HIPAA Rules for Eating Disorder Treatment Records: What Patients and Providers Need to Know
Eating disorder care involves sensitive medical and behavioral health information. Understanding how the HIPAA Privacy Rule, the HIPAA Security Rule, and related confidentiality protections apply helps you share information appropriately, coordinate care, and protect patient trust.
This guide explains how HIPAA protects eating disorder treatment records, where 42 CFR Part 2 may also apply, what changed under the CARES Act and the 2024 Part 2 Final Rule, and how to handle emergencies without jeopardizing patient confidentiality.
HIPAA Privacy Rule Protections for Eating Disorder Records
What information is protected
HIPAA protects individually identifiable health information in any form—paper, electronic, or verbal—held by covered entities and their business associates. Eating disorder treatment records such as diagnoses, nutrition plans, labs, medication lists, after-visit summaries, and care coordination notes are protected health information (PHI) under the HIPAA Privacy Rule.
Psychotherapy notes vs. treatment records
Psychotherapy notes documenting a therapist’s personal analysis of counseling sessions receive special protection. Most uses and disclosures of psychotherapy notes require Patient Authorization, distinct from general consent for treatment. However, the rest of a patient’s treatment record—diagnoses, medications, session dates, test results, and care plans—may be used and disclosed for treatment, payment, and health care operations (TPO) without an authorization, subject to the minimum necessary standard for non-treatment purposes.
Minimum necessary and role-based access
Use, access, and disclose only the minimum PHI necessary to accomplish the purpose, except for treatment. Implement role-based access so staff see only what they need, e.g., dietitians view nutrition and lab data, while billing staff see limited demographics and coding information.
De-Identification Standards
When you do not need identifiable data (e.g., quality improvement, trend reporting), apply HIPAA De-Identification Standards. Either remove the 18 identifiers (the “Safe Harbor” method) or use expert determination to conclude that the risk of re-identification is very small. Properly de-identified data is not PHI.
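The Safe Harbor method, worked through in code. This is an added example, not part of the original guide: it drops the direct identifiers from a constructed patient record, reduces dates to the year, truncates ZIP codes to three digits (or "000" for sparsely populated prefixes), aggregates ages over 89, and scrubs phone numbers, e-mails, SSNs and full dates that leak into free-text notes. Field names and the sample record are assumptions made for the example; the restricted ZIP prefix list is taken from HHS guidance based on 2000 census data and should be verified against current guidance before use.

```python
import re
from datetime import date
from typing import Any

# Record fields that are Safe Harbor identifiers and are dropped outright
# (names, sub-state geography, contact details, account/device numbers,
# URLs, IPs, biometrics, photos). Field names are assumed for this example.
DROP_FIELDS = {
    "name", "street", "city", "county", "phone", "fax", "email", "ssn",
    "mrn", "health_plan_id", "account_number", "license_number",
    "vehicle_id", "device_id", "url", "ip_address", "biometric_id", "photo",
}
# Dates directly related to the individual: only the year may be kept.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# Three-digit ZIP prefixes covering 20,000 people or fewer must become "000".
# ASSUMPTION: list from HHS guidance (2000 census); verify before relying on it.
RESTRICTED_ZIP3 = {"036", "059", "063", "102", "203", "205", "369", "556",
                   "692", "790", "821", "823", "830", "831", "878", "879",
                   "884", "890", "893"}

# Patterns that catch identifiers written into free-text fields.
SCRUB_PATTERNS = [
    (re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"), "[SSN]"),
    (re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
    (re.compile(r"\b\d{4}-\d{2}-\d{2}\b"), "[DATE]"),
]


def zip3(zip_code: str) -> str:
    """Keep the first three ZIP digits, or '000' for a restricted prefix."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in RESTRICTED_ZIP3 else prefix


def year_only(iso_date: str) -> str:
    """Reduce an ISO date (YYYY-MM-DD) to its year."""
    return str(date.fromisoformat(iso_date).year)


def bucket_age(age: int) -> str:
    """Ages over 89 are aggregated into a single '90+' category."""
    return "90+" if age > 89 else str(age)


def scrub_text(text: str) -> str:
    """Replace identifier patterns inside free text with placeholder tokens."""
    for pattern, token in SCRUB_PATTERNS:
        text = pattern.sub(token, text)
    return text


def safe_harbor(record: dict[str, Any]) -> dict[str, Any]:
    """Return a Safe Harbor de-identified copy of a flat patient record."""
    over_89 = "age" in record and int(record["age"]) > 89
    out: dict[str, Any] = {}
    for key, value in record.items():
        if key in DROP_FIELDS:
            continue
        if key in DATE_FIELDS:
            # A birth year alone would reveal an age over 89, so drop it too.
            if key == "dob" and over_89:
                continue
            out[key] = year_only(value)
        elif key == "zip":
            out[key] = zip3(value)
        elif key == "age":
            out[key] = bucket_age(int(value))
        elif isinstance(value, str):
            out[key] = scrub_text(value)
        else:
            out[key] = value
    return out


# Constructed sample record; not real patient data.
SAMPLE = {
    "mrn": "MRN-0012345",
    "name": "Jane Q. Example",
    "dob": "1990-04-12",
    "age": 34,
    "zip": "03601",
    "state": "NH",
    "admit_date": "2024-02-03",
    "diagnosis": "F50.01 anorexia nervosa, restricting type",
    "phone": "555-123-4567",
    "note": "Pt's sister (call 555-987-6543) attended; follow-up 02/10/2024.",
}

if __name__ == "__main__":
    print(safe_harbor(SAMPLE))
```

Safe Harbor also requires that the covered entity has no actual knowledge that the remaining data could identify the individual, which no code check can establish; keep the expert-determination route in mind when the residual fields (diagnosis, year, state) are rare enough to be identifying on their own.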
Authorizations and sensitive disclosures
Written Patient Authorization is generally required for most marketing, sale of PHI, many research disclosures without a waiver, and most releases of psychotherapy notes. Authorizations must be specific and time-limited and can be revoked in writing.
Breach Notification
Unauthorized acquisition, access, use, or disclosure of unsecured PHI may trigger Breach Notification obligations. Conduct a risk assessment considering the nature of PHI, the unauthorized person, whether PHI was actually acquired or viewed, and mitigation. If a breach is reportable, notify affected individuals, HHS, and, when large-scale, certain media outlets without unreasonable delay and within required timeframes.
Security Safeguards for Electronic Treatment Records
Administrative safeguards
- Perform a documented risk analysis of ePHI across EHRs, telehealth platforms, email, cloud storage, and mobile devices.
- Adopt risk management plans, sanctions policies, workforce training, and contingency plans (backup, disaster recovery, emergency mode operations).
- Execute business associate agreements (BAAs) with EHR, billing, telehealth, and cloud vendors handling ePHI.
Technical safeguards
- Enforce unique user IDs, multi-factor authentication, automatic logoff, and role-based access controls.
- Encrypt ePHI in transit and at rest; use TLS for portals and VPNs for remote access.
- Enable audit controls and alerts to monitor access, export, and printing of high-risk data (e.g., psychotherapy notes).
- Segment particularly sensitive data where feasible and apply data loss prevention (DLP) rules for outbound email and downloads.
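Role-based access, minimum necessary filtering and the audit alerts described above, as an added example (not code from the original guide or any EHR vendor). Fields are classified into categories once, roles are granted categories rather than fields, every request is written to an audit trail whether or not it was allowed, and two detection rules run over that trail: repeated requests outside a user's role, and one user opening psychotherapy notes for many patients in a short window. Role definitions, field names, sample record and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Each record field is classified once; roles are granted categories.
FIELD_CATEGORY = {
    "name": "demographics", "dob": "demographics",
    "insurance_id": "billing", "cpt_codes": "billing",
    "icd10": "diagnosis",
    "meal_plan": "nutrition", "weight_trend": "nutrition",
    "labs": "labs", "medications": "medications",
    "psychotherapy_notes": "psychotherapy_notes",
}
# Minimum-necessary role matrix (assumed role definitions for this example).
ROLE_CATEGORIES = {
    "dietitian": {"demographics", "nutrition", "labs"},
    "billing": {"demographics", "billing", "diagnosis"},
    "therapist": {"demographics", "diagnosis", "medications", "psychotherapy_notes"},
    "physician": {"demographics", "diagnosis", "medications", "labs", "nutrition"},
}
HIGH_RISK = {"psychotherapy_notes"}


@dataclass
class AuditEvent:
    when: datetime
    user: str
    role: str
    patient_id: str
    allowed: tuple
    denied: tuple
    high_risk: bool


AUDIT_LOG: list[AuditEvent] = []


def view_record(user, role, patient_id, record, requested_fields, now):
    """Return only the requested fields the role may see; log the whole request."""
    permitted = ROLE_CATEGORIES.get(role, set())
    allowed, denied = [], []
    for f in requested_fields:
        # Unknown fields have no category and are denied by default.
        (allowed if FIELD_CATEGORY.get(f) in permitted else denied).append(f)
    AUDIT_LOG.append(AuditEvent(
        now, user, role, patient_id, tuple(allowed), tuple(denied),
        any(FIELD_CATEGORY[f] in HIGH_RISK for f in allowed)))
    return {f: record[f] for f in allowed if f in record}


def flag_suspicious(log, window=timedelta(hours=1), max_high_risk_patients=3,
                    max_denials=3):
    """Detection rules over the audit trail; returns human-readable alerts."""
    alerts, by_user = [], defaultdict(list)
    for ev in log:
        by_user[ev.user].append(ev)
    for user, events in by_user.items():
        events.sort(key=lambda e: e.when)
        denials = sum(1 for e in events if e.denied)
        if denials >= max_denials:
            alerts.append(f"{user}: {denials} requests for fields outside role")
        # Sliding window: distinct patients whose high-risk data one user opened.
        hr = [e for e in events if e.high_risk]
        for i, start in enumerate(hr):
            patients = {e.patient_id for e in hr[i:] if e.when - start.when <= window}
            if len(patients) > max_high_risk_patients:
                alerts.append(f"{user}: psychotherapy notes for {len(patients)} "
                              f"patients within {window}")
                break
    return alerts


# Constructed sample record; not real patient data.
RECORD = {
    "name": "Patient A", "dob": "1995-06-01", "insurance_id": "INS-0001",
    "cpt_codes": ["90837"], "icd10": ["F50.2"], "meal_plan": "3 meals + 2 snacks",
    "weight_trend": "stable", "labs": {"K": 3.9},
    "medications": ["fluoxetine 20 mg"], "psychotherapy_notes": "[restricted]",
}


def run_scenario():
    """Constructed day of activity: one over-broad request, two abuse patterns."""
    AUDIT_LOG.clear()
    t0 = datetime(2024, 5, 1, 9, 0)
    dietitian_view = view_record("dlee", "dietitian", "P001", RECORD,
                                 ["name", "meal_plan", "labs", "psychotherapy_notes"], t0)
    for i in range(1, 6):  # therapist opens notes for five patients in 25 minutes
        view_record("tkim", "therapist", f"P00{i}", RECORD,
                    ["psychotherapy_notes"], t0 + timedelta(minutes=5 * i))
    for i in range(1, 4):  # billing user keeps asking for notes
        view_record("bjones", "billing", f"P00{i}", RECORD,
                    ["insurance_id", "psychotherapy_notes"], t0 + timedelta(hours=i))
    return {"dietitian_view": dietitian_view,
            "dietitian_denied": AUDIT_LOG[0].denied,
            "alerts": flag_suspicious(AUDIT_LOG)}


if __name__ == "__main__":
    for line in run_scenario()["alerts"]:
        print("ALERT", line)
```

The denial is logged as well as the view: a denied request for psychotherapy notes is itself a signal, and the thresholds are the kind of setting a program tunes against its own baseline rather than fixed values.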
Physical safeguards
- Secure workstations and servers, restrict facility access, and implement device and media controls for laptops and removable media.
Lifecycle and data governance
- Maintain records retention schedules consistent with state law and payer rules; securely dispose of ePHI via media sanitization.
- Test backups and restore procedures; validate that encrypted archives remain readable over time.
Regulatory Differences Between HIPAA and 42 CFR Part 2
Scope and applicability
HIPAA applies broadly to covered entities and business associates handling PHI. 42 CFR Part 2 applies to records created by or received from a federally assisted substance use disorder (SUD) program. Eating disorder programs are typically governed by HIPAA; Part 2 applies only when a Part 2 SUD program is involved (e.g., integrated care for co-occurring substance use).
Consent and redisclosure
Under HIPAA, TPO disclosures generally do not require authorization, and recipients may redisclose PHI as permitted by HIPAA. Historically, Part 2 required specific written consent naming recipients, and it prohibited redisclosure. Following statutory changes, Part 2 now permits a single patient consent for TPO and allows HIPAA-consistent redisclosure once properly consented, while retaining heightened protections in other contexts.
Legal process
HIPAA allows disclosures in response to valid subpoenas and court orders with required safeguards. Part 2 is stricter: use of Part 2 records in civil, criminal, administrative, and legislative proceedings generally requires a specific court order that meets Part 2 criteria, even if a subpoena has issued.
Practical implications for eating disorder care
- If your program treats only eating disorders, HIPAA generally governs your records.
- If your program also functions as a Part 2 SUD program or receives Part 2-protected records, those records retain Part 2 protections and must be tagged, segregated, or otherwise identified to avoid improper redisclosure.
CARES Act Impacts on Record Confidentiality
Alignment to support care coordination
The CARES Act directed HHS to better align 42 CFR Part 2 with the HIPAA Privacy Rule. With a single Patient Authorization, Part 2 records may be used and disclosed for TPO and, once disclosed, may be redisclosed consistent with HIPAA, improving continuity across multidisciplinary teams.
Breach Notification and penalties
The CARES Act applies HIPAA’s Breach Notification requirements and enforcement framework to Part 2 violations. This means Part 2 breaches follow HIPAA’s notification standards, and Civil Enforcement under HIPAA’s tiered penalties now extends to Part 2, in addition to criminal penalties for certain wrongful disclosures.
Patient rights and notices
Patients continue to have strong confidentiality protections and the right to revoke consent going forward. Programs must provide clear notices explaining how Part 2 and HIPAA interact and when Patient Authorization is required.
Compliance with 2024 Part 2 Final Rule
Assess applicability and data flows
- Determine whether you are a Part 2 program or receive Part 2-protected records from outside SUD providers.
- Map where Part 2 data enters your EHR, billing, care coordination tools, and patient portal; identify redisclosure touchpoints.
Update consent and notice documents
- Adopt a single, plain-language Part 2 consent that permits TPO uses and HIPAA-consistent redisclosure where allowed.
- Revise patient notices to describe confidentiality protections, Patient Authorization requirements, breach processes, and complaint routes.
Configure systems and vendors
- Tag or segment Part 2 data; apply stricter access rules and enhanced auditing.
- Amend BAAs or Qualified Service Organization Agreements to reflect Part 2 obligations and Breach Notification duties.
Train, test, and document
- Provide targeted workforce training on HIPAA Privacy Rule, 42 CFR Part 2, minimum necessary, and emergency exceptions.
- Test release-of-information workflows to prevent improper redisclosure; validate denial templates for improper legal requests.
- Document policies, annual risk analyses, and mitigation steps; maintain an accounting of disclosures where required.
Timeline planning
The 2024 Part 2 Final Rule is effective, with a multi-year compliance window. Build your roadmap now—policy updates, EHR changes, vendor contracts, and training—so you are fully compliant by the applicable 2026 deadlines.
Enforcement and Penalties for Noncompliance
HIPAA enforcement
The Office for Civil Rights (OCR) enforces HIPAA through investigations, corrective action plans, resolution agreements, and civil monetary penalties that scale with the level of culpability. State attorneys general may also bring actions. Repeated or willful neglect increases exposure.
Part 2 enforcement
Part 2 violations now follow HIPAA-aligned Civil Enforcement and Breach Notification frameworks, with criminal penalties still available for certain intentional misconduct. Documentation, workforce training, and timely breach response significantly reduce risk.
Common pitfalls
- Releasing psychotherapy notes or Part 2 records without a proper authorization or court order.
- Failing to tag/segment Part 2 data, leading to unauthorized redisclosure.
- Inadequate vendor oversight or missing BAAs for telehealth and cloud services.
Handling Records in Emergency Situations
HIPAA allowances in emergencies
HIPAA permits disclosures for treatment without authorization, including during emergencies. You may also disclose PHI to prevent or lessen a serious and imminent threat to health or safety and share limited information with family or caregivers involved in the patient’s care when consistent with professional judgment.
42 CFR Part 2 medical emergency exception
When Part 2 applies, you may disclose SUD records without consent to medical personnel to meet a bona fide medical emergency. Document the emergency, what was disclosed, to whom, and when. After the emergency, return to standard Part 2 and HIPAA rules.
Practical steps for eating disorder programs
- Define “emergency” response workflows in policy; pre-identify on-call decision makers.
- Use minimum necessary information; share only what treating clinicians need.
- Record disclosures promptly and review for follow-up risk mitigation and patient communication.
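A release-of-information decision routine covering the rules in the Part 2 compliance section (tagged records, single TPO consent, redisclosure notice, court-order requirement and denial template for subpoenas) and the emergency exceptions above. This is an added example, not code from the original guide: records carry a Part 2 tag and a psychotherapy-notes flag, requests carry the purpose and the consents or legal process on file, and the routine returns a release decision with the notices and documentation the disclosing program owes. The data model and the simplifications in it (for instance treating every non-TPO, non-legal request the same way) are assumptions; the logic tracks the guide's wording, not the regulatory text itself.

```python
from dataclasses import dataclass, field
from enum import Enum


class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "health care operations"
    MEDICAL_EMERGENCY = "bona fide medical emergency"
    LEGAL = "legal proceeding"
    OTHER = "other (marketing, research without waiver, etc.)"


TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}


@dataclass
class Record:
    record_id: str
    part2: bool = False                # tagged as from a federally assisted SUD program
    psychotherapy_notes: bool = False  # HIPAA psychotherapy notes


@dataclass
class Request:
    purpose: Purpose
    to_medical_personnel: bool = False
    hipaa_authorization: bool = False  # written HIPAA authorization on file
    part2_consent: bool = False        # single Part 2 consent covering TPO
    part2_court_order: bool = False    # court order meeting Part 2 criteria
    hipaa_legal_process: bool = False  # subpoena/court order with HIPAA safeguards met


@dataclass
class Decision:
    release: bool
    reason: str
    notices: list = field(default_factory=list)


ACCOUNTING: list = []  # accounting of non-TPO disclosures (simplified)


def _decide_part2(req: Request) -> Decision:
    p = req.purpose
    if p is Purpose.MEDICAL_EMERGENCY:
        if req.to_medical_personnel:
            return Decision(True, "Part 2 medical emergency exception", [
                "document: nature of emergency, contents disclosed, recipient, date/time",
                "revert to standard Part 2 and HIPAA rules once the emergency ends"])
        return Decision(False, "emergency exception covers disclosure to medical personnel only")
    if p in TPO:
        if req.part2_consent:
            return Decision(True, "Part 2 consent covers TPO", [
                "attach Part 2 notice: redisclosure only as permitted by HIPAA and Part 2"])
        return Decision(False, "Part 2 consent required before TPO disclosure")
    if p is Purpose.LEGAL:
        if req.part2_court_order:
            return Decision(True, "court order meeting Part 2 criteria")
        return Decision(False, "denial template: Part 2 records require a qualifying "
                               "court order; a subpoena alone is insufficient")
    return Decision(False, "specific written consent for this purpose required")


def _decide_hipaa(req: Request) -> Decision:
    p = req.purpose
    if p in TPO or p is Purpose.MEDICAL_EMERGENCY:
        return Decision(True, f"HIPAA permits disclosure for {p.value} without authorization")
    if p is Purpose.LEGAL:
        ok = req.hipaa_legal_process
        return Decision(ok, "valid legal process with HIPAA safeguards" if ok
                        else "legal process does not satisfy HIPAA safeguards")
    ok = req.hipaa_authorization
    return Decision(ok, "written authorization on file" if ok else "written authorization required")


def decide(record: Record, req: Request) -> Decision:
    """Apply the stricter of HIPAA and Part 2 to one release request."""
    p = req.purpose
    # Psychotherapy notes: separate authorization, except to avert an emergency.
    if (record.psychotherapy_notes and p is not Purpose.MEDICAL_EMERGENCY
            and not req.hipaa_authorization):
        return Decision(False, "psychotherapy notes require a separate patient authorization")
    d = _decide_part2(req) if record.part2 else _decide_hipaa(req)
    if d.release and p not in TPO:
        ACCOUNTING.append((record.record_id, p.value))
    if d.release and p in {Purpose.PAYMENT, Purpose.OPERATIONS}:
        d.notices.append("apply minimum necessary: limit fields to the stated purpose")
    return d


if __name__ == "__main__":
    tagged = Record("R1", part2=True)
    for req in (Request(Purpose.TREATMENT), Request(Purpose.TREATMENT, part2_consent=True),
                Request(Purpose.LEGAL, hipaa_legal_process=True),
                Request(Purpose.MEDICAL_EMERGENCY, to_medical_personnel=True)):
        print(req.purpose.value, "->", decide(tagged, req))
```

The point of routing every request through one function is testability: the release-of-information test step in the compliance section becomes a table of requests with expected decisions, and a change to consent forms or vendor contracts can be checked against that table before it reaches the EHR.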
Key takeaways
- HIPAA protects eating disorder treatment records, with extra safeguards for psychotherapy notes and clear Breach Notification duties.
- 42 CFR Part 2 applies only when SUD program records are involved; after CARES Act and the 2024 Final Rule, TPO sharing is easier with a single Patient Authorization but legal-process restrictions remain.
- Strong administrative, technical, and physical safeguards—plus careful consent, tagging, and training—are essential to compliance.
FAQs
What records does HIPAA protect in eating disorder treatment?
HIPAA protects all identifiable information related to a patient’s health status, diagnosis, treatment, and payment. In eating disorder care, that includes assessments, diagnoses (e.g., anorexia nervosa, bulimia nervosa, ARFID), therapy and nutrition notes, medication lists, labs, after-visit summaries, and billing data. Psychotherapy notes are protected even more strictly and usually require a separate Patient Authorization to disclose.
How does 42 CFR Part 2 affect eating disorder records?
Part 2 affects eating disorder records only when they originate from, or include, information from a federally assisted SUD program. Those records carry heightened confidentiality protections. With a valid Part 2 consent, TPO disclosures and HIPAA-consistent redisclosures are permitted, but use in legal proceedings typically still requires a Part 2 court order.
What are the new requirements under the 2024 Part 2 Final Rule?
The 2024 rule operationalizes the CARES Act: it allows a single patient consent for TPO, aligns Breach Notification and Civil Enforcement with HIPAA, clarifies redisclosure rules, strengthens notice and consent content, and emphasizes tagging/segmentation and auditing to prevent improper releases. Most organizations must complete updates to policies, systems, contracts, and training within the 2026 compliance window.
How do emergency situations impact confidentiality requirements?
During emergencies, HIPAA allows disclosures needed for treatment and to avert a serious, imminent threat, using the minimum necessary standard. If Part 2 applies, a medical emergency exception permits disclosure to medical personnel without consent, but you must document the emergency and disclosure details and revert to normal protections once the emergency ends.