HIPAA for Mental Health Care Providers




Faculty: Becca Kalivas, RN, MS


Successful Completion: Complete entire module, complete the exam with a passing score of 80% or better, and complete the evaluation form.


Estimated Time to Complete Activity: 90 minutes.


CEUs: HIPAA Exams is authorized by IACET to offer 0.1 CEUs for this program.


Free Certification of Completion available instantly for download or printing upon successful completion.


This course is for mental health professionals. It explains what HIPAA is while ensuring your knowledge and understanding of the important pieces of HIPAA law, such as HIPAA Privacy, HIPAA Security, and the Enforcement Rule for HIPAA violations.

Includes 2021/2022 Updates - ONC 21st Cures Act Final Rule and the CMS Final Rule

Course includes a video and audio component with stand-alone exam

Receive HIPAA Certification "Certificate of Completion" with successful completion


Why does HIPAA prevent mental health reporting?

HIPAA, the Health Insurance Portability and Accountability Act, is designed to protect all health information, including mental health information. It helps to safeguard a patient's privacy. HIPAA does not specifically prevent mental health reporting, but any disclosures need to adhere to the appropriate protections outlined by the Act. The general rule is information can only be disclosed with the patient’s consent unless it falls under certain exceptions, the details of which are covered in this training course.

What are the HIPAA regulations for mental health professionals?

HIPAA regulations allow mental health professionals to disclose essential information in specific circumstances. For example, mental health professionals can share patient details among themselves for consultation or referral purposes, but these disclosures are usually limited to the information necessary for the purpose.

With a patient's permission, they can also communicate with a patient's family members or other persons involved in care or payment for care. However, these communications should also be limited to the minimum necessary information.

When should a mental health professional go against HIPAA?

The HIPAA Privacy Rule is not typically violated, but there are certain circumstances under which a mental health professional can disclose protected health information without the patient's consent. These exceptions include responding to a public health threat, reporting information about victims of abuse, neglect, or domestic violence, and for judicial and administrative proceedings.

What does HIPAA require to release mental health records?

Under HIPAA, a mental health professional can release mental health records with the patient’s consent. The consent must be in writing or, in some cases, assumed if the patient does not object. The information released should be limited to only what is necessary to accomplish the intended purpose.

In some exceptional cases, depending on state law, mental health records can be released without patient consent, for example in circumstances of public health emergencies or legitimate legal processes.


What is a Business Associate Under HIPAA?

Business associates are third parties who create, receive, maintain, or transfer Personal Health Information (PHI) on behalf of a covered entity. They are not typical employees of the entity, but they may have access to, use, or disclose PHI for specific purposes. Consultants, electronic medical record providers, attorneys, accountants, IT software providers, and medical billing services providers are a few examples of business associates.

What is an Example of a Business Associate Under HIPAA?

Businesses that would be considered business associates:

  • Software companies with PHI access
  • Companies that process or collect claims
  • A third-party administrator who helps a health plan process claims.
  • Pharmacy benefit administrators who oversee the pharmacist network of a health plan. 
  • Patient safety or accreditation organizations
  • Medical transcription services
  • Software and data processing companies that could handle PHI
  • Medical equipment services companies that deal with PHI-containing equipment
  • A CPA firm that provides accounting services to a health care provider that includes access to protected health information.
  • A lawyer who provides legal services to a health plan and has access to protected health information.

Which Part of HIPAA Extends all of HIPAA's Obligations to Business Associates?

The HIPAA Privacy Rule is a federal law that protects personal health information privacy and grants patients’ rights. It also mandates that covered entities must obtain assurances from their business associates that the business associate will safeguard the PHI on their behalf. These assurances must be documented in writing, either through a contract or other arrangement between the covered entity and the business associate. A HIPAA Business Associate must understand the HIPAA Privacy Rule and how it applies to them.

How to Become a HIPAA Compliant Business Associate?

A business associate must maintain the privacy and security of PHI in the same way as the covered entity does. If there is a breach, they will be held accountable. Due to the sensitive nature of their employment, business associates must complete HIPAA compliance training and sign a HIPAA business associate agreement with their covered entity. A business associate agreement acknowledges the business associate's responsibility to protect the PHI entrusted to them by the covered company.

Completing business associate training assists in safeguarding protected health information and meeting the HIPAA Privacy Rule standards. We provide an online HIPAA Business Associate training course that will guarantee your understanding of key HIPAA rules, standards, and regulations.

How to Purchase

To enroll in this course, simply add the number of users you need below and ADD TO CART. Follow the steps for CHECKOUT which will include registering your account.


Learning Objectives

  • Define the purpose of HIPAA legislation
  • Recognize and comply with the modifications in the HIPAA Final Rule
  • Identify what is required to ensure compliance with the HIPAA Privacy, Security, and Breach Notification Rules in your practice
  • Name safeguards to protect individually identifiable protected information
  • List ways to apply HIPAA law in his/her daily work as a Mental Health Professional

Target Audience

This course is intended for mental health care providers.

Table of Contents

HIPAA for Mental Health Care Providers

(HIPAA Privacy, Security, and Enforcement Training)


  • HIPAA Compliance for Mental Health Care Providers
  • Legal Notice
  • Purpose and Learning Objectives
  • Target Audience
  • Course Introduction
  • Health Care Regulations in the United States
  • What is HIPAA?
  • HITECH and Omnibus Rule
  • What Does HIPAA Mean to You?
  • The HIPAA Privacy Rule
  • ONC Cures Act and CMS Final Rule - 2021/2022 Update
  • The HIPAA Security Rule
  • Breach Notification Rule
  • Breach Notification Rule Compliance
  • Ensure HIPAA Compliance
  • Penalty Structure for HIPAA Violations
  • HIPAA Review of Terms
  • Recent Updates to HIPAA
  • End of Course Exam

Course Content Example 1:

HIPAA for Mental Health Care Providers: Course Introduction

With the increased penalties that were determined under the HITECH Act and the Omnibus Final Rule, it is now imperative that mental health care providers (MHCPs) who are considered covered entities (CEs), business associates (BAs), and subcontractors of BAs employ increased precautions.

A breach including mental health information or psychotherapy notes could cause significant harm to the person whose PHI is exposed.

The breach can also be costly to the CE in the form of increased civil penalties, possible criminal penalties, and damage to reputation.

This course discusses how the HIPAA Omnibus Final Rule impacts you, as a MHCP, and reviews what you must do to comply with HIPAA and avoid penalties.

Course Content Example 2:

What Does HIPAA Mean to You?

The HIPAA Omnibus Final Rule may affect your practice in many ways. The Final Rule mandates new standards and procedures within the Privacy, Security, and Breach Notification Rules.

As a MHCP, if you fall within one of the following CE categories, you must comply with HIPAA Rules:

  • Health Care Providers: Any provider of medical or other health services, or supplies, who transmits any health information in electronic format in connection with a transaction where standard requirements are adopted
  • Health Plans: Any individual or group plan that provides or pays the cost of health care
  • Health Care Clearinghouses: A public or private entity that transforms health care transactions from one form to another


Download Certificate of Completion Immediately

3 Attempts to Pass Your Exam

Instant Access: 100% Online - Access 24/7 from Anywhere

No Recurring Fees

Train Anywhere, Anytime

Courses can be accessed from any internet device at any time.