7 Things You Need to Know to Avoid a HIPAA Violation with your Psychotherapy Notes

The work of a therapist is private and intimate. Every client you meet with needs to be able to trust that the information they share with you remains confidential at all times. This is part of the reason why HIPAA is in place, but it goes way beyond the paperwork.

If a client feels that they can’t trust you, providing accurate treatment becomes much harder. They may withhold important information due to the fear of being turned in to authorities or of having their personal experiences shared with guardians/family members.

It’s your responsibility to create a strong sense of trust from the moment you meet a patient for the first time. More so, you have to work to maintain this trust by providing compassion and understanding and making sure your psychotherapy notes abide by all HIPAA regulations.

Here are 7 tips to help you avoid having a HIPAA violation on your hands – and worse, a seriously negative patient experience.  

1. Learn the Difference Between a Psychotherapy Note and General Medical Information

There’s a big difference between psychotherapy notes, which need to be kept private, and medical records, which need to be shared for effective treatment.

According to HIPAA, psychotherapy notes are “notes recorded in any medium by a mental health professional documenting or analyzing the contents of conversation during a private counseling session.” They typically pertain to sensitive matters like abuse or trauma, and they may record a patient’s feelings or personal matters. 

Medical records, on the other hand, are more practical. These records share a person’s diagnosis, treatment, and medications with other doctors. They can’t be shared with friends or family unless a client allows the release of information, but they aren’t as highly protected as psychotherapy notes.

2. Always Keep Your Psychotherapy Notes Separate from Medical Records

Although there are times when you do need to share medical records with other doctors, it’s rare to ever have a need to share psychotherapy notes. More so, you don’t want your notes to accidentally be shared as you pass along medical records. 

This is why you should always keep your personal notes and a client’s records separate. Some psychotherapists go as far as to keep their notes in a password-protected program rather than writing them on paper. This ensures that no one stumbles across information that shouldn’t be shared. If that happens, the responsibility falls on you, not the other person.

3. Store All Client Information in a Secure Place

The best way to keep client information from falling into the wrong hands is to establish a secure place for it. This goes for both your notes and their records. Ideally, you should have two separate locations for all of your notes and all of your patients’ records. 

Not only does this make you more compliant with HIPAA standards, but it creates a better sense of organization. Having two places you can easily access information when you need it and lock it away when not using it makes all the work you do more efficient.

4. Make Sure You Understand Your Patient’s Capacity to Consent to Sharing Information

There may be times when a client chooses to share your psychotherapy notes, completely by their own accord. You might also have to ask them for permission to share notes in certain situations. 

However, you have to be sure your client is in the proper position to give consent in both situations. They need to be in a clear state of mind, and it’s best to talk about the reasons why the question of sharing information has been brought up.

5. Learn to Navigate Legal Situations

Traditionally, the only time you’re able to share psychotherapy notes or talk about patient treatment is when they’re posing a serious harm to themselves or others. 

But, there are a few legal situations in which you may have to share your notes. It’s important to understand when you’re obligated by law to share records and when you don’t have to share them. This can make a big difference as to whether or not your actions are HIPAA compliant.

6. Don’t Be Afraid to Consult Legal Advisors or Medical Colleagues

If you’re not sure how to handle a legal situation or if you’d like to brush up on the compliance regulations you need to meet, you can ask for help. There’s no reason for you to navigate all of the requirements established by HIPAA on your own. 

However, you should talk in general terms and be careful not to provide specifics. Never share a patient’s name when consulting legal advisors or talking with other psychotherapists about protecting your notes. Don’t discuss the content of your notes, either. 

Simply focus on the matter at hand: how to best protect your client’s information and your own professional integrity.

7. Focus on the Best Interest of Your Clients at All Times

At the end of the day, it’s not psychotherapy notes you need to worry so much about, but rather your clients’ best interest. If their sensitive information is shared, a patient is likely to stop seeking treatment and they may not ever go back. It only takes one break of trust to completely stop – and likely reverse – all the progress they’ve made. 

Not to mention, it’s a serious offense on your part. 

HIPAA Compliance Made Simple 

Although HIPAA regulations can seem a little complicated, they’re actually a lot easier to follow than one would think. Plus, there are all kinds of courses you can take about HIPAA to help you understand the specific implications it has on everything from psychotherapy notes to conversations with patients’ loved ones. 

You can also invest in HIPAA management services to make sure you’re not just compliant, but able to prove that the work you’ve done abides by HIPAA standards. 



HIPAA Security Reminders


HIPAA Security Suite has developed a weekly HIPAA Security Reminder series that’s FREE for all of us who are responsible for, or engaged in, the use and protection of PHI.

Pursuant to Section 164.308(a)(5) of the HIPAA Security Rule, the Standard states: Implement a security awareness and training program for all members of its workforce (including management).

This standard is part of our Best Practices Recommendations for HIPAA Security Suite users, but it’s available for FREE to anyone who wants to comply with HIPAA using the easiest, best tools available.
