You’ve likely heard the term “patient confidentiality” before, but do you know exactly where the boundaries lie? In your role as a mental health professional, you are privy to extremely sensitive information about your clients’ lives. Maintaining confidentiality is foundational to your practice. But it is also complex. There are legally and ethically defined exceptions, and understanding them is not optional.
This guide covers the main exceptions to confidentiality in counseling, explains how HIPAA applies specifically to psychotherapy notes, walks through client requests for note access, and offers best practices for securing sensitive records. The goal is to equip you with clear, practical guidance so you can uphold client privacy rights while meeting your legal and ethical obligations.
Why Therapist-Patient Confidentiality Matters
Confidentiality is the cornerstone of effective counseling and psychotherapy. Your primary responsibility is to protect your clients’ privacy. Confidentiality builds the trust and openness that make it possible for clients to share sensitive details about their lives, thoughts, and experiences.
Without this assurance, many people would avoid seeking counseling entirely, whether from fear of stigma, embarrassment, or legal consequences. The American Psychological Association (APA) and the National Association of Social Workers (NASW) both treat confidentiality as a core professional ethical obligation [1][2].
The 6 Main Exceptions to Confidentiality in Counseling
There are six recognized situations where a therapist may be legally or ethically required to break confidentiality. The specific rules vary by state, but these categories are standard across most jurisdictions:
1. Mandatory reporting of child abuse or neglect (required in all 50 states)
2. Mandatory reporting of elder or dependent adult abuse (required in most states)
3. Duty to warn or protect when a client poses imminent danger to an identifiable third party
4. Imminent risk of self-harm or suicide that meets the threshold for involuntary commitment
5. Court orders and legally valid subpoenas from a judge
6. National security investigations under federal law
Insurance and billing disclosures and therapist self-protection situations also permit limited disclosure in specific circumstances, covered below.
Understanding these limits is both an ethical obligation and a clinical safeguard for you and your client. Cover them explicitly in your informed consent process before the first session begins.
When Can a Therapist Break Confidentiality? Detailed Breakdown
1. Mandatory Reporting: Child Abuse and Neglect
All 50 states require mental health professionals to report suspected child abuse or neglect. This is a non-discretionary obligation: if you have reasonable suspicion, you report. The standard is not certainty. Reports cover physical abuse, emotional abuse, sexual abuse, and neglect when a child’s basic needs are unmet.
You do not need the client’s consent. You do not wait for confirmation. If a client discloses information that leads you to suspect a child is being harmed or is at risk, you contact the appropriate child protective services agency in your state.
2. Mandatory Reporting: Elder and Dependent Adult Abuse
In most states, mental health professionals are mandatory reporters for suspected abuse, neglect, financial exploitation, or abandonment of elderly or dependent adults who cannot protect themselves. State definitions of “elder” and “dependent adult” vary, so confirm the threshold in your jurisdiction.
As with child abuse reporting, the standard is reasonable suspicion, not confirmed evidence.
3. Duty to Warn: When a Client Poses Imminent Danger to a Third Party
This is among the most clinically nuanced exceptions. The duty-to-warn doctrine stems from the landmark 1976 California Supreme Court case Tarasoff v. Regents of the University of California [3]. In that case, the court held that a therapist has a duty to warn an identifiable victim when a client poses a serious and imminent threat of harm.
The “imminent” qualifier matters. A vague statement of anger or a historical grievance does not typically meet the threshold. Most states require the threat to be serious, credible, and imminent before the duty to warn is triggered.
The identifiable victim requirement also matters. Duty to warn generally applies when there is a specific, identifiable potential victim, not a generalized threat to the public.
State law varies significantly:
- Mandatory duty-to-warn states: require therapists to take protective action (warning the victim, notifying law enforcement, or seeking involuntary commitment) when the threshold is met.
- Permissive duty-to-warn states: give therapists discretion to disclose without creating an obligation to do so.
- States with no duty-to-warn statute: some states have no statute, leaving therapists to rely on their licensing board ethics codes and general negligence standards.
The National Conference of State Legislatures maintains a current breakdown of state-by-state duty-to-warn laws [8]. Familiarize yourself with the rules in every state where you are licensed.
When a client makes a threat that meets your state’s threshold, document your clinical reasoning thoroughly. For guidance on how to structure that documentation when self-harm is involved, see the Mentalyc guide on how to document suicidal ideation.
4. Imminent Risk of Self-Harm or Suicide
If a client is in imminent danger of harming themselves and is unwilling or unable to seek voluntary help, clinicians may be required to initiate an involuntary psychiatric hold or notify emergency services. The threshold typically requires the risk to be current and serious, not a historical disclosure or a passive statement.
This is a clinical judgment call informed by a structured risk assessment. Document your reasoning, the factors you weighed, and the steps you took regardless of the outcome.
5. Court Orders and Subpoenas
Therapists must comply with a court order signed by a judge requiring disclosure of confidential information. However, receiving a subpoena from an attorney is not the same as receiving a court order. A subpoena initiates a legal process but does not, by itself, compel immediate disclosure.
When you receive a subpoena: notify your client immediately, consult with a mental health attorney before releasing anything, and determine whether the subpoena is accompanied by a valid court order. If legally compelled to disclose, release only the minimum information specifically requested by the court.
For a detailed breakdown of this process, see the Mentalyc article on whether psychotherapy notes can be subpoenaed. If a judge orders you to release client records, also review the guidance on when clients can access mental health records.
6. National Security Investigations
Federal law requires therapists to disclose client information when a client is the subject of a national security investigation. This is one of the few exceptions where you cannot inform the client that you have disclosed their information. This provision exists under federal statutes governing intelligence and counterterrorism activities.
Insurance and Billing Disclosures
When a third-party payer, such as a health insurance company or a government program like Medicaid, covers treatment, you are generally required to share certain clinical information: diagnostic codes, treatment dates, and billing-related data. This does not typically include psychotherapy notes, but it does require disclosure beyond what a fully private-pay practice would involve.
Clients should understand this during the informed consent process before they decide how to pay for services. If you bill Medicare or Medicaid, the CMS psychotherapy documentation requirements add a layer of federal rules on top of HIPAA. See also the Mentalyc guide to insurance panels for therapists for context on payer disclosure requirements.
Protecting Yourself from Harm
In rare cases involving a clear and present threat to your safety, such as a client who persistently harasses you, makes unwanted contact, or physically attacks you, limited disclosure may be warranted. In these situations, consult with experienced colleagues, contact your licensing board, and disclose only the minimum information required to resolve the immediate threat. This exception applies narrowly and only when other options have been exhausted.
Consulting with Colleagues
Peer consultation and supervision are not exceptions to confidentiality in the strict legal sense, but they deserve mention. You may share case information with colleagues or supervisors to obtain clinical guidance. Do so using de-identified information whenever possible. If identification is unavoidable, obtain client consent in advance or limit disclosure to what is clinically necessary. In settings with co-treating providers, see the Mentalyc guide on collaborative and concurrent documentation for how to handle shared records properly.
Your advice or recommendations in consultation must be grounded in sound clinical judgment and evidence-based practice.
In all situations where you break confidentiality, be transparent with your client when clinically and legally appropriate. Focus on safety. After making a report, discuss the next steps with your client and support them in processing their feelings about the breach.
Privacy Distinction: Psychotherapy Notes vs. Progress Notes
Before covering HIPAA disclosure rules, you need to understand a foundational distinction. Psychotherapy notes are personal notes you take during or after a session. They capture your clinical impressions, hypotheses, and the nuances of a client’s story.
Progress notes are objective, factual records of treatment: symptoms, medications, diagnoses, and session content. They include treatment summaries, treatment plans, and clinical assessments. Understanding the difference between psychotherapy notes and progress notes is critical because they carry very different legal protections under HIPAA.
Psychotherapy notes are granted exceptional protection under HIPAA and are generally not accessible to anyone except the originating therapist. Progress notes are part of the formal medical record and can be shared with other treating providers under standard HIPAA rules.
How HIPAA Applies to Disclosing Psychotherapy Notes
HIPAA regulations require written client authorization before you can disclose psychotherapy notes to outside parties. This protection is stronger than what applies to standard medical records.
When can psychotherapy notes be disclosed without patient authorization? The following circumstances allow disclosure without a signed release:
1. Treatment by the originating therapist: you may use your own notes to treat the client who is the subject of those notes.
2. Training and supervision: mental health trainees working under clinical supervision may access notes for learning purposes.
3. Mandatory reporting and duty to warn: disclosures legally required by state or federal law, such as abuse reporting or imminent-harm situations.
4. Court orders: when a judge specifically orders the release of psychotherapy notes for a legal proceeding, you must comply. Provide only the minimum information the court requires.
5. Healthcare oversight: for audits or oversight activities by federal health oversight agencies or licensing boards.
6. Therapist’s defense in a client-initiated legal action: if a client sues you, your notes become available for your own defense.
7. Client-signed written authorization: the client has signed a written authorization specifying what information is released, to whom, and for what purpose. Verbal permission is not sufficient under HIPAA.
For a comprehensive treatment of this topic, see the Mentalyc guide on HIPAA and psychotherapy notes.
Handling Client Requests for Access to Psychotherapy Notes
Clients generally have a legal right to access their medical records under HIPAA. Psychotherapy notes are explicitly exempt from this general right. You may deny a client’s request for psychotherapy notes if you believe releasing them could cause harm.
When You Can Deny Access
HIPAA permits denying access in circumstances including:
- You believe releasing the notes could reasonably endanger the client’s life or physical safety, or that of another person (for example, if a client has expressed suicidal or homicidal thoughts not yet fully addressed in treatment).
- The notes contain information about a third party whose privacy would be breached by disclosure.
- You believe the client would be harmed or would not benefit from reading the notes without proper clinical context.
- The notes were written as a personal clinical tool capturing your thought process rather than objective facts about the client’s condition.
California law allows providers to deny access when providing it could lead to a substantial risk of significant adverse or detrimental consequences to the patient [9].
How to Deny a Request
If you choose to deny a client’s request for psychotherapy notes, HIPAA requires you to provide a written denial within 30 days. Your written denial should include:
- The reason for denial, including a statement that releasing the notes could endanger the client or a third party or breach another person’s privacy.
- A statement that the client has the right to have the denial reviewed by an independent mental health professional.
- Instructions for how the client can file a complaint or request a review.
Where appropriate, offer to summarize the notes or discuss their contents in session. This often addresses the client’s underlying need while still protecting the notes themselves.
Safeguarding Psychotherapy Notes
Your responsibility to protect client records does not end at the session door. Both physical and digital safeguards are required under HIPAA.
Physical Security
Keep all notes in a secure location accessible only to authorized personnel. Use a locked cabinet, drawer, or room. Never leave notes in plain sight. Keep backup copies in a secure off-site location to protect against fire or disaster.
Digital Security
Use password-protected, encrypted storage for any electronic notes. Enable two-factor authentication wherever possible. Avoid consumer cloud storage services such as Dropbox or standard Google Drive, which do not meet HIPAA compliance standards. For a full walkthrough, see the Mentalyc guide on how to keep psychotherapy notes HIPAA-compliant.
Mentalyc is HIPAA-compliant and signs BAAs with covered entities. If you use an AI note-taking tool for therapy sessions, confirm it meets HIPAA technical safeguard requirements before storing any protected health information. See also the Mentalyc guides on HIPAA-compliant transcription software and HIPAA-compliant note-taking apps for a breakdown of what to look for.
For a full overview of technical and administrative safeguards, see the Mentalyc security page.
Destruction of Records
When notes are no longer needed for treatment, obtain written permission from the client before deciding to destroy them. Shred all paper notes. Permanently delete electronic files in a way that prevents recovery. Keep a record of when and how destruction occurred.
Documentation Best Practices
Psychotherapy notes should contain only necessary clinical information. Avoid speculation or personal opinions not grounded in clinical observation. Poor documentation practices carry real consequences: see the Mentalyc guide on legal risks of poor therapy documentation for what boards and courts look for. Maintain a log of every disclosure of psychotherapy notes, including the date, recipient, and information disclosed. Inform clients in your disclosure statement that notes are kept private but may be accessed under specific circumstances described in your consent forms. For more on structuring these records, see the Mentalyc guides on progress notes for individual therapy, the purpose of progress notes, note-taking during therapy sessions, and the progress note generator for a practical template reference.
Having Open Conversations About Confidentiality With Clients
Transparent communication about confidentiality is not a one-time event during intake. It is an ongoing part of the therapeutic relationship.
Set Clear Expectations at the Start
At the beginning of therapy, explain what confidentiality means, its purpose, and its specific limits under your state’s laws and your licensing board’s code of ethics. Be clear that you will maintain their privacy except in the specific situations where you are legally or ethically required to act. Cover mandatory reporting for abuse, duty-to-warn obligations, and the possibility of court-ordered disclosure.
This conversation should happen as part of the formal informed consent process. Document that it occurred.
Address Questions and Concerns
Invite clients to ask questions and address concerns without dismissing them. Reassure clients that you will inform them before disclosing their information wherever you are legally permitted to do so. Make clear that they have the right to withdraw consent for treatment if they become uncomfortable with how their information is handled.
Review Throughout Treatment
Confidentiality is not a topic to cover once and set aside. Revisit it whenever clients disclose sensitive material, when state laws change, or when new reporting obligations are triggered. If a client expresses thoughts of harming themselves or others, remind them of mandatory reporting requirements in that moment, calmly and clearly.
If you need to break confidentiality, tell the client what you are doing and why before you act, when clinically appropriate. Explain what information will be disclosed and to whom. Seek their input wherever feasible. Discuss how to preserve the therapeutic relationship afterward.
If these situations are taking a toll on you, self-care for therapists is not a luxury. The emotional weight of breaking confidentiality is real, and seeking your own support is a sign of professional maturity.
References
[1] American Psychological Association. (n.d.). Protecting your privacy: Understanding confidentiality in psychotherapy. https://www.apa.org/topics/psychotherapy/confidentiality
[2] American Psychological Association. (n.d.). Ethical Principles of Psychologists and Code of Conduct. https://www.apa.org/ethics/code
[3] Society for the Advancement of Psychotherapy. (n.d.). Confidentiality and its Exceptions: The Case of Duty to Warn. http://www.societyforpsychotherapy.org/confidentiality-and-its-exceptions-the-case-of-duty-to-warn
[4] GoodTherapy. (n.d.). Client Confidentiality. https://www.goodtherapy.org/blog/psychpedia/client-confidentiality
[5] Psychology Today. (n.d.). Therapy and Confidentiality. https://www.psychologytoday.com/us/basics/therapy/therapy-and-confidentiality
[6] U.S. Department of Health and Human Services. (n.d.). HIPAA and Mental Health. https://www.hhs.gov/hipaa/for-professionals/special-topics/mental-health/index.html
[7] U.S. Department of Health and Human Services. (n.d.). Does HIPAA provide extra protections for mental health information compared to other health information? https://www.hhs.gov/hipaa/for-professionals/faq/2088/does-hipaa-provide-extra-protections-mental-health-information-compared-other-health.html
[8] National Conference of State Legislatures. (n.d.). Mental Health Professionals’ Duty to Warn. https://www.ncsl.org/health/mental-health-professionals-duty-to-warn
[9] California Association of Marriage and Family Therapists. (n.d.). A Patient’s Mental Health Records Under HIPAA. https://www.camft.org/Resources/Legal-Articles/Chronological-Article-List/a-pati
[10] Compliancy Group. (2023). HIPAA Right of Access: Reasons for Denial of Access. https://compliancy-group.com/hipaa-right-of-access-reasons-for-denial-of-access/
[11] Holland and Hart LLP. (n.d.). HIPAA, Psychotherapy Notes, and Other Mental Health Records. https://www.hollandhart.com/hipaa-psychotherapy-notes-and-other-mental-health-records
[12] American Psychiatric Association. (n.d.). Psychotherapy Notes under HIPAA. https://www.psychiatry.org/File%20Library/Psychiatrists/Practice/Practice-Management/Practice-Management-Guides/GeneralIssues-psychotherapy-notes-HIPAA.pdf



