
What Behavioral Health Practices Need from a Cyber Insurance Policy


By Ryan Windt | Head of Growth Marketing | Updated June 2026


Mental health records are among the most sensitive categories of protected health information under HIPAA. Therapy notes, psychiatric diagnoses, substance use treatment records, and medication histories carry a stigma risk that goes beyond what most other health data involves. A patient whose cardiologist’s records are breached faces one kind of harm. A patient whose mental health or addiction treatment records are exposed faces potential damage to employment, custody proceedings, professional licensure, and personal relationships.

Behavioral health practices, including therapy practices, psychiatry offices, counseling centers, substance use treatment programs, and group practices, hold this data at scale. They also tend to operate with smaller administrative teams, more limited IT resources, and a heavier reliance on telehealth platforms than many other healthcare settings. That combination of highly sensitive data and constrained security resources makes behavioral health a meaningful cyber target, and it creates specific insurance needs that a generic healthcare policy may not address.


The Specific Cyber Risks Behavioral Health Practices Face

Mental health record sensitivity under HIPAA. The HIPAA Privacy Rule gives psychotherapy notes extra protection: to qualify as psychotherapy notes they must be kept separate from the rest of the medical record, and most uses and disclosures require a specific patient authorization, including many that would otherwise be permitted for treatment, payment, and operations without one. A breach involving psychotherapy notes triggers the same notification requirements as any other HIPAA breach, but the harm to patients can be significantly greater, which in turn raises the practice’s liability exposure.

Substance use treatment records and 42 CFR Part 2. Practices that provide substance use disorder treatment face an additional federal regulatory framework: 42 CFR Part 2, which applies specifically to records from federally assisted substance use treatment programs and imposes consent and redisclosure restrictions that are stricter than HIPAA’s. A breach of Part 2 records creates regulatory exposure under both frameworks: HIPAA’s breach notification obligations apply, and Part 2’s own confidentiality and redisclosure rules remain in force for the affected records.

Telehealth platform risk. The expansion of telehealth has fundamentally changed the attack surface for behavioral health practices. Sessions conducted over video platforms, patient records accessed remotely, and intake forms submitted through patient portals all introduce data in transit and at rest across systems the practice may not fully control. If a telehealth platform the practice uses is breached, patient data may be exposed through the vendor rather than the practice’s own systems.

Small practice IT constraints. Most behavioral health practices are small: a solo therapist, a group of five clinicians, or a mid-size counseling center. These practices typically don’t have dedicated IT staff. Security controls that larger health systems implement as standard practice, such as endpoint detection, systematic patch management, and formal access controls, are less consistently in place. Underwriters see this reflected in claims data.

Ransomware targeting healthcare. Healthcare has been one of the most heavily targeted sectors for ransomware. Behavioral health practices are not immune. A ransomware attack that encrypts patient records and scheduling systems can halt operations, prevent clinicians from accessing notes ahead of sessions, and in crisis care settings create genuine patient safety concerns.

Social engineering and payment fraud. Billing staff at behavioral health practices are targets for the same BEC and vendor impersonation schemes that affect other small businesses. Insurance billing fraud, where an attacker intercepts payment information or redirects reimbursements, is a real exposure.


What HIPAA Requires and Where It Falls Short

HIPAA’s Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information. It requires a risk analysis, workforce training, access controls, audit controls, and security incident procedures; the separate Breach Notification Rule sets out what must happen when unsecured PHI is compromised.

What HIPAA does not do is pay for any of this when something goes wrong.

A breach at a behavioral health practice triggers notification obligations to affected individuals (without unreasonable delay and no later than 60 days after discovery), to the Department of Health and Human Services, and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets serving that area. Breaches affecting 500 or more individuals must be reported to HHS within 60 days and are posted publicly; smaller breaches are reported annually. HHS’s Office for Civil Rights routinely investigates the larger breaches and can open an investigation into any complaint. Investigations can result in corrective action plans, technical assistance requirements, and civil money penalties.

The costs of responding to a breach, including forensic investigation, legal counsel, patient notification, credit monitoring, and regulatory defense, are not something HIPAA compliance pays for. Cyber insurance is what covers them, within the limits and terms of the policy.

Our post on what HIPAA doesn’t cover and cyber does covers the gap between regulatory compliance and financial protection in more detail.


What Cyber Insurance Covers for Behavioral Health Practices

A well-structured cyber policy addresses the primary exposures behavioral health practices face across both first-party costs and third-party liability.

Breach response costs. Forensic investigation to determine what was accessed, legal counsel to navigate HIPAA notification requirements, notification to affected patients, and credit monitoring services. For a practice with hundreds or thousands of patients, these costs can be substantial even in a relatively contained incident.

Regulatory defense and penalties. Coverage for the cost of responding to an HHS Office for Civil Rights investigation, including legal defense costs and, where insurable under applicable law, civil money penalties. State attorneys general also have enforcement authority under HIPAA, adding another potential regulatory exposure.

Business interruption. If a ransomware attack or system outage prevents clinicians from accessing patient records or the practice from scheduling and billing, business interruption coverage compensates for lost revenue during the restoration period.

Ransomware and extortion. Coverage for ransom demands and the associated costs of negotiation, decryption, and system restoration when ransomware encrypts practice systems. Note that a payment normally requires the carrier’s consent and a sanctions (OFAC) screen of the threat actor before it can be reimbursed, and extortion coverage is often subject to its own sublimit, so check that figure rather than assuming the full policy limit applies.

Third-party liability. Claims from patients whose records were exposed, including claims related to the specific harms that mental health and substance use record exposure can cause.

Telehealth and vendor incidents. How your policy handles incidents that originate at a third-party telehealth platform or EHR vendor matters. Coverage for vendor-caused breaches varies by policy and requires attention at placement.


Coverage Gaps to Watch For

Psychotherapy note exposure. Some cyber policies treat all health records as equivalent. The heightened sensitivity and potential liability exposure from psychotherapy note breaches may not be explicitly addressed. Confirm how your policy defines covered health information and whether the higher-harm nature of mental health record exposure is contemplated in the coverage structure.

42 CFR Part 2 regulatory exposure. If your practice provides substance use disorder treatment under a federally assisted program, confirm that your policy covers regulatory defense for Part 2 investigations in addition to HIPAA. Not all policies explicitly address this.

Telehealth platform breaches. If patient data is exposed through a breach at your telehealth platform vendor rather than your own systems, your cyber policy may treat this as a third-party-originating incident with different coverage terms. Understand how your policy handles vendor-caused breaches before you need it.

Business associate agreement failures. HIPAA requires business associate agreements with vendors who handle PHI. If a breach occurs at a vendor with whom you lack a proper BAA, the regulatory and legal exposure is compounded. This is a compliance gap that can affect coverage outcomes.


What Underwriters Look For

Behavioral health practices face standard healthcare underwriting requirements plus a few areas of additional focus given their risk profile.

Multi-factor authentication. MFA on email, EHR systems, and any remote access is a baseline underwriting expectation. Telehealth platforms and patient portals should also require MFA for clinician access. Our post on MFA and cyber insurance covers what to deploy and how to document it.

EHR and telehealth platform security. Underwriters want to know which platforms you use and whether they are maintained and current. Using a recognized, actively maintained EHR and telehealth platform is preferable to legacy or unsupported systems.

Patch management. Keeping practice management software, operating systems, and any connected devices current. This is particularly important for internet-facing systems including remote access tools and patient portals.

Backup posture. Regular backups of patient records and practice data, kept offline or in immutable storage that the same credentials used for daily operations cannot alter or delete, and tested for restorability. In a ransomware scenario, the quality of your backups determines how quickly you can restore operations; a backup the attacker could also encrypt is not a backup for this purpose.

Access controls. Limiting who can access patient records to those with a clinical need. Shared credentials, former employee accounts that remain active, and broad access to sensitive records are underwriting concerns.
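The MFA and access-control expectations above are the kind of thing an underwriting questionnaire asks you to attest to, and a small practice without IT staff often has no good way to check. The script below is an added example, not code from this page or from any insurer’s tooling: it reads a user-account export of the sort an EHR or identity provider can produce (the CSV text inside it is constructed sample data) and flags the conditions named above: enabled accounts belonging to departed staff, accounts with no recent login, shared or generic logins that cannot be attributed to one person, and users without MFA. The column names, the 90-day dormancy threshold, and the list of generic-login patterns are assumptions; adjust them to match your own export.

```python
"""Account-hygiene audit for a small practice (added example, not from the page).

Reads a constructed user-account export and reports the findings an
underwriter would care about. Column names, the dormancy threshold and the
generic-login patterns are assumptions; adapt them to your real export.
"""
import csv
import io
from datetime import date, datetime

# Constructed sample export (invented data). Dates are ISO format, mfa is yes/no.
SAMPLE_EXPORT = """\
username,display_name,role,enabled,mfa,last_login,termination_date
jsmith,Jane Smith,clinician,yes,yes,2026-05-28,
frontdesk,Front Desk (shared),staff,yes,no,2026-06-01,
mjones,Mark Jones,clinician,yes,no,2026-01-10,2026-02-15
drlee,Dr. Lee,clinician,yes,yes,2025-11-02,
billing2,Billing Temp,staff,no,no,2025-06-30,2025-07-01
"""

AUDIT_DATE = date(2026, 6, 15)   # assumed "today" so the sample is reproducible
DORMANT_DAYS = 90                # assumed threshold; questionnaires commonly use 90 days
GENERIC_NAMES = ("frontdesk", "reception", "admin", "billing", "shared", "office")


def parse_date(value):
    """Return a date for an ISO yyyy-mm-dd string, or None for a blank cell."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def audit_accounts(export_text, today):
    """Return a list of (username, finding) tuples for every enabled account."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        user = row["username"]
        enabled = row["enabled"].strip().lower() == "yes"
        mfa = row["mfa"].strip().lower() == "yes"
        last_login = parse_date(row["last_login"])
        terminated = parse_date(row["termination_date"])

        if not enabled:
            continue  # a disabled account is not an exposure for these checks

        # Departed staff whose login still works: the classic offboarding failure.
        if terminated is not None and terminated <= today:
            findings.append((user, "enabled account belongs to departed staff"))

        # No login in the threshold window (or never): a candidate for disabling.
        if last_login is None or (today - last_login).days > DORMANT_DAYS:
            findings.append((user, f"no login in {DORMANT_DAYS} days"))

        # Shared or generic logins defeat audit trails and per-user MFA.
        if any(tag in user.lower() for tag in GENERIC_NAMES) or "shared" in row["display_name"].lower():
            findings.append((user, "shared or generic login, not attributable to one person"))

        if not mfa:
            findings.append((user, "MFA not enrolled"))
    return findings


def findings_by_user(findings):
    """Group (user, finding) tuples into {user: [finding, ...]}."""
    grouped = {}
    for user, finding in findings:
        grouped.setdefault(user, []).append(finding)
    return grouped


if __name__ == "__main__":
    for user, items in findings_by_user(audit_accounts(SAMPLE_EXPORT, AUDIT_DATE)).items():
        print(user)
        for item in items:
            print("  -", item)
```

On the sample data the script reports nothing for the clinician who logs in regularly with MFA, skips the already-disabled temp account, and flags the shared front-desk login, the departed clinician whose account is still enabled, and the clinician who has not logged in since the previous autumn. Run against a real export, the output is a concrete list of accounts to disable or enroll before you answer the questionnaire, and a record you can show the underwriter.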

HIPAA compliance documentation. Evidence of a current risk analysis, workforce training, and documented security policies. Underwriters writing behavioral health accounts expect to see that HIPAA compliance is active rather than nominal.

Incident response plan. A written plan that includes who to call, how to contain an incident, and how to notify patients. For behavioral health practices, this plan should account for the sensitivity of the records involved and the specific notification requirements under HIPAA.

For a full breakdown of what underwriters evaluate, see The Security Controls Underwriters Check Before They Quote You and our cyber insurance requirements checklist.


How Behavioral Health Compares to Other Healthcare Verticals

Behavioral health practices share the HIPAA framework with other healthcare settings but have a distinct risk profile in several ways.

Compared to dental practices, behavioral health involves more sensitive record categories and a more significant telehealth footprint, but less payment card data exposure from in-office transactions. Our post on cyber insurance for dental practices covers the dental-specific profile.

Compared to hospitals and health systems, behavioral health practices are far smaller but face the same regulatory obligations with fewer resources to meet them. A breach that a large health system can absorb with internal resources can be operationally devastating for a small practice. Our post on cyber insurance for hospitals covers the larger healthcare setting.

The common thread across all healthcare cyber coverage is the gap between HIPAA compliance and actual financial protection. Compliance tells you what you must do. Insurance pays for what happens when something goes wrong despite your efforts.


Frequently Asked Questions

Does a small therapy practice really need cyber insurance?

Yes. HIPAA notification obligations and regulatory exposure apply regardless of practice size. A solo therapist with 200 patients whose records are exposed faces the same notification requirements as a large practice. The costs of forensic investigation, legal counsel, and patient notification can be significant relative to the size of a small practice. Cyber insurance is sized to match your exposure, and premiums for small practices are correspondingly modest.

Does cyber insurance cover a breach caused by my EHR vendor?

It depends on how the policy is written. Some policies cover losses arising from a vendor breach; others treat third-party-originating incidents differently or exclude them. This is a specific question to ask when placing coverage, particularly given how central EHR and telehealth platforms are to behavioral health practice operations.

What is the difference between HIPAA compliance and cyber insurance?

HIPAA compliance is a set of legal requirements governing how you protect patient data. It doesn’t pay anything when a breach occurs. Cyber insurance is financial protection that covers the costs of responding to a breach: forensics, legal counsel, notification, regulatory defense, and liability claims. You need both.

How much does cyber insurance cost for a behavioral health practice?

Premiums vary based on patient volume, revenue, security controls, and prior loss history. Small practices typically see premiums in the low thousands annually for meaningful coverage. The more important consideration is ensuring the coverage is structured for healthcare, with appropriate limits on breach response costs and regulatory defense, rather than a generic small business policy.

Are psychotherapy notes treated differently under cyber insurance?

Not explicitly by most carriers, but the potential liability from psychotherapy note exposure is relevant to how you should size your coverage limits. The harm to patients from mental health record exposure can be significant and can translate into meaningful liability claims. This is an area to discuss specifically with your broker when sizing coverage.



Behavioral health practices handle data that can cause real harm to patients if it is exposed. The combination of HIPAA obligations, telehealth risk, and limited IT resources makes cyber insurance a practical necessity rather than an optional line item. A policy sized and structured for healthcare, with appropriate limits and coverage for regulatory defense, is the right starting point.

Ready to review your coverage or get quotes? Contact us or explore your coverage options.