HIPAA Business Associate Agreement for Behavioral Health Organizations
By BAA Generator Editorial · Updated Apr 20, 2026 · 5 min read
Key Takeaways
- ✓ Behavioral health organizations are HIPAA covered entities and must execute BAAs with all vendors handling PHI
- ✓ Mental health EHRs (SimplePractice, TherapyNotes, Valant, Kipu Health) all provide BAAs — you must request them
- ✓ Substance use disorder records are governed by both HIPAA and the stricter 42 CFR Part 2 framework
- ✓ Behavioral health PHI carries heightened stigma risk — a breach can have severe professional and personal consequences for patients
Behavioral health organizations — outpatient therapy practices, psychiatric clinics, community mental health centers, and substance use disorder treatment programs — handle some of the most sensitive protected health information in healthcare. A breach of mental health diagnoses, psychiatric medications, or substance use records can affect a patient's employment, custody rights, insurance coverage, and personal relationships in ways that most medical breaches do not. The HIPAA Business Associate Agreement framework is therefore not just a compliance checkbox for these organizations — it is a critical patient protection.
Why Behavioral Health Organizations Are Covered Entities
Under HIPAA, any healthcare provider who transmits health information electronically in connection with a covered transaction is a covered entity. Behavioral health providers — including licensed clinical social workers, psychologists, psychiatrists, marriage and family therapists, and counselors — meet this definition when they submit insurance claims or conduct other standard electronic transactions.
Even behavioral health providers who see only self-pay clients may still be covered entities if they use EHR systems that transmit health information electronically in connection with a covered transaction. The determining factor is electronic transmission of health information for a covered transaction, not whether the practice accepts insurance.
Covered behavioral health organization types include:
- Outpatient mental health practices (solo and group)
- Psychiatric clinics and inpatient psychiatric hospitals
- Community mental health centers (CMHCs)
- Substance use disorder (SUD) treatment programs
- Co-occurring disorder programs treating both mental health and SUD
- Telehealth-only behavioral health platforms with licensed clinicians
What PHI Behavioral Health Organizations Handle
Behavioral health PHI is distinct in its sensitivity. The records held by a behavioral health organization typically include:
- Mental health diagnoses (e.g., depression, PTSD, bipolar disorder, schizophrenia)
- Substance use disorder treatment history and diagnoses
- Psychiatric medications and dosing history
- Psychotherapy session notes and treatment plans
- Crisis intervention and hospitalization records
- Group therapy participation records
- Demographic and insurance information linked to a behavioral health context
Under HIPAA's Privacy Rule, psychotherapy notes held separately from the rest of a patient's medical record receive heightened protection — they are not included in the general right of access and cannot be disclosed without explicit authorization in most circumstances. Vendors whose systems store psychotherapy notes separately must understand these requirements, and BAAs should reflect them.
42 CFR Part 2 and Substance Use Disorder Records
Organizations that treat substance use disorders — including alcohol, opioid, and other substance addictions — operate under a second federal confidentiality framework: 42 CFR Part 2. Originally enacted to encourage people to seek SUD treatment without fear of legal consequences, Part 2 imposes restrictions that go beyond HIPAA in several important ways:
- SUD records generally cannot be disclosed without patient consent, even to other treating providers, unless specific exceptions apply
- Redisclosure of Part 2 records by recipients is prohibited without a new patient authorization
- Law enforcement cannot access Part 2 records through standard HIPAA exceptions
The 2024 Part 2 final rule, effective February 2024, aligned Part 2 more closely with HIPAA — allowing patients to provide a single general consent for treatment, payment, and operations purposes. However, Part 2 restrictions on disclosure for legal proceedings and law enforcement remain more stringent than HIPAA. BAAs with vendors who access SUD records should specifically acknowledge Part 2 obligations and prohibit redisclosure.
Vendors Behavioral Health Organizations Typically Need BAAs With
Mental Health EHR and Practice Management Platforms
SimplePractice, TherapyNotes, Valant, Kipu Health, and TheraNest are among the most widely used platforms in behavioral health. All offer BAAs to paying subscribers, but you must initiate the agreement — the BAA is not automatically executed upon signup. Kipu Health and Valant cater specifically to higher-acuity psychiatric and SUD settings and have compliance teams familiar with both HIPAA and Part 2.
Telehealth Platforms
Behavioral health has one of the highest rates of telehealth adoption in healthcare. Telehealth platforms — whether standalone tools or embedded within EHRs — must sign BAAs because they transmit video sessions and associated scheduling and clinical data. Doxy.me, Zoom for Healthcare, and SimplePractice's built-in telehealth all offer HIPAA BAAs. Consumer-grade Zoom does not.
Billing Companies and Clearinghouses
Behavioral health billing often requires specialized knowledge (mental health CPT codes, prior authorization for SUD treatment) and is frequently outsourced. Any billing company or clearinghouse receiving claim data with patient diagnoses and demographic information is a business associate requiring a BAA.
Patient Messaging and Scheduling Platforms
Patient reminder systems, appointment scheduling tools, and secure messaging platforms that link a patient's identity to a behavioral health practice handle PHI. A text reminder that says "You have an appointment at [Mental Health Clinic]" discloses that the patient has a relationship with a behavioral health provider — which is itself PHI in many contexts.
Common BAA Requirements Table for Behavioral Health
| Vendor Type | Example Vendors | BAA Required? |
|---|---|---|
| Mental health EHR | SimplePractice, TherapyNotes, Valant, TheraNest | Yes |
| SUD-specific EHR | Kipu Health, Netsmart, Welligent | Yes (+ Part 2 provisions) |
| Telehealth platform | Doxy.me, Zoom for Healthcare | Yes |
| Billing company | Outsourced behavioral health billing firms | Yes |
| Clearinghouse | Availity, Change Healthcare, Office Ally | Yes |
| Patient messaging / scheduling | Spruce Health, Klara, NexHealth | Yes |
| Cloud backup / IT support | Microsoft 365, local MSP | Yes |
Common Compliance Gaps in Behavioral Health
The most frequent BAA gaps in behavioral health settings include: (1) using a HIPAA-compliant EHR but a consumer-grade video platform for telehealth sessions; (2) failing to get a BAA with a billing company because the relationship predates the organization's formal compliance program; (3) not addressing 42 CFR Part 2 in BAAs with vendors accessing SUD records; and (4) using free or low-tier versions of productivity tools (Google Workspace, Slack) that don't include BAA provisions.
For a broader framework on vendor BAA tracking, see our guide on BAA requirements for individual therapists and our post on whether SimplePractice signs a BAA. For TherapyNotes specifically, see our post on whether TherapyNotes signs a BAA.
Frequently Asked Questions
Do behavioral health organizations need HIPAA BAAs?
Yes. Behavioral health organizations are HIPAA covered entities. They must sign BAAs with every vendor that creates, receives, maintains, or transmits protected health information on their behalf — including EHR platforms, telehealth tools, billing companies, clearinghouses, and patient communication systems. There is no exception based on practice type or size.
What is 42 CFR Part 2 and how does it relate to BAAs?
42 CFR Part 2 is a federal regulation that imposes stricter confidentiality protections on substance use disorder treatment records than HIPAA alone. Organizations treating SUD must ensure their BAAs with vendors who access those records reflect Part 2 restrictions — including prohibitions on redisclosure without patient consent. The 2024 Part 2 final rule aligned some provisions with HIPAA but did not eliminate all distinctions.
What EHR systems for behavioral health sign BAAs?
SimplePractice, TherapyNotes, Valant, Kipu Health, TheraNest, and Netsmart all offer BAAs. You must actively request the BAA rather than assuming it is included in your subscription. For platforms specializing in SUD treatment, confirm whether the BAA language addresses 42 CFR Part 2 obligations specifically.
Do group therapy notes require special BAA provisions?
Group therapy notes contain PHI for multiple patients simultaneously, and their unauthorized disclosure can be especially harmful. Standard HIPAA BAA provisions cover the data, but practices treating SUD should confirm that BAAs for documentation vendors specifically address 42 CFR Part 2 restrictions, which apply to SUD group session records even when those records don't identify other group members by name.
Generate a BAA for your behavioral health organization
Create a HIPAA-compliant Business Associate Agreement for your vendors — free to start, no subscription required.