Office of Mental Health

Health Insurance Portability and Accountability Act (HIPAA)

The Federal Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act establish national standards for the protection of certain health information. For the most up-to-date information on HIPAA, visit

The law was designed to reform health care coverage by:

  • safeguarding the privacy and confidentiality of patient information
  • improving the portability and continuity of health insurance
  • combating waste in health care delivery
  • simplifying the administration of health insurance

The law requires health care plans, providers, and clearinghouses to protect and safeguard the privacy and confidentiality of patient health information as long as it is in their possession.

HIPAA regulations cover:

Security: Providers and others who maintain health information must maintain the security and integrity of individually identifiable health information.

Privacy: General rules for the uses and disclosures of individually identifiable health information by providers and others.

Enforcement: Provisions related to compliance and investigations.

Notice: Providers and others who maintain health information must provide notification following a breach of unsecured protected health information.


As a consumer, HIPAA gives you rights over your health information and sets rules and limits on who can look at and receive your health information. HIPAA also requires security for health information in electronic form.

Learn more about Your Rights Under HIPAA.

If you are a patient with a mental health condition or substance use disorder, there is specific guidance that addresses HIPAA protections. It may be helpful for you to know the ways your family, friends, and others involved in your care will be able to get the information they need to support your treatment, care coordination, and recovery.

Learn more about HIPAA Guidance Related to Mental Health and Substance Use Disorder Treatment.

If you believe a HIPAA-covered entity violated your health information privacy rights, File a Complaint.


Counties and local providers should review HIPAA standards on privacy and security that:

  • focus on compliance and implementation issues that are of concern to the local mental health community.
  • respond to the needs of local mental health providers and county mental health departments.
  • are accurate, timely and relevant to mental health consumers, providers, and counties.

Fast Facts for Covered Entities

Learn More about HIPAA for Professionals

Preemption of State Laws

HIPAA privacy standards preempt or override all but the 'more stringent' provisions of State law. According to OMH, HIPAA preempts some State Mental Hygiene Provisions.

To comply with HIPAA, it may be necessary for mental health providers and county mental health departments to change the way they treat patient information.