Mental health problems are surprisingly common. In the U.S., approximately 26 percent of 18 to 25 year olds and 23 percent of 26 to 49 year olds suffer from some sort of mental illness. This can include mood, anxiety, personality, or eating disorders. A significant number of U.S. adults — 59 percent, in fact — say that they somewhat or strongly disagree that people can handle their mental health issues on their own.
This growing need has led to a rapid increase in the number of mental health professionals. In fact, the U.S. Bureau of Labor Statistics estimates that job prospects for substance abuse, behavioral disorder, and mental health professionals will grow by 22 percent between 2018 and 2028, a level of growth that the agency describes as “much faster than average.” But with this surge comes the need to protect all of those patient psychotherapy notes in order to comply with the Health Insurance Portability and Accountability Act (HIPAA).
The HIPAA definition of “psychotherapy notes”
HIPAA defines “psychotherapy notes” as any note taken by a mental health professional during an individual or group counseling session that the professional may refer to later. These notes are separate from the patient’s medical record. Essentially, the notes are just about what the patient says and nothing else.
Psychotherapy notes don’t include things like medication information, the counseling session start and stop times, what types of treatments are used, and the results of clinical tests. They also don’t include a diagnosis summary, the treatment plan, or the progress the patient has made.
HIPAA protections for psychotherapy notes
Another important distinction HIPAA makes between psychotherapy notes and regular medical records is the right to access them. An individual can access protected health information (PHI) as long as the information isn’t psychotherapy notes.
HIPAA likely calls for stricter protection of psychotherapy notes because they are the therapist’s personal notes and can contain incredibly sensitive information. They are also unlikely to be shared with anyone.
However, a mental health professional may, upon request, share information like a diagnosis or patient’s progress. For example, a psychiatrist also treating the patient may request a diagnosis from the therapist, or a caregiver may need information on the medication that the patient is taking.
Staying HIPAA compliant with psychotherapy notes
There are only a few very rare reasons for a mental health professional to disclose psychotherapy notes. These permitted disclosures are for the purposes of therapists defending themselves in court, cooperating with a Department of Health and Human Services (HHS) investigation, notifying appropriate parties if public health and safety is threatened, or assisting a medical examiner or coroner.
Under HIPAA, psychotherapy providers don’t have to keep notes. You can write them by hand on a notepad or type them on a computer — as long as you keep them separate from the patient’s medical record or progress notes. However, you must prevent anyone else from reading the notes, so you should follow the same HIPAA guidelines you would use for any other PHI.
All the HIPAA protections that apply to medical records also apply to psychotherapy notes. You must conduct a complete risk analysis to identify any potential gaps in your security procedures — including training for staff. You also need to encrypt any electronic information and enter into a business associate agreement (BAA) with your software providers, including cloud storage providers.
If you’re taking notes on paper, you also need to take precautions to safeguard them. For example, after each session, you might tear the pages containing the notes off the notepad and store them in a locked filing cabinet so that no one else can access them.
When you destroy psychotherapy notes for patients who you haven’t seen in years, according to medical record retention laws, make sure that there is no way for someone to piece them back together. This may mean hiring a third-party shredding service. If you do work with such a service provider, make sure you have a signed BAA with them.
No matter how you take psychotherapy notes, you need to put the same protections in place for them that you do for medical records. This is the only way to make sure you’re staying HIPAA compliant and avoiding the hefty sanctions that can come with accidentally exposing PHI.