for each disclosure.
- The HIPAA Breach Notification Rule now applies to Part 2 records, so a breach of SUD data triggers the same reporting duties as any other protected health information.
- Penalties were aligned with HIPAA, replacing the old criminal-only penalties with the civil and criminal enforcement framework that applies to HIPAA violations.
- A new category of SUD counseling notes now gets heightened protection, much like psychotherapy notes under HIPAA.
If your practice touches SUD treatment in any way, these are not optional. The access controls, audit logs, and breach response that HIPAA expects now clearly apply to Part 2 data too. Our HIPAA compliance services page explains how those controls fit together.
Psychotherapy notes need more than a locked drawer
HIPAA already gives psychotherapy notes a higher level of protection than the rest of the medical record. In most cases you cannot release them without a specific, separate authorization signed by the patient. A general release for the chart does not cover them.
There is a catch that trips up many practices. Notes only qualify for this extra protection if they are kept separate from the main record. If a clinician stores session analysis in the same file as diagnoses, medications, and billing, those notes lose their special status and are treated as standard electronic protected health information.
That separation is a technology decision as much as a clinical one. Your electronic health record should let clinicians store psychotherapy notes in a distinct, access-restricted location, and only authorized staff should be able to open them. If your current system cannot do that cleanly, it is worth a HIPAA risk assessment to find the gap before an auditor or a breach does.
Teletherapy is convenient, but the platform is only half the job
Behavioral health adopted video visits faster than almost any other specialty, and most patients now expect the option. HIPAA does not ban any particular tool, but it does require that telehealth runs on technology that meets the Privacy and Security Rules, and that you have a signed business associate agreement (BAA) with the vendor.
A consumer video app with no BAA is a problem, no matter how secure it feels. Before you treat a single patient over video, confirm the platform covers the basics:
- A signed BAA from every vendor that handles your patient data.
- Encryption of data both in transit and at rest.
- Unique logins, multi-factor authentication, and role-based access so only the right people see each record.
- Audit logging that records who accessed what and when.
- A current security risk analysis that reflects your telehealth workflow and every vendor in it.
The same standard applies to your EHR, billing system, scheduling tool, and any cloud storage. Each one that touches patient data needs a BAA on file. Our managed IT services for healthcare team keeps that vendor inventory current so nothing slips through.
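The psychotherapy-notes section and the checklist above both come down to a few enforceable rules: notes are access-restricted, they keep heightened status only when stored apart from the chart, a general chart release does not cover them, and every access or disclosure is written to an audit log. As an added illustration (not code from the original article or from Atlantic Computer Systems), here is a small Python model of those rules. The role names, the permission table, the user names, and the sample records are assumptions constructed for the example, not anything the article specifies.

```python
"""Added example: a minimal access-control and audit model for behavioral
health records. Role names, permissions, and sample data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Optional


class RecordType(Enum):
    CHART = "chart"                            # diagnoses, medications, billing, plans
    PSYCHOTHERAPY_NOTE = "psychotherapy_note"  # clinician's private session analysis


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    record_type: RecordType
    stored_separately: bool  # True only if kept apart from the main chart

    def effective_type(self) -> RecordType:
        # A psychotherapy note filed into the main chart loses its special
        # status and is treated as ordinary ePHI (the pitfall the article warns about).
        if self.record_type is RecordType.PSYCHOTHERAPY_NOTE and not self.stored_separately:
            return RecordType.CHART
        return self.record_type


@dataclass(frozen=True)
class Authorization:
    """Patient-signed release. A general chart release covers CHART only;
    psychotherapy notes need an authorization that names them specifically."""
    patient_id: str
    covers: frozenset


# Hypothetical role-to-record-type permissions (an assumption for this example).
ROLE_PERMISSIONS = {
    "treating_clinician": {RecordType.CHART, RecordType.PSYCHOTHERAPY_NOTE},
    "billing": {RecordType.CHART},
    "front_desk": set(),
}


@dataclass
class AuditEntry:
    when: datetime
    user: str
    action: str     # "open" or "disclose"
    record_id: str
    decision: str   # "allow" or "deny"
    reason: str


class RecordGateway:
    """Enforces role-based access and release rules; logs every decision, allow or deny."""

    def __init__(self) -> None:
        self.audit_log: list = []

    def _log(self, user: str, action: str, record: Record, decision: str, reason: str) -> bool:
        self.audit_log.append(AuditEntry(datetime.now(timezone.utc), user, action,
                                         record.record_id, decision, reason))
        return decision == "allow"

    def open_record(self, user: str, role: str, record: Record) -> bool:
        """Staff access: allowed only if the role may view the record's effective type."""
        eff = record.effective_type()
        if eff in ROLE_PERMISSIONS.get(role, set()):
            return self._log(user, "open", record, "allow", f"role {role} may view {eff.value}")
        return self._log(user, "open", record, "deny", f"role {role} may not view {eff.value}")

    def disclose(self, user: str, record: Record, auth: Optional[Authorization]) -> bool:
        """Release to an outside party: requires a matching, sufficiently specific authorization."""
        if auth is None:
            return self._log(user, "disclose", record, "deny", "no authorization on file")
        if auth.patient_id != record.patient_id:
            return self._log(user, "disclose", record, "deny", "authorization is for another patient")
        eff = record.effective_type()
        if eff not in auth.covers:
            return self._log(user, "disclose", record, "deny", f"authorization does not cover {eff.value}")
        return self._log(user, "disclose", record, "allow", f"authorization covers {eff.value}")


def demo() -> dict:
    """Constructed sample: one note filed separately, one misfiled into the chart."""
    gw = RecordGateway()
    separate_note = Record("note-1", "patient-A", RecordType.PSYCHOTHERAPY_NOTE, True)
    misfiled_note = Record("note-2", "patient-A", RecordType.PSYCHOTHERAPY_NOTE, False)
    general_release = Authorization("patient-A", frozenset({RecordType.CHART}))
    specific_release = Authorization("patient-A", frozenset({RecordType.PSYCHOTHERAPY_NOTE}))
    return {
        "billing_opens_separate_note": gw.open_record("bob", "billing", separate_note),
        "billing_opens_misfiled_note": gw.open_record("bob", "billing", misfiled_note),
        "clinician_opens_separate_note": gw.open_record("dr_kim", "treating_clinician", separate_note),
        "general_release_covers_note": gw.disclose("clerk", separate_note, general_release),
        "specific_release_covers_note": gw.disclose("clerk", separate_note, specific_release),
        "audit_entries": len(gw.audit_log),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The `misfiled_note` result is the point worth noticing: because it was stored in the main chart, the billing role can open it under an ordinary chart permission, which is exactly how a note loses its heightened protection. Denied attempts are logged alongside allowed ones, since a record of who tried to open what and when is what an auditor or a breach investigation will ask for.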
A practical IT foundation for behavioral health practices
Most enforcement actions trace back to a few missing basics rather than exotic attacks. A behavioral health practice that wants to sleep at night should have:
- A documented, up-to-date security risk analysis, reviewed at least once a year.
- Multi-factor authentication on email, the EHR, and remote access.
- Encrypted devices and encrypted, tested backups stored off site.
- Access controls so each staff member sees only what their role requires.
- Regular staff training on phishing and on handling sensitive records.
These same controls also satisfy most cyber insurance requirements, which means one well-run program protects patients, your license, and your premium at the same time. Strong cybersecurity is no longer separate from compliance. It is the same work.
Frequently asked questions
Does 42 CFR Part 2 apply to my practice if I only provide general therapy?
Part 2 applies to federally assisted programs that hold themselves out as providing substance use disorder diagnosis, treatment, or referral. A general therapy practice that does not provide SUD treatment may fall outside Part 2, but it is still fully subject to HIPAA. If any part of your work touches SUD treatment, assume Part 2 applies and confirm with counsel.
What is the difference between psychotherapy notes and the regular record?
Psychotherapy notes are a clinician’s private notes analyzing a counseling session, kept separate from the chart. They get extra protection and usually require a specific authorization to release. The regular record, including diagnoses, medications, test results, and treatment plans, does not get that heightened protection.
Can I use a normal consumer video app for teletherapy?
Only if the vendor will sign a business associate agreement and the platform meets HIPAA’s security requirements. Many consumer tools will not sign a BAA, which makes them a poor fit for clinical care. Choose a platform built for healthcare and get the BAA in writing.
How often do I need a HIPAA risk analysis?
HIPAA requires an accurate and thorough risk analysis with updates as needed. In practice, an annual review plus an update after any major change, such as a new EHR or a move to telehealth, is the standard most practices follow.
Behavioral health compliance is detailed, and the 2026 changes raised the stakes. If you want a clear picture of where your practice stands, book a free IT and security consultation with Atlantic Computer Systems, or call us at 1-650-300-7557. We will review your systems, your vendors, and your records workflow, and give you a straight answer on what to fix first.