The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that protects the privacy of patient health information. The law requires covered entities, such as health care providers and health plans, to take steps to safeguard this information. One way the law does this is by restricting the disclosure of psychotherapy notes.

HIPAA applies to counselors, psychologists, social workers, and every other mental health professional who transmits protected health information (PHI) in electronic form in connection with a health care claim. If you submit even one insurance claim electronically, you must comply. The rules below are written for therapists in private practice, but counselors in a group setting and psychologists in a hospital system are held to the same federal floor.

The psychotherapy notes produced by psychotherapists are defined as notes recorded in any medium by a mental health professional documenting or analyzing the contents of a conversation during a private counseling session. Under HIPAA, psychotherapy notes can only be disclosed with patient authorization or in limited circumstances, such as when required by other laws or when necessary to protect the patient or others from serious harm.

This protection is important because psychotherapy notes can contain sensitive information that could be used to embarrass or discriminate against a patient if they were made public. By restricting the disclosure of psychotherapy notes, HIPAA ensures that patients can receive the mental health care they need without having to worry about their private information being shared without their consent.

The Privacy Rule portion of HIPAA sets forth specific protections for psychotherapy notes. These are notes that a mental health professional makes about a counseling session. They must be kept separate from the rest of the patient’s medical record, and can only be disclosed with the patient’s detailed authorization.

The Privacy Rule also permits psychologists to consult with other healthcare professionals without the patient’s permission, as long as the consultation is for treatment purposes. Many states have their own laws that may provide even greater protection for patient privacy.

There are some exceptions to the confidentiality requirements, such as when disclosure is required by law, or when disclosure is necessary to prevent imminent harm to the patient or others. But in general, psychotherapy notes must be kept confidential and may only be disclosed with patient consent.

The penalties for violating the HIPAA Privacy Rule are severe and can include civil and criminal penalties. As of January 28, 2026, the inflation-adjusted civil monetary penalties range from a Tier 1 minimum of $141 per violation up to a Tier 4 annual cap of $2,190,294. The Department of Health and Human Services Office for Civil Rights (OCR) enforces the Privacy Rule, and OCR’s 2026 enforcement priorities include both the Right of Access initiative and an expanded Risk Analysis initiative now covering risk management.

But more importantly, HIPAA compliance is a requirement of the ethical practice of psychotherapy. Psychotherapists who do not take steps to ensure HIPAA compliance are putting their patients at risk, and are not living up to their ethical obligations.

What counts as a psychotherapy note

HIPAA’s definition is narrow. Two conditions must both be true (45 CFR 164.501):

1. Content test. The note documents or analyzes the contents of a private counseling session, which can be individual, group, joint, or family. It contains the therapist’s impressions, hypotheses, or reflections.

2. Separation test. The note is physically or electronically separated from the rest of the individual’s medical record.

The definition explicitly covers group, joint, and family counseling sessions, not only individual therapy. The documentation rules for the clinical portion of those sessions (the progress note) are different from the reflection portion (the psychotherapy note). For session-type-specific documentation guidance, see Group therapy notes (with template) and Family therapy notes.

If either condition fails, the document is not a psychotherapy note in the legal sense. It is a clinical record subject to standard access and disclosure rules.

What HIPAA explicitly excludes from “psychotherapy notes”

The regulation excludes the following. These belong in the medical record, not in psychotherapy notes:

  • Medication prescription and monitoring
  • Counseling session start and stop times
  • Modalities and frequencies of treatment
  • Results of clinical tests
  • Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date

A note containing any of these stops being a psychotherapy note. The extra protection disappears.

Psychotherapy notes vs progress notes

| | Psychotherapy notes | Progress notes |
|---|---|---|
| Purpose | Therapist’s private reflections, hypotheses, supervision prompts | Official treatment record for continuity of care |
| HIPAA protection | Extra: written authorization needed for almost all disclosures | Standard PHI: disclosable for treatment, payment, operations |
| Required by ethics/insurance? | No | Yes |
| Client access right | No (unreviewable denial under HIPAA) | Yes |
| Storage | Separate file, locked or encrypted | Part of the medical record |
| Reach of a general subpoena | Generally not reached | Reached |
| Example | “Defensive when father came up. Possible transference. Bring to supervision.” | “Session 4. Reviewed sleep hygiene. Client reports panic reduced from daily to twice weekly. Continue CBT for panic.” |

Progress notes are about the treatment. Psychotherapy notes are about your process.

PHI in psychotherapy notes: what to include, what to leave out

Psychotherapy notes have different requirements under HIPAA law. To protect yourself and your clients, it helps to know what belongs in psychotherapy notes and what should be left out. Psychotherapy notes are kept for your benefit and help you be a better therapist because you often write down your feelings, reflections, and observations. Often this information isn’t factual, but it does help you treat your client better. Keep process notes private and secure, as they have special legal protections.

Psychotherapy notes and PHI

Psychotherapy notes are notes that mental health clinicians often keep for themselves to help remind them of something, write down questions for supervision, or maybe record some general observations and feelings about the therapy session. Psychotherapy notes are for the benefit of the therapist or mental health professional and no one else.

There are multiple names for psychotherapy notes. Psychotherapy notes are sometimes also known as process notes. There is no requirement for clinicians to keep psychotherapy notes; therefore, there isn’t a right or wrong way to do them or a required format as there is with progress notes.

In any medical documentation, Protected Health Information (PHI) is any information created, used, or disclosed while providing a healthcare service that can help identify a client. According to the Department of Health and Human Services, there are 18 potential PHI identifiers, including:

  • Name
  • Geographic divisions smaller than a state
  • Phone numbers
  • Fax numbers
  • Dates associated with a client (date of birth, admission, discharge)
  • Medical record numbers
  • Health plan beneficiary numbers
  • Email addresses
  • Certificate or license numbers
  • Photos (including full-face photos)
  • Biometric identifiers (such as fingerprints)
  • Zip codes
  • Vehicle identifiers
  • URLs
  • Social security numbers
  • Account numbers
  • Device identifiers and serial numbers
  • IP addresses

Psychotherapy notes are not part of the client’s official medical record and should have limited PHI because these often involve the inner thoughts of the therapist. It’s best to protect yourself and keep these notes secure if you write them. Psychotherapy notes have special protections under HIPAA.

What to include in psychotherapy notes

Psychotherapy notes are notes that are kept for the benefit of the clinician. These may be observations about the client, questions to bring up in consultation or supervision, or hypotheses about the client. These do not include notes related to the client’s treatment. Useful content includes:

  • Your impressions of the client (defenses, transference, countertransference)
  • Hypotheses to test or revisit
  • Questions for supervision or consultation
  • Your own emotional reactions you are processing
  • Themes you are tracking across sessions
  • Reminders about your pacing, framing, or technique for next session

You may notate something that you want to come back to later. You may need to obtain consultation or supervision on a particular topic. These private notes are meant to help you and are not part of the client’s medical record.

When writing process notes, you focus less on the treatment itself and more on your own process. For example, maybe you notice strong feelings in yourself that you want to flag for your supervisor. Those strong feelings may be inappropriate to put in a client’s official medical record, so a process note is the right place for them.

Some suggest writing these notes entirely anonymously and keeping PHI out of them, since a judge can order the release of psychotherapy notes in specific situations. It’s up to you to judge your comfort level with what you write in psychotherapy notes.

What to keep out of psychotherapy notes

Since psychotherapy notes aren’t part of the client’s medical record, you should not put anything that constitutes medical or treatment information in the notes. Specifically, keep these in the progress note instead:

  • Medication prescription and monitoring
  • Start and stop times of psychotherapy sessions
  • Treatment modalities used (CBT, EMDR, DBT)
  • Results of any clinical tests or assessments (PHQ-9, GAD-7)
  • Diagnosis or diagnostic impressions
  • Functional status
  • Treatment plan
  • Prognosis
  • Symptom description
  • Any overview of the client’s progress
  • Treatment summaries
  • Billing or payment information

This information should be documented in mental health progress notes that are part of the client’s official medical record and should never be included in process notes. Psychotherapy notes should also exclude any information regarding payment of healthcare services.

A supervision habit worth building: write psychotherapy notes in a deliberately de-identified style. Refer to the client by initials or “the client.” Skip dates of birth and addresses. If a judge ever does compel disclosure, less revealing notes do less harm.
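An added example, not part of the original article: a small Python scanner that flags the members of the HHS identifier list above that can be spotted lexically (SSN, phone, email, dates, zip, IP address, URL, medical record number) in a draft process note and tags them, so the note can be checked before it is saved. The sample note, tag names, and regular expressions are constructed for this illustration; names, street addresses, and biometrics need more than a regex and are not covered.

```python
import re

# Lexically detectable members of the HHS identifier list. Ordered so that
# longer or more specific values (URL, email, SSN, phone) are tagged before
# the looser patterns (zip) can match their digits. Patterns are constructed
# for this example and are a safety net, not a guarantee of de-identification.
PHI_PATTERNS = [
    ("url",   re.compile(r"\bhttps?://\S+", re.IGNORECASE)),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    ("ssn",   re.compile(r"\b\d{3}-\d{2}-\d{4}\b")),
    ("phone", re.compile(r"(?<!\w)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}\b")),
    ("date",  re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b")),
    ("ipv4",  re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("mrn",   re.compile(r"\bMRN[:#]?\s*\d{4,}\b", re.IGNORECASE)),
    ("zip",   re.compile(r"\b\d{5}(?:-\d{4})?\b")),
]


def scan_note(text):
    """Replace each detected identifier with a bracketed tag such as [PHONE].

    Returns (redacted_text, findings); findings is a list of (kind, original)
    in the order the patterns were applied.
    """
    findings = []
    for kind, pattern in PHI_PATTERNS:
        def tag(match, kind=kind):
            findings.append((kind, match.group(0)))
            return f"[{kind.upper()}]"
        text = pattern.sub(tag, text)
    return text, findings


def contains_phi(text):
    """True if any lexically detectable identifier is present in the text."""
    return bool(scan_note(text)[1])


# Constructed sample: a process note that has drifted into chart-style detail.
SAMPLE_NOTE = (
    "Met with J. Doe (DOB 03/14/1989, MRN 48213) at the Lakeview office, zip 60614. "
    "Defensive when father came up. Possible transference. "
    "Asked to be reached at 312-555-0147 or jdoe@example.com. Bring to supervision."
)

if __name__ == "__main__":
    redacted, found = scan_note(SAMPLE_NOTE)
    for kind, value in found:
        print(f"{kind:6s} {value}")
    print(redacted)
```

The name "J. Doe" survives the scan, which is the point of the caveat: a regex pass catches the mechanical identifiers, and the initials-only habit handles the rest.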

I once watched a newer clinician panic when their supervisor asked to review the chart for a case consultation. They had been writing psychotherapy-style reflections directly inside the EHR’s progress note field for two years. None of it had separation protection. None of it could be safely shared with anyone, including supervision, without authorization. Set up the separation on day one, not in year three.

Storage and access requirements (2026)

Three rules cover most of the work: keep notes separate, control access, document everything.

Separation, in practice

  • Paper records. A separate folder, clearly labeled “Psychotherapy Notes, Confidential.” Locked cabinet or locked drawer. Only you have the key.
  • Electronic records. A separate file or a restricted, encrypted section of your EHR that other staff cannot access. EHRs designed for behavioral health usually have a dedicated psychotherapy notes module. Use it.
  • Never quote psychotherapy notes verbatim in anything you share with insurers, courts, or other providers. Summarize in the progress note if you need to share clinical content.

If you mix psychotherapy notes into the regular chart, even by accident, they lose their HIPAA protection and become accessible to clients and disclosable under normal rules.

Access control

Only the originating therapist should have access. Administrative staff, billing, other clinicians, and supervisors should not have routine access. Narrow exceptions exist:

  • You can use your own notes for treatment of the same client
  • Use in supervision or training programs (limited)
  • Defense against a legal action brought by the client

Enforce this with role-based access in your EHR. Use multi-factor authentication. Lock the screen whenever you step away.

Storage best practices

| Compliance area | What to do | Why it matters |
|---|---|---|
| Physical security | Locked filing cabinet, locked office. No notes left visible. | Casual disclosure to cleaning staff, other clients, or anyone in the space. |
| Digital security | Encrypted storage, password-protected devices, MFA enabled. No notes on personal devices or consumer cloud services. | Lost or stolen devices are a leading breach cause cited by OCR. |
| Backups | Encrypted backups stored separately. Test recovery quarterly. | Loss of records is itself a Security Rule violation. |
| Vendor agreements | Every vendor touching PHI signs a Business Associate Agreement. | Without a BAA, sharing PHI with a vendor is the violation. |
| Retention | At least 6 years under HIPAA. State laws often require 7 to 10, longer for minors. | HIPAA and state can differ. Follow the stricter. |
| Destruction | Shred paper. Permanently delete (not just trash) digital files. Document the destruction. | Records that should have been destroyed but weren’t can be a liability in litigation. |
| Staff training | Annual HIPAA training for everyone with PHI access. Document attendance. | Training records are reviewed during OCR audits. |
| Audit logs | Your EMR must track every view, edit, or delete of a record. | Required under 2026 technical safeguards. |

When the storage in question is a cloud platform or AI tool, the encryption and audit-log requirements above are what a vendor’s SOC 2 Type II report exists to evidence. Ask for it before you store a single note there.

When you write notes matters

Write psychotherapy notes within 24 hours, while details are accurate. Long delays produce notes that are harder to trust and defend if they are ever reviewed. For corrections, never delete or overwrite the original. Strike through, initial, date. Electronic systems should maintain edit audit trails automatically.
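An added illustration, not any EHR vendor's implementation: a minimal Python store that applies the three rules from this section (a store that holds only psychotherapy notes, access limited to the originating therapist apart from the narrow exceptions or a written authorization that names psychotherapy notes, and a log of every view, correction, and denied attempt) and keeps corrections as appended versions so the original text is never overwritten. The purpose names, authorization fields, and identifiers are assumptions made for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from itertools import count
from typing import Optional


class AccessDenied(PermissionError):
    """Raised when a request for a psychotherapy note has no HIPAA basis."""


# Uses that need no client authorization, mirroring the narrow exceptions above.
# Anything else needs a signed, written authorization that names psychotherapy notes.
NO_AUTHORIZATION_PURPOSES = {"supervision_training", "legal_defense"}


@dataclass(frozen=True)
class NoteVersion:
    text: str
    author: str
    recorded_at: str
    supersedes: Optional[int]   # index of the version this one corrects; None for the original


@dataclass
class PsychotherapyNote:
    note_id: str
    client_ref: str             # de-identified reference such as initials, not a name or MRN
    originating_therapist: str
    versions: list = field(default_factory=list)


class PsychotherapyNoteStore:
    """Holds psychotherapy notes only, apart from the medical record (separation test)."""

    def __init__(self, clock=None):
        self._notes = {}
        self._audit = []          # every view, correction, and denied attempt lands here
        self._ids = count(1)
        self._clock = clock or (lambda: datetime.now(timezone.utc).isoformat())

    def _log(self, actor, action, note_id, purpose, outcome):
        self._audit.append({"at": self._clock(), "actor": actor, "action": action,
                            "note_id": note_id, "purpose": purpose, "outcome": outcome})

    def _check(self, note, actor, purpose, authorization):
        if purpose == "treatment_by_originator" and actor == note.originating_therapist:
            return
        if purpose in NO_AUTHORIZATION_PURPOSES:
            return
        if authorization and authorization.get("signed") \
                and authorization.get("client_ref") == note.client_ref \
                and authorization.get("names_psychotherapy_notes"):
            return
        raise AccessDenied(f"{actor} has no basis to access {note.note_id} for {purpose}")

    def create(self, therapist, client_ref, text):
        note_id = f"ptn-{next(self._ids)}"
        note = PsychotherapyNote(note_id, client_ref, therapist)
        note.versions.append(NoteVersion(text, therapist, self._clock(), None))
        self._notes[note_id] = note
        self._log(therapist, "create", note_id, "treatment_by_originator", "ok")
        return note_id

    def _versions(self, note_id, actor, purpose, authorization, action):
        note = self._notes[note_id]
        try:
            self._check(note, actor, purpose, authorization)
        except AccessDenied:
            self._log(actor, action, note_id, purpose, "denied")
            raise
        self._log(actor, action, note_id, purpose, "ok")
        return note.versions

    def read(self, note_id, actor, purpose="treatment_by_originator", authorization=None):
        """Current text of the note, after an access check that is always logged."""
        return self._versions(note_id, actor, purpose, authorization, "read")[-1].text

    def history(self, note_id, actor, purpose="treatment_by_originator", authorization=None):
        """All versions, oldest first; a correction never removes the original."""
        return list(self._versions(note_id, actor, purpose, authorization, "history"))

    def correct(self, note_id, actor, new_text):
        """Append a corrected version; the prior text stays and is linked via supersedes."""
        note = self._notes[note_id]
        if actor != note.originating_therapist:
            self._log(actor, "correct", note_id, "treatment_by_originator", "denied")
            raise AccessDenied("only the originating therapist may correct a psychotherapy note")
        note.versions.append(NoteVersion(new_text, actor, self._clock(), len(note.versions) - 1))
        self._log(actor, "correct", note_id, "treatment_by_originator", "ok")

    def audit_trail(self, note_id=None):
        """Log entries, optionally filtered to one note, for periodic activity review."""
        return [e for e in self._audit if note_id is None or e["note_id"] == note_id]


def access_is_denied(store, note_id, actor, purpose, authorization=None):
    """True if the store refuses (and logs) the read request."""
    try:
        store.read(note_id, actor, purpose, authorization)
    except AccessDenied:
        return True
    return False
```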

Security Rule risk analysis (and the 2026 OCR priority)

The HIPAA Security Rule requires every covered entity, including a solo therapist, to conduct a documented security risk analysis (SRA) that identifies and addresses risks to ePHI. OCR’s stated 2026 enforcement priority expands the existing Risk Analysis initiative to also include risk management (the follow-through plan, not just the assessment).

For a therapy practice, the SRA should evaluate:

  • Your EHR or practice management system (encryption, access controls, audit logs)
  • Telehealth platforms and configurations
  • How psychotherapy notes are created and stored, including their separation enforcement
  • Email and messaging tools used for any patient communication
  • Mobile devices that access patient records
  • Cloud storage and backup systems
  • Any third-party apps or tools that touch patient data, with BAA status documented

The SRA itself must consist of at least: a risk analysis, an actioned remediation plan, a sanctions policy for staff violations, and procedures to regularly review information system activity (audit log review).

You must keep the SRA and all related documentation for at least 6 years. ONC and OCR jointly publish a free Security Risk Assessment Tool that small practices can use as a starting point. After the assessment, write a remediation plan that lists each identified deficiency with the action and timeline to fix it. Then actually do it. That is the “risk management” part OCR is now also enforcing.

Run the SRA at least annually and after any material change (new EHR, new staff member with PHI access, new vendor, breach incident).

Telehealth-specific considerations

If you provide telehealth, the storage rules above still apply, plus a few extras: the video platform itself must be HIPAA-compliant with a signed BAA, session recordings are PHI and need to be stored under the same separation rules, and you should know where the client is physically located when the session happens (it determines which state’s law applies). For platform selection, see Best HIPAA-compliant telehealth platforms for therapists.

BAAs for AI scribes and EHRs

A Business Associate Agreement is a legal contract between you and any vendor that creates, receives, maintains, or transmits PHI on your behalf. Under HIPAA it is not optional. Without a signed BAA before the first transcription, both you and the vendor are in violation, even if nothing else goes wrong. OCR has settled cases for millions where the only violation was a missing BAA.

For AI scribes and AI note-taking tools, your BAA should add:

  • Explicit prohibition on training models on your patient data. Generic vendor BAAs often miss this.
  • Breach notification timelines. HIPAA allows up to 60 days. Negotiate for 24 to 72 hours from discovery, with defined “discovery” and cooperation terms.
  • Audit rights. You retain the right to audit the vendor’s HIPAA compliance, security controls, access logs, incident response, and any subcontractor agreements. At minimum, require an annual SOC 2 Type II report.
  • Subcontractor BAAs. If the vendor sends audio to a third party for transcription, that third party is a subcontractor and needs its own BAA with your vendor. Verify the chain.
  • Data destruction. Specify timelines and require destruction certification when you cancel the service.

If you use an AI note-taker, check that the vendor signs a BAA with you (not just “claims HIPAA-compliant” on the website), holds SOC 2 Type II certification, does not train models on your client data, encrypts at rest and in transit, provides audit logs you can access, and has BAAs in place with every subcontractor in its pipeline.

A quick word on choosing psychotherapy notes software, because this is where most therapists actually make the compliance decision. General-purpose apps and consumer note tools are not built around the psychotherapy-notes / progress-notes distinction and rarely sign a BAA. Clinical documentation software built for therapy is. Mentalyc was built for therapy practice with these requirements as the design constraint, not an afterthought. It signs a BAA, is HIPAA and SOC 2 Type II compliant, keeps psychotherapy notes structurally separate from progress notes, encrypts end to end, does not train models on your data, gives you accessible audit logs, and maintains its own subcontractor BAA chain. Its HIPAA-compliant AI note-taking software generates SOAP, DAP, or BIRP progress notes in under two minutes per session, so you keep the structural separation HIPAA requires without doing it by hand after every client.

The 2026 HIPAA changes you cannot miss

Three changes for 2026 affect almost every private practice:

1. Encryption and MFA are effectively mandatory. All ePHI must be encrypted at rest and in transit at NIST-level (256-bit minimum). MFA on every account that touches PHI. The “addressable” framing many small practices relied on is no longer a defense.

2. Notice of Privacy Practices deadline was February 16, 2026. Every covered entity must post the revised NPP. New required language covers Substance Use Disorder records (post-Part 2 alignment) and a mandatory statement that patient information may be subject to redisclosure once shared.

3. Updated penalty tiers, effective January 28, 2026. Per-violation amounts range from $141 (Tier 1, lack of knowledge) up to $2,190,294 annual cap for Tier 4 (willful neglect, not corrected). OCR continues to exercise enforcement discretion for lower tiers, but the published numbers are what shows up in settlements.

OCR’s stated 2026 enforcement priorities: the HIPAA Right of Access initiative continues, and the Risk Analysis initiative expands to include risk management. If you have not done a documented risk analysis recently, do one this quarter.

When psychotherapy notes can be disclosed

Default rule: psychotherapy notes cannot be disclosed without the client’s written authorization. This is stricter than the rule for ordinary PHI, which can move freely for treatment, payment, and healthcare operations.

Exceptions where authorization is not required:

1. Originating therapist using their own notes for treatment of the same client

2. Supervision and training in mental health training programs

3. Defense of a legal action brought by the client against you

4. Mandatory reporting of abuse, neglect, or duty-to-warn situations

5. Imminent threat to the health or safety of the patient or others

6. Court order specifically naming the psychotherapy notes (a subpoena alone is generally not enough)

7. Health oversight activities directed at the originating therapist

8. Coroner or medical examiner following the client’s death

Outside these, you need written authorization, including for another treating provider, and including when the client gives verbal permission.

For the full disclosure walkthrough with example scenarios and authorization templates, see When can psychotherapy notes be disclosed?. For the broader question of when confidentiality can be broken outside the psychotherapy-notes context (and what the duty-to-warn standard actually requires in your state), see When can a therapist break confidentiality? and Exceptions to confidentiality in counseling.

Subpoenas and court orders

The short version: a general subpoena does not automatically reach your psychotherapy notes. HIPAA generally requires a court order that specifically names the psychotherapy notes before you can disclose them. A judge can also order in camera review, where the judge reviews the notes privately and decides what is admitted.

This is a topic with enough operational depth that it lives in a dedicated guide. For the full subpoena response workflow, the difference between attorney-issued subpoenas and court orders, what to do in the first 24 hours, how to assert privilege on the client’s behalf, and email templates for each subpoena type, see Can psychotherapy notes be subpoenaed?.

Client access requests and your right to deny

Clients generally have a HIPAA right to access their medical records. Psychotherapy notes are an explicit exception. Clients do not have a HIPAA right to access psychotherapy notes, and this is an unreviewable denial under 45 CFR 164.524(a)(1)(i). Some state laws (notably California) set a higher bar for denial than federal law, so check your state before responding.

For the response options when a client requests their notes, the 30-day deadline (and the 15-day 2026 digital best practice), what a denial letter must contain, and a downloadable denial letter template, see When can psychotherapy notes be disclosed?.

Minor clients and parent access

When the client is a minor, parents are usually their “personal representative” under HIPAA and can access the medical record, including diagnosis, symptoms, and treatment plans. They cannot access psychotherapy notes about the child, because the psychotherapy notes exception applies regardless of who the client is.

The personal-representative rule has three big HIPAA exceptions where parents do not get access to the rest of the record:

1. The minor consents to the care on their own and state law allows it without parental consent.

2. The minor obtains care at the direction of a court or a court-appointed person.

3. The parent agrees that the minor and the provider may have a confidential relationship.

State law determines exception 1 and varies widely. Some states let a minor as young as 12 to 14 consent to outpatient mental health treatment without a parent involved. In those states, the consenting minor controls access to the record, including from their parents.

Two more practical points:

  • Safety override. HIPAA permits a provider to withhold information from a parent if, in professional judgment, disclosure could place the child at risk of harm. Document the basis.
  • Divorced or separated parents. Either legal parent typically has access unless a court order says otherwise. Read the custody order carefully. “Joint legal custody” usually means both can request records.

Check your state’s age of consent for mental health treatment and your state’s rules on parental access to a minor’s records before responding to any parent request.

Insurance company audit and records requests

Insurers can request records to verify medical necessity and adjudicate claims. They are bound by HIPAA’s minimum necessary standard. They are not entitled to your psychotherapy notes.

When an insurer (or its audit contractor) requests records:

1. Confirm the request is valid. The patient’s signed authorization usually covers normal claim submission, but a broad audit request often requires a separate authorization or a contractual basis under your network agreement.

2. Apply minimum necessary. Send the smallest amount of PHI that satisfies the request. For utilization review, this is usually the diagnosis, treatment plan, dates of service, modality, and progress notes for the period in question. Not the entire chart. Not psychotherapy notes.

3. Out-of-network audits get extra scrutiny. APA Practice guidance is to require the patient’s specific authorization before releasing records to an out-of-network insurer that’s auditing.

4. Document the disclosure. Date, recipient, what was sent, legal/contractual basis. File in the client’s record.

5. Talk to the client first when you can. They may want to involve their own attorney, especially if the audit is part of a coverage dispute.

If an insurer demands psychotherapy notes, refuse. They are not entitled to them under HIPAA. Cite 45 CFR 164.508(a)(2) in writing.

A clinician I supervised was once told by a payer that “all clinical documentation” was required for an audit, including any private notes. The audit team backed off the moment she sent the citation in writing and offered the relevant progress notes only. Payers often ask for more than they are entitled to. Knowing the line, in writing, is usually enough.

Breach notification: what to do if it happens

A breach is an impermissible use or disclosure of PHI that compromises its security or privacy. Lost laptop, misdirected email, ransomware, theft, a curious staff member viewing a record they shouldn’t, an accidental file share. These are all potential breaches.

Immediate steps (first 24 to 72 hours)

1. Contain. Stop the ongoing exposure. Disable accounts, lock devices, take systems offline if needed.

2. Investigate. What PHI was involved? How many individuals? What caused it? Document everything as you go.

3. Risk assessment. HIPAA allows you to determine the breach has a low probability of compromising PHI, in which case formal notification may not be required. The assessment considers: the nature and extent of the PHI involved, the unauthorized person who used it or to whom it was disclosed, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated. Document the assessment regardless of conclusion.

Notification timelines

  • Affected individuals: written notice without unreasonable delay and no later than 60 days from discovery, by first-class mail to the last known address (or email if the patient has agreed to email contact).
  • HHS, breach of fewer than 500 individuals: annual log submitted within 60 days of the end of the calendar year.
  • HHS, breach of 500 or more individuals: notify HHS immediately, no later than 60 days from discovery.
  • Media: required for breaches affecting 500 or more residents of a state or jurisdiction, to prominent media outlets in that area, within 60 days.
  • Business associate breaches: the BA must notify you no later than 60 days from discovery. Negotiate your BAA for 24 to 72 hours.
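An added example, not from the original article: a Python helper that turns the timelines above into concrete dates for a given discovery date, affected count, and per-state resident counts. It applies the calendar-year rule for breaches under 500 individuals, the 500-resident media threshold, and a negotiated business associate window; all dates and counts are constructed.

```python
from datetime import date, datetime, timedelta

HIPAA_OUTER_LIMIT_DAYS = 60      # "without unreasonable delay, and no later than 60 days"
LARGE_BREACH_THRESHOLD = 500


def notification_deadlines(discovered, affected, residents_per_state=None):
    """Latest permissible date (ISO string) for each required notice.

    discovered: ISO date the breach was discovered, e.g. "2026-11-15".
    affected: number of individuals whose unsecured PHI was involved.
    residents_per_state: {"IL": 520, ...}, used only for the media-notice test.
    """
    found = date.fromisoformat(discovered)
    outer = found + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
    deadlines = {"individuals": outer.isoformat()}
    if affected >= LARGE_BREACH_THRESHOLD:
        deadlines["hhs"] = outer.isoformat()           # report now, never later than this
    else:
        year_end = date(found.year, 12, 31)            # small breaches go on the annual log
        deadlines["hhs"] = (year_end + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)).isoformat()
    deadlines["media"] = {
        state: outer.isoformat()
        for state, n in sorted((residents_per_state or {}).items())
        if n >= LARGE_BREACH_THRESHOLD
    }
    return deadlines


def ba_notice_deadline(ba_discovered, negotiated_hours=None):
    """When a business associate must have notified you, as an ISO datetime string.

    HIPAA's outer limit is 60 days; a BAA clause of 24 to 72 hours tightens it.
    """
    found = datetime.fromisoformat(ba_discovered)
    deadline = found + timedelta(days=HIPAA_OUTER_LIMIT_DAYS)
    if negotiated_hours is not None:
        deadline = min(deadline, found + timedelta(hours=negotiated_hours))
    return deadline.isoformat()


def overdue_notices(deadlines, today):
    """Names of notices whose deadline has already passed as of the ISO date `today`."""
    cutoff = date.fromisoformat(today)
    late = [name for name in ("individuals", "hhs")
            if date.fromisoformat(deadlines[name]) < cutoff]
    late += [f"media:{state}" for state, due in deadlines["media"].items()
             if date.fromisoformat(due) < cutoff]
    return late


if __name__ == "__main__":
    # Constructed scenario: stolen laptop, 730 clients, 650 of them Illinois residents.
    plan = notification_deadlines("2026-02-10", affected=730,
                                  residents_per_state={"IL": 650, "IN": 80})
    print(plan)
    print(ba_notice_deadline("2026-02-10T09:00:00", negotiated_hours=72))
```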

What the individual notice must include

  • A brief description of what happened
  • The types of unsecured PHI involved
  • Steps individuals should take to protect themselves
  • What you are doing to investigate, mitigate harm, and prevent future breaches
  • Contact information for the practice

Practical recommendations

  • Call an attorney before sending. Run the notification through an attorney or your professional liability insurer. Wording matters for liability.
  • Notify your malpractice carrier early. Many policies have separate cyber/breach coverage and may require prompt notice.
  • Document the timeline meticulously. When you discovered the breach, what you did, who you notified, when. OCR will ask if it ever audits.
  • Update your risk analysis. Whatever the breach revealed becomes a Security Rule finding to address in remediation.

The most common scenario I’ve seen in practice: a therapist’s laptop is stolen from a car. The device was unencrypted because “it was easier.” That single decision turned what could have been an internal incident into a reportable breach involving every active client on the laptop, plus the cost of letters, attorney time, and a multi-year OCR audit risk. Encryption is the single highest-leverage thing a solo practice can do.

Cures Act and OpenNotes for therapists

The 21st Century Cures Act was signed into law in December 2016. Some of the sections of this law are more pertinent to the work of psychotherapy than others. The most important parts for therapists involve information blocking and patient access to electronic health information.

An important part of the Cures Act for therapists concerns information blocking. The Act defines information blocking as “business, technical, and organizational practices that prevent or materially discourage the access, exchange, or use of electronic health information (EHI).” The Cures Act makes sharing electronic health information the expected norm in health care by authorizing the Secretary of Health and Human Services to identify “reasonable and necessary activities that do not constitute information blocking.”

That means patients can get on-demand access to certain information within their medical records, including clinical notes, test results, and medications. The Information Blocking rule fully took effect April 5, 2021. Many providers now routinely offer patient portals where information about upcoming visits, billing, and clinical records can be easily accessed.

All healthcare providers are expected to comply with the Cures Act, including mental health professionals. It applies only to electronic health information. If you are using paper records, the Information Blocking rule does not apply, though HIPAA’s separate patient access right still does. Using paper charts does not exempt providers from complying with patients’ rights to access their own records.

Psychotherapy notes are explicitly excluded from the Cures Act information-sharing requirements, as long as they meet HIPAA’s definition (separate, content-limited). Progress notes are subject to Information Blocking rules. The Act also allows withholding progress notes when sharing would substantially reduce a risk of harm to the patient or another person.

Does the Cures Act actually apply to your practice?

The Information Blocking rule applies to “actors”: developers of certified health IT, health information networks and exchanges, and health care providers. The certified-EHR condition attaches to developers, not to providers; a provider is an actor whether or not they use certified EHR technology, so “my system isn’t certified” is not an exemption on its own. What is limited is enforcement: the disincentives HHS finalized in 2024 reach Medicare-participating clinicians and hospitals, so a cash-pay solo practitioner may see little direct exposure. Whether your practice falls within the statutory definition of health care provider is a question for your attorney. Either way, HIPAA’s separate right of access still applies to the medical record (not psychotherapy notes), and client expectations have shifted: more therapists are receiving access requests even when no rule compels them.

How can sharing notes help clients?

While therapists’ fear of sharing notes in psychotherapy is a common and understandable concern, the emerging research demonstrates a more optimistic view. In health systems where practitioners have already piloted transparent note-taking practices, there seems to be an overwhelmingly positive response. Both clients and providers report benefits like empowerment to address mental health issues proactively, reducing the stigma associated with treatment, and enhancing the therapeutic alliance.


For some clients, access to the notes can even extend the life of the therapy session between visits. It can serve as a tool that empowers clients to review what was said and check its accuracy, or as a reminder of important takeaways or homework recommendations from the therapist. How many times have you asked a follow-up question about the previous week’s session and found the client had forgotten entirely what they were supposed to do?

Should you change how you write notes?

Long before laws like the Cures Act took effect, therapists were generally guided to write notes as if a client or another concerned party were going to read them. In graduate school, the guidance was usually some version of “write as if your note will be read aloud by a judge or jury.” This was not intended as a scare tactic so much as a call to give succinct and accurate information that is pertinent to the client and the work you are doing.

  • Keep progress notes clinical, behavioral, observational. Not interpretive.
  • Put interpretation, hypothesis, and emotional reaction in psychotherapy notes (which HIPAA’s right of access does not cover).
  • Avoid jargon a client wouldn’t recognize.
  • Avoid speculation about other people (family, partners) who haven’t consented.

As transparency and note-taking become a more integral part of healthcare delivery, this can create additional stress for new and seasoned clinicians alike. A behavioral health note-taker that auto-structures progress notes into SOAP, DAP, or BIRP (like Mentalyc’s AI note taker) helps maintain the separation discipline by design rather than memory, and you always have the autonomy to edit or delete aspects of the note to your clinical or client preferences.

State laws that go further

HIPAA is the federal floor, not the ceiling. State laws can and frequently do require more. When they do, follow the stricter rule.

  • Retention periods. HIPAA’s 6-year rule covers its own compliance documentation (policies, authorizations, the disclosure log), not the clinical record itself; medical-record retention is set by state law and licensing boards, commonly 7 to 10 years. Minors’ records often must be kept until the minor reaches a certain age plus the standard period.
  • Client access rights. Some states require disclosure with fewer denial grounds.
  • Mandatory reporting and duty to warn. Wide variation.
  • Substance use disorder records. Federal 42 CFR Part 2 provides extra protection beyond HIPAA.
  • HIV/AIDS records. Many states have specific stricter rules.
  • Minor’s records. Rules about parental access vary widely.
  • Court-ordered disclosure. Some states have stronger psychotherapist-patient privilege than HIPAA contemplates.

If you practice telehealth across state lines, follow the law of the state where the client is physically located when service is provided. Check with your state licensing board and a healthcare attorney familiar with your jurisdiction.

Group practice and supervisor considerations

If you own or supervise in a group practice, the separation rule has team-level implications:

  • Each clinician’s psychotherapy notes belong only to that clinician. Other staff (including the practice owner) should not have routine access. Build your EHR roles so this is structural, not discretionary.
  • Supervision review. A supervisor reviewing a supervisee’s psychotherapy notes is generally permitted under the “supervision and training” exception, but document the arrangement in supervision contracts and the practice’s privacy policies. For the format of supervision documentation itself (which is a separate document type from both progress notes and psychotherapy notes), see Supervision notes and the Supervision notes template.
  • Practice ownership transitions. When a clinician leaves, their psychotherapy notes do not transfer automatically with the practice. Have a written policy on what happens to those notes and follow it.
  • Shared infrastructure. If you share an EHR, the psychotherapy notes module must enforce per-clinician access, not just “anyone with EHR login can see anything.”

In group practices, the avoidable finding is almost always access control: a shared login, an “all notes” role, or an owner account that can open every clinician’s psychotherapy notes. Build the structural fix into your EHR setup before you hire, not after.

Common HIPAA violations in private practice and how to avoid them

Most violations are not dramatic breaches. They are routine habits:

  • Discussing client details in unsecured email or text
  • Saving notes to personal devices
  • Using consumer cloud services (Dropbox, Google Drive, iCloud) without a BAA
  • Mixing psychotherapy notes into the general chart
  • Sharing PHI with a referral source without written authorization
  • Letting admin staff see notes that should be restricted
  • Letting a BAA lapse or go unreviewed (confirm each vendor’s BAA is still in force, and covers the features you actually use, whenever you renew the subscription)
  • Not training new staff, interns, or contractors
  • Not handing every client a Notice of Privacy Practices
  • Not documenting disclosures

Six habits that prevent most violations:

1. Default to no. If you’re unsure whether you can share something, the answer is no until you confirm.

2. Document every disclosure. Date, recipient, what was shared, legal basis. Keep this log in the client’s record; clients are entitled to request an accounting of disclosures covering the previous six years.

3. Use HIPAA-compliant tools only. No BAA, no PHI. This includes email: a consumer Gmail or Outlook.com account comes with no BAA, while Google Workspace and Microsoft 365 business plans can be covered, but only once the BAA is signed and the covered services are configured the way the vendor’s HIPAA guidance requires.

4. Train annually. Yourself and anyone in the office. Document it.

5. Audit yourself quarterly. Spot-check separation, access controls (who can actually open psychotherapy notes in the EHR), and BAA status.

6. Have a breach response plan. Affected individuals must be notified without unreasonable delay and no later than 60 days after you discover the breach, whatever its size. For a breach affecting 500 or more people you also notify HHS within that 60-day window and, if those 500 are in one state or jurisdiction, prominent media outlets; smaller breaches go to HHS in the annual log due within 60 days after the end of the calendar year in which they were discovered. A lost encrypted laptop is generally not a breach of unsecured PHI at all, which is one more reason to encrypt.
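The separation rule from the group-practice section above, the quarterly access-control spot check (habit 5) and the disclosure log (habit 2) can all be made structural rather than a matter of memory. The Python below is an added illustration, not Mentalyc’s code and not a description of any particular EHR; every user id, client id and note in it is constructed for the example, and the policy it encodes is the page’s own: a psychotherapy note is readable only by its author or a supervisor named in a written agreement, a progress note only by the treating team, and a disclosure is recorded only when date, recipient, content and legal basis are all filled in.

```python
# Added example (not Mentalyc's code): deny-by-default access policy for
# psychotherapy vs progress notes, a quarterly audit of EHR grants against
# that policy, and an append-only accounting-of-disclosures log.
# All identifiers and sample data are constructed for illustration.
from dataclasses import dataclass
from enum import Enum


class NoteKind(Enum):
    PSYCHOTHERAPY = "psychotherapy"  # kept apart from the medical record
    PROGRESS = "progress"            # part of the record the client may access


@dataclass(frozen=True)
class Note:
    note_id: str
    kind: NoteKind
    author: str      # user id of the clinician who wrote it
    client_id: str


@dataclass
class Practice:
    # client id -> user ids on that client's treating team (progress notes)
    treatment_team: dict
    # supervisee -> supervisors named in a written supervision agreement
    supervision: dict


def can_read(practice: Practice, user: str, note: Note) -> bool:
    """Deny by default; grant only on an explicit, documented relationship."""
    if note.kind is NoteKind.PSYCHOTHERAPY:
        if user == note.author:
            return True
        # supervision-and-training exception, only where an agreement is on file
        return user in practice.supervision.get(note.author, set())
    return user in practice.treatment_team.get(note.client_id, set())


def audit_grants(practice: Practice, notes: list, grants: dict) -> list:
    """Quarterly spot check: compare the EHR's actual grants
    (user id -> set of note ids) against policy and return the
    (user, note_id) pairs that should be revoked."""
    by_id = {n.note_id: n for n in notes}
    return sorted(
        (user, note_id)
        for user, note_ids in grants.items()
        for note_id in note_ids
        if not can_read(practice, user, by_id[note_id])
    )


@dataclass(frozen=True)
class Disclosure:
    on: str          # ISO-8601 date of the disclosure
    note_id: str
    recipient: str
    what: str
    legal_basis: str


class DisclosureLog:
    """Append-only accounting of disclosures; incomplete entries are rejected."""

    def __init__(self) -> None:
        self._entries: list = []

    def record(self, practice: Practice, user: str, note: Note, d: Disclosure) -> None:
        # Only someone allowed to read the note may disclose it.
        if d.note_id != note.note_id or not can_read(practice, user, note):
            raise PermissionError(f"{user} may not disclose {note.note_id}")
        for name in ("recipient", "what", "legal_basis"):
            if not getattr(d, name).strip():
                raise ValueError(f"disclosure of {note.note_id} lacks {name}")
        self._entries.append(d)

    def for_note(self, note_id: str) -> list:
        return [e for e in self._entries if e.note_id == note_id]


# Constructed sample practice (fictional): owner "owner", clinicians "dr_a" and
# "dr_b"; dr_b is supervised by dr_a under a written agreement and treats client "c1".
PRACTICE = Practice(treatment_team={"c1": {"dr_b"}}, supervision={"dr_b": {"dr_a"}})
NOTES = [
    Note("p1", NoteKind.PROGRESS, "dr_b", "c1"),
    Note("t1", NoteKind.PSYCHOTHERAPY, "dr_b", "c1"),
]
# What a misconfigured EHR looks like: every login can open every note.
GRANTS = {u: {"p1", "t1"} for u in ("owner", "dr_a", "dr_b")}

if __name__ == "__main__":
    for user, note_id in audit_grants(PRACTICE, NOTES, GRANTS):
        print(f"revoke {user} -> {note_id}")
```

Running the block prints the three grants the audit would revoke in the sample configuration: the owner’s access to both notes and the supervisor’s access to a progress note for a client they are not treating. The point of `audit_grants` is that it compares what the EHR actually permits with what policy says, which is the check that catches an “all notes” role a vendor enabled by default.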

Free downloadable: 2026 HIPAA Psychotherapy Notes Compliance Checklist

A one-page reference you can tape inside your notes folder. Covers:

  • What goes in psychotherapy notes vs progress notes
  • 2026 encryption and MFA requirements
  • Access control checklist
  • Retention rules
  • Annual review prompts
  • BAA verification checklist for AI tools

Download the 2026 HIPAA Psychotherapy Notes Compliance Checklist (PDF)

References

  • U.S. Department of Health and Human Services. 45 CFR § 164.501. HHS.gov regulations
  • U.S. Department of Health and Human Services. Does HIPAA provide extra protections for mental health information? HHS FAQ 2088
  • U.S. Department of Health and Human Services. Court Orders and Subpoenas. HHS.gov
  • U.S. Department of Health and Human Services. Information Related to Mental and Behavioral Health. HHS.gov Mental Health
  • American Psychiatric Association. Psychotherapy Notes under HIPAA. Psychiatry.org PDF
  • American Psychological Association. CE Corner: Protecting patient privacy when the court calls. APA Monitor
  • HHS / OMB. Civil Monetary Penalty Inflation Adjustments, effective January 28, 2026. Federal Register summary
  • ONC. Cures Act Final Rule, Information Blocking. HealthIT.gov
  • OpenNotes. Federal Rule on Open Notes. OpenNotes.org
  • HIPAA Journal. HIPAA for Therapists, 2026 Update. HIPAA Journal

Disclaimer: This article is for informational purposes only and is not legal advice. HIPAA application varies by practice circumstance and state law. Consult a healthcare attorney for guidance specific to your situation. All examples of mental health documentation are fictional.

Your Author

Dr. Salwa Zeineddine, MD, is a physician in Internal Medicine and researcher at the American University of Beirut Medical Center (AUBMC). She holds a Doctor of Medicine degree and a BS in Biology with High Distinction from AUB, where she was the recipient of a full scholarship from the Faculty of Medicine after ranking among the top students on the Lebanese baccalaureate. Her achievements over the years made her realize that real success is one in which she can genuinely affect people’s lives, the reason why she became passionate about helping people better understand and manage their mental health. Salwa is an advocate for mental health, is committed to providing the best possible care for her patients, and works to ensure that everyone has access to the resources they need. At Mentalyc, Dr. Zeineddine writes clinical content on DSM-5 diagnostic criteria, clinical documentation standards, mental health outcome measures, and therapy note formats for mental health practitioners.
