HIPAA applies to covered entities, which include healthcare providers who transmit health information electronically in connection with standard transactions. If you're a hypnotherapist who bills insurance companies, accepts credit cards through a clearinghouse, or transmits any protected health information (PHI) electronically, you're likely a covered entity under HIPAA.
Even if you're not technically covered by HIPAA, following its guidelines shows professionalism and protects your clients' privacy. Many states have their own privacy laws that may apply to mental health professionals, making HIPAA compliance a best practice regardless of your legal obligations.
Learn more: The HIPAA Privacy Rule's preemption of state law
According to the National Institutes of Health, “protected health information (PHI) is any health information that can identify an individual that is in possession of or transmitted by a "covered entity" or its business associates that relates to a patient's past, present, or future health. This data includes demographic information. It also includes but is not limited to, electronic and paper transmission.” In your hypnotherapy practice, PHI includes any information that could identify a client and relates to their health condition, treatment, or payment. This includes:
Read also: Examples of protected health information (PHI) in healthcare
Implementing proper privacy safeguards starts with your physical environment. Your office must provide adequate sound privacy so conversations cannot be overheard. If you practice in a shared building, consider white noise machines or sound-dampening materials. Your waiting area should be arranged so clients cannot see appointment books or client files.
The International Board of Hypnotherapy (IBH) Code of Ethics reinforces these privacy requirements, stating that members are to "respect the privacy of clients and hold in confidence information acquired during the course of professional service" in compliance with HIPAA regulations.
Develop clear policies for handling client information. Train any staff members on HIPAA requirements and have them sign confidentiality agreements. Establish procedures for how client information is accessed, used, and disclosed. Create a system for clients to request amendments to their records or file complaints about privacy practices.
Your Notice of Privacy Practices should be displayed and given to each new client. This document explains how you use and protect their health information, their rights regarding their PHI, and how they can file complaints if they believe their privacy has been violated.
Electronic security is important for hypnotherapists who may record sessions or maintain digital records. Use encrypted email services when communicating with clients about their treatment. Standard email is not secure enough for transmitting PHI, so consider platforms specifically designed for healthcare communications.
The IBH Code of Ethics emphasizes the importance of obtaining proper consent, requiring that "on the client intake form, the client is to give written permission for use of voicemail, email or emailing MP3 files of customized self-hypnosis." This requirement ensures clients understand how their information will be communicated and provides documented consent for these communications.
If you record hypnotherapy sessions, store these files on encrypted devices or secure cloud storage services that offer Business Associate Agreements (BAAs). Never store session recordings on personal devices or unsecured platforms. The IBH Code of Ethics specifically states that "members are to obtain consent of clients before audio or video recording or permitting others to be present during their sessions or activities."
Implement access controls so only authorized individuals can view client files. Use passwords for all systems containing PHI, and consider two-factor authentication for additional protection. Install security software and firewalls on all devices that access client information.
Learn more: HIPAA compliant email
The Department of Health and Human Services defines a business associate as “a person or entity that performs certain functions or activities that involve the use or disclosure of protected health information on behalf of, or provides services to, a covered entity.” Any vendor or service provider who has access to your clients' PHI must sign a Business Associate Agreement. This includes cloud storage providers, email services, billing companies, transcription services, and even cleaning services if they might encounter client files.
Common business associates in hypnotherapy practices include:
Before engaging any third-party service, verify they can provide a BAA and have appropriate security measures in place.
Learn more: What is the purpose of a business associate agreement?
The rise of telehealth has created new opportunities and challenges for hypnotherapists. When conducting sessions via video platforms, ensure you're using HIPAA compliant services. The IBH Code of Ethics specifically addresses this requirement, stating that "if members choose to communicate or conduct sessions via video conferencing, they are to use HIPAA compliant video conferencing software." Many popular video conferencing platforms are not suitable for healthcare use without proper BAAs and security configurations.
For information about whether specific service providers are HIPAA compliant, you can reference the Paubox blog, which features detailed analyses of various platforms and services to help healthcare professionals make informed decisions about their technology choices.
Consider the client's environment during virtual sessions. While you can't control their space, you can educate them about privacy considerations and recommend they use private locations with secure internet connections. Document any privacy risks and how you've addressed them.
Maintain detailed records of all privacy and security measures you've implemented. This includes training records, incident reports, risk assessments, and documentation of any privacy breaches. Keep logs of who accesses client files and when, especially if you have multiple staff members.
Establish retention schedules for different types of records. While HIPAA doesn't specify retention periods, state laws often do. Some states require mental health records to be kept for seven years after the last contact with the client, while others have different requirements.
Develop a breach response plan that includes immediate containment of the incident, assessment of the scope and cause, notification of affected clients, and reporting to appropriate authorities if required.
Not all privacy incidents constitute reportable breaches under HIPAA. The breach notification rule applies when there is unauthorized access, use, or disclosure of PHI that poses a risk of financial, reputational, or other harm to the individual. However, even minor incidents should be documented and analyzed to prevent future occurrences.
Read also: Understanding and managing a HIPAA breach
Regularly review your policies and procedures, especially as your practice evolves or you adopt new technologies. Stay informed about changes in privacy laws and best practices in your field.
Consider joining professional associations that provide HIPAA training and updates specific to mental health professionals. Many organizations offer resources tailored to smaller practices that may not have dedicated compliance staff. The IBH Code of Ethics serves as a foundation for establishing these privacy practices, demonstrating that industry standards align with legal requirements to protect client confidentiality and maintain professional integrity.
No, but voluntarily following HIPAA standards still strengthens client trust and aligns with professional ethics.
You must ensure that no individual’s PHI is disclosed to other participants without consent, even in group settings.
Only if you use a secure, HIPAA-compliant platform and obtain explicit, written consent from the client.
You must use encrypted email and obtain signed permission documenting their understanding of the associated risks.
Yes, if they contain PHI and are shared or stored in connection with electronic transactions.