Montana Expands Health Care Privacy Law to Include Mental Health Digital Services


June.06.2025

The Montana Legislature recently passed an update to the state’s Uniform Health Care Information Act (the Act), which creates standards for privacy and security of health care information maintained by Montana health care providers. Specifically, House Bill 397 provides that “mental health digital service” platforms will be subject to the Act, starting October 1, 2025.

Here are five takeaways to consider before the new law goes into effect:

1. What is a “mental health digital service”?

HB 397 defines the term broadly as a mobile-based application or internet website that:

  • collects, obtains, uses, possesses or accesses information related to an individual’s inferred or diagnosed mental health or substance use disorder;
  • markets itself as facilitating mental health or substance use disorder services to an individual; and
  • uses the information provided to facilitate mental health services, including diagnosis, treatment, suggested therapies and management of the mental health or substance use disorder for an individual.

Companies such as management services organizations that offer web or mobile platforms through which licensed therapists provide online counseling and therapy services to patients will likely fall within the scope of the Act.

2. What does the Act require?

The Act requires Montana health care providers (and, as of October 1, 2025, mental health digital service platforms) that maintain health care information to comply with various privacy and security standards, many of which are similar to the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) standards. Some notable provisions include:

  • Requiring providers to adopt reasonable safeguards for the security of all health care information they maintain;
  • Prohibiting providers from disclosing health care information about a patient to any other person without the patient’s written authorization (with some exceptions noted below), and requiring providers to maintain a record of any disclosures;
  • Permitting certain disclosures of health care information without a patient authorization in limited circumstances, such as to persons providing health care services to the patient who need to know the information, and to federal, state or local public health authorities or law enforcement, if required;
  • Requiring providers to follow certain processes for responding to requests from patients to examine or amend their recorded health care information; and
  • Providing immunity to providers who disclose health care information in accordance with a written authorization that follows the Act’s requirements.

3. Are there any exceptions?

Yes. The Act only applies to Montana health care providers that are not subject to the privacy provisions of HIPAA. In other words, providers who are subject to HIPAA are exempt from the Act.

4. How is the Act enforced?

If a provider (or, as of October 1, 2025, a mental health digital service platform) violates the Act, a court may require compliance and may order relief for an aggrieved person, including monetary damages. Specifically, a provider may be required to pay to an aggrieved person any monetary losses incurred as a result of the violation. If the violation was willful or grossly negligent, the provider may also be required to pay the person up to $5,000 in addition to the monetary losses.

5. What should mental health providers and platforms do to prepare?

Providers and digital platforms should consider whether the new provisions of the Act may apply to their practice and assess whether their current privacy and security practices are in compliance.

If you have any questions, please contact the authors (Thora Johnson, Emily Brodkin and Melania Jankowski) or another Orrick Team member.