HIPAA in 2026: What's Changed and What Therapists Need to Know
Recent updates to HIPAA enforcement, mental health record provisions, and patient access rights, and what the new reproductive health privacy rules mean for therapists.
HIPAA isn't static. The Privacy Rule was finalized in 2000, but it has been amended multiple times, and the Office for Civil Rights (OCR) has issued guidance, rule changes, and enforcement priorities that meaningfully affect how therapists handle patient information.
The past several years have seen some of the most significant HIPAA changes since the HITECH Act of 2009, with new rules addressing reproductive health privacy, mental health record access, and patient right-of-access enforcement. Here's what's changed and what it means for your practice.
The Reproductive Health Privacy Rule
The most significant recent HIPAA change is the final rule issued by OCR in April 2024 that strengthens privacy protections for reproductive health information. Given the shifting legal landscape on reproductive rights in various states, this rule has direct relevance to therapists.
What the rule does: The rule prohibits covered entities — including therapists — from using or disclosing protected health information related to reproductive health care for certain investigative or enforcement purposes. Specifically:
- You cannot disclose PHI to a state or law enforcement agency for the purpose of investigating or imposing liability on a person for seeking, obtaining, providing, or facilitating lawful reproductive health care
- You cannot disclose PHI to identify or locate a patient for these purposes
- You cannot use or share PHI in a civil or criminal proceeding if the purpose is to investigate reproductive health care that is lawful in the state where it was provided
What this means for therapists: If a client discusses decisions about reproductive health care in session — seeking an abortion, contraceptive use, fertility treatment — that information is subject to these enhanced protections. Under the rule, you are not required to comply with a court order or law enforcement request that seeks disclosure of that information for the purposes described above.
This is a significant departure from prior practice and requires therapists to be familiar with the new attestation requirements when receiving requests for PHI.
Compliance note: covered entities receiving requests for PHI must now obtain a written attestation from the requesting party that the PHI will not be used for prohibited reproductive health care purposes. The attestation requirement applies to requests made for health oversight activities, judicial and administrative proceedings, and law enforcement purposes, and to requests from coroners and medical examiners.
Patient Right-of-Access Enforcement
OCR has significantly ramped up enforcement of the patient right of access under HIPAA — the right of patients to receive copies of their medical records within 30 days of a request.
Since 2019, OCR has resolved numerous enforcement actions under its "Right of Access Initiative," with settlements ranging from a few thousand dollars to over $300,000. The message has been consistent: OCR takes access requests seriously, and providers who delay, obstruct, or overcharge for records will face enforcement.
For therapists, the key points:
- You must respond to a patient records request within 30 calendar days (one 30-day extension is available if you notify the patient within the initial 30 days)
- You must provide records in the format the patient requests if you can readily do so
- You can charge reasonable cost-based fees, but cannot charge for the time it took to search for records or separate clinical notes from administrative records
- You generally cannot refuse to provide records on the basis that providing them would be harmful — though there are limited exceptions for psychotherapy notes (more on that below)
The psychotherapy notes distinction remains important. Under HIPAA, "psychotherapy notes" have a specific legal meaning: they are process notes kept separate from the medical record, used only by the treating clinician, and not used for billing or treatment coordination. If you keep such notes, they are subject to special protections and do not fall under the right-of-access requirement. Most clinical notes — SOAP notes, DAP notes, progress notes — are not psychotherapy notes in the HIPAA sense and are subject to access requests.
This distinction continues to confuse therapists. If your SOAP notes are in your EHR and used for billing, they are not psychotherapy notes and are subject to the right of access.
Mental Health Records and 42 CFR Part 2
42 CFR Part 2 is a separate federal regulation (not HIPAA) that governs substance use disorder treatment records. It has historically been stricter than HIPAA and created coordination-of-care headaches because SUD records couldn't be shared without explicit consent even among treating providers.
A 2024 update to 42 CFR Part 2 brought it closer to alignment with HIPAA in some respects:
- SUD records can now be shared for treatment, payment, and health care operations with a one-time general consent (similar to HIPAA's TPO permissions), rather than requiring separate consent for each disclosure
- Patients retain the right to revoke consent
- The prohibition on use of SUD records in criminal proceedings remains in place
For therapists treating co-occurring disorders or working in integrated care settings: this change may affect how you handle records and consent for clients with substance use disorders. If you have clients who previously signed only a HIPAA-compliant consent for records release, and those records include SUD treatment information, you may need updated 42 CFR Part 2-compliant consent forms.
Enforcement Priorities in 2025–2026
OCR has signaled several enforcement priorities that therapists should be aware of:
Ransomware and cybersecurity. Health care has been disproportionately targeted by ransomware attacks. OCR has issued guidance clarifying that ransomware incidents likely constitute HIPAA breaches requiring notification, and is prioritizing investigation of organizations that experience ransomware attacks.
For therapists: if your EHR is breached or a device of yours containing PHI is compromised, the breach notification requirements apply. Understand your breach notification obligations before you need them, not after an incident.
Right-of-access enforcement continues as an active priority, as described above.
AI and HIPAA. OCR has not yet issued HIPAA guidance specific to AI, but the agency has noted that AI tools that process PHI are subject to HIPAA requirements. Any AI documentation tool that processes session audio or transcripts must be covered by a BAA with its vendor. This is an area likely to see more formal guidance in 2026.
What to Do Now
Review your Notice of Privacy Practices. The reproductive health care changes require a mandatory update to your NPP. The new NPP language must be provided to new patients and posted prominently in your practice (or on your website if you operate online). If your NPP hasn't been updated since April 2024, it's out of compliance.
Audit your records request process. Do you know how to respond to a patient records request within 30 days? Who handles this in your practice? What's your fee structure? Having a documented process matters both for compliance and for protecting yourself if a request leads to a complaint.
Verify your BAAs. Check that current Business Associate Agreements are in place with your EHR, telehealth platform, billing service, and any AI documentation tools you use. BAAs should be updated when you change vendors.
Know your breach notification obligations. In the event of a security incident, you have specific notification timelines under HIPAA — to affected individuals, to HHS, and in some cases to the media. Know what triggers notification and whom you would contact.
HIPAA compliance isn't glamorous, and most therapists in small practices will never face an OCR investigation. But the regulatory landscape is meaningfully more complex than it was five years ago, and being informed is the baseline for practicing ethically and legally in 2026.