Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that established national standards for how health information is used, transmitted, and disclosed.

HIPAA, which became federal law in 1996, created a number of privacy rights and protections for consumers in order to ensure that health information remains sufficiently confidential.

Understanding HIPAA

HIPAA was designed to increase insurance coverage among Americans while delivering health care in a more efficient manner. The law contains provisions in three main areas: portability provisions, tax provisions, and administrative provisions. Congress recognized that advances in technology, while increasing efficiency, could also endanger the security of health information. The Department of Health and Human Services (HHS) therefore issued the Privacy Rule in December 2000. This rule established standards for the use and disclosure of health information in order to better protect patient privacy in a changing technological environment.

The Privacy Rule applies to health plans, health care clearinghouses, and all health care providers who transmit health information in electronic form. It protects individual health records, allowing such information to be shared without an individual's permission only in a few specific cases.

All individually identifiable health information, in any form (electronic, paper, or oral), that is held or transmitted by a covered entity (the health plans, clearinghouses, and providers to which HIPAA applies) is referred to as "protected health information" (PHI). Protected health information includes demographic data, details about physical and mental health, information about health care services rendered, and information about payment for such services.

Disclosure and Protection of Health Information Under HIPAA

Under HIPAA, covered entities are permitted to disclose PHI for the purpose of treatment, payment, and healthcare operations. Other disclosures are permitted in the case of 12 national priority purposes. These include instances such as public health activities, law enforcement purposes, essential government functions, and serious threat to health/safety, among others.

HIPAA serves to protect the privacy of individuals by requiring that covered entities obtain, use, and share only the minimum amount of PHI necessary for a given purpose. Additionally, HIPAA requires covered entities to obtain the individual's written authorization for any use or disclosure of PHI that the Privacy Rule does not otherwise permit or require; treatment, payment, and health care operations, and the national priority purposes listed above, do not require authorization. Covered entities are also required to take certain steps to ensure PHI remains protected. These steps include:

  • Developing and implementing written privacy policies and procedures
  • Designating a privacy official who is responsible for ensuring that the privacy policies and procedures are being followed
  • Implementing reasonable safeguards to prevent uses and disclosures of PHI that are not permitted by the Privacy Rule

HIPAA and Mental Health Information

The HIPAA Privacy Rule applies to all health information, including information about mental health. Under HIPAA, mental health care providers are permitted to communicate with an individual's family and friends or others who are involved in care, as long as the individual has the capacity to make health care decisions and does not object to the communication. The provider can ask permission to share relevant information, inform the individual of the intent to share information and give them an opportunity to object, or infer from the circumstances that the individual does not object (such as when the individual invites a family member into the treatment room). The provider should disclose only the minimum amount of information needed.

When the individual being treated is not present or is otherwise unable to agree or object to disclosure of PHI (for example, when the person is unconscious), a provider should disclose information only if doing so can reasonably be said to be in the person's best interest. Under the Privacy Rule, providers are also permitted to disclose PHI when the provider believes, in good faith, that an individual poses a serious and imminent threat to themselves or to others. In such a situation, disclosures can be made to law enforcement, family members of the individual, or other people who may reasonably be able to prevent or reduce the threat.

Psychotherapy Notes and HIPAA

Psychotherapy notes, recorded by a mental health professional to document the contents of conversations held in session, receive special protection under HIPAA. They are subject to the Privacy Rule, but with stronger protection than other PHI: a covered entity generally needs the individual's written authorization to use or disclose them, even for treatment, payment, or health care operations, with only narrow exceptions such as use by the provider who wrote them, disclosures required by law, and "duty to warn" disclosures made to avert a serious and imminent threat. Psychotherapy notes are also excluded from the individual's general right of access to their records.

To qualify for this heightened protection, however, psychotherapy notes must be kept separate from the rest of the individual's medical record. Medication records, session start and stop times, diagnoses, and treatment summaries are not psychotherapy notes even if the provider stores them separately.



Last Updated: 08-4-2016

  • Nilda R

    February 2nd, 2018 at 9:24 AM

    It’s awesome that these services are offered

  • Tracy

    November 24th, 2020 at 10:29 AM

    One of the ASWs that I am supervising accidentally released the name, first name only, of an individual to another client when using 8 x 8 technology. She thought that she was sending it to the primary care physician that sees this client but it accidentally went to another client of hers. What is she legally required to do?

  • Patricia

    September 4th, 2023 at 8:16 AM

    I’m interested in information
