Privacy by Design in Mental Health: A Founder-Clinician’s Checklist
Authored by: Brad Lieberman, JD (retired), MSN, PMHNP-BC
Most independent mental health practices have a privacy blind spot they did not put there on purpose. It usually shows up in the same place — the contracts they signed with vendors years ago, the intake form they cloned from a colleague, the AI scribe they trialed during a busy week and forgot to interrogate. These are not failures of intelligence. Most clinicians I know are sharper than the people who designed the platforms they rely on. The failure is that hospital compliance teams normally close these gaps for you, and when you go independent, no one closes them at all.
I came to this work from two directions. I practice psychiatry as a board-certified PMHNP in New York. I also spent the prior decade as an attorney. The combination shaped how I think about privacy in independent practice. You do not patch it. You design around it at the beginning.
Mental health practices carry a heavier privacy load than the average medical practice for three reasons. The data carries higher reidentification risk because diagnosis often correlates with specific demographics, geography, and prescribing patterns. State law layers heavily on top of HIPAA — New York’s SHIELD Act, California’s CIPA, state wiretap statutes — and each layer brings its own enforcement actor and damages framework. And the vendor ecosystem most practices touch (telehealth platforms, intake form services, scheduling tools, AI scribes, e-prescribing, marketing automation) was not built with psychiatric data as the design constraint.
Three items go on the checklist first.
One. Read your vendor BAA, line by line.
The standard BAA most vendors offer is calibrated to the floor of HIPAA, not the ceiling of your exposure. Look at the indemnification provision — most are limited to direct damages, which means consequential losses, including class actions, fall on you. Look at the breach notification timeline — some vendors quietly write themselves a 30-day window before they have to tell you, which puts you outside the 60-day OCR clock. Look at the subprocessor list — your AI scribe vendor may be running on cloud infrastructure with its own privacy posture, and your BAA chain only works if every link holds.
Two. Audit your intake forms.
The most common compliance error I see is not what the form collects — it is what the form does not say about how the data travels. Digital intake forms get emailed, stored on the vendor’s servers, sometimes routed through automation tools, and then occasionally synced back to a practice management system. Each handoff is a separate HIPAA-relevant disclosure. The consent language on the form needs to anticipate every link in that chain, not just the moment of collection.
Three. Interrogate your AI scribe.
The category is moving faster than the regulatory environment. The operative questions are: where the audio file lives, for how long, and who can access it; what happens to the transcript after the encounter is summarized; whether the vendor uses your data — even de-identified — to train its model; and whether the vendor will sign a BAA at all, and whether that BAA covers the training-data question explicitly. A vendor that hedges on any of these answers is telling you something.
The work of running an independent practice is already enough. The argument I make to clinicians I advise is not that compliance has to consume your life. It is that these documents and decisions only need to be made once, correctly, at the beginning. After that, they hold.
That is the founder-clinician frame. You are running the practice. You are also the compliance team. The point is to build the practice so that role is small.
Author byline:
Brad Lieberman, JD (retired), MSN, PMHNP-BC, is a board-certified psychiatric mental health nurse practitioner and founder of The Lieberman Center for Psychotherapeutics in New York. He is also the founder of The Encrypted Chart, a privacy infrastructure product for solo and small-group healthcare practices. He writes on operational privacy and the gap between hospital compliance and independent practice at encryptedchart.com. Contact: 212-470-3603