Mental health practitioners have a legal and ethical duty to protect their clients’ privacy. Cybersecurity attacks can expose clients to financial harm, fraud, and even physical danger when abusive partners and other criminals seek access to private data.

Many therapists think their businesses are too small to warrant the attention of cyber criminals, but 58% of cyber attacks in 2017 targeted small businesses. These attacks can be devastating. In some cases, they even include exorbitant ransom fees to regain access to critical data. Sixty percent of small businesses go out of business within 6 months of an attack. You may also face lawsuits and licensing board complaints from clients. If your security practices are severely or knowingly negligent, you could even face criminal charges. 

Shoring up your digital security takes just a few minutes and can save you months of time and thousands of dollars in needless expenses. Here are nine cybersecurity policies therapists should adopt now.

1. Ensure You Can Always Access Records 

Clients own their medical records, including their therapy records. This means you must be able to access these records and provide them to clients at their request. This presents a dilemma: while records must be accessible, they must also be secure. Storing records on your computer is unsafe because you may lose these records in a technical glitch, and third parties may access them if they gain control of your computer. Instead, back up client files to a secure cloud storage space.

2. Be Mindful of Email Scams

Many cyberattacks aren’t particularly sophisticated. Instead, criminals take advantage of people who are rushed, inattentive, or who have trouble navigating technology. Email scams are abundant, but you can avoid most of them with the following steps:

  • Never open or run a program on your computer if you do not know what it does.
  • Do not download or open attachments from unknown senders.
  • Do not give sensitive information, such as passwords or account access, to senders who request this information via email. If you think your bank, data storage provider, or another entity is trying to contact you, navigate directly to the website or call them instead.

3. Encrypt Sensitive Data 

HIPAA cybersecurity rules are clear: clinicians must encrypt sensitive client data. When you digitally store patient information, ensure their records are encrypted, not sitting in an open and easily accessible file. Similarly, ensure you communicate with clients only across secure, encrypted channels. Most email providers do not automatically encrypt messages, which means you may need to pay for encrypted email or use practice management software to send messages. Perhaps most importantly, if you offer telemental health services, ensure you do so only across an encrypted channel and never on an unsecured network.

4. Secure Your Physical Space 

A person doesn’t have to hack into your email to get sensitive client data. If they gain access to your physical space, they can steal private information with little or no technical expertise. These strategies can mitigate the risk:

  • Keep your office door locked when you are not present.
  • Do not leave your laptop or phone in your car, even if the door is locked.
  • Do not store sensitive data in a physical location, such as a file cabinet or on your computer.
  • Lock your phone and laptop with passwords so that even if they are stolen, it is more difficult to use them.
  • Consider installing an auto-wipe feature that allows you to wipe all data from your phone or laptop if someone steals these devices. 

5. Be Careful with Telemental Health

Telemental health is a great tool that can make therapy more accessible and expand a therapist’s reach. It also presents some serious risks when not implemented correctly. Offering therapy through an insecure channel could give criminals access to your client’s entire therapy session. Reduce the risks of telemental health by:

  • Never offering telemental health from a public location.
  • Using only secure, encrypted telemental health providers.
  • Educating clients about security issues, such as the risk that third parties might overhear their therapy session or access treatment data if they attend therapy via a public network.

6. Carefully Manage Your Passwords

Research consistently finds that most people use inadequate passwords and rarely change them. This puts your practice and your clients at risk. These tips can strengthen your passwords and lock up your data:

  • Choose long, complex passwords. Do not use terms that are easy to guess, such as the name of your dog or variations of the word “password.” Incorporate letters, numbers, and symbols.
  • Change your passwords regularly—ideally every month.
  • Use different passwords on different websites such that if one site is compromised, it doesn’t open access to all your accounts.
  • Use a secure password log if you need help remembering your passwords.
  • Avoid entering passwords on public computers, since criminals can easily install keystroke loggers on these devices.
  • Do not store passwords on your computer or phone.

7. Assign User-Specific Permissions

If you operate your own practice, you probably use practice management software to integrate treatment notes, manage billing, and communicate with other providers. Do not give everyone in the practice the same level of access or share a password across providers. Instead, give everyone their own account, and set up user-specific permissions. No one should have access to data that they do not need, or information that they could use to intrude on a client’s privacy. 

8. Use a Secure Internet Connection 

No matter how many security measures you adopt, your clients won’t be safe if you access the internet or therapy notes on an unsecured channel. Never use public networks to view patient notes, open emails from clients, or deliver telemental health. Instead, use only your own encrypted network, and set your preferences to always require a password to log in.

9. Add Additional Layers of Security Where Necessary

Therapy cybersecurity requires you to think critically and intelligently. Take stock of your practices every few months and identify your biggest areas of exposure and risk—especially if you’ve recently experienced a security breach. Add additional layers of security where there are significant risks or potential liabilities. For example, adding two-factor authentication for secure email on your phone can thwart a thief’s attempt to access secure client data. Storing patient records on a password-protected hard drive that you keep in a safe can help back these records up without creating an easy point of access for intruders. 

GoodTherapy helps clinicians meet their ethical duties, including to protect client privacy. We offer a vast array of continuing education seminars, as well as interesting blog posts and lively discussions on topics that can help you run a better, more effective practice. Members also get listed in our popular therapist directory. Become a member and get listed today!


  1. Health industry cybersecurity practices: managing threats and protecting patients [PDF]. (n.d.). Retrieved from
  2. Townsend, P. (2016, April 1). Does HIPAA require encryption of patient information (EPHI)? Retrieved from