
HIPAA For Therapists: Understanding The Basics

August 24, 2023



Note: This article is not intended to replace legal advice from a legal professional. If you are unsure about your rights or duties under the HIPAA law, consult a healthcare attorney for support. 

Several laws and regulations govern the field of healthcare, including mental healthcare. For that reason, it can be essential for therapists to grasp the laws that most affect them, including HIPAA. Understanding HIPAA can ensure you provide fair and legal care to your clients and don’t accidentally share protected health information. Keep reading to learn more about the components of HIPAA and how to ensure that you’re staying within its guidelines as a therapist. 

What Is HIPAA? 

HIPAA stands for the Health Insurance Portability and Accountability Act, which includes a section on the privacy of information for clients of healthcare providers. This section is called the HIPAA Privacy Rule, a federal law that gives clients rights over their health information. The information that clients are legally entitled to includes, but is not limited to: 

  • Information put on a client’s medical record 
  • Billing information about a client
  • Conversations a provider has with other care providers in a healthcare system 
  • A client’s diagnosis 
  • Therapy notes 
  • Information shared by the client in session, with a few exceptions

Who Is Required To Follow HIPAA Laws? 

The following types of healthcare professionals are required to follow HIPAA: 

  • Employees of covered entities, including health plans, healthcare organizations, doctors, and healthcare clearinghouses
  • Healthcare billing companies 
  • Healthcare administration companies 
  • Outside workers who perform contracts for covered healthcare workers, such as lawyers or IT workers
  • Companies that store healthcare records
  • Therapy office receptionists 
  • Some other business associates 

Covered entities are businesses or practices that must follow HIPAA according to law. Some healthcare providers might not have to follow HIPAA if they don’t fall into one of these categories. The following are examples of people who may not have to follow the privacy rules: 

  • Life insurers 
  • Employers 
  • Schools and school districts 
  • Law enforcement agencies 
  • Child protective services (CPS) and some health and human services government departments 
  • Workers’ compensation carriers 

Are There Differences In How HIPAA Protects Mental Health Information? 

HIPAA is slightly different for mental health professionals than for general healthcare providers because of the sensitive nature of mental healthcare and the protection of clients. Although therapists are required to protect client information, there are a few exceptions, including the following: 

  • The client has shared they are going to harm themselves. 
  • The client has shared they are going to harm someone else. 
  • The client is abusing someone vulnerable, such as a child, an elderly person, or someone with a disability. 
  • The client has not paid for services, and the therapist must break some confidentiality to receive payment. 
  • The state or federal government requests records through an official process, such as a court order. 

If a client has directly threatened to harm themselves, the therapist may contact any individual necessary to report this behavior. For example, they may contact the authorities or a client’s partner. If the therapist believes abuse is occurring, they might contact child protective services on behalf of a child. As mandated reporters by law, therapists must report this information, even if it may hurt the client-therapist relationship. 

In addition, therapists must report if a client is attempting to commit the crime of inflicting serious bodily injury on a reasonably identifiable individual. This law was developed after the Tarasoff v. Regents of the University of California ruling. In 1976, a client told his therapists he wanted to harm a woman he later killed. Because of this ruling, therapists today are required to report these threats. 

If you are experiencing suicidal thoughts or urges, call the 988 Suicide & Crisis Lifeline at 988 or text 988 to talk to a crisis provider over SMS. They are available 24/7 to offer support. 988 also offers an online chat for those with an internet connection.

If you are facing or witnessing abuse of any kind, the National Domestic Violence Hotline is available 24/7 for support. Call 1-800-799-SAFE (7233) or text “START” to 88788. You can also use the online chat.

What Classifies As A HIPAA Violation? 

A HIPAA violation may have occurred when a covered healthcare professional shares a client’s information without consent or an official release form. Note that information can be shared with a client’s emergency contact unless they object. 

However, healthcare information cannot be shared without written permission unless the law allows it. For example, suppose a therapist wants to share their client’s records and receive information from prior therapists. In that case, they must have the client sign an official legal release form with specifics on what information can be shared. In addition, the other provider who receives the form must sign and use the form as noted by the client. 

Pertinent information may be shared with someone in a client’s life if the client has agreed, has been given an opportunity to object and has not done so, and has indicated the other individual is involved in their treatment (for example, taking them to appointments or picking up medication). In some cases, people deemed legally incapable of making decisions because of unconsciousness or another incapacity may have another person legally appointed to receive information about their care. 

A therapist may be committing a HIPAA violation in the following scenarios: 

  • The therapist shares a client’s therapy notes with their partner. 
  • The therapist reports a client for a past crime. 
  • The therapist shares a story about their client with another therapist but uses the client’s name and identifiable information in the story. 
  • The therapist does not get rid of old information when a client is no longer with them. 
  • The therapist stores protected client, billing, or insurance information on a public hard drive or shares it with a third party. 
  • A therapist looks at the health records of other clients in their organization who are not their clients out of curiosity. 

How To Inform Clients Of Their HIPAA Rights 

To avoid HIPAA violations, healthcare professionals often read clients’ rights and offer contracts and paperwork upon establishing an official client-therapist relationship. Printing a copy of your practice’s policies and HIPAA compliance can show clients you are committed to protecting their sensitive information. It is required by HIPAA to share a Notice of Privacy Practices with all clients. 

If you want to share a client’s information or receive information from a previous healthcare provider, you can have your client complete a HIPAA release form. A release form may grant you access to a client’s past therapy notes. However, the client can mark on the form which information they don’t want you to access and how long you may be able to access their records. Clients have the legal right to reject a release form, as well. These forms are in place to protect you from legal backlash from sharing protected information. 

Are Therapy Notes Protected Under HIPAA? 

Therapy notes are protected under HIPAA, as they may discuss clients’ private information, such as their diagnosis, symptoms, or challenges. However, you can share these notes with another provider if a client signs a release specifically stating you will be sharing these notes. 

You do not need authorization to use notes for training, to defend yourself in a lawsuit brought by your client, for an investigation of HIPAA compliance, or to provide the notes to a medical examiner or coroner after the death of a client. 

Do Therapists Have To Show Clients Their Records? 

According to the Right of Access section in HIPAA, clients have a right to view copies of their medical records within 30 days of their request in their desired format. Therapists can charge a fee for printing, paper, or other reasonable costs, not including time spent retrieving the records. In addition, you do not have to show clients your therapy notes, as these notes are not considered the same as medical history or charting information. 

If you decide to share therapy notes with your client, remind them that the notes are not part of their medical record in this case, and what they view in the notes could upset them. Some therapists may show their clients therapy notes in session so they can discuss the content of the notes together and keep an open dialogue and trust between them. However, this is not a requirement. 

How To Protect Yourself As A Therapist

To protect yourself from HIPAA violations, below are a few tips to consider: 

  • If using insecure methods of communication, such as email or chat, remind your client that the method of communicating is not secure. 
  • Do not share medical records or information over email or text. 
  • Don’t interact with clients on social media. 
  • Don’t contact your clients’ family members, friends, or partners unless your client has requested you do so for treatment purposes. 
  • Don’t talk to a client in public unless they approach you to start a conversation. 
  • Store client information in a protected file or encrypted healthcare management system. 
  • Use proper disclosure forms and retrieve a client’s signature, ensuring the client filled out the form correctly. 
  • Take a HIPAA training course for therapists. 
  • Protect your devices from hacking using antivirus, firewall, and encryption software. 
  • Keep physical notes and records locked in your office. 
  • Don’t share client information unless you have a reason and are confident it is HIPAA compliant.
  • Consider speaking to a healthcare lawyer before starting a private practice. 

Support Options 

Therapists and clients can sometimes face barriers in seeking mental health support. In these cases, it may be beneficial to try online therapy platforms like BetterHelp, which have benefits for providers and clients alike. 

Through an online platform, clients can sign up to get matched with a provider and partake in phone, video, or live chat sessions. Providers working for the platform can choose their workload and take on as many or as few clients as they’d like. In addition, clients can access unique tools like journal prompts, worksheets, and support group sessions.

HIPAA also extends to online counseling platforms, making them a safe option for those who wish to use them. Chats are conducted over a secure network, allowing clients to share freely without worrying about their information being mishandled or misused. 

Research also backs up the effectiveness of online therapy. One study found that online therapy could be more effective than face-to-face methods in reducing the symptom severity of various mental health conditions. Researchers also concluded that teletherapy generally offers more affordability and quality of life. 


HIPAA can be complex to understand, but therapists may benefit from reviewing each detail of the law to ensure full compliance whether they deliver their services in person or online. Note that therapists may not have to follow HIPAA if they are not a covered entity. If you’re a contractor or private practice provider and want to understand your qualifications, consider speaking to an attorney specializing in healthcare privacy acts to learn more.