Mental Health Compliance, Behavioral Health Best Practices, Practice Management for Therapists, SUD & 42 CFR Part 2 Compliance ClearPath Compliance Mental Health Compliance, Behavioral Health Best Practices, Practice Management for Therapists, SUD & 42 CFR Part 2 Compliance ClearPath Compliance

The Mental Health Compliance Landscape in 2025: What Clinics Must Know Before 2026 Hits

By: Drew Duffy, MHA, FACHE

The landscape for mental health care is changing — fast.

Telehealth expansion, workforce shortages, billing scrutiny, and tightening federal and state oversight are creating a complex environment for behavioral health providers. While many changes won’t be fully implemented until 2026, 2025 is the critical year to prepare.

If you're a psychologist, therapist, psychiatrist, licensed social worker, or clinic owner, this guide breaks down what’s changing, what’s at risk, and what you need to do now to stay secure.

1. Increased Scrutiny on Telehealth and Virtual Mental Health

What's happening:

The telehealth flexibility that exploded during COVID is slowly tightening. The DEA, CMS, and state boards are issuing stricter rules about:

  • Prescribing controlled substances via telehealth (especially ADHD meds, benzos, and stimulants)

  • Out-of-state licensure and practice

  • HIPAA-compliant platforms (end of “good faith” waivers)

2026 preview:

  • The DEA’s final rule on tele-prescribing is expected to require in-person exams for controlled substances unless providers join an approved telemedicine referral registry.

  • Interstate licensing compacts (like PSYPACT) will become a requirement, not a convenience.

What to do now:

  • Audit your telehealth policies and vendor contracts — is your video platform HIPAA-compliant under the full rule?

  • Stop prescribing controlled substances virtually unless you’ve documented medical necessity and state law allows it.

  • Consider PSYPACT membership or cross-state licensure if you treat out-of-state clients.

2. HIPAA and 42 CFR Part 2 Alignment (and Enforcement)

What's happening:

The long-awaited alignment between HIPAA and 42 CFR Part 2 (federal rules governing substance use treatment records) was finalized in 2024, but enforcement ramps up in 2025–2026.

Key updates:

  • You can now use a single, HIPAA-style consent to disclose SUD records for treatment, payment, and operations (TPO) — but you must clearly inform patients of this during intake.

  • Breaches involving Part 2 records must follow HIPAA breach notification rules.

  • Redisclosure limitations remain strict — downstream providers can’t reuse SUD info unless permitted.

Why this matters:

  • Mental health clinics offering integrated therapy + SUD treatment are now held to stricter data-sharing standards.

  • Improperly sharing records — even between staff — can trigger federal fines or licensing complaints.

What to do now:

  • Review and update your Notice of Privacy Practices (NPP) to reflect 42 CFR changes.

  • Train all staff on new redisclosure and consent rules.

  • Use separate flags or access levels for SUD-related documentation in your EHR.

3. Credentialing, Billing & Audit Pressures Rising — Especially in Medicaid

What's happening:

Many mental health clinics rely on Medicaid or managed care for most of their income. These programs are becoming stricter, especially in:

  • Credentialing delays and tighter enrollment checks

  • Service documentation audits (especially for teletherapy and group sessions)

  • Recoupment of payments for improper supervision, scope violations, or missing notes

Minnesota-specific updates:

  • DHS has started post-payment reviews of outpatient therapy sessions, especially under fee-for-service.

  • Board supervision requirements are being spot-checked — e.g., LPCCs billing independently without valid supervisor registration.

2026 preview:

  • CMS is pushing new provider ID and NPI matching systems to catch “ghost billing” and billing by uncredentialed providers.

  • Cross-checking billing with licensure databases will become automated — increasing the risk of clawbacks.

What to do now:

  • Ensure all providers are credentialed under correct taxonomy codes, with updated licenses and NPI match.

  • Regularly audit documentation — especially for:

    • Group therapy

    • Supervised clinicians (pre-licensure)

    • Crisis codes or extended sessions

  • Use modifiers appropriately and maintain records for time-based billing.

4. Mental Health Clinics Are Now High-Risk for OSHA, HIPAA, and Labor Law Claims

Why:

  • Staff burnout, patient aggression, and solo site management all increase risk.

  • Behavioral health clinics often neglect OSHA or HIPAA because “we’re just talk therapy.”

  • Mobile or home-based services complicate safety, supervision, and privacy obligations.

Real risks in 2025:

  • OSHA is now citing clinics that lack workplace violence prevention plans — a major issue in behavioral health settings.

  • HIPAA complaints are rising for unencrypted therapy notes, remote session recordings, and insecure email exchanges.

  • Wage/hour audits are targeting clinical staff classified as contractors without valid independent licensure.

What to do now:

  • Draft or update your OSHA-required Emergency Action and Workplace Violence Prevention Plans.

  • Secure your telehealth, notes, and communications — including texting, voicemail, and client portal use.

  • Confirm that supervised clinicians are W-2 employees, not 1099s (unless truly independent by IRS and board standards).

What’s Coming in 2026 — and Why 2025 Is Critical

Major reforms are coming down the pipeline:

  • National mental health parity enforcement will increase, impacting how insurers must reimburse behavioral health.

  • Interstate licensure frameworks will become essential for teletherapy models.

  • Expanded data reporting rules will require even small clinics to participate in outcome tracking and CMS registries.

  • DEA and SAMHSA modernization rules will permanently reshape controlled substance and SUD treatment compliance.

Clinics that wait until 2026 to get compliant will be too late. The infrastructure needs to be in place now.

What ClearPath Compliance Offers to Mental Health Clinics

Whether you’re a solo LGSW or running a 50-provider therapy group, we offer real compliance solutions tailored to mental health:

  • HIPAA + 42 CFR Part 2 updates and documentation

  • Credentialing, revalidation, and billing risk reviews

  • OSHA plans and workplace violence programs

  • Telehealth policy development

  • Licensure supervision tracking tools

  • Employment classification audits

  • EHR documentation templates that match payer and board requirements

-Drew

📞 1-888-996-8376
📧 info@clearpathcompliance.org
🌐 www.clearpathcompliance.org

Discounted support for clinics serving publicly insured, rural, or underserved patients.

Read More