Therapy notes must be HIPAA compliant when they contain protected health information and are created, received, maintained, or transmitted by a HIPAA Covered Entity or Business Associate. A separate category called psychotherapy notes is subject to stricter HIPAA Privacy Rule controls, and to distinct handling under the HIPAA Security Rule when maintained electronically as electronic protected health information.
Most documentation created in a behavioral health setting is protected health information when it identifies the individual and relates to the individual’s health condition, care, or payment for care. This includes clinical documentation commonly labeled as progress notes, intake notes, assessment results, treatment plans, medication information, and appointment information when the content is linked to an identifiable patient. When these records are maintained or transmitted electronically, they are electronic protected health information and require the administrative, physical, and technical safeguards required by the HIPAA Security Rule.
Psychotherapy notes are a narrower category than routine therapy documentation. They are notes recorded by a mental health professional documenting or analyzing the contents of a counseling session and kept separate from the rest of the patient’s medical record. They exclude items such as medication prescription and monitoring, session start and stop times, modalities and frequencies of treatment, test results, and summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress. When a provider stores counseling observations within the designated record set or within routine clinical documentation, those records are not psychotherapy notes even if they are created during therapy.
The HIPAA Privacy Rule applies different use and disclosure conditions to psychotherapy notes than to other protected health information. Uses and disclosures of psychotherapy notes typically require the individual’s authorization, including disclosures for treatment by a provider other than the originator of the notes, subject to limited exceptions permitted by the HIPAA Privacy Rule. By contrast, routine therapy documentation that is not psychotherapy notes may be used and disclosed without authorization for treatment, payment, and health care operations when the HIPAA Privacy Rule conditions are met.
Patient access rights also differ. The HIPAA Privacy Rule right of access applies to protected health information in the designated record set, subject to limited exceptions, but psychotherapy notes are excluded from the right of access. This distinction affects response workflows for record requests, portal access configuration, and release of information procedures for behavioral health documentation.
HIPAA compliant handling of therapy notes requires operational controls that match the medium and the risk. Paper records require physical safeguards such as controlled storage, controlled copying, and disposal controls. Electronic systems require access controls, audit controls, transmission security, device and media controls, workforce access management, and documented risk analysis and risk management actions under the HIPAA Security Rule. Organizations that use vendors to store or transmit therapy notes must address business associate agreement requirements and limit workflows to services covered under those agreements.
Organizations should also account for privacy obligations beyond HIPAA when applicable, including more restrictive state confidentiality rules and federal substance use disorder confidentiality requirements for certain records, because those requirements can restrict disclosures even when the HIPAA Privacy Rule would permit disclosure.

