Article Updated: July 11, 2026

HIPAA, 42 CFR Part 2, and State Laws in Psychiatric Practice

Psychiatrists practice within a layered legal framework in which the HIPAA Privacy Rule, HIPAA Security Rule, and HIPAA Breach Notification Rule establish the federal baseline for protecting patient information, but where 42 CFR Part 2 and state confidentiality laws can impose stricter requirements that take precedence over that baseline in specific circumstances. Understanding which framework governs a particular disclosure is a practical clinical and compliance skill, not a theoretical exercise. When those frameworks conflict, the governing principle is that the most protective rule applies, meaning the rule that places the greatest restriction on disclosure determines what a psychiatrist may or must do.

HIPAA as the Federal Baseline

The HIPAA Privacy Rule defines when Protected Health Information may be used or disclosed for treatment, payment, and healthcare operations, what patient rights apply to psychiatric records, and when patient authorization is required before information can be shared. The HIPAA Security Rule governs how electronic Protected Health Information must be protected across the systems, devices, and platforms psychiatrists use in clinical practice. The HIPAA Breach Notification Rule establishes the notification obligations that apply when Protected Health Information is impermissibly accessed or disclosed. These three rules apply to every psychiatrist operating within a Covered Entity and set the minimum standard for privacy and security compliance across all practice settings and patient populations.

How 42 CFR Part 2 Applies in Psychiatric Practice

When psychiatrists treat patients with co-occurring substance use disorders within federally assisted programs, 42 CFR Part 2 applies in addition to HIPAA and imposes substantially stricter requirements. Unlike the HIPAA Privacy Rule, which permits disclosures for treatment without patient authorization in most circumstances, 42 CFR Part 2 generally prohibits disclosure of substance use disorder patient records without written patient consent, even when the purpose is treatment. Redisclosure restrictions are equally strict: information received from a Part 2 program cannot be passed on to another party unless the patient has specifically authorized it or a narrow exception applies. These protections attach to the information itself rather than to the setting where it originated, which means a psychiatrist who receives Part 2-protected records in one clinical environment carries those restrictions into other settings where the same information is later used. Psychiatrists who work in or refer patients to federally assisted substance use disorder programs must recognize when Part 2 applies and apply it correctly alongside HIPAA.

State Law Variations That Affect Psychiatric Practice

State confidentiality laws create meaningful differences in the obligations psychiatrists face depending on where they practice. Some states allow minors to consent to their own mental health treatment independently, restricting parental access to the minor’s records in ways that go beyond what HIPAA requires. Others impose heightened protections for reproductive health information, HIV-related records, and behavioral health data that HIPAA does not separately protect. Mental health privilege laws, where enacted, determine whether psychiatric records can be introduced in legal proceedings, and the scope of those laws varies considerably across jurisdictions. Duty-to-warn and duty-to-protect laws also differ by state, with some states imposing a mandatory disclosure obligation when a patient makes a credible threat against an identifiable person and others permitting but not requiring such disclosures. Psychiatrists must know the laws of the state in which they practice and recognize when a disclosure request activates heightened protections rather than standard HIPAA rules.

Training That Addresses the Full Legal Landscape

The HIPAA Journal’s HIPAA Training for Psychiatrists includes a specialist module, Patient Confidentiality in Psychiatry, delivered as a required component of Section One of the course. The module addresses how HIPAA, 42 CFR Part 2, and state law interact in the scenarios psychiatrists encounter in practice, including how to identify when Part 2 applies to a patient’s records, how to recognize when state law imposes stricter requirements than the federal baseline, and how to apply the most protective framework consistently across different clinical environments. For practices operating in Texas or California, the course also includes optional state medical privacy modules at no additional cost. The Texas module covers the Texas Medical Records Privacy Act as amended by House Bill 300, the Texas Data Privacy and Security Act, the Texas Responsible AI Governance Act, and related statutes. The California module covers the Confidentiality of Medical Information Act, the California Privacy Rights Act, Senate Bill 81, and other applicable state frameworks. When selected at purchase, both modules are incorporated into Section One and become required training for all learners, giving psychiatric workforces in those states a single accredited course that meets their federal and state training obligations.

Author: PJ Murray

PJ Murray is the founder and publisher of The HIPAA Journal. He has more than 10 years of experience writing about HIPAA, healthcare compliance, patient privacy, and the protection of medical records. Through The HIPAA Journal, PJ helps healthcare organizations, business associates, and their employees better understand HIPAA regulations, reduce compliance risks, and strengthen the safeguards used to protect patient information.

PJ has a background in software development, holds an engineering degree, and specializes in the cybersecurity aspects of HIPAA compliance, including data security, medical record protection, and workforce training. He has also played a leading role in the development and launch of The HIPAA Journal Training, which provides HIPAA and cybersecurity training for healthcare organizations, business associates, students, and healthcare-related workforces.

PJ's work focuses on making complex regulatory and technical requirements easier for healthcare professionals and organizations to understand and apply in practice.
Connect on LinkedIn.