Virginia Mental Health Record Privacy Laws Explained: Rights, Access, and Confidentiality

Overview of Privacy Protections

Core principles of confidentiality

Virginia protects your mental health information through a layered system that prioritizes health record confidentiality. Your records are private by default, shared only with your authorization or when a specific law permits or requires disclosure. Providers must apply the “minimum necessary” standard and maintain security safeguards at every stage of the record’s life cycle.

Key Virginia statutes and regulations

• Virginia Code § 32.1-127.1:03 establishes statewide rules for health records privacy, including mental health records.
• Virginia Code § 2.2-3705.5 exempts health and mental health records from public release under the Virginia Freedom of Information Act.
• Virginia Code § 37.2-804.2 addresses mental health information disclosure in certain behavioral health and judicial contexts.
• Virginia Administrative Code § 12VAC35-105-870 requires licensed behavioral health providers to maintain a records management policy and protect records throughout their retention period.

These Virginia rules operate alongside federal law, including HIPAA and, when applicable, 42 CFR Part 2 for substance use disorder records. Together, they set clear boundaries for mental health information disclosure and access.

Legal Framework for Disclosure

When disclosure is allowed or required

Under Virginia Code § 32.1-127.1:03, a provider may disclose mental health records with your written authorization or without it for limited purposes, such as treatment, payment, and health care operations. Disclosures may also occur when required by law, court order, or to protect against a serious and imminent threat to health or safety.

Mental health–specific contexts

Virginia Code § 37.2-804.2 governs targeted situations in the behavioral health system—such as court-related proceedings or emergency processes—where limited information may be shared with designated parties. The goal is to enable swift, appropriate care or lawful action while guarding the privacy of underlying clinical details.

FOIA does not open your records

Virginia Code § 2.2-3705.5 confirms that your mental health records are excluded from FOIA. Government agencies cannot release your identifiable mental health records to the public through FOIA requests.

Rights of Individuals

Your privacy and access rights

• Inspect and obtain copies of your mental health records, with limited exceptions permitted by law.
• Request amendments to correct or clarify information you believe is incomplete or inaccurate.
• Receive an accounting of certain disclosures made without your authorization.
• Request restrictions on specific disclosures, and ask for confidential communications via alternative addresses or phone numbers.
• Designate a personal representative or agent to exercise rights on your behalf when permitted.

Special notes for sensitive content

Some materials—such as psychotherapy notes maintained separately—have additional protections. Providers may also limit access when review could reasonably lead to substantial harm, but they must document the rationale and explain available review options.

Access Procedures

Step-by-step process to get your records

1. Submit a written request that identifies you, the records you want, and your preferred format (paper or electronic).
2. Expect identity verification; bring valid identification or follow the provider’s secure verification process.
3. The provider reviews your request under Virginia Code § 32.1-127.1:03 and federal law, then responds within the timelines those laws allow.
4. Reasonable, cost-based copy fees may apply; you can ask for an estimate in advance.
5. If a request is denied in part or whole, you should receive a written explanation and information about review or appeal pathways where available.

Parents, guardians, and representatives

Parents and legal guardians may access a minor’s records in many situations, but access can be restricted when the law requires confidentiality or when disclosure could endanger the minor. A personal representative or agent may act for an adult when recognized under state or federal law.

Record Management Policies

What providers must include

Virginia Administrative Code § 12VAC35-105-870 requires licensed behavioral health providers to maintain a written records management policy. A sound policy should define how records are created, updated, stored, accessed, retained, and destroyed, and it should align with all applicable retention schedules and privacy rules.

• Access controls and authentication to protect mental health information.
• Retention schedules that reflect clinical, legal, and regulatory requirements.
• Secure storage, encryption for electronic systems, and audit trails.
• Procedures for amendments, corrections, and release of information.
• Vendor management and business associate safeguards for third-party services.
• Secure destruction methods at the end of the retention period, with documentation.

Training and oversight

Providers should train workforce members on health record confidentiality, conduct periodic audits, and document compliance activities. Clear incident response procedures help contain and remediate any privacy incident quickly.

Exceptions to Confidentiality

Common scenarios where disclosure may occur

• Your written authorization specifying what may be shared and with whom.
• Treatment, payment, and health care operations, limited to the minimum necessary.
• When required by law, including mandatory reporting of abuse, neglect, or certain injuries.
• Court orders or valid subpoenas, consistent with Virginia Code § 32.1-127.1:03.
• Emergencies to avert a serious and imminent threat to health or safety.
• Behavioral health proceedings or emergency processes addressed in Virginia Code § 37.2-804.2.
• Public health and research uses permitted by law, often with de-identification or oversight.

Even when an exception applies, disclosures should be targeted and documented, preserving your dignity and privacy.

Enforcement and Compliance

Who enforces these rules

Compliance is monitored through multiple channels. Licensed behavioral health providers are subject to Virginia licensing requirements, including the records management policy obligations in § 12VAC35-105-870. Professional boards may discipline licensees, and federal regulators enforce HIPAA. Civil remedies may be available for unlawful disclosures under Virginia law.

Building a defensible compliance program

• Maintain up-to-date policies mirroring Virginia Code § 32.1-127.1:03 and related rules.
• Designate privacy and security leads; conduct regular risk assessments and audits.
• Use role-based access, encryption, and audit logs; test breach and incident response.
• Train staff routinely; document disclosures and requests; review vendors and contracts.

Key takeaways

Virginia law gives you strong rights to access and control your mental health records while setting narrow, well-defined paths for mental health information disclosure. Providers must follow robust records management policy requirements and only disclose what the law allows. Knowing these rules helps you request records confidently and safeguard your privacy.

FAQs

What rights do individuals have regarding their mental health records in Virginia?

You have the right to inspect and obtain copies of your records, request amendments, receive an accounting of certain disclosures, seek restrictions, and request confidential communications. These rights flow primarily from Virginia Code § 32.1-127.1:03 and complementary federal law, with added protections for sensitive materials like psychotherapy notes.

How can one access their mental health records according to Virginia law?

Submit a written request to your provider identifying the records you want and your preferred format. Expect identity verification, a response within legally allowed timelines, and cost-based copy fees. If access is limited—for example, due to risk of harm—the provider must document the reason and explain review options.

Under what circumstances can mental health records be disclosed?

Disclosures generally require your authorization unless an exception applies, such as treatment, payment, health care operations, requirements of law or court order, emergencies involving serious and imminent threats, or behavioral health proceedings contemplated in Virginia Code § 37.2-804.2. FOIA does not open your records to the public under Virginia Code § 2.2-3705.5.

What are the requirements for providers managing mental health records in Virginia?

Providers must maintain a comprehensive records management policy under Virginia Administrative Code § 12VAC35-105-870, protect records with technical and administrative safeguards, follow lawful retention and destruction practices, train staff, and document disclosures and requests. Policies should align with Virginia Code § 32.1-127.1:03 and applicable federal rules to ensure consistent, compliant handling of your information.