Are ADHD Treatment Records Covered by HIPAA? Patient Rights and Provider Duties

HIPAA Coverage of ADHD Treatment Records

What counts as an ADHD treatment record

ADHD treatment records include evaluations and diagnoses, treatment plans, medication lists and refills, therapy and coaching documentation, clinician communications, and care coordination notes. When a covered entity creates or maintains these records, they are Protected Health Information and receive HIPAA protections.

When HIPAA applies

HIPAA covers records held by health plans, most health care providers who transmit standard electronic transactions, and their business associates (for example, EHR vendors, telehealth platforms, cloud storage, billing services). These entities must safeguard ADHD-related PHI across paper and electronic systems.

When HIPAA does not apply

Some ADHD-related information falls outside HIPAA. Examples include school “education records” governed by FERPA, employment records held by an employer, and data in consumer apps that do not act as a business associate. In these cases, HIPAA rights and duties may not apply even if the information concerns ADHD.

Intersection with 42 CFR Part 2

ADHD care is not substance use disorder (SUD) treatment, so 42 CFR Part 2 usually does not apply. If SUD services are provided by a Part 2 program and documented alongside ADHD care, SUD-related portions of the record are subject to stricter confidentiality rules that generally require the patient’s specific written consent for most disclosures.

De-identified Health Information

Data stripped of personal identifiers so that an individual cannot reasonably be re-identified is De-identified Health Information and is not PHI. De-identified ADHD data may be used for quality improvement, analytics, or research without HIPAA authorization.

Patient Rights Under HIPAA

Right of access to records

You can inspect or receive copies of your ADHD records in the format you prefer (including electronic copies) within 30 days, with one permissible 30-day extension. Any fee must be reasonable and cost-based, limited to labor, supplies, and postage for delivering the copy.

Right to request amendments

If something is inaccurate or incomplete—such as a diagnosis code, medication history, or summary—you may request an amendment. Providers must act within 60 days, explain any denial in writing, and allow you to add a statement of disagreement that travels with the record.

Right to request restrictions

You may ask a provider not to share certain ADHD information. Providers need not agree, but they must honor a request to restrict disclosure to a health plan for a specific item or service you paid for in full out of pocket, except when disclosure is required by law.

Right to confidential communications

You can request confidential communications about ADHD care by alternative means or at alternative locations (for example, a different mailing address or secure messaging). Providers must accommodate reasonable requests.

Accounting of disclosures

You can request an accounting of certain disclosures of your ADHD PHI made for purposes other than treatment, payment, and health care operations over the prior six years. This helps you see when information left the organization without your Patient Authorization.

Authorizations and revocation

For uses and disclosures not otherwise permitted by HIPAA, you control access through a written Patient Authorization. A valid authorization describes the information, the recipient, the purpose, and an expiration, and it can be revoked in writing at any time going forward.

How to exercise your rights

Submit requests in writing to the provider’s privacy contact listed in the Notice of Privacy Practices. If you believe your HIPAA rights related to ADHD records were violated, you can file a complaint with the provider or with the U.S. Department of Health and Human Services without fear of retaliation.

Provider Duties Under HIPAA

Safeguards for ADHD PHI

Covered entities must implement administrative, physical, and technical safeguards for ADHD records. That includes risk analysis, role-based access, audit logging, secure disposal, and strong authentication for electronic systems that store stimulant prescriptions or therapy documentation.

Minimum necessary standard

For most uses and disclosures other than treatment, providers must limit ADHD PHI to the minimum necessary to accomplish the purpose. Staff should access only what their roles require, and disclosures should be narrowly tailored.

Business Associate Agreements

When outside vendors handle ADHD PHI—like e-prescribing networks, cloud storage, or billing services—providers must have Business Associate Agreements requiring HIPAA-compliant safeguards and breach reporting.

Notice of Privacy Practices

Providers must give you a Notice of Privacy Practices that explains how your ADHD PHI may be used and disclosed, your rights, and how to contact the privacy officer. The notice must be available on request and posted prominently in the office or online.

Breach Notification Rule

If unsecured ADHD PHI is breached, the Breach Notification Rule requires notifying affected individuals without unreasonable delay and no later than 60 days after discovery. For breaches affecting 500 or more residents of a state or jurisdiction, notification to prominent media is also required, and all breaches must be reported to HHS on the required timetable.

Training and documentation

Providers must train workforce members on HIPAA policies, sanction violations, and retain required documentation. Clear procedures for handling ADHD information—especially controlled-substance prescribing and therapy records—reduce risk and support compliance.

Sharing Information with Family and Friends

With your agreement or opportunity to object

Providers may share ADHD information relevant to a family member’s or friend’s involvement in your care or payment when you agree, are present and do not object, or when your agreement can be reasonably inferred from the circumstances.

If you are not present or incapacitated

When you are unavailable or unable to agree, a provider may share limited ADHD PHI with persons involved in your care if, in professional judgment, it is in your best interests. Only information directly relevant to their involvement should be disclosed.

Practical examples

• Confirming a medication pick-up schedule with a spouse who manages your refills.
• Letting a parent know about stimulant side effects to watch for in a teenager.
• Coordinating post-visit instructions with a trusted friend who drives you to appointments.

When a Patient Authorization is needed

If a disclosure to family or friends goes beyond routine involvement in your care or payment, or you prefer broader, ongoing sharing, a written Patient Authorization specifies who can receive which ADHD details and for how long. You may revoke it at any time.

Psychotherapy Notes

What qualifies as psychotherapy notes

Psychotherapy notes are the therapist’s separate, personal notes analyzing the content of a counseling session. They exclude medication lists, session start and stop times, diagnoses, treatment plans, and progress notes that belong in the medical record.

Psychotherapy Notes Confidentiality

HIPAA gives psychotherapy notes heightened protection. In most cases, a provider must obtain your specific Patient Authorization before using or disclosing these notes, including for treatment by another clinician. Limited exceptions apply, such as a provider using notes for their own training or to defend against a patient’s legal claim.

How this affects ADHD care

If your ADHD therapy notes meet the psychotherapy-notes definition and are kept separate, they are not automatically accessible and are not routinely shared. However, most ADHD progress notes, medication management entries, and care plans are part of the medical record and follow the standard HIPAA rules discussed above.

Parental Access to Minor's Records

The general rule

Under HIPAA, a parent or legal guardian is usually a minor’s personal representative and can access the child’s ADHD PHI. Providers must verify authority and identity before releasing information.

Important exceptions based on Parental Consent Laws

State Parental Consent Laws can limit parental access when a minor is allowed to consent to certain mental health services on their own, when a court authorizes someone else to make decisions, or when the provider reasonably believes that granting access could subject the minor to harm. In those situations, parents may receive limited or no access.

School coordination and FERPA

Information maintained by a school is often an education record under FERPA, not HIPAA. Sharing ADHD details with a school for accommodations typically requires appropriate consent under the applicable law unless a limited exception applies.

Special note on 42 CFR Part 2

If a minor receives SUD treatment from a Part 2 program in addition to ADHD care, 42 CFR Part 2 may require the minor’s written consent for disclosures—even to parents—except for narrow exceptions. Providers should segment SUD data when feasible and follow the stricter rule.

Disclosure Without Patient Authorization

Treatment, payment, and health care operations

Providers may use and disclose ADHD PHI for treatment (for example, consulting with another clinician), payment (prior authorizations, billing), and health care operations (quality improvement, auditing) without Patient Authorization. The minimum necessary standard applies to payment and operations but not to treatment.

Required by law and public health

Disclosures may be made when required by law, such as reporting certain types of abuse or neglect. Pharmacies and prescribers may report controlled-substance data to a state prescription drug monitoring program as required by law.

Health oversight, judicial, and law enforcement

ADHD PHI may be disclosed to health oversight agencies, or in response to a court order or a valid subpoena with required safeguards. For law enforcement, disclosures are limited to specific circumstances defined by HIPAA.

Serious and imminent threat

When necessary to prevent or lessen a serious and imminent threat to health or safety, a provider may disclose relevant ADHD information to someone who can help avert the harm, consistent with professional judgment and applicable law.

Research and data use

Researchers may access ADHD PHI with an Institutional Review Board or privacy board waiver, via a limited data set under a data use agreement, or by using De-identified Health Information that is no longer PHI.

Workers’ compensation and specialized functions

HIPAA permits certain disclosures for workers’ compensation and other specialized government functions when authorized by law. Providers should disclose only what the statute or regulation requires.

FAQs

Are ADHD treatment records considered protected health information under HIPAA?

Yes. When created or maintained by a HIPAA-covered entity or its business associate, ADHD treatment records are Protected Health Information. Records held by schools under FERPA or consumer apps that are not business associates may fall outside HIPAA, and De-identified Health Information is not PHI.

What rights do patients have regarding access to their ADHD treatment records?

You have the right to get copies—often electronically—within 30 days, request amendments to fix inaccuracies, ask for certain restrictions (including when you pay out of pocket in full), request confidential communications, and obtain an accounting of certain disclosures. You can also control other sharing with a written Patient Authorization you may revoke.

When can providers disclose ADHD treatment records without patient authorization?

HIPAA permits disclosures for treatment, payment, and health care operations; when required by law; for specific public health and oversight activities; to avert a serious and imminent threat; and in other limited situations like workers’ compensation. Disclosures to family or friends involved in your care are permitted with your agreement or when it is in your best interests.

How are psychotherapy notes treated differently under HIPAA?

Psychotherapy notes—separate, personal notes analyzing a counseling session—have heightened protections. In most cases, a provider must obtain your specific Patient Authorization before using or disclosing them, and they are generally excluded from your routine right of access. Standard progress notes and medication records are not psychotherapy notes and follow usual HIPAA rules.