Writing HIPAA Compliant Psychotherapy Notes: 10 Tips & Apps

occupational therapy soap note

Psychologists, therapists, and psychiatrists always have privacy in mind when treating clients. Ensuring confidentiality, locking paper notes, and sealing correspondence are part of delivering professional care while maintaining client trust and engagement.

If you’re a mental health specialist, this article will help you write HIPAA-compliant psychotherapy notes more effectively and efficiently, so you can deliver a higher quality of care.

HIPAA Compliant Notes: What Does It Mean?

In traditional and e-mental health, clients’ privacy is protected by the Health Insurance Portability and Accountability Act (HIPAA).

HIPAA regulations, which became legal under the 1996 Kassebaum-Kennedy bill, dictate standards for therapists and professionals relating to:[1]

  1. The security of stored mental healthcare information
  2. Electronic claims transmission, and
  3. The privacy of patient mental health records.

Psychotherapy notes represent the most confidential healthcare information that a professional therapist creates and stores. They are classified as Protected Health Information (PHI) that HIPAA was designed to cover.

HIPAA-compliant notes are thus psychotherapy documents that are securely stored, sent, and protected in accordance with HIPAA legislation.

7 Tips For Writing HIPAA Compliant Notes

HIPAA-compliant notes are psychotherapy documents that are securely stored, sent, and protected in accordance with HIPAA legislation.

HIPAA covers a wide variety of national standards for e-psychology practitioners, but the Privacy Rule is particularly important when it comes to psychotherapy notes.

Officially, the HIPAA Privacy Rule requires “appropriate safeguards to protect the privacy of personal health information, and sets limits and conditions on the uses and disclosures that may be made of such information without patient authorization.”[2]

It dictates that therapy notes, and the observations they contain, can solely be used for treatment, payment, and healthcare operations, with a few specific exceptions. When writing and storing notes, this means therapists must know a few things and adhere to certain criteria.


  • First, under HIPAA, any mental health records that “document or analyze the contents of a counseling session and which are stored separately from the rest of the medical record” are considered psychotherapy notes. Unlike therapy progress notes, prescriptions, session times, treatments delivered, and treatment plans, they can only be released when a client signs a particular form.[3]
  • To remain HIPAA-compliant, this means practitioners cannot share psychotherapy notes with their clients, any of their other healthcare providers, or any caregivers without the appropriate release consent.


As mentioned, the HIPAA Act also includes a Security Rule, which governs how electronic information can be sent. Drawing on these guidelines, keeping psychotherapy notes secure and confidential means therapists must:[4]

  • Hold responsibility for maintaining and storing therapy notes. In practice, this means taking timely therapy notes and ensuring practice staff is trained in the relevant confidentiality requirements. Related to this, psychotherapy notes must be up-to-date, accurate, and relevant records of the patient’s therapy and sessions, demonstrating adequate steps to take to protect a patient’s confidentiality.
  • Inform clients of how their therapy notes will be stored, and to some extent, what they will cover. This should be detailed in an Informed Consent Form.
  • Take appropriate steps to protect a client’s notes from unauthorized access, as well as destruction or damage. Applying this guideline means being particularly cautious about the digital medium they are stored on, as well as any password protections they might require.
  • Stay up to date with HIPAA, PHI, and other mental health confidentiality laws. This means knowing how long to store psychotherapy documents and how to dispose of electronic therapy notes.
  • Be aware of how their EHR or practice management software stores therapy notes.

Staying HIPAA-compliant in the increasingly digital world of mental healthcare can sound overwhelming. Fortunately, many of these guidelines are easy to adhere to with best practices and the right clinical software:

Screenshot of Quenza client app login screen showing privacy features
Quenza is a HIPAA-compliant Therapy Notes App that combines pin codes and AES-256 encryption, among other safeguards, to secure patient data and interactions.

With HIPAA-compliant psychotherapy software like Quenza (pictured), many of the technological aspects of privacy and security are taken care of automatically.

3 Apps To Help You Write Psychotherapy Notes

Behavioral health software is specially designed to help blended care practitioners, so many private practice systems are built with HIPAA-compliance in mind.

Behavioral health software is specially designed to help blended care practitioners such as therapists and telecounselors, so almost all sector-specific private practice systems are built with HIPAA compliance in mind.

Here are some of the best HIPAA-compliant notes apps you can use to efficiently create and keep excellent therapy documents.



ICANotes logo green grey white smallHIPAA compliance is only one advantage of mental health software. When it comes to extensive features and capabilities, ICANotes is one of the most powerful EHRs for clinicians, psychiatrists, therapists, psychologists, and other e-mental health providers.

It features extensive treatment planning templates, Therapy Progress Notes templates – including HIPAA-compliant Psychotherapy notes – and customizable formats from SOAP layouts. Psychotherapy records can all be e-signed, locked, and stored securely on a cloud-based platform.

Price$6+ monthly
Good ForPsychiatrists, Psychologists, E-health Providers, Telemedicine
More InfoICANotes,



Clinicsource logo blue gray and whiteClinicSource provides easy-to-use BIRP and SOAP templates for your notes and stores PHI securely. It even integrates your confidential session notes into a client overview containing admin information such as appointment data. Each user’s access to the system is password protected for HIPAA compliance.

Its library includes Psychology Notes templates in formats for Counselors, Speech Therapists, Massage and Physical Therapists, and Social Workers. For easier treatment planning, ClinicSource includes discipline-specific dropdown menus and diagnostic codes.

Price$59+ monthly
Good ForPsychologists, Mental Health Coaches, e-Counselors, Physical Therapy, Speech Therapy, Occupational Therapy
More InfoClinicSource


Quenza app logo navy blue whiteQuenza is designed with privacy in mind, meaning that it’s both GDPR and HIPAA-compliant for therapists, counselors, and other mental healthcare practitioners. As well as being a user-friendly online tool for custom forms, it can be used to create fully bespoke interventions and treatment plans from scratch or templates.

The system comes with secure, private Client Portals (free patient Android/Apple apps), and real-time results tracking that gives insights into how patients are progressing with treatments and acts as a HIPAA-compliant system for storing assessment or activity results. Quenza comes with a $1, 30-day trial that practitioners can use to explore all its features and tools.

Price$1+ monthly
Good ForPsychiatrists, Psychologists, Therapists, E-health providers, Telemedicine, Mental Health Apps
More InfoQuenza

A Few Notes On Privacy Considerations

It is important to keep in mind that HIPAA-protected psychotherapy notes are just one part of offering legally compliant telepsychology services.

In the age of telehealth and e-therapy, there are many ways client information can be vulnerable to – and thus secured against – unauthorized access. It’s why selecting HIPAA-compliant therapy notes software is by far the most effective and cautious way to safeguard PHI, including session notes and other PHI:

Screenshot of practitioner logging into a psychotherapy note with hipaa compliant app quenza

Reputable blended care software solutions, such as Quenza (pictured), will thus come with inbuilt layers of encryption to secure confidential patient information against unauthorized access. As noted, this privacy and security apply both to patient information, and to therapist-client interactions.

Some further pointers to help blended care practitioners protect sensitive digital information include:

  1. Using password-protected screensavers and user logins
  2. Choosing HIPAA-protected videoconferencing technology
  3. Ensuring client correspondence takes place over encrypted and secure channels, such as HIPAA-compliant one-to-one messaging or in-app live chats
  4. Using only secured WiFi connections for clinical practice
  5. Training other providers and personnel in your office on the required security protocols, and
  6. Running anti-malware software on your practice computers.

As a final note on HIPAA compliance, be aware that mental health practitioners are required to document the steps they have taken to secure their PHI and patient confidentiality.

Keeping a one-pager to document your actions, along with any signed contracts you have with software providers, will make life much easier for you if you’re ever asked to evidence your privacy and security measures.

Final Thoughts

Keeping secure, confidential notes is far more than just a legal requirement. As a psychologist, it shows your commitment to delivering high-quality service and the best possible treatment for your client.

You’re creating peace of mind, and trust and building client engagement with every step you take to ensure HIPAA compliance in all aspects of your professional approach. Why not help other practitioners do the same by leaving any tips or software recommendations you might have?


About the author

Catherine specializes in Organizational and Positive Psychology, helping entrepreneurs, clinical psychologists and OD specialists grow their businesses by simplifying their digital journeys.

Leave a reply

Your email address will not be published.