Man sitting on couch and talking to his therapistMost health care professionals are familiar with the Health Insurance Portability and Accountability Act, most commonly known as HIPAA, and the importance of upholding its requirements. In short, HIPAA works to protect the confidentiality of people receiving medical treatment.

The Privacy Rule, added to this legislation in 2000, set further standards to prevent inappropriate use or disclosure of protected health information (PHI). Importantly, it also:

  • Clarified when therapists and counselors were able to share treatment information with other care providers and a client’s family members.
  • Made provisions to allow therapists and counselors to keep psychotherapy notes separate and confidential.

Protecting the confidentiality of people in therapy has been a primary concern of mental health professionals, even before HIPAA became law. But having a law that enforces privacy requirements by penalizing health care providers who aren’t compliant can make it more likely people seeking help will trust their disclosures will remain private, except in a few specific circumstances. This is relevant for the mental health profession because privacy concerns may act as a barrier to many people who might otherwise seek help.

Why Is HIPAA So Important for Therapists?

HIPAA’s primary purpose is to protect the privacy of people receiving health care services. But during the course of mental health treatment, there may come a point where the therapist providing care believes it necessary to share certain information with a client’s partner, parent, or doctor, or with law enforcement. HIPAA establishes standards for sharing this kind of information with other people involved in someone’s care.

HIPAA requirements help protect not only people in therapy, but also the therapists providing treatment. The protections offered by HIPAA not only protect confidentiality of people receiving health care, they can also lead to improved treatment by allowing health care professionals and family members to collaborate.

Under HIPAA, therapists may share pertinent information (information directly related to treatment) with people involved in a person’s care if the person in treatment:

  • Has agreed.
  • Has been given an opportunity to object and has not objected.
  • Has indicated they don’t object by bringing a partner to treatment or having a parent help schedule sessions and pick up prescriptions.
  • Is unconscious, delirious, experiencing psychosis, intoxicated, or otherwise incapable of making decisions.

Therapists are allowed to discuss information that’s relevant to a person’s care with other members of their health care team. This wouldn’t include information from psychotherapy notes or any information about substance abuse treatment from a licensed treatment program.

In the case of a minor or client who can’t make their own health care decisions, a therapist can share information directly related to care with the caregiver or representative, unless there is reasonable concern they are causing harm or acting against that person’s best interests. Information shared might include symptoms, treatment, or progress, but not psychotherapy notes.

It’s important to note HIPAA requirements only go one way. A therapist (or other health care provider) must protect the information of the person they’re working with, but it’s always permitted for family members and loved ones to share information about a person’s mental health with the care provider.

Provisions under HIPAA allowing therapists to communicate certain information can help therapists, doctors, and family members collaborate on treatment, which can lead to improved, more supportive care.

HIPAA in the Mental Health Field: What Makes It Unique?

Because some of HIPAA’s broader requirements don’t readily translate to the needs of a small private practice, HIPAA training for therapists may vary somewhat from standard HIPAA training for health care providers. Therapists are responsible for upholding the same requirements and must comply with HIPAA, but it’s often the case that they must use the information provided in training to determine the best way to become compliant with HIPAA. For example, therapists who use technology that isn’t HIPAA-compliant, such as email, must take care to inform clients that email communications, for example, may not be secure.

An important aspect of HIPAA in the mental health field is that it allows therapists to decide when sharing information about their client is in that person’s best interest—such as to reduce suicide risk or prevent them from harming someone else. If someone in therapy has expressed thoughts of suicide, for example, and has a plan and the means to carry it out, a therapist may contact and notify anyone with a reasonable ability to reduce the risk of harm. This could be a partner, parent, doctor, emergency services, or all of the above. Part of HIPAA training for therapists can involve learning what situations might require this type of “best-interest” action. A therapist acting on the belief their client is in danger or putting someone else in danger will typically not be penalized.

Some therapists keep psychotherapy notes, or documentation of their personal thoughts during a session about their client’s progress or condition. These notes are protected under HIPAA. When they are kept separately from the rest of the person’s record, they can remain private in most circumstances. They do not have to be shared with insurance companies, parents of clients, other care providers, or even the client.

How to Learn More About Your HIPAA Requirements

If you’re interested in learning more about HIPAA requirements, a number of online sources offer clear, detailed information about the act, including any recent updates. If you’re doing research online, it’s best to get your information from a verified source, such as websites run by hospitals or other medical agencies, government agencies, or not-for-profit agencies that operate with a goal of sharing factual information with the public.


Making sure you understand HIPAA requirements and how they apply to you is essential for the success of your private practice.

HIPAA helps increase the likelihood of successful mental health treatment. People who don’t fear unnecessary disclosure of things they’ve shared during a session may be more likely to reach out for help, knowing they are protected. Similarly, therapists with a valid concern about a client’s risk can, in compliance with HIPAA, share information to help protect the safety of the client or someone close to them.

Learning more about this complicated legislation can help you develop more confidence in navigating privacy and ethical dilemmas in therapy. GoodTherapy has several continuing education courses providing more information about HIPAA and ethics in a variety of contexts. You can find those, along with other CE events on a wide range of mental health topics, here.


  1. Does a parent have a right to receive a copy of psychotherapy notes about a child’s mental health treatment? (2017, September 12). Office of Civil Rights. Retrieved from
  2. HIPAA helps caregiving connections. (n.d.). U.S. Department of Health and Human Services. Retrieved from
  3. HIPAA privacy rule and provider to provider communication. (n.d.). American Academy of Pediatrics. Retrieved from
  4. HIPAA privacy rule and sharing information related to mental health. (n.d.). U.S. Department of Health and Human Services. Retrieved from
  5. Holloway, J. D. (2003). More protections for patients and psychologists under HIPAA. Monitor on Psychology, 34(2), 22. Retrieved from
  6. Legal and Regulatory Affairs Staff. (n.d.). The HIPAA privacy rule: Frequently asked questions. American Psychological Association. Retrieved from
  7. Nicholson, R. (2002). The dilemma of psychotherapy notes and HIPAA. Journal of AHIMA, 73(2), 38-39. Retrieved from 
  8. Understanding what HIPAA means for mental illness. (2014, April 15). National Alliance on Mental Illness. Retrieved from