According to research published in Current Opinion in Psychology, "Without privacy and confidentiality, therapy may not be effective." The stakes go beyond regulatory penalties to the therapeutic relationship itself.
For mental health practitioners working in a digital world in which clients expect text message reminders, teletherapy has become standard, and electronic health records dominate documentation, understanding how protected health information (PHI) is classified is required for ethical, legal, and clinically effective care.
PHI under HIPAA encompasses more than diagnosis codes and treatment plans. The regulations define PHI as "individually identifiable health information" that is transmitted or maintained in electronic or any other form.
According to Letzring and Snow in the International Journal of Play Therapy, individually identifiable health information includes any information that "relates to the past, present, or future physical or mental health or condition of an individual; the provision of health care to an individual; or the past, present, or future payment for the provision of health care to an individual," and that identifies the individual or provides a reasonable basis for identification.
In practical terms, the following elements constitute PHI when connected to health information:
HIPAA identifies 18 specific identifiers that, when combined with health information, create PHI.
The distinction lies in the combination. A phone number alone may not constitute PHI, but a phone number linked to information about a client's depression diagnosis unambiguously falls under HIPAA protection.
Mental health information receives the same baseline protections as other health information under HIPAA, with one exception. Psychotherapy notes occupy a specially protected category demanding additional safeguards.
The HHS guidance defines psychotherapy notes as "notes recorded by a health care provider who is a mental health professional documenting or analyzing the contents of a conversation during a private counseling session or a group, joint, or family counseling session and that are separate from the rest of the patient's medical record."
Psychotherapy notes must be maintained separately from the medical record to receive enhanced protection. The following elements do not qualify as psychotherapy notes:
As the HHS explains, psychotherapy notes "are treated differently from other mental health information both because they contain particularly sensitive information and because they are the personal notes of the therapist that typically are not required or useful for treatment, payment, or health care operations purposes."
Disclosure of psychotherapy notes requires specific written authorization from the client, even for treatment purposes when sharing with other providers. The Privacy Rule's exceptions are narrow: among them, the originator of the notes may use them for treatment, and disclosures that are required by law or made for HHS compliance review do not need authorization. This stands in contrast to general PHI, which can be shared for treatment, payment, and healthcare operations without authorization.
Not every therapist automatically falls under HIPAA's jurisdiction. The regulations apply to "covered entities": health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with HIPAA-defined standard transactions.
Two conditions must be met:
These transactions include health care claims, payment and remittance advice, eligibility verification, referral certifications, and claims attachments.
As Letzring and Snow note, "Electronic submission alone is not enough to require HIPAA compliance." However, they acknowledge that practitioners making no electronic communications related to payment or insurance are "likely a rare case or working completely pro bono." Once a practitioner meets the covered entity definition, all PHI falls under HIPAA protection, whether electronic, paper, or oral.
Research in the Current Opinion in Psychology identifies specific risks that exist in multiple digital channels.
Email presents concerns because "providers maintain less control over the third-party systems that send and maintain email." The researchers found that 24.8% of surveyed psychologists reported breaches to their digital mailboxes. Even beyond intentional attacks, unintended recipients may access messages.
Text messaging introduces distinct challenges. According to the research, "Threats to text messaging privacy can emerge from individual, corporate, and government actors." A perspective in the Journal of Perinatology adds that "text messaging is not considered a secure form of communication, given it is not secure at rest."
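The combination rule above (an identifier alone is not PHI; an identifier tied to health, care, or payment information is) and the text-messaging concern in this paragraph can be turned into a last-line check on outbound messages. The following Python is an added example, not code from the article or from the cited researchers. It scans a message for a handful of identifier patterns and a constructed list of health-related terms, and blocks the message from an insecure channel only when both are present. The regexes, the term list, the channel names and the sample messages are assumptions made for the example: they cover a few of the 18 identifier categories, do not detect names, and are a floor on top of vetted HIPAA-compliant tooling rather than a substitute for it.

```python
"""Flag outbound messages that combine an identifier with health information
(the PHI "combination" rule) before they leave over an insecure channel.

Added example. Patterns, term list and channel names are illustrative
assumptions, not an authoritative implementation of HIPAA's 18 identifiers.
"""
import re
from dataclasses import dataclass, field

# A few of HIPAA's 18 identifier categories, as illustrative regexes.
# Names are deliberately not attempted: a regex cannot recognise them reliably.
IDENTIFIER_PATTERNS = {
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-.\s]?\d{3}[-.\s]?\d{4}(?!\d)"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "date": re.compile(r"(?<!\d)\d{1,2}/\d{1,2}/\d{2,4}(?!\d)"),
    "record_number": re.compile(r"\bMRN[:#\s]*\d{4,}\b", re.IGNORECASE),
}

# Constructed list of words that tie a message to a condition, to treatment,
# or to payment for care. Even an appointment reminder "relates to the
# provision of health care", so "session" and "appointment" belong here for
# a therapy practice.
HEALTH_TERMS = {
    "depression", "anxiety", "ptsd", "diagnosis", "medication", "sertraline",
    "therapy", "session", "appointment", "claim", "copay",
}

# Assumed channel names; only the portal is treated as protected in transit
# and at rest.
SECURE_CHANNELS = {"secure_portal"}


@dataclass
class Classification:
    identifiers: dict = field(default_factory=dict)  # category -> matches
    health_terms: set = field(default_factory=set)

    @property
    def is_phi(self) -> bool:
        # Combination rule: identifiable AND about health, care or payment.
        return bool(self.identifiers) and bool(self.health_terms)


def classify(text: str) -> Classification:
    """Collect identifier matches and health terms found in one message."""
    result = Classification()
    for category, pattern in IDENTIFIER_PATTERNS.items():
        hits = pattern.findall(text)
        if hits:
            result.identifiers[category] = hits
    words = set(re.findall(r"[a-z]+", text.lower()))
    result.health_terms = words & HEALTH_TERMS
    return result


def route(text: str, channel: str) -> str:
    """Return "send" or a "block: ..." reason for a message on a channel."""
    c = classify(text)
    if not c.is_phi or channel in SECURE_CHANNELS:
        return "send"
    ids = ",".join(sorted(c.identifiers))
    terms = ",".join(sorted(c.health_terms))
    return f"block: PHI ({ids} + {terms}) over insecure channel {channel}"


# Constructed sample messages. The second one is clinical text with no
# identifier the scanner can see; in a real record it would still be PHI by
# context, which is why this check is a floor and not the whole control.
SAMPLES = [
    ("Call 555-123-4567 to reschedule.", "sms"),
    ("Client reports worsening depression; sertraline increased.", "sms"),
    ("Reminder: your session is 4/12/25 at 3pm.", "sms"),
    ("Reminder: your session is 4/12/25 at 3pm.", "secure_portal"),
]


def demo() -> list:
    """Route every sample and return the decisions in order."""
    return [route(text, channel) for text, channel in SAMPLES]


if __name__ == "__main__":
    for (text, channel), decision in zip(SAMPLES, demo()):
        print(f"[{channel}] {text!r} -> {decision}")
```

The third sample is worth noting: a plain appointment reminder with a date is blocked from SMS, because a date tied to a therapy session is an identifier combined with information about the provision of care. The first sample passes because a phone number with no health content does not meet the combination rule, which matches the page's phone-number illustration.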
Teletherapy platforms returned to standard HIPAA requirements after the HHS Office for Civil Rights ended its COVID-19 enforcement discretion for telehealth. As reported in Psychiatric News, Shabana Khan, M.D., chair of the APA Committee on Telepsychiatry, stated that practitioners "cannot use standard video technologies such as Zoom, Skype, or Facebook to meet with patients" without proper compliance measures.
John Torous, M.D., chair of the APA Committee on Mental Health IT, emphasized Business Associate Agreements: "Often you can use the same product (such as Zoom) without a BAA, but to make it HIPAA compliant, a psychiatrist needs to use the version of Zoom that requires the signature of a BAA."
HIPAA establishes a default prohibition on PHI disclosure, then carves out specific exceptions.
While HIPAA's protections serve important purposes, emerging research sheds light on unintended consequences. Researchers in the Journal of Perinatology describe how "well-intentioned regulations can sometimes impede effective communication."
The researchers encountered this tension while developing a clinical trial for marginalized communities. Institutional interpretation of the Security Rule required switching from conventional text messaging to secure web links. "Although this approach ensured higher data security and privacy law compliance, it created a new challenge; it limited accessibility for patients from marginalized communities who lacked resources for smart phones and reliable internet access."
This paradox extends to therapy practices serving underserved populations. Text messaging offers distinct advantages; it's "cost-effective and provides a convenient and less intimidating platform for patients and providers to engage in real-time interactions, eliminating the need to step away from daily responsibilities and not requiring access to the internet or a smartphone."
The researchers advocate for "actively involving patients in decision-making processes regarding sharing their healthcare data," allowing clients to "provide informed consent and express preferences, allowing them to select a preferred form of communication on a somewhat less secure platform."
Navigating PHI protection requires systematic attention to policies, technology, and ongoing education.
Informed consent processes should explicitly address communication preferences and risks. Lustgarten et al. (2020) recommend that "providers should discuss information security directly with clients at treatment onset, and revisit the topic periodically."
Technology selection demands careful vetting. Practitioners must use vendors who can assure HIPAA compliance and have signed Business Associate Agreements.
Environmental safeguards matter as much as technical ones. As Shabana Khan, M.D., advised in Psychiatric News, clinicians should connect from private spaces, disclose if others are present in the room, and guide clients to take similar precautions. These practices extend beyond teletherapy to any communication involving PHI.
Documentation practices should distinguish psychotherapy notes from general clinical records. Maintaining this separation preserves the enhanced protections HIPAA affords.
A covered entity is a healthcare provider, health plan, or healthcare clearinghouse that transmits health information electronically in connection with HIPAA-defined transactions such as insurance claims, eligibility verification, or payment processing. Mental health practitioners who bill insurance electronically or verify client coverage usually qualify as covered entities and must comply with HIPAA's Privacy and Security Rules.
A BAA is a legally binding contract between a covered entity and any vendor that processes, stores, or transmits PHI on the entity's behalf. The agreement ensures the vendor implements required HIPAA safeguards and maintains patient data privacy and security. Telehealth platforms, electronic health record systems, cloud storage providers, and secure messaging services all require signed BAAs before use with client information.
The Privacy Rule governs all PHI regardless of format (electronic, paper, or oral) and establishes standards for when and how health information can be used or disclosed. The Security Rule is narrower, focused specifically on electronic PHI (ePHI), and requires administrative, physical, and technical safeguards such as encryption, access controls, and audit logs to protect digital health information.
Encryption is a security method that converts readable data into coded text, making it unreadable to anyone without the key. HIPAA's Security Rule lists encryption of ePHI both "in transit" (when being sent, such as via email) and "at rest" (when stored on devices or servers) as an addressable implementation specification: a covered entity must either implement it or document why an alternative measure is reasonable and appropriate. Standard text messaging is not end-to-end encrypted in transit and tends to lack encryption at rest, which is why it poses compliance risks.
A personal representative is someone legally authorized to make healthcare decisions on behalf of another person, such as a parent for a minor child, a healthcare power of attorney for an incapacitated adult, or a court-appointed guardian. HIPAA grants personal representatives the same rights to access PHI as the patient themselves, with limited exceptions for safety concerns or when state law permits minors to consent to treatment independently.