North Dakota Mental Health Record Privacy Laws: Your Rights and Provider Obligations

Confidentiality of Mental Health Records

In North Dakota, your mental health records are confidential. State law works alongside federal HIPAA rules to restrict who may see diagnoses, medications, therapy notes, testing results, billing details, and other information created or maintained by your providers.

By default, providers may not share your information without your permission. Limited exceptions apply for treatment, payment, and healthcare operations, as well as when another law requires disclosure. Outside those narrow pathways, your written authorization is needed before a Health Information Disclosure occurs.

Psychotherapy notes—your therapist’s separate, personal notes about counseling sessions—receive heightened protection. They are not the same as the rest of your medical record and generally require specific authorization for most uses and disclosures.

Providers must also apply the “minimum necessary” principle for non-treatment uses, train staff on confidentiality, and ensure business partners safeguard your data. This overview is informational and does not constitute legal advice.

Physician and Mental Health Professional-Patient Privilege

Confidentiality governs day-to-day privacy; privilege governs courtroom and legal processes. North Dakota recognizes Physician-Patient Privilege and comparable protections for communications with licensed mental health professionals. The privilege usually belongs to you, meaning you control whether those confidential communications are revealed in legal proceedings.

Privilege is not absolute. Typical exceptions include when you put your mental condition at issue in a legal case, there is a risk of serious and imminent harm, suspected abuse or neglect must be reported, a lawful court order requires disclosure, or an evaluation is court-ordered. Even then, disclosures are limited to what the law or order requires.

If a subpoena seeks your records, providers should evaluate whether privilege applies, whether your authorization is present, and whether a court order is needed. You or your lawyer can assert privilege and request that a court review records in camera (privately) before any disclosure is considered.

Retention of Mental Health Records

Mental health records must be kept long enough to support safe, continuous care and to meet legal and professional standards. North Dakota statutes and licensing board rules set baseline requirements, and organizations may adopt longer periods in their policies for quality, risk, or accreditation reasons.

HIPAA does not set a clinical record-keeping duration, but it does require covered entities to retain privacy-related documentation for six years. Many providers keep adult records for several years after the last visit and retain minor records longer—often until after the age of majority plus an additional period—based on their Mental Health Record Retention policy.

You can ask your provider how long your records will be retained, when they may be archived, and how secure destruction occurs at the end of the retention schedule. If you anticipate changing providers, request copies in advance to avoid delays once records move offsite or enter long-term storage.

Use and Disclosure of Health Information

Without your written authorization, providers may use or disclose information for treatment (coordinating your care), payment (billing and coverage), and healthcare operations (quality improvement, auditing, and compliance). For most other Health Information Disclosure scenarios, written permission is required unless a specific legal exception applies.

Additional permitted or required disclosures can include public health reporting, law enforcement requests with proper legal process, compliance with court orders, organ and tissue donation, medical examiner or coroner needs, research approved by an ethics board, and averting a serious threat to health or safety. Disclosures to family or friends involved in your care may occur with your agreement or, if you are incapacitated, based on professional judgment.

Health Information Network Access may occur through a statewide health information exchange that helps your authorized providers securely view necessary information for your care. You can ask whether your providers participate, how your data flows, and whether options exist to limit or opt out of routine exchange participation, subject to emergencies and legal requirements.

Authorizations you sign must be specific and time-limited. You may revoke an authorization in writing at any time, which stops future disclosures except where a provider has already relied on it.

Rights to Access and Amend Health Information

You have the right to see and get copies of your records, usually within 30 days, with one allowable 30‑day extension when needed. You can ask for electronic copies in a readily producible format and request that records be sent to a designated third party. Fees must be reasonable and cost-based for labor, supplies, and postage.

You also have Record Amendment Rights. If something is incomplete or wrong, you may request an amendment. Providers normally respond within 60 days (with one 30‑day extension). If granted, they correct the record and notify others who need the update. If denied, you can submit a written statement of disagreement that must be linked or appended to future disclosures.

Additional options include requesting restrictions on certain disclosures, choosing confidential communication channels (for example, a different mailing address), and obtaining an accounting of certain non-routine disclosures from the past six years. Ask your provider for the forms or portal tools needed to exercise these rights.

Reporting of Mental Health Information

Some disclosures are mandated to protect individuals and the public. Mental Health Reporting Requirements commonly include suspected child abuse or neglect, abuse or exploitation of vulnerable adults, and threats of serious and imminent harm. Providers may also disclose information when necessary to prevent or lessen a specific, credible threat, consistent with professional standards and state law.

Court-ordered processes—such as evaluations for involuntary commitment or findings that a person is a danger to self or others—can trigger reporting to courts or governmental systems. Certain adjudications may be reported to background-check databases as required by law, with only the minimum necessary information disclosed.

Other required reports can include public health and safety events, licensing or regulatory audits, or compliance with valid subpoenas and court orders. In some circumstances you may not be notified of a report if doing so could compromise safety or an investigation.

Privacy and Security Protections

Providers must implement Privacy Safeguards Compliance measures across people, processes, and technology. Administrative safeguards include staff training, policies that limit access to those who need it, sanctions for misuse, and business associate agreements that bind vendors to privacy and security duties.

Technical safeguards protect electronic data: strong authentication, role-based access, encryption in transit and at rest where feasible, secure messaging, device management, and ongoing monitoring with audit logs. Physical safeguards include facility controls, secure storage for paper records, and approved destruction methods (such as shredding) consistent with the retention schedule.

If a breach of unsecured protected health information occurs, providers must investigate, mitigate harm, and notify affected individuals without unreasonable delay (and within HIPAA timelines). Large breaches also trigger regulator notifications and, in some cases, public notices. You can reduce risk by using secure patient portals, keeping your own copies in a safe location, and reviewing records for accuracy.

Conclusion

North Dakota law and HIPAA work together to protect the confidentiality of your mental health records, define when information can be shared, and give you clear rights to access and correct your data. Understanding privileges, retention, permitted disclosures, Health Information Network Access, and your Record Amendment Rights helps you make informed choices and advocate effectively for your privacy.

FAQs.

What protections exist for mental health record confidentiality in North Dakota?

Your records are protected by state confidentiality rules, HIPAA, and privilege doctrines. Providers must limit who can access your information, apply the minimum‑necessary standard for non-treatment uses, and obtain your authorization for most non-routine disclosures. Psychotherapy notes receive special protection distinct from the general record.

How can individuals access or amend their mental health records?

Submit a written request (or use your provider’s portal) to inspect or receive copies, typically within 30 days. To fix errors or incomplete entries, file an amendment request. If approved, the correction is added and relevant parties are notified; if denied, you can attach a statement of disagreement that accompanies future disclosures.

When can mental health information be legally disclosed?

Without authorization, disclosures are allowed for treatment, payment, and healthcare operations, and when another law requires or permits them—such as public health reporting, responding to court orders, preventing a serious and imminent threat, or specific Mental Health Reporting Requirements. Authorizations are needed for most other uses, including many marketing activities and most uses of psychotherapy notes.

What are provider obligations under North Dakota privacy laws?

Providers must maintain confidentiality, honor Physician-Patient Privilege and related professional privileges, follow documented Mental Health Record Retention schedules, implement security safeguards, provide timely access and Record Amendment Rights, and furnish breach notifications when required. They must also ensure compliant Health Information Disclosure practices and manage Health Information Network Access consistent with law and your preferences.