The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Psychotherapy Notes and HIPAA

Posted By on May 3, 2023

The relationship between psychotherapy notes and HIPAA is more complex than with most other types of health information. This is because, under HIPAA, psychotherapy notes are considered to be Protected Health Information not usually required for treatment, payment, or health care operations other than by the healthcare professional who created them.

Explaining what psychotherapy notes are under HIPAA is not straightforward because you have to combine multiple definitions in different areas of the Administrative Simplification Regulations to reach a conclusion. Certainly, psychotherapy notes qualify as individually identifiable health information under HIPAA as individually identifiable health information is (loosely) defined as:

“Health information […] collected from an individual […] by a healthcare provider […] that relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care […] that identifies the individual or […] can be used to identify the individual.”

This definition qualifies psychotherapy notes as Protected Health Information and subject to the protections of the Privacy, Security, and Breach Notification Rules. However, to qualify as psychotherapy notes as defined by §164.501 of the Privacy Rule, the content of the notes must not include any information that would be included in the patient’s medical record.

Get the FREE
HIPAA Compliance Checklist

Delivered via email so please ensure you enter your email address correctly.

Your Privacy Respected

HIPAA Journal Privacy Policy

This means psychotherapy notes have to maintained in a separate designated record set from other Protected Health Information and cannot include any information about medication prescription and monitoring, counseling session start and stop times, the types and frequencies of treatment, or results of clinical tests. Additionally, psychotherapy notes cannot include summaries of diagnoses, functional statuses, treatment plans, symptoms, prognosis, and patients’ progress to date.

What can be Included in Psychotherapy Notes under HIPAA?

The content of psychotherapy notes under HIPAA is limited to records of conversations during private counseling sessions or a group, joint, or family counseling sessions. The notes have to be recorded by a registered mental health professional who is a Covered Entity, who is employed by a Covered Entity, or who is providing a service for or on behalf of a Covered Entity as a Business Associate.

Because the notes are not usually required for treatment, payment, or health care operations other than by the healthcare professional who created them, they are subject to stricter conditions for uses and disclosures than other Protected Health Information. Generally, psychotherapy notes can only be disclosed with a patient’s authorization other than in a limited number of circumstances:

  • When used for HIPAA training in which mental health trainees learn under supervision how to improve their counselling skills.
  • When used by the mental health professional or Covered Entity to defend a legal action brought by the subject of the psychotherapy notes.
  • When required by law – for example to comply with state-mandated “duty to warn” requirements or to report abuse.
  • When disclosed to the National Instant Criminal Background Check System (subject to additional conditions).
  • When used by the healthcare professional who created the psychotherapy notes for treatment of the subject of the notes.
  • For healthcare oversight purposes when the subject of the oversight is the originator of the psychotherapy notes.

Psychotherapy Notes and HIPAA: Summary

According to HHS´ Breach Report, data breaches involving psychotherapy notes and HIPAA violations are not common. This may be because HHS only publishes details of data breaches in which more than 500 individuals have been affected. There could be many more smaller data breaches affecting fewer individuals, so it is difficult to determine whether the relationship between psychotherapy notes and HIPAA is challenging for mental health professionals.

Nonetheless, it is important Covered Entities and Business Associates providing mental health services on behalf of a Covered Entity understand how HIPAA defines psychotherapy notes, how notes should be kept in separate designated record sets, and when they can be used or disclosed without a patient authorization. Covered Entities and Business Associates unsure about the relationship between psychotherapy notes and HIPAA should seek professional compliance advice.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist