
HIPAA Compliant Documentation for Therapists

HIPAA documentation requirements for therapists. Secure storage, client access rights, retention requirements, and billing documentation.

Last updated: January 2026

Your clinical documentation is protected health information. How you create it, store it, share it, and retain it all fall under HIPAA requirements. Get it wrong, and you risk violations. Get it right, and you protect both your clients and your practice.

This guide covers HIPAA's documentation requirements: what to include, how to store records securely, client access rights, and retention requirements that keep you compliant.


HIPAA Documentation Requirements

HIPAA doesn't dictate exactly what to put in your clinical notes—that's determined by clinical standards, licensing requirements, and payer expectations. However, HIPAA does govern:

  • How you protect documentation (security)
  • Who can access it (privacy)
  • How long you keep it (retention)
  • How clients can access and amend it (patient rights)

The Minimum Necessary Standard

HIPAA requires you to limit PHI use and disclosure to the "minimum necessary" to accomplish the purpose.

What This Means for Documentation

Don't over-document: Include what's clinically relevant. Extraneous personal details that aren't treatment-related create risk without benefit.

Match disclosure to purpose: When sharing records, share only what's needed:

  • Insurance claim? Diagnosis, CPT code, dates—not full session notes
  • Referral to psychiatrist? Relevant clinical summary—not entire file
  • Legal request? Only what's legally required

Documentation That Supports Billing

Your notes must support the services billed. This means documenting:

  • Date of service
  • Start and stop times (for time-based CPT codes)
  • Services provided
  • Medical necessity (diagnosis, symptoms, functional impairment)
  • Interventions and client response

CPT Codes for Therapists →

ICD-10 Codes for Mental Health →


Psychotherapy Notes: Special Protection

HIPAA creates a special category called "psychotherapy notes" with extra protection.

What Are Psychotherapy Notes?

Notes that are:

  • Documented by a mental health professional
  • Analyzing or summarizing a counseling session
  • Kept separate from the medical record
  • Used only by the therapist who wrote them

Examples: Your personal reflections on sessions, detailed process notes, impressions, hypotheses, countertransference notes.

What Psychotherapy Notes Are NOT

Regular clinical documentation including:

  • Medication management information
  • Session start/stop times
  • Treatment modalities used
  • Frequency of treatment
  • Functional status
  • Treatment plan
  • Symptoms
  • Prognosis
  • Progress to date

Most standard session notes are not psychotherapy notes under HIPAA's definition.

Why It Matters

Psychotherapy notes require a specific, separate client authorization for almost every disclosure, including disclosures for payment and healthcare operations and even routine treatment disclosures to other providers. The only exceptions are narrow ones, such as the originating therapist's own use of the notes for treatment, use in the practice's own training, or defending a legal action the client brings. Regular clinical notes, by contrast, can be disclosed for treatment, payment, and operations without separate authorization.

Practical implication: If you keep separate personal notes with your private reflections, those have extra protection. Your standard session notes documenting treatment don't have this extra protection, and labeling them "psychotherapy notes" doesn't change that if they contain the items listed above or are stored in the medical record.


Storing Documentation Securely

Electronic Records (ePHI)

If you use electronic health records—and most therapists do—the HIPAA Security Rule applies.

Required safeguards:

  • Access controls: Unique user IDs, strong passwords, automatic logoff
  • Audit controls: System tracks who accessed what records and when
  • Integrity controls: Records can't be improperly altered
  • Transmission security: Encryption when sending records

Practical implementation:

  • Use a HIPAA-compliant EHR with a signed business associate agreement (BAA)
  • Use a strong, unique password for EHR access (not reused from any other account)
  • Enable multi-factor authentication on the EHR, and on the email account that can reset its password
  • Log out, or rely on automatic logoff, when stepping away
  • Don't access records on public WiFi without a VPN
  • Keep every device that touches records (laptop, phone, tablet) encrypted with full-disk encryption and locked with a password or PIN

Paper Records

If you maintain any paper records:

  • Locked file cabinets
  • Restricted access (only you, authorized staff)
  • Secure disposal (shredding, not regular trash)
  • Physical office security (locks, limited access)

Backup and Recovery

  • Regular backups of electronic records
  • Backup storage must also be secure
  • Plan for recovering records if primary system fails

Client Access Rights

HIPAA gives clients significant rights regarding their records.

Right to Access

Clients can request copies of their records. You must:

  • Provide access within 30 days (one 30-day extension allowed)
  • Provide records in the format requested if reasonably possible
  • Charge only reasonable, cost-based fees for copies

Limited Exceptions to Access

You may deny access in limited circumstances:

  • Psychotherapy notes (excluded from the right of access; releasing them is at your discretion and requires the client's authorization)
  • Information compiled for legal proceedings
  • If access would endanger the client or another person

Denials must be in writing and explain the reason.

Right to Amend

Clients can request amendments to their records. You may:

  • Accept the amendment and make the change, or
  • Deny if the record is accurate/complete, was not created by you, or is not part of records used to make decisions about the client

If you deny, provide written explanation and allow the client to submit a statement of disagreement.

Right to Accounting of Disclosures

Clients can request a list of when their PHI was disclosed and to whom during the six years before the request (with exceptions for treatment, payment, operations, and disclosures the client authorized).


Sharing Records

When You Can Share Without Authorization

Treatment: Sharing with other providers involved in client's care (psychiatrist, PCP, other therapist).

Payment: Sharing with payers to obtain reimbursement.

Healthcare Operations: Quality improvement, training, compliance activities.

When You Need Authorization

  • Sharing with family members (usually)
  • Legal proceedings (beyond what's required by law)
  • Employers
  • Life insurance companies
  • Marketing
  • Most other purposes

Authorization Requirements

Valid authorization must:

  • Be in writing
  • Specify what information can be disclosed
  • Identify who can receive it
  • State purpose (or "at client's request")
  • Have expiration date
  • Be signed and dated by client
  • Include right to revoke

Retention Requirements

HIPAA Requirements

HIPAA requires you to retain certain documentation for 6 years from the date it was created or last in effect, whichever is later:

  • Privacy policies and procedures
  • Privacy practices notices
  • Authorization forms
  • Certain compliance documentation

State Law Requirements

State laws often require longer retention:

  • Adult records: 7-10 years after last service (varies by state)
  • Minor records: Until age of majority plus several years (often 21-25)

Follow the longest applicable requirement.

Retention Best Practices

  • Know your state's specific requirements
  • Retain records for longest applicable period
  • Have written retention policy
  • Secure storage throughout retention period
  • Proper destruction after retention period

Destroying Records

When retention period ends:

  • Paper: Shred or incinerate (not regular trash)
  • Electronic: Secure deletion or physical destruction of media, including copies held in backups and exported files
  • Keep a destruction log recording which client records were destroyed, the date, the method, and who performed it (but not the content of the records)

Documentation for Telehealth

Telehealth sessions require additional documentation elements:

Telehealth-Specific Documentation

Date: [date]
Time: [start] - [end] ([X] minutes)
Modality: Telehealth via [platform name]
Client location: [city, state]
Client environment: Private residence, confidential setting confirmed
Technology: No disruptions [or describe any issues]

Why This Matters for HIPAA

  • Documents you used compliant platform
  • Establishes client location (licensing compliance)
  • Creates record if questions arise about service delivery

HIPAA for Telehealth: Complete Requirements →

Telehealth Billing for Therapists →


Documentation That Supports Billing

HIPAA intersects with billing documentation. Your records must support the services you bill.

Time Documentation

For time-based codes (90832, 90834, 90837), document exact times:

Compliant: "Session 2:00 PM - 2:47 PM (47 minutes face-to-face psychotherapy)"

Non-compliant: "45-minute session" (doesn't prove actual time)

Medical Necessity

Documentation should establish why the service was medically necessary:

  • Diagnosis
  • Symptoms and functional impairment
  • How treatment addresses the condition
  • Progress toward goals

Connecting Documentation to Codes

  • 90832: 16-37 minutes of psychotherapy
  • 90834: 38-52 minutes of psychotherapy
  • 90837: 53+ minutes of psychotherapy
  • 90846: Family therapy without patient present
  • 90847: Family therapy with patient present
  • 90791: Comprehensive diagnostic evaluation

Audit-Ready Documentation

If your records were audited, could they support every claim you've billed?

  • Date of service matches claim
  • Time documented supports CPT code
  • Diagnosis documented matches billed ICD-10
  • Service description matches CPT code definition
  • Progress notes exist for each billed session
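Those checks can be run mechanically over a claims export and a notes export before an audit ever happens. The following is an added example, not code from the original page: it assumes simple dictionary records with made-up field names (id, client, dos, cpt, icd10, start, end), applies the time bands listed above for 90832, 90834 and 90837, and flags the same mismatches the checklist describes. The claims and notes it runs on are constructed sample data, not real client records.

```python
"""Audit-readiness check: does a progress note support each billed claim?

Added example, not from the original page. All records below are constructed
samples, and the field names are assumptions about how an export might look.
"""
from datetime import datetime

# Time bands for time-based psychotherapy codes (upper bound None = open-ended).
CPT_TIME_BANDS = {"90832": (16, 37), "90834": (38, 52), "90837": (53, None)}


def session_minutes(start: str, end: str) -> int:
    """Minutes between clock times written like '2:00 PM' and '2:47 PM'.

    Assumes both times fall on the same day; a session crossing midnight
    would need the date of service included in the timestamp.
    """
    fmt = "%I:%M %p"
    delta = datetime.strptime(end, fmt) - datetime.strptime(start, fmt)
    return int(delta.total_seconds() // 60)


def cpt_for_minutes(minutes: int):
    """Return the time-based CPT code the documented minutes support, or None."""
    for code, (low, high) in CPT_TIME_BANDS.items():
        if minutes >= low and (high is None or minutes <= high):
            return code
    return None  # under 16 minutes: no time-based psychotherapy code applies


def audit_claims(claims, notes):
    """Return {claim_id: [problems]} for every claim a note does not support."""
    # One note per client per date of service is assumed for the lookup.
    notes_by_key = {(n["client"], n["dos"]): n for n in notes}
    findings = {}
    for claim in claims:
        problems = []
        note = notes_by_key.get((claim["client"], claim["dos"]))
        if note is None:
            problems.append("no progress note for date of service")
        else:
            if claim["cpt"] in CPT_TIME_BANDS:
                if not (note.get("start") and note.get("end")):
                    problems.append(
                        "time-based code billed but start/stop times not documented")
                else:
                    mins = session_minutes(note["start"], note["end"])
                    expected = cpt_for_minutes(mins)
                    if expected != claim["cpt"]:
                        problems.append(
                            f"{mins} min documented supports {expected}, not {claim['cpt']}")
            if note.get("icd10") != claim["icd10"]:
                problems.append(
                    f"diagnosis in note ({note.get('icd10')}) != billed ({claim['icd10']})")
        if problems:
            findings[claim["id"]] = problems
    return findings


# Constructed sample data (hypothetical clients, dates and codes).
SAMPLE_CLAIMS = [
    {"id": "C1", "client": "A", "dos": "2025-03-03", "cpt": "90834", "icd10": "F41.1"},
    {"id": "C2", "client": "A", "dos": "2025-03-10", "cpt": "90837", "icd10": "F41.1"},
    {"id": "C3", "client": "B", "dos": "2025-03-04", "cpt": "90834", "icd10": "F33.1"},
    {"id": "C4", "client": "B", "dos": "2025-03-11", "cpt": "90834", "icd10": "F33.1"},
]

SAMPLE_NOTES = [
    # Compliant: exact times, 47 minutes, matches 90834 and the billed diagnosis.
    {"client": "A", "dos": "2025-03-03", "start": "2:00 PM", "end": "2:47 PM", "icd10": "F41.1"},
    # 47 minutes documented but 90837 billed.
    {"client": "A", "dos": "2025-03-10", "start": "2:00 PM", "end": "2:47 PM", "icd10": "F41.1"},
    # "45-minute session" with no start/stop times, and a diagnosis that differs from the claim.
    {"client": "B", "dos": "2025-03-04", "duration_text": "45-minute session", "icd10": "F33.0"},
    # No note at all for client B on 2025-03-11.
]


if __name__ == "__main__":
    for claim_id, problems in audit_claims(SAMPLE_CLAIMS, SAMPLE_NOTES).items():
        print(claim_id, "->", "; ".join(problems))
```

Run it against a real export only after confirming the export itself is stored as securely as the EHR; a CSV of claims and diagnoses on an unencrypted laptop is the first mistake in the list below.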

CPT Codes for Therapists →

90834 CPT Code Guide →

90837 CPT Code Guide →


Common Documentation Mistakes

HIPAA-Related Mistakes

  1. Storing records on personal devices without encryption
  2. Using non-compliant EHR without BAA
  3. Emailing records via regular email (not encrypted)
  4. Leaving screens visible to others
  5. Disposing of records improperly (regular trash)
  6. No backup system for electronic records
  7. Keeping records too briefly (not meeting retention requirements)

Clinical/Billing Documentation Mistakes

  1. Vague time documentation that doesn't support CPT codes
  2. Cookie-cutter notes that don't reflect actual session
  3. Missing diagnosis or diagnosis that doesn't support treatment
  4. No treatment plan or notes don't connect to plan
  5. Inconsistent documentation between clinical notes and billing

Frequently Asked Questions

Do I have to give clients their psychotherapy notes?
HIPAA allows you to deny access to psychotherapy notes (the narrow category of separate process notes). Regular session documentation is not psychotherapy notes and must be provided on request.
How detailed should my notes be?
Detailed enough to: support medical necessity, track treatment progress, communicate to other providers if needed, and support your billing. Not so detailed that they include extraneous information creating unnecessary risk.
Can I charge clients for copies of their records?
Yes, but only reasonable, cost-based fees—typically per-page copying costs, not a 'records retrieval' premium.
What if I'm subpoenaed for records?
Consult an attorney. You may need client authorization, court order, or have other options. A subpoena alone doesn't necessarily require disclosure.
Should I keep separate psychotherapy notes?
It's optional. Some therapists find separate process notes clinically valuable. If you keep them, they're more protected under HIPAA—but you must keep them genuinely separate from the medical record.

Your documentation serves multiple purposes: clinical care, legal protection, billing support, and continuity. HIPAA adds another layer—security, privacy, and client rights. Build documentation habits that serve all these purposes, and you'll have records that protect your clients and your practice.
