Client Confidentiality in Therapy: Laws, Ethics, and Best Practices
Understand client confidentiality in therapy including legal frameworks, exceptions like duty to warn, and best practices for digital privacy and AI tools.
Confidentiality in therapy is not simply a professional courtesy — it is the structural foundation on which every therapeutic relationship is built. Without the assurance that what a client says in session stays in session, the entire enterprise of psychotherapy collapses. Clients do not disclose trauma, suicidal ideation, relationship difficulties, or substance use to a stranger in a chair because they trust that person’s clinical skill. They disclose it because they trust that person’s silence.
The empirical evidence is unambiguous. A 2015 study published in the Journal of Counseling Psychology found that 73% of clients reported withholding information from their therapist at least once, with fear of judgment and confidentiality concerns ranking among the top reasons. A subsequent 2019 meta-analysis in Psychotherapy Research demonstrated that perceived confidentiality directly predicted client self-disclosure depth, which in turn predicted treatment outcomes. When clients believe their information is secure, they disclose more. When they disclose more, therapy works better.
Yet confidentiality in mental health practice is not absolute. It operates within a complex web of federal regulations, state statutes, case law, and professional ethics codes that create both protections and exceptions. A therapist who promises blanket confidentiality is making a promise they cannot keep — and may be violating the very ethics codes they are bound by. A therapist who fails to maintain confidentiality where it is required may face malpractice suits, licensing board complaints, and the destruction of client trust.
This guide covers every dimension of client confidentiality that therapists need to understand: the legal frameworks that define it, the exceptions that limit it, the special populations that complicate it, the digital tools that threaten it, and the best practices that protect it.
What Is Confidentiality in Therapy and Why It Matters
Client confidentiality in therapy refers to the ethical and legal obligation of a therapist to protect all information disclosed by a client during the course of treatment from unauthorized disclosure to third parties. This obligation covers not only what a client says in session, but also the fact that the client is in therapy at all, the content of clinical records, test results, diagnoses, billing information, and any communication between therapist and client.
Confidentiality is distinct from, but related to, two adjacent concepts:
Privacy is the client’s right to control who has access to their personal information. Privacy is the broader principle; confidentiality is one mechanism for protecting it.
Privilege is a legal term referring to the client’s right to prevent their therapist from testifying about the content of therapy in legal proceedings. Privilege belongs to the client, not the therapist, and varies by state and by the type of proceeding (civil, criminal, federal). The U.S. Supreme Court established a psychotherapist-patient privilege in federal courts in Jaffee v. Redmond (1996), but states define the scope and exceptions of privilege independently.
Why Confidentiality Is the Foundation of Therapeutic Alliance
The therapeutic alliance — the collaborative bond between therapist and client — is the single strongest predictor of therapy outcomes across virtually all treatment modalities. A landmark meta-analysis by Horvath, Del Re, Flückiger, and Symonds (2011), published in Psychotherapy, found an effect size of d = 0.57 for the alliance-outcome relationship, a finding that has been replicated consistently.
Confidentiality is what makes the alliance possible. The therapy relationship is structurally unlike any other: a client is asked to disclose their most painful experiences, shameful thoughts, and dangerous impulses to a relative stranger. The asymmetry of vulnerability is extreme. Confidentiality is the explicit contract that makes this asymmetry tolerable.
When confidentiality is breached — or when a client perceives it has been breached — the consequences are severe. The client may terminate treatment, withhold critical information, lose trust in the mental health system entirely, or experience re-traumatization if the breach exposes sensitive material to family members, employers, or the public. For the therapist, the consequences include licensing board complaints, malpractice liability, loss of professional reputation, and personal distress.
This is why every ethical code in the mental health professions treats confidentiality as a core obligation, not a peripheral guideline. It is also why the exceptions to confidentiality must be communicated clearly at the start of treatment, so clients can make an informed consent decision about what they choose to share.
The Legal Framework for Therapist Confidentiality
Confidentiality in therapy is governed by overlapping layers of federal law, state law, and professional ethics codes. Therapists must comply with all applicable layers simultaneously, and when they conflict, the more protective standard generally controls.
HIPAA: The Federal Baseline
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule (45 CFR Part 160 and Part 164, Subparts A and E) establishes the federal floor for protecting individually identifiable health information — called protected health information (PHI) — held by covered entities and their business associates.
Most therapists in private practice are covered entities if they transmit any health information electronically in connection with a HIPAA-covered transaction (e.g., electronic claims, eligibility inquiries). If you bill insurance electronically or use an EHR that transmits data, HIPAA applies to you.
Key HIPAA requirements for therapists:
- Minimum necessary standard. Disclosures of PHI must be limited to the minimum amount necessary to accomplish the purpose of the disclosure. A therapist responding to an insurance company’s request for clinical information should not send the entire client file.
- Notice of Privacy Practices (NPP). Covered entities must provide clients with a written notice describing how their PHI may be used and disclosed, their rights regarding their PHI, and the therapist’s legal duties. This must be provided at the first service encounter.
- Client rights. Under HIPAA, clients have the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses and disclosures.
- Business Associate Agreements (BAAs). Any third party that creates, receives, maintains, or transmits PHI on behalf of the therapist (EHR vendors, billing services, transcription services, cloud storage providers) must sign a BAA.
- Psychotherapy notes protection. HIPAA provides special protections for psychotherapy notes (as defined in 45 CFR 164.501) — a therapist’s personal notes about session content that are maintained separately from the medical record. These notes require separate client authorization for most disclosures, even to the client’s insurance company.
- Breach notification. Unauthorized disclosure of unsecured PHI requires notification to affected individuals within 60 days and, for breaches affecting 500 or more individuals, notification to HHS and media.
For a comprehensive overview of HIPAA requirements, see our HIPAA compliance checklist for therapists.
42 CFR Part 2: Substance Use Disorder Records
If you treat clients with substance use disorder (SUD) diagnoses, an additional layer of federal protection applies. 42 CFR Part 2 imposes more restrictive confidentiality requirements than HIPAA for records created by federally assisted SUD treatment programs. Under Part 2, client-identifying information cannot be disclosed without specific written consent — even to other treating providers — except in narrow circumstances such as medical emergencies or court orders that meet strict criteria.
The 2024 amendments to 42 CFR Part 2 brought these protections into closer alignment with HIPAA in some respects, but Part 2 still imposes additional consent requirements that therapists treating SUD must understand and follow.
State Confidentiality Laws
Every state has its own statutes and regulations governing mental health confidentiality, and in many cases these are more protective than HIPAA. Under HIPAA’s preemption rule, when state law provides greater privacy protection, the state law controls.
Common areas where states add protections beyond HIPAA:
- Mandatory reporting thresholds. State laws define who is a mandated reporter, what conditions trigger reporting, and to which agency reports must be made. These vary significantly.
- Privilege statutes. States define the scope of therapist-client privilege differently. Some states recognize privilege broadly; others limit it in certain legal proceedings.
- Minor consent laws. States set different ages at which minors can consent to mental health treatment without parental knowledge or consent, which directly affects what therapists can disclose to parents.
- Duty to warn/protect. Some states mandate that therapists warn identifiable potential victims of client-threatened violence; others permit but do not require it; and some (like Texas) have no statutory duty to warn at all.
- Record retention. State laws specify how long records must be retained after termination and, in some cases, after client death.
Therapists must know the specific confidentiality laws of every state in which they are licensed and practice. This is particularly important for therapists providing telehealth therapy across state lines.
Professional Ethics Codes
In addition to legal requirements, therapists are bound by the ethics codes of their professional associations and licensing boards. The major codes address confidentiality in detail:
APA Ethics Code (Standard 4: Privacy and Confidentiality) — Standard 4.01 establishes the general obligation to protect confidential information. Standard 4.02 requires psychologists to discuss the limits of confidentiality with clients at the outset and as new circumstances arise. Standard 4.04 addresses minimizing intrusions on privacy. Standard 4.05 permits disclosures with consent or as mandated by law. Standard 4.07 addresses the use of confidential information in teaching, writing, and public presentations.
NASW Code of Ethics (Standard 1.07: Privacy and Confidentiality) — This is one of the most detailed confidentiality standards across the mental health professions, with 18 subsections covering topics from general confidentiality principles (1.07a) to electronic communications (1.07r). Standard 1.07(c) requires social workers to protect confidentiality “during legal proceedings to the extent permitted by law” and to request that courts limit disclosure.
ACA Code of Ethics (Section B: Confidentiality and Privacy) — Section B.1 establishes the general duty. Section B.2 covers exceptions. Section B.4 addresses groups and families. Section B.5 covers clients lacking capacity. Section B.6 addresses records and documentation.
AAMFT Code of Ethics (Standard 2: Confidentiality) — Standard 2.1 establishes the baseline. Standard 2.2 requires disclosure of limitations at the start of treatment. Standard 2.4 addresses confidentiality in research. Standard 2.5 covers use of case material.
Violations of these ethics codes are actionable through licensing board complaints and professional association disciplinary proceedings. They also serve as evidence of the standard of care in malpractice litigation. A therapist who violates their ethics code’s confidentiality provisions faces both regulatory and civil liability.
Exceptions to Confidentiality in Therapy
No confidentiality obligation in therapy is absolute. Both law and ethics recognize situations where the duty to protect a client’s privacy is outweighed by other obligations. Therapists must understand each exception, communicate it to clients during the informed consent process, and document carefully when an exception is invoked.
Duty to Warn and Duty to Protect (Tarasoff)
The most well-known exception to confidentiality originated in Tarasoff v. Regents of the University of California (1976). In that case, a University of California psychologist’s client, Prosenjit Poddar, told the psychologist he intended to kill Tatiana Tarasoff. The psychologist notified campus police, who briefly detained Poddar and released him. The psychologist’s supervisor directed that no further action be taken. Poddar murdered Tarasoff two months later. Her parents sued, and the California Supreme Court held that “when a therapist determines, or pursuant to the standards of the profession should determine, that a patient presents a serious danger of violence to another, the therapist incurs an obligation to use reasonable care to protect the intended victim.”
The ruling produced the now-famous formulation: “The protective privilege ends where the public peril begins.”
The scope and nature of Tarasoff obligations vary significantly by state:
- Mandatory duty to warn and/or protect. California, Colorado, Connecticut, Indiana, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Ohio, Pennsylvania, Tennessee, Utah, Virginia, Washington, and others impose a mandatory duty to take protective action when a client poses a serious threat to an identifiable third party. The required action varies: some states require warning the potential victim directly; others allow or require notifying law enforcement, seeking involuntary hospitalization, or taking other protective measures.
- Permissive duty. Some states, including Alaska, Delaware, Hawaii, Illinois, and West Virginia, permit therapists to breach confidentiality to protect potential victims but do not mandate it. Under a permissive standard, a therapist who does not warn is shielded from liability for failing to warn, and a therapist who does warn is likewise protected from liability for breaching confidentiality.
- No statutory duty. A small number of states, notably Texas, have no statutory duty to warn or protect. In these states, therapists must rely on common law, ethics codes, and professional judgment. The absence of a statutory duty does not necessarily mean a therapist has no common-law obligation — case law may impose one.
The practical implications are significant. A therapist practicing in multiple states, as many telehealth practitioners do, must know the Tarasoff obligations of each state in which they provide services.
Mandatory Reporting: Child Abuse and Neglect
All 50 states, the District of Columbia, and U.S. territories have mandatory child abuse and neglect reporting laws. Mental health professionals are mandated reporters in every U.S. jurisdiction. The specifics vary:
- Reporting trigger. Most states require a report when the therapist has “reasonable suspicion” or “reasonable cause to believe” that a child is being abused or neglected. The standard is not certainty — it is reasonable suspicion based on what the therapist has observed or been told.
- What constitutes abuse/neglect. Definitions vary by state and typically include physical abuse, sexual abuse, emotional abuse, and neglect (failure to provide adequate food, shelter, supervision, or medical care). Some states include witnessing domestic violence or parental substance abuse that endangers the child.
- Reporting procedure. Reports are typically made to the state’s child protective services agency and/or law enforcement. Most states require an immediate oral report followed by a written report within 24 to 72 hours.
- Penalties for failure to report. In most states, failure to report is a misdemeanor. Some states impose civil liability as well. Therapists have been disciplined by licensing boards and held liable in civil court for failure to report.
Critically, mandatory reporting obligations override therapist-client privilege. A therapist cannot refuse to report suspected child abuse on the grounds that the information was disclosed in therapy.
Mandatory Reporting: Elder and Dependent Adult Abuse
A growing number of states (currently 48 states and D.C.) mandate reporting of suspected abuse, neglect, or exploitation of elderly persons (typically defined as age 60 or 65 and older) and dependent adults. Mental health professionals are mandated reporters in most of these jurisdictions. The reporting standards and procedures parallel those for child abuse, though the specific definitions of abuse and the designated receiving agencies differ.
Court Orders and Subpoenas
A subpoena and a court order are not the same thing, and this distinction matters enormously for confidentiality.
A subpoena is a request — typically issued by an attorney, not a judge — to produce documents or testimony. Receiving a subpoena does not, by itself, authorize or require a therapist to disclose confidential information. The standard professional response is:
- Notify the client immediately.
- Do not release records or testify unless the client provides written authorization, a valid court order compels disclosure, or a HIPAA-permitted exception applies.
- If appropriate, file a motion to quash or a protective order to limit the scope of disclosure.
- Consult with an attorney before responding.
A court order, by contrast, is issued by a judge and carries the force of law. A therapist who receives a valid court order compelling disclosure must generally comply, though they should still attempt to limit disclosure to the minimum necessary information and may seek to have the order narrowed.
The distinction is critical. Many therapists receive subpoenas and mistakenly believe they must immediately hand over their entire client file. This is incorrect and may itself constitute a confidentiality violation.
Client Consent and Authorization
Clients can authorize disclosure of their own confidential information. Under HIPAA, a valid authorization must be written, specific about what information is to be disclosed, to whom, and for what purpose, include an expiration date or event, and inform the client of their right to revoke the authorization.
A general authorization to “release all records” should be interpreted narrowly. Best practice is to discuss with the client exactly what information will be disclosed and to document that discussion.
Insurance and Billing Disclosures
When a client uses insurance to pay for therapy, certain information must be disclosed to the insurer as a condition of payment. This typically includes the client’s diagnosis, dates of service, procedure codes, and sometimes treatment plans or clinical summaries to justify medical necessity. HIPAA permits these disclosures for “treatment, payment, and healthcare operations” (TPO) without a separate authorization, but the minimum necessary standard still applies.
This disclosure requirement is one of the most practically significant limitations on therapy confidentiality, and it is one that many clients do not fully understand at intake. Therapists should explicitly discuss what information insurance companies will receive, particularly regarding diagnosis, as part of the intake process. For details on insurance billing workflows, see our guide to therapy billing and superbilling.
Imminent Danger to Self
When a client presents with imminent risk of suicide, therapists may breach confidentiality to protect the client’s life. This may include contacting emergency services, family members, or other support persons. While the legal and ethical analyses differ from duty-to-warn situations (which involve danger to others), the principle is similar: the obligation to preserve life outweighs the obligation to preserve confidentiality.
Most ethics codes support this exception. APA Standard 4.05(b) permits disclosure without consent “as mandated by law, or where permitted by law for a valid purpose such as to… protect the client/patient, psychologist, or others from harm.”
Confidentiality with Minors and Families
Confidentiality becomes significantly more complex when the client is a minor or when therapy involves multiple family members.
Minor Clients
The confidentiality framework for minors involves a tension between the minor’s privacy interest in what they disclose in therapy, the parent or guardian’s legal right to access their child’s health information, and state laws governing minor consent to treatment.
Key considerations:
- Age of consent for mental health treatment. Many states allow minors above a certain age (commonly 12-16) to consent to outpatient mental health treatment without parental consent. In these states, the minor generally controls the confidentiality of the treatment — the therapist cannot disclose session content to parents without the minor’s authorization, except in situations involving safety.
- Parental access to records. Under HIPAA, a parent who is the “personal representative” of a minor generally has the right to access the minor’s PHI. However, HIPAA defers to state law: if state law permits the minor to consent to treatment without parental involvement, HIPAA does not give the parent automatic access to those records.
- Clinical judgment exceptions. Many states allow therapists to withhold information from parents when, in the therapist’s professional judgment, disclosure would be detrimental to the minor.
Best practice is to establish a clear confidentiality agreement with both the minor and the parent or guardian at the start of treatment. The agreement should specify what information will be shared with parents (typically general themes and safety concerns) and what will remain confidential (specific content of sessions). Document this agreement in the informed consent paperwork.
Couples Therapy
Couples therapy introduces a structural confidentiality challenge: the therapist has one client (the couple/relationship), but two individuals are disclosing information. The core question is whether information disclosed by one partner outside of a joint session (e.g., in an individual session or phone call) is confidential from the other partner.
There are two primary approaches:
- No-secrets policy. The therapist informs both partners at the outset that any information disclosed to the therapist by either partner — whether in joint or individual sessions — may be shared with the other partner at the therapist’s clinical discretion. This prevents the therapist from holding secrets that could distort the treatment.
- Confidentiality-within-couples policy. The therapist agrees to keep information from individual sessions confidential from the other partner, except in cases of safety risk. This approach encourages individual disclosure but risks putting the therapist in an untenable position if, for example, one partner discloses an ongoing affair.
Neither approach is universally mandated by ethics codes, but all major codes require that the approach be disclosed and agreed upon at the start of treatment. The AAMFT Code of Ethics (Standard 2.2) specifically states that therapists “do not disclose client confidences except by written authorization or waiver, or where mandated or permitted by law” and requires that the limits of confidentiality be discussed at the outset. The APA (Standard 10.02) requires that when a psychologist agrees to provide services to multiple persons who have a relationship, the psychologist “clarifies at the outset… the role of the psychologist and the probable uses of the services provided.”
Failing to establish a clear confidentiality policy in couples therapy is one of the most common clinical errors. It should be addressed explicitly during the first session and documented in writing.
Group Therapy
In group therapy, confidentiality is inherently more fragile because the therapist cannot legally bind other group members to maintain confidentiality. The therapist can establish confidentiality as a group norm and have all members sign a confidentiality agreement, but a breach by a group member is not a HIPAA violation (the group member is not a covered entity) and is generally not actionable by the therapist.
What the therapist can and must do:
- Discuss confidentiality expectations thoroughly at the start of the group.
- Have all members sign a group confidentiality agreement.
- Reinforce confidentiality norms regularly.
- Address any breaches immediately within the group process.
- Be transparent with prospective members that confidentiality in group settings cannot be guaranteed in the same way as in individual therapy.
Digital Confidentiality: Email, Text, Telehealth, and Social Media
The digital transformation of therapy practice has introduced confidentiality challenges that did not exist when confidentiality law and ethics were originally developed. Every digital communication channel used by a therapist is a potential vector for confidentiality breaches.
Email and Text Communication
Email and standard text messaging are not secure communication channels. They can be intercepted, stored on servers, accessed by IT administrators, and subpoenaed. Emails sent through standard providers (Gmail, Outlook) are typically encrypted in transit but are not end-to-end encrypted and may be stored in readable form on the provider’s servers.
Best practices for email and text:
- Use a HIPAA-compliant secure messaging platform for any communication containing PHI. Many practice management platforms include secure messaging features.
- Obtain written consent before communicating with clients via email or text, specifying what types of information may be communicated through each channel.
- Limit content. If you must use email, limit it to scheduling and logistics. Never include diagnosis, session content, treatment plans, or other clinical information in unencrypted email.
- Include a confidentiality notice in your email signature stating that the message may contain protected health information and instructing unintended recipients to delete it.
- Be aware of the client’s environment. A text message notification appearing on a client’s phone screen in a shared space can reveal the therapeutic relationship to others.
Telehealth
Telehealth therapy sessions involve the transmission of PHI (both audio and video) through digital infrastructure. The confidentiality risks include platform security, the client’s physical environment, and recording/interception.
HIPAA requires that telehealth platforms used for therapy have a signed BAA, end-to-end encryption, access controls, and audit logging. Our telehealth guide for providers covers platform selection and compliance requirements in detail.
Beyond platform security, therapists must also consider environmental confidentiality: Is the client in a private space? Can others overhear the session? Is the client using a shared device? These questions should be addressed at the start of every telehealth session, and the answers should be documented.
Social Media
Social media presents unique confidentiality risks for therapists:
- Do not acknowledge therapeutic relationships. A therapist who responds to a client’s comment on social media, follows a client back, or accepts a friend/follow request may be inadvertently confirming the therapeutic relationship to a public audience. Even a “like” on a client’s post can be perceived as a boundary violation.
- Do not search for clients online without clinical justification and informed consent. If you do conduct an online search (e.g., because of safety concerns), document the reason, what you found, and how it informed your clinical decision-making.
- Be cautious with clinical content. Even de-identified case examples shared on social media can sometimes be recognized by the client or others. When in doubt, do not post.
- Have a social media policy included in your intake paperwork that explains your social media boundaries.
Electronic Health Records and Practice Management Software
Your EHR or practice management system is the primary repository of client PHI. Its security directly determines the confidentiality of your client records.
Requirements for maintaining confidentiality through your EHR:
- The vendor must sign a BAA.
- Data must be encrypted at rest and in transit.
- Access must be controlled through individual user accounts with strong passwords and, ideally, multi-factor authentication.
- Audit logs must track who accessed which records and when.
- The system should support role-based access so that administrative staff can access scheduling information without accessing clinical notes.
- Backups must be encrypted and stored securely.
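The role-based access and audit-log items in this list are easier to reason about with a concrete model. The following is an added example, not code from the original page or from any practice-management vendor it mentions: a small record store in Python in which each role is mapped to the fields it may read, every read is written to an audit trail recording who asked, for which client, which fields were granted and which were refused, and the billing role is limited to the diagnosis, dates of service and procedure codes that the insurance section describes, which is the minimum necessary standard from the HIPAA section applied to a payment disclosure. The role names, field names and the sample client record are all constructed for the demo.

```python
"""Toy role-based access control with an audit trail for a therapy record store.

Added example: illustrates the EHR requirements (role-based access, audit
logging) and the minimum necessary standard. Not any vendor's code; all
roles, fields and sample data are constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Set

# Fields each role may read. Scheduling staff see only logistics, billing
# sees the minimum necessary for a claim (diagnosis, dates of service,
# procedure codes), and only the treating clinician sees clinical content.
# An unknown role is granted nothing.
ROLE_FIELDS: Dict[str, Set[str]] = {
    "scheduler": {"name", "appointments"},
    "billing": {"name", "appointments", "diagnosis_code", "procedure_codes"},
    "clinician": {"name", "appointments", "diagnosis_code", "procedure_codes",
                  "progress_notes", "psychotherapy_notes"},
}


@dataclass
class AuditEntry:
    """One read attempt: who, as what role, on which client, and the outcome."""
    timestamp: str
    user: str
    role: str
    client_id: str
    granted: List[str]
    denied: List[str]


@dataclass
class RecordStore:
    records: Dict[str, Dict[str, object]]
    audit_log: List[AuditEntry] = field(default_factory=list)

    def read(self, user: str, role: str, client_id: str,
             fields: Iterable[str]) -> Dict[str, object]:
        """Return only the requested fields the role may see, and audit the attempt.

        Refused fields are logged rather than raising, so the audit trail
        captures attempts as well as successful reads.
        """
        record = self.records.get(client_id)
        if record is None:
            raise KeyError(f"unknown client id {client_id!r}")
        allowed = ROLE_FIELDS.get(role, set())
        requested = set(fields)
        granted = sorted(requested & allowed)
        denied = sorted(requested - allowed)
        self.audit_log.append(AuditEntry(
            timestamp=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, client_id=client_id,
            granted=granted, denied=denied))
        return {f: record[f] for f in granted if f in record}

    def accesses_to(self, client_id: str) -> List[AuditEntry]:
        """Every logged attempt against one client's record (for an accounting of access)."""
        return [e for e in self.audit_log if e.client_id == client_id]


def build_sample_store() -> RecordStore:
    # Constructed sample record; every value below is made up for the demo.
    return RecordStore(records={
        "client-001": {
            "name": "Sample Client",
            "appointments": ["2024-03-04 10:00", "2024-03-11 10:00"],
            "diagnosis_code": "F41.1",
            "procedure_codes": ["90837"],
            "progress_notes": "Reviewed coping strategies; no safety concerns.",
            "psychotherapy_notes": "Therapist's private process notes.",
        }
    })


if __name__ == "__main__":
    store = build_sample_store()
    # Front desk asks for scheduling data plus a note it may not see.
    print(store.read("front-desk", "scheduler", "client-001",
                     ["appointments", "progress_notes"]))
    # Billing gets only what a claim needs.
    print(store.read("biller", "billing", "client-001",
                     ["diagnosis_code", "procedure_codes", "psychotherapy_notes"]))
    for entry in store.accesses_to("client-001"):
        print(entry)
```

The point of logging refused fields is that a pattern of administrative accounts repeatedly requesting clinical notes is exactly what an access review should surface; a system that silently drops the request loses that signal. In a real deployment this mapping sits behind the individual user accounts and multi-factor authentication the list above calls for, and the audit entries are stored where the users they describe cannot edit them.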
When choosing a practice management platform, confidentiality and security features should be among your top evaluation criteria — not afterthoughts. Platforms like Galenie are built from the ground up with HIPAA and GDPR compliance, including encrypted storage, granular consent tracking, and audit logging.
Confidentiality When Using AI Tools in Therapy Practice
The integration of artificial intelligence into therapy practice management introduces a new category of confidentiality risk that the existing legal and ethical frameworks are still catching up with. Therapists using AI tools for documentation, transcription, note generation, or clinical decision support must evaluate how client PHI is handled at every stage.
The Core Confidentiality Question with AI
When a therapist uses an AI tool to process session recordings, generate clinical notes, or summarize client information, the client’s PHI is being transmitted to and processed by a third-party system. This raises several confidentiality concerns:
- Where is the data processed? Is the AI model running locally, on a dedicated server, or on a shared cloud infrastructure? Data processed on shared infrastructure may be accessible to the vendor’s engineers or, in some architectures, used to train future models.
- Is the data retained? Does the AI vendor store the input data (e.g., session recordings, transcripts) after processing? For how long? In what form? Is it aggregated with data from other users?
- Who has access? Can the vendor’s employees access the client data? Under what circumstances?
- Is there a BAA? If the AI tool processes PHI, it is a business associate under HIPAA and must sign a BAA. Many AI tools — particularly consumer-grade products like ChatGPT, Claude, or Gemini used through their standard interfaces — do not sign BAAs and are not appropriate for processing PHI.
Best Practices for AI and Confidentiality
- Only use AI tools that have signed a BAA with your practice. This is non-negotiable under HIPAA.
- Verify data handling practices. Read the vendor’s privacy policy and terms of service. Ask explicitly whether data is used for model training, whether it is retained after processing, and whether employees can access it.
- Obtain informed consent. Clients must be informed that AI tools are being used to process their clinical information and must consent to this use. The informed consent form should specify what AI tools are used, what data they process, and how the data is protected. Platforms that track consent granularly — allowing separate consent for audio recording, transcription, and AI summarization — provide the strongest compliance posture.
- Maintain human oversight. AI-generated notes, summaries, and clinical suggestions must be reviewed and verified by the therapist before being incorporated into the clinical record. The therapist, not the AI tool, is responsible for the accuracy and confidentiality of the record.
- Document AI use. The clinical record should reflect when AI tools were used in generating documentation, including which tool was used and what the therapist reviewed and approved.
For a deeper exploration of AI integration in therapy practice, see our guide on AI in therapy practice management.
How to Discuss Confidentiality with Clients During Intake
The confidentiality discussion at intake is not a formality to rush through before getting to the “real” clinical work. It is a clinical intervention that sets the tone for the entire therapeutic relationship. How a therapist explains confidentiality affects what the client will disclose, how safe they feel, and how they will respond if a confidentiality exception is ever triggered.
What to Cover
The intake confidentiality discussion should address:
- The general rule. Explain that everything discussed in therapy is confidential and will not be shared with anyone without the client’s written authorization — then explain the exceptions.
- Mandatory reporting obligations. Be specific: “I am required by law to report if I have reason to believe a child, elderly person, or dependent adult is being abused or neglected.”
- Duty to warn/protect. Be clear about what this means: “If I believe you pose an imminent danger to yourself or to another person, I may need to take steps to protect safety, which could include contacting emergency services or a potential victim.”
- Court-ordered disclosures. Explain the difference between subpoenas and court orders and what you will do if you receive either.
- Insurance disclosures. If the client is using insurance, explain what information the insurance company will receive: “Your insurance company will receive your diagnosis, dates of service, and procedure codes. They may request additional clinical information to authorize treatment.”
- Consultation. Many therapists consult with colleagues about clinical cases. Inform clients: “I may consult with other professionals about your care, but I will not use your name or identifying information unless you have given consent.”
- Digital communications. Explain how you communicate outside of sessions and what the security implications are.
- AI tools. If you use AI for documentation or other clinical functions, disclose this and obtain consent.
- Record keeping. Explain who has access to client records, how they are stored, and how long they are retained.
How to Deliver the Discussion
- Use plain language. Avoid legal jargon. “Mandatory reporter” means nothing to most clients. “I am legally required to report certain things” is clearer.
- Normalize it. Frame the discussion as something every therapist does, not as a warning sign: “Before we begin, I want to explain how I handle your privacy, because I want you to feel completely informed.”
- Invite questions. The client should have the opportunity to ask questions and express concerns.
- Provide it in writing. The confidentiality discussion should be documented in the informed consent form, which the client signs. But the written document supplements, rather than replaces, the verbal discussion.
- Revisit as needed. If a new confidentiality-relevant situation arises (e.g., the client begins couples therapy, a minor begins treatment, the therapist starts using a new AI tool), revisit the confidentiality discussion.
Using a well-designed intake form that includes a clear confidentiality section ensures that no element is missed and that the discussion is documented.
Documentation Practices That Protect Confidentiality
How you write and store clinical notes has direct implications for confidentiality. Notes that are overly detailed, carelessly stored, or poorly organized increase the risk that confidential information will be disclosed inappropriately.
Writing Notes with Confidentiality in Mind
- Document what is clinically necessary. Clinical notes should contain the information needed to support treatment planning, continuity of care, and clinical decision-making. They should not contain gratuitous detail about the client’s personal life, verbatim accounts of sensitive disclosures (unless clinically critical), or speculative interpretations.
- Use HIPAA psychotherapy notes for sensitive content. If you need to record process notes, countertransference reflections, or sensitive session content for your own clinical use, consider maintaining these as psychotherapy notes under HIPAA (45 CFR 164.501). Psychotherapy notes that are kept separate from the medical record receive enhanced protection under HIPAA and cannot be disclosed to insurance companies without separate, specific authorization.
- Be precise with language. Avoid vague or stigmatizing language. Document objective observations, clinical formulations, and treatment decisions. For guidance on writing clinical notes, see our guides on SOAP notes, DAP notes, and progress notes.
- De-identify when possible. When referencing third parties (family members, friends, colleagues of the client), use roles rather than names where possible (“client’s partner” rather than “John Smith”).
- Document confidentiality-related decisions. If you invoke an exception to confidentiality (e.g., a mandatory report), document the circumstances, your clinical reasoning, the actions you took, and the legal basis for the disclosure. This documentation protects you if the decision is later challenged.
Storing and Transmitting Records Securely
- Use encrypted storage. All electronic records containing PHI must be encrypted at rest and in transit.
- Limit physical records. If you maintain paper records, they must be stored in a locked cabinet in a secure location. Paper records should never be left on a desk, in a car, or in an unlocked office.
- Dispose of records properly. Paper records must be shredded (cross-cut, not strip-cut). Electronic records must be wiped using methods that prevent recovery.
- Transmit securely. Client records should never be sent via unencrypted email, fax to unverified numbers, or standard file-sharing services. Use secure transmission methods: encrypted email, secure client portals, or HIPAA-compliant file transfer services.
Record Retention
State laws specify minimum record retention periods, typically ranging from 5 to 10 years after termination of treatment (longer for minors, often until several years after the age of majority). Even after the retention period expires, records must be disposed of in a manner that protects confidentiality.
Confidentiality After Client Termination or Death
Confidentiality obligations do not end when therapy ends.
After Termination
When a client terminates therapy, the therapist’s confidentiality obligations continue for as long as the records exist. A former client’s records are still PHI, and all HIPAA, state law, and ethics code protections still apply. A therapist cannot disclose information about a former client any more than they can disclose information about a current client.
This is relevant in several practical contexts:
- Reference requests. If a former client asks you to speak with a new therapist, an employer, or an attorney, you need the client’s written authorization before making any disclosure.
- Clinical consultations. You can consult about a former client’s case in the same way you consult about a current client’s case — using de-identified information or with appropriate consent.
- Social encounters. If you encounter a former client in a social setting, the same principle applies: do not acknowledge the therapeutic relationship unless the client initiates it.
- Practice closure or transition. If you close your practice or retire, you must have a plan for the continued protection of client records. This includes notifying clients, providing access to records upon request, transferring records to a successor with appropriate authorization, and ensuring secure storage for the duration of the retention period.
After Client Death
The legal landscape for confidentiality after a client’s death varies by jurisdiction. Under HIPAA, PHI remains protected after death. The client’s “personal representative” — typically the executor or administrator of the estate — generally has the right to access the deceased client’s records. Some state laws impose additional protections, particularly for sensitive content like psychotherapy notes.
Clinically, therapists should consider the deceased client’s wishes (if known), the potential harm to surviving family members from disclosure, and the legal requirements of the jurisdiction. When in doubt, consult with a healthcare attorney before releasing records of a deceased client.
Common Confidentiality Mistakes Therapists Make
Even well-intentioned therapists make confidentiality errors. Awareness of the most common mistakes is the first step toward avoiding them.
1. Overreacting to Subpoenas
A subpoena is not a court order. Many therapists receive a subpoena from an attorney and immediately release their entire client file, believing they are legally required to comply. This is almost always wrong. The correct response is to notify the client, consult with an attorney if necessary, and not release records unless the client authorizes it or a court order compels it.
2. Discussing Clients in Identifiable Ways
Talking about clients in hallways, elevators, waiting rooms, or lunch rooms — even without using names — can violate confidentiality if the discussion includes enough detail for the client to be identified. This includes discussing cases with colleagues who are not involved in the client’s care and do not have a clinical need to know.
3. Inadequate Intake Discussions
Rushing through confidentiality during intake, or relying solely on the written consent form without a meaningful verbal discussion, leaves clients unprepared for situations where confidentiality limits apply. When a therapist later needs to file a mandatory report, a client who was not adequately informed feels blindsided and betrayed.
4. Using Non-Compliant Technology
Using standard email, consumer-grade video conferencing, standard SMS, or general-purpose AI tools (ChatGPT, etc.) for communications or processes that involve PHI is a HIPAA violation, regardless of how convenient it is. If the tool does not have a BAA, it should not touch PHI.
5. Failing to Secure the Physical Environment
Conversations about clients that can be overheard through thin office walls, client files visible on a computer screen when the therapist steps out, intake forms left on a reception desk — these physical security failures are just as much confidentiality breaches as digital ones.
6. Social Media Boundary Failures
Following clients on social media, responding to client reviews (even to say “thank you”), or posting identifiable case material are all confidentiality violations. Even a response to a negative review that references the therapeutic relationship or client information constitutes a breach.
7. Releasing Records Without Proper Authorization
Sending records to a client’s family member who calls and says the client “wanted them to have it,” or sending records in response to a verbal request, without a written, HIPAA-compliant authorization form, is a violation. Every release requires proper documentation.
8. Inadequate Safeguards for Shared Practice Spaces
Therapists in group practices or shared office spaces must ensure that appointment schedules are not visible to other therapists’ clients, that sound insulation is adequate, and that administrative staff understand confidentiality requirements. Shared printers, fax machines, and waiting rooms are all potential breach points.
Best Practices for Maintaining Confidentiality in Your Practice
The following practices, implemented systematically, create a confidentiality infrastructure that protects clients, satisfies legal requirements, and reduces your liability exposure.
Develop a Written Confidentiality Policy
Your practice should have a written confidentiality policy that covers:
- What information is considered confidential
- How confidential information is stored, transmitted, and disposed of
- Who has access to client information and under what circumstances
- How confidentiality exceptions are handled and documented
- Staff training requirements
- Breach notification procedures
This policy should be reviewed annually and updated when regulations, technology, or practice circumstances change.
Train All Staff
Every person in your practice who has access to PHI — including administrative staff, billing personnel, interns, and supervisees — must be trained on confidentiality requirements. Training should cover HIPAA basics, the practice’s confidentiality policy, handling of phone inquiries about clients, proper record storage and disposal, and the procedures for reporting potential breaches.
Conduct Regular Risk Assessments
HIPAA requires covered entities to conduct periodic risk assessments to identify potential vulnerabilities in the protection of PHI. Even if your practice is small, a structured review of your physical space, technology, procedures, and vendor relationships will help you identify and remediate risks before they become breaches.
Use HIPAA-Compliant Technology Throughout Your Workflow
Every technology tool that touches PHI needs a BAA and appropriate security features. This includes your EHR, scheduling software, billing system, email provider, video conferencing platform, cloud storage, and any AI tools used in clinical workflows. A practice management platform designed specifically for therapists, like Galenie, integrates these functions with built-in compliance features, reducing the risk of using disparate tools with inconsistent security postures.
Implement Strong Authentication and Access Controls
- Require strong, unique passwords for all systems containing PHI.
- Enable multi-factor authentication wherever available.
- Use role-based access to ensure that each person in the practice has access only to the information they need.
- Configure automatic session timeouts on all devices.
- Implement device encryption on all laptops, tablets, and phones that may contain or access PHI.
Separate Psychotherapy Notes
If you maintain psychotherapy notes (process notes, countertransference observations, sensitive session content), keep them in a separate, secure location from the rest of the clinical record. Under HIPAA, psychotherapy notes maintained separately receive additional protections and cannot be disclosed in most circumstances without specific written authorization.
Plan for Confidentiality Emergencies
Have a documented protocol for situations requiring emergency disclosure:
- Imminent danger to self or others. Know your state’s duty-to-warn requirements and have the contact information for local emergency services, crisis teams, and relevant law enforcement readily accessible.
- Mandatory reporting. Know the reporting procedures and contact information for your state’s child protective services, adult protective services, and law enforcement.
- Data breaches. Have a breach notification protocol that complies with HIPAA requirements, including templates for notification letters and contact information for the HHS Office for Civil Rights.
Obtain Comprehensive Informed Consent
Your informed consent document and intake process should cover all confidentiality topics discussed in this guide. Clients who are thoroughly informed at the outset are less likely to feel betrayed when confidentiality exceptions arise and more likely to participate fully in therapy knowing the boundaries of privacy.
For a detailed guide to building your informed consent process, see our informed consent guide. For a comprehensive overview of the intake workflow, see our guide to therapy intake forms.
Document Everything
Every confidentiality-relevant decision should be documented in the clinical record:
- That the confidentiality discussion occurred and what was covered
- That the client signed the informed consent
- Any confidentiality-related questions the client raised
- Any mandatory reports filed, including the basis for the report and the reporting steps taken
- Any duty-to-warn actions taken, including the clinical reasoning
- Any records released, to whom, the authorization on which the release was based, and what was disclosed
- Any breaches or suspected breaches, the response taken, and the outcome
This documentation creates an evidentiary record that protects you if your decisions are ever scrutinized by a licensing board, court, or malpractice insurer.
Stay Current
Confidentiality law and ethics are not static. HIPAA regulations are periodically updated. State laws change. Ethics codes are revised. Case law evolves. New technologies create new risks. Commit to ongoing education through continuing education courses, consultation with healthcare attorneys, professional association updates, and peer consultation groups.
Therapists who treat confidentiality as a living, evolving practice obligation — rather than a form signed once and forgotten — provide safer, more ethical, and ultimately more effective treatment.
Conclusion
Confidentiality in therapy is simultaneously the simplest and most complex of clinical obligations. The principle is simple: protect your client’s information. The execution is complex: navigate overlapping federal and state laws, communicate nuanced exceptions clearly, adapt to digital technologies, manage special populations with competing interests, and make real-time decisions under clinical pressure.
The therapists who handle confidentiality well are not the ones who memorize every statute. They are the ones who have built systems — informed consent processes, documentation habits, technology choices, staff training protocols, and consultation relationships — that make good confidentiality practice automatic. They discuss confidentiality as a clinical conversation, not a compliance checklist. They prepare for exceptions before they arise. And they recognize that protecting a client’s privacy is not separate from the therapeutic work — it is part of the therapeutic work.
If you are building a private practice, designing your confidentiality infrastructure from the beginning is far easier than retrofitting it after a breach. If you are an established practitioner, an honest audit of your confidentiality practices — from your intake forms to your technology stack to your consultation habits — is one of the highest-value investments you can make in the quality and safety of your clinical work.
The clients who walk through your door are trusting you with their most vulnerable selves. That trust deserves systems worthy of it.