HIPAA + MHDDCA Compliance for Illinois Therapists — 2026 Guide
Illinois therapists must comply with HIPAA (federal) and the Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA) — one of the strongest mental health privacy laws in the United States. The MHDDCA routinely provides greater protections than HIPAA, which means Illinois therapists must follow the stricter standard. Here is your complete 2026 compliance guide.
Avg fine in Illinois: $44,000
IL breach notification: 60 Days
2 Laws: HIPAA + MHDDCA
MHDDCA — What Illinois Therapists Must Know
The MHDDCA (740 ILCS 110) protects all mental health records with near-absolute confidentiality — disclosures require specific written consent that goes beyond standard HIPAA authorizations
Illinois prohibits disclosure of mental health records in civil proceedings without a court order, even if both parties consent — this is stricter than HIPAA
The MHDDCA applies to ALL mental health professionals including LCSWs, LMFTs, LPCs, and psychologists — not just psychiatrists
Illinois does not allow a client's attorney to access mental health records simply by presenting a subpoena — a judge must specifically order it
Insurance companies in Illinois cannot demand access to psychotherapy notes — they may only request a treatment summary with the client's specific written consent
Chicago-area therapists in group practices must have written confidentiality policies that reference both HIPAA and MHDDCA explicitly
Top 5 HIPAA + MHDDCA Violations in Illinois
Non-compliant authorization forms
Typical fine: $10,000–$35,000
Illinois MHDDCA requires more specific authorization language than standard HIPAA release forms. Using a generic HIPAA release in Illinois is insufficient.
Responding to subpoenas without a court order
Typical fine: $15,000–$50,000
Illinois therapists regularly receive subpoenas in divorce and custody cases. Releasing records in response to a subpoena alone — without a judge's order — violates the MHDDCA.
Sharing records with insurance without explicit consent
Typical fine: $12,000–$40,000
Illinois insurers may not access psychotherapy notes or detailed session records. Providing them voluntarily exposes the therapist to both MHDDCA and HIPAA liability.
Missing BAA with EHR or telehealth vendor
Typical fine: $15,000–$50,000
The most common HIPAA violation nationwide — and Illinois is no exception. BAAs must specifically cover PHI and be executed before any data sharing begins.
Insufficient breach notification documentation
Typical fine: $7,000–$25,000
Illinois requires breach notifications to affected individuals and the state AG. Many practices notify individuals but forget to file the required state-level report.
Trusted by 225,000+ Therapists — Recommended for Therapists in Illinois
Get Your Practice 100% HIPAA Compliant in 2026
SimplePractice is the #1 HIPAA-compliant practice management platform built specifically for therapists. Includes secure messaging, telehealth, billing, and a signed BAA — everything you need to stay compliant and protect your clients.
FAQ — Illinois Therapist HIPAA
What is the MHDDCA and how is it different from HIPAA?
The Mental Health and Developmental Disabilities Confidentiality Act (740 ILCS 110) is an Illinois state law that provides stronger privacy protections for mental health records than HIPAA. When both laws apply, Illinois therapists must follow whichever standard is stricter — which is usually the MHDDCA.
Can I respond to a subpoena for client records in Illinois?
Not automatically. Under the MHDDCA, a subpoena alone is not sufficient to compel disclosure of mental health records. You generally need a court order signed by a judge. You should consult an Illinois attorney before responding to any subpoena involving mental health records.
Do I need a separate MHDDCA-compliant consent form in addition to a HIPAA authorization?
Yes. Standard HIPAA authorization forms typically do not meet Illinois MHDDCA requirements. Illinois requires more specific language identifying exactly what information will be disclosed, to whom, and for what purpose. Using a generic HIPAA form for Illinois clients creates legal exposure.
Does the MHDDCA apply to telehealth therapists seeing Illinois clients from another state?
This is unsettled law, but the conservative approach is to treat any client physically located in Illinois as subject to MHDDCA protections. Most Illinois attorneys advising therapists recommend applying MHDDCA standards to all Illinois-based clients regardless of where the therapist is licensed.