Compliance foundations that don't break under audit.
Treatment programs live and die by compliance. HIPAA and 42 CFR Part 2 are the federal floor; state behavioral health rules layer on top. This is what every program needs in place before doors open.
Phase 10 · Compliance foundations
HIPAA — the federal baseline
Every behavioral health treatment center is a HIPAA-covered entity. The practical implications:
- Privacy Officer and Security Officer — every program must designate both. Often the same person at smaller operators; should be separated as the program scales.
- Notice of Privacy Practices (NPP) — given to every client at admission, signed, and retained for six years after the relationship ends.
- Business Associate Agreements (BAAs) — required with any vendor that touches PHI. Your EMR, billing vendor, RCM, lab partners, IT vendors, even your shredding company need BAAs in place.
- Workforce training — every staff member trained at hire and annually. Documented.
- Risk assessment — formal HIPAA Security Risk Analysis conducted annually. Required by the Security Rule.
- Incident response and breach notification — process for detecting, investigating, and reporting breaches. HHS notification within 60 days for breaches affecting 500+ individuals; breaches affecting fewer than 500 individuals are logged and reported to HHS annually.
42 CFR Part 2 — the SUD privacy regulation
42 CFR Part 2 applies to programs that hold themselves out as providing substance use disorder (SUD) treatment and that receive federal funding (broadly defined). For most SUD programs in the US, that's effectively everyone.
Part 2 is stricter than HIPAA in important ways:
- Patient consent for almost any disclosure. Even within an integrated care setting, SUD information cannot be shared with non-SUD providers without explicit, written consent that meets Part 2's specific requirements.
- Specific consent form requirements — must identify the recipient, the purpose, the information disclosed, the expiration, and the patient's right to revoke.
- Re-disclosure prohibition — the recipient of Part 2 information cannot re-disclose without the patient's separate consent. Most operators use a standardized re-disclosure prohibition statement on every transmitted record.
- Court order requirements — even a subpoena doesn't override Part 2; specific court-order procedures apply.
The 2024 Part 2 final rule aligned some Part 2 mechanics more closely with HIPAA (especially for treatment, payment, and operations purposes) — but Part 2 is still more restrictive than HIPAA in most practical scenarios. Your EMR and your consent workflows have to be built around Part 2 from day one.
State behavioral health rules
Every state has its own behavioral health licensing rule, and compliance with that rule is a separate (and sometimes competing) regulatory regime. Common state-level requirements:
- Incident reporting to the licensing agency within defined timeframes (commonly 24–72 hours for major incidents)
- Mandated reporter obligations for child abuse, elder abuse, and domestic violence
- Suicide and self-harm assessment protocols
- Medication administration record (MAR) requirements
- Background screening of staff (often Level 2 fingerprint-based)
- Continuing education requirements for clinical staff
- Specific consent and admission documentation
Policy and procedure manual — what it actually contains
The policy and procedure (P&P) manual is the single most important compliance document a treatment center has. It's what state licensing surveyors review, what accreditation bodies audit against, and what you train staff on. A complete P&P manual for a behavioral health treatment center typically covers:
- Governance — ownership, board, organizational structure
- Admissions and screening
- Clinical assessment and treatment planning
- Levels of care and length of stay
- Medication management and MAR
- Group and individual programming standards
- Family involvement
- Discharge planning and aftercare
- Client rights and grievance procedure
- Confidentiality (HIPAA and Part 2)
- Incident reporting and critical event management
- Infection control and health safety
- Medical and psychiatric emergency procedures
- Staffing and supervision
- Workforce training and continuing education
- Quality improvement program
- Records retention and destruction
- Drug and alcohol screening of clients
- Restraint and seclusion (often not used; explicitly stated)
- Disaster and emergency preparedness
Most manuals run 200–400 pages. Many programs use a starter template and customize — there's nothing wrong with that as long as the result actually matches how your program operates. Surveyors catch "template P&Ps that don't match real practice" almost every time.
Incident reporting program
State licensing rules and accreditation standards both require a functioning incident reporting program. The categories you have to be ready to report:
- Client death or serious injury
- Suicide attempt or completed suicide
- Allegation of abuse, neglect, or exploitation
- Allegation of staff-client boundary violation
- Medication errors with adverse outcomes
- Elopement (client leaves without staff knowledge)
- Major fire, flood, or facility incident
- Allegations of fraud or unethical billing practices
- Communicable disease outbreaks
Internal incident reports get filed within hours; state notifications follow within whatever your state rule requires — often 24 hours for major incidents, 72 hours for others. Build the workflow before you need it; trying to figure out the right path during a real incident is how things go badly.
Ready to skip the guesswork? Let Navix run it.
Navix Launch is our end-to-end service for new and growing treatment centers. We lead the project; our contracted consultant network across the US covers licensing, accreditation, payer contracting, staffing, and clinical setup. Our head of compliance owns the project plan.
