Paubox blog: HIPAA compliant email made easy

What are the confidentiality rules in therapy?

Written by Sara Uzer | June 03, 2023

Maintaining confidentiality is an essential component of the therapist-patient relationship. While specific requirements vary by state, therapists must adhere to certain ethical and legal guidelines. 

 

Ethical responsibilities

The American Psychological Association (APA) Ethics Code states that mental health professionals have a "primary obligation to take reasonable precautions to protect confidential information obtained through or stored in any medium."

This includes staying transparent with patients by openly discussing privacy policies and how their information will be managed. In addition, therapists need to obtain permission before recording patients.  

APA also notes that therapists who provide services through any digital platform must communicate the potential privacy risks and limits of confidentiality. 

All of these conversations should happen at the start of the relationship and continue as needed. 

To reduce the risk of violations, APA advises therapists to "include in written and oral reports and consultations only information that pertains to the purpose for which the communication is made."

When it comes to disclosing confidential information, this is typically only allowed with proper consent from the patient or another legally authorized person on their behalf. 

Unless authorization has been obtained, therapists will not discuss confidential information with colleagues that could lead to the identification of a patient. 

Without patient or legal authorization, therapists will also not disclose confidential information about patients in their writings, lectures, or public media unless their identity has been sufficiently disguised. 

 

HIPAA guidelines

In addition to the ethical obligations around confidentiality, therapists and other mental health professionals are considered covered entities. Therefore, they must comply with the HIPAA Privacy Rule

This requires them to implement the necessary safeguards to secure protected health information (PHI) in all forms. It also places limits on how the data can be used and disclosed.  

This law aims to protect patient privacy while maintaining efficient operations. 

Under the HIPAA Privacy Rule, therapists must receive the patient's written authorization in order to use or disclose PHI.

The Privacy Rule also has extra protections in place for psychotherapy notes. These are the personal notes that a therapist takes about a session.

Since psychotherapy notes often contain highly confidential information, they must be stored separately from the patient's medical record. They can only be disclosed if a patient signs a detailed authorization form. 

Therapists also need to follow the HIPAA Security Rule, which requires them to maintain the confidentiality of all electronic protected health information (e-PHI) and take appropriate measures to protect this data from potential security threats. 

This can be accomplished by using secure storage and communication channels, including HIPAA compliant email and note-taking software.

Telehealth sessions should always be conducted through encrypted channels on a secure network. Certain platforms may also need to be further configured to achieve full HIPAA compliance.

 

Key exceptions

According to the APA, there are certain instances where therapists may need to break confidentiality. These include the need to provide necessary professional services, receive appropriate consultations, or collect payment for services.

Breaking confidentiality is also permitted if a therapist receives a court order or in cases where a patient presents a danger to themselves or others. 

Similarly, the HIPAA Privacy Rule notes that therapists can release confidential information without authorization when required by law, to fulfill a public health authority request, or to prevent serious threats to the individual or public. 

However, specific reporting requirements can vary by state. Therefore, therapists must be fully knowledgeable about the particular guidelines for the location where they work. 

 

Conclusion

All mental health professionals have an ethical and legal responsibility to maintain patient confidentiality. 

Therapists can take extra steps to protect sensitive information by discussing privacy policies, limiting identifying information in personal notes, and using HIPAA compliant platforms.