Client Confidentiality in Mental Health: Best Practices for Clinicians
A client decides what to disclose based on whether they trust the information will stay in the room. Returns to old behaviour, intrusive thoughts, things they’ve never said out loud: any of it gets edited or omitted when the client is not certain about how it will be handled.
That calculation is the reason client confidentiality in mental health is the foundation of therapeutic work. A client who says “things have been fine” instead of naming a relapse is making a safety decision, not a clinical one. Legal requirements follow from that.
Maintaining this standard has become harder in practice. Teletherapy means session content travels across networks the practitioner doesn’t control. Digital records sit on devices that get lost or shared. AI documentation tools route audio through third-party APIs that may train on it. Multi-provider care means more hands touch the same record.
This guide covers the practical steps mental health professionals need to protect client information across every part of their workflow: verbal, written, digital, and AI-assisted.
Technical review by Dr. Sofia Reyes, clinical psychologist with a forensic and healthcare-compliance specialty. Citations to HIPAA, the Privacy Act 1988, APA, ACA, and APS code provisions were verified against current source material as of May 2026.
Why client confidentiality in mental health matters beyond compliance
Most practitioners think about confidentiality as a legal obligation first. The legal framing is accurate, but it leads with the wrong concern. A client who says “I’ve been having thoughts about drinking again” instead of “things have been fine” has first decided that the room can be trusted; the disclosure follows from that judgement. Without that trust, the clinical work often doesn’t happen either.
There’s a self-protective case too. An accidental breach can trigger a licensing board complaint, a HIPAA investigation, and a civil claim in the same week. Documentation failures come up repeatedly in disciplinary proceedings as the primary issue, not a side detail.
Legal and ethical foundations
HIPAA and privacy legislation
In the U.S., HIPAA is the primary legal framework governing client health information. It applies to covered entities, which includes most therapy practices that bill insurers electronically, and to the business associates that handle data on their behalf. The Privacy Rule sets the rules for using and disclosing protected health information (PHI) in any form, including the minimum-necessary standard; the Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI) and restricts access to authorised personnel.
In Australia, the Privacy Act 1988 and the Australian Privacy Principles (APPs) govern how personal and health information is handled. Other jurisdictions have their own frameworks; the key principle across all of them is the same: client data must be collected, stored, and shared with appropriate protections.
Ethical codes
Professional bodies like the APA, ACA, and APS treat client privacy as a core ethical obligation that goes beyond legal minimums. They frame it as a moral responsibility to the client, not just a regulatory requirement.
Limits to confidentiality
These protections are not absolute. Practitioners must be familiar with the exceptions in their jurisdiction:
- Mandatory reporting: suspected child abuse, elder abuse, or vulnerable person harm
- Duty to warn or protect: credible threats of serious harm to an identifiable third party (the scope of this duty, and whether it is mandatory or permissive, varies significantly by state and country)
- Court orders: legally compelled disclosure
- Client consent: voluntary, informed agreement to share specific information
These limits should be explained to clients during intake, documented in writing, and revisited when circumstances change.
Securing verbal and written communications
In the room
Protecting therapeutic privacy starts with the physical environment. Practical steps include:
- Conduct sessions in soundproofed or private spaces
- Avoid discussing client details in hallways, break rooms, or shared offices
- Use white noise machines near doors if sound carries
- Never leave client files visible on desks or screens
Progress notes (SOAP, DAP, BIRP)
Progress notes are both a clinical tool and a privacy risk. Under HIPAA, psychotherapy notes that a clinician keeps separately from the rest of the record get extra protection: most disclosures require the client’s specific authorisation, and they sit outside the client’s ordinary right of access. Process notes mixed into the general record get no such protection, so if you keep them at all, keep them separate. Best practices:
- Write concisely. Capture clinical meaning, not verbatim content. The less unnecessary detail in the record, the less exposure if it’s accessed inappropriately.
- Restrict access. Only authorised clinicians should view clinical notes. Admin staff handling billing should not need access to session content.
- Transmit securely. If notes need to be shared for referrals or supervision, use encrypted channels. Never send clinical content via standard email or messaging apps.
- Dispose properly. Shred physical notes. For digital files, “move to trash” only hides the file; use the platform’s secure-delete or wipe facility. Be aware that overwrite-based tools cannot guarantee erasure on SSDs, cloud storage, or backups, so the reliable control is to keep records in encrypted storage from the start (any remnant is then unreadable without the key) and, for vendor-hosted data, to get the vendor’s written confirmation of deletion.
For structured note formats and templates, see our guide on progress note best practices.
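The “restrict access” rule above, and the minimum-necessary principle that runs through the consent section later, come down to one check a records system has to make on every read: which sections of this client’s record is this person entitled to see right now? The following is an added example written for this guide, not Emosapien code or any vendor’s implementation. The roles, record sections, break-glass rule, and the sample record are assumptions chosen for illustration. It shows billing staff receiving demographics and billing fields with no clinical content, a treating clinician receiving the full record, a covering clinician getting clinical content only by stating a reason (which is logged with a distinct outcome so it stands out in review), and a supervisor with no assignment being refused entirely.

```python
"""Field-level access control for a clinical record.

Added example for this guide, not Emosapien code. The roles, record sections,
break-glass rule and sample record are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Sections of a record each role is permitted to see at all ("minimum necessary").
ROLE_SECTIONS = {
    "clinician": {"demographics", "billing", "clinical"},
    "supervisor": {"clinical"},          # and only for clients they supervise
    "billing": {"demographics", "billing"},
    "reception": {"demographics"},
}

# Roles whose clinical access is further limited to clients assigned to them.
ASSIGNMENT_GATED = {"clinician", "supervisor"}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    assigned_clients: frozenset = frozenset()


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    client_id: str
    sections: tuple
    outcome: str      # granted | break-glass | denied
    reason: str = ""


def view_record(user: User, record: dict, audit: list, reason: str = "") -> dict:
    """Return the subset of `record` the user may see, appending an audit event.

    Clinical content goes only to roles allowed to see it, and only for clients
    the user is assigned to. A clinician who is not assigned may still open the
    clinical section by giving a reason (break-glass); that access is granted
    but recorded with a distinct outcome so log review can follow it up.
    """
    client_id = record["client_id"]
    allowed = set(ROLE_SECTIONS.get(user.role, set()))
    outcome = "granted"
    if ("clinical" in allowed and user.role in ASSIGNMENT_GATED
            and client_id not in user.assigned_clients):
        if user.role == "clinician" and reason.strip():
            outcome = "break-glass"
        else:
            allowed.discard("clinical")
    visible = {k: v for k, v in record.items() if k in allowed}
    if not visible:
        outcome = "denied"
    audit.append(AuditEvent(
        ts=datetime.now(timezone.utc).isoformat(),
        user_id=user.user_id, client_id=client_id,
        sections=tuple(sorted(visible)), outcome=outcome, reason=reason,
    ))
    if outcome == "denied":
        raise PermissionError(f"{user.user_id} ({user.role}) may not view {client_id}")
    return {"client_id": client_id, **visible}


# Constructed sample record; not a real client.
SAMPLE_RECORD = {
    "client_id": "C-1042",
    "demographics": {"name": "A. Example", "dob": "1990-01-01"},
    "billing": {"insurer": "ExampleCare", "service_code": "90837"},
    "clinical": {"note": "Session 7: client reports sleep improving, no cravings this week."},
}

if __name__ == "__main__":
    log: list = []
    treating = User("dr.lee", "clinician", frozenset({"C-1042"}))
    print(sorted(view_record(treating, SAMPLE_RECORD, log)))
    print(sorted(view_record(User("bill1", "billing"), SAMPLE_RECORD, log)))
    covering = User("dr.kim", "clinician")
    print(sorted(view_record(covering, SAMPLE_RECORD, log, reason="on-call cover, Dr Lee away")))
    try:
        view_record(User("sup1", "supervisor"), SAMPLE_RECORD, log)
    except PermissionError as e:
        print("denied:", e)
    for ev in log:
        print(ev.user_id, ev.outcome, ev.sections)
```

The point of writing the denial into the audit log, rather than just raising, is that refused attempts are often the earliest signal of a problem; a billing account that keeps trying to open clinical sections is worth a conversation before it becomes a breach.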
Digital privacy and teletherapy
The problem isn’t the video platform. It’s everything around it. You can sign a BAA with your video provider and still have a serious breach if you’re logging into sessions from a shared device, reusing passwords across accounts, or leaving client notes open in a browser tab. A clinician we spoke with had switched to a well-regarded AI transcription tool after seeing it recommended in a clinician Facebook group, then discovered months later that the vendor’s terms permitted training on uploaded audio and no BAA had ever been signed. Notifying clients, documenting the incident, and rewriting consent policies took the better part of a month. The tool had been free.
Choosing a teletherapy platform
Not all video platforms are appropriate for clinical use. Requirements:
- HIPAA-compliant (or equivalent for your jurisdiction) with a signed Business Associate Agreement
- Encryption of video and audio in transit; end-to-end encryption is ideal, but it is incompatible with vendor-side recording or transcription, so confirm which one the vendor actually provides rather than relying on the marketing term
- No recording by default: recording should require explicit opt-in
- Access controls: only the clinician and client can join the session
Consumer tools like standard Zoom (non-healthcare), FaceTime, or WhatsApp do not meet these requirements in most jurisdictions. Some of them are end-to-end encrypted, but the vendor offers no BAA for the consumer product, and the BAA is the requirement that encryption alone does not satisfy.
Securing devices and networks
- Use strong, unique passwords on all devices used for client work
- Enable multi-factor authentication on clinical platforms
- Keep operating systems and applications updated
- Avoid public Wi-Fi for clinical work; use a VPN if needed
- Log out of clinical systems after each use
- Turn on full-disk encryption (FileVault, BitLocker, or the phone’s built-in encryption) on every device that touches client data; under HIPAA, a lost or stolen device whose contents were encrypted to the HHS-recognised standard is generally not a reportable breach, whereas an unencrypted one is
Client-side security
Some risks sit on the client’s side of the connection. Cover these during intake:
- Using a private space for video sessions (not a shared living room or car in a parking lot)
- Using headphones to prevent others from hearing the session
- Not recording sessions without mutual agreement
- Securing their own devices with passcodes
Privacy policies and informed consent
Writing a clear privacy policy
Your privacy policy should answer, in plain language:
- What information do you collect?
- How is it stored and protected?
- Who can access it?
- Under what circumstances might it be shared?
- How long is it retained?
- What are the client’s rights regarding their data?
Avoid legal jargon. A policy that clients can’t understand doesn’t serve its purpose.
Informed consent for third-party sharing
Before sharing any client information (with a GP, psychiatrist, insurer, or family member), obtain explicit, documented consent. The consent should specify:
- What information will be shared
- With whom
- For what purpose
- For how long the consent is valid
Clients should know they can revoke consent at any time. Even when sharing is legally permitted (e.g., for insurance claims), best practice is to share the minimum necessary information.
AI tools in clinical practice
Session transcription tools, AI-assisted note generators, and between-session check-in platforms are now common in therapy practices. These tools handle the same protected health information as clinical notes, but most consumer AI platforms weren’t built for clinical accountability. Many lack a Business Associate Agreement, offer no data retention guarantees, and actively use client-derived input to train future model versions.
Tools designed specifically for therapy practice, like Emosapien’s AI-assisted documentation features and the dedicated workflow for HIPAA-compliant therapy notes, are built with BAA compliance, encrypted storage, and no model training on client data. Those three are non-negotiable for any AI tool handling protected health information.
Key questions to ask any AI vendor
Before adopting an AI tool for your practice, clarify:
- Does the vendor sign a BAA? Without one, sending ePHI to the vendor is itself a HIPAA violation, whether or not anything ever leaks.
- Is data encrypted in transit and at rest? Look for TLS 1.2+ and AES-256.
- Does the vendor train models on client data? This should be a hard no. Confirm in writing.
- Where is data stored? Know the jurisdiction and whether data crosses borders.
- Can you delete client data on request? GDPR and some state laws require this capability. Note that your own record-retention obligations under HIPAA and state law still apply, so the requirement is that the vendor deletes when you instruct it to (for example at contract end, or for data it held only to generate a draft), not that records vanish on a client’s request alone.
- Are there audit trails? You need to know who accessed what and when.
AI-specific risks
- Model hallucination. AI-generated notes may contain inaccuracies. Always review and edit before finalising.
- Data leakage. Some AI platforms send data to third-party APIs. Confirm the full data flow.
- Over-reliance. AI drafts notes, but clinical judgment stays with you. Never auto-submit AI-generated documentation without review.
For a deeper dive into HIPAA and AI, see our guide on navigating HIPAA regulations for AI therapy.
What to do when a confidentiality breach occurs
Once a breach is discovered, the HIPAA 60-day clock starts running and so does the window in which an honest, contemporaneous account of what happened is still possible. A practice with a written response protocol can spend that window executing it. A practice without one spends it arguing about who saw what and when. The triggering event might be a stolen unencrypted laptop, a misconfigured cloud storage folder shared with the wrong people, or an AI tool that turned out not to hold a BAA at all.
When a breach is suspected or confirmed, the sequence is consistent regardless of jurisdiction:
- Document immediately, and preserve evidence. Note the date, what was accessed or disclosed, and by whom. Do this before memory fades or accounts diverge. Contain the problem (revoke the credential, cut the vendor’s access, recall the misdirected message), but do not wipe the device or delete the logs you will need to establish the scope.
- Determine notification obligations. Under HIPAA, covered entities must notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach; the clock starts when the breach is discovered or should reasonably have been discovered, not when the investigation finishes. In Australia, the Notifiable Data Breaches scheme requires notifying the OAIC and affected individuals when a breach is likely to result in “serious harm”, with the assessment of a suspected breach completed within 30 days.
- Notify the relevant regulatory body. In the U.S., breaches affecting 500 or more individuals must be reported to the HHS Office for Civil Rights within the same 60-day window (and to prominent media outlets serving the affected state); smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered. In Australia, report to the Office of the Australian Information Commissioner (OAIC).
- Notify affected clients in plain language. Explain what happened, what information was involved, what steps you’ve taken, and what clients can do to protect themselves.
- Conduct a root-cause review. What failed? What changes prevent recurrence?
Confidentiality in group, couples, and family therapy
Privacy protections shift in multi-client settings, and the obligations become more complex when multiple people share the clinical space.
Group therapy
In a group, you as the facilitator hold standard confidentiality obligations, but co-participants do not. Make this explicit during intake: what’s shared in the group is expected to stay in the group, but you cannot legally enforce that obligation on other members. Document that you’ve set and explained this norm.
Couples and family therapy
Establish at the outset whose records are whose. Is this couples therapy (one record for the dyad) or concurrent individual therapy with shared sessions (separate records)? If a couple separates mid-treatment, who has access to what? Answering these questions before they become contentious is far easier than resolving them under pressure.
Minor clients
Minor clients add a further layer of complexity. Under HIPAA, parents and guardians generally have the right to access their minor child’s health records, but many states carve out exceptions for minors seeking treatment for sensitive issues including mental health, substance use, and reproductive health. A teenager who believes their sessions are confidential may be wrong depending on their age and jurisdiction. Know your state or territory’s specific rules, document your policy clearly, and explain the limits to both the young person and their parent or guardian during intake.
Building a Confidentiality Culture in Your Practice
The HIPAA-compliant platform and the well-written privacy policy only do their job if staff actually use them. A clinician who drafts progress notes using a general-purpose AI tool, sends session summaries over personal email, or discusses a client in a shared hallway has created a breach.
The risks hardest to address are the ones embedded in day-to-day habit: a conversation about a client carried into the kitchen in a shared office suite, a supervision group where identifying details slip in without anyone noticing, a well-meaning colleague asking “how’s the client you mentioned last week?” in a corridor. These are the scenarios that show up in licensing board complaints.
Supervision and peer consultation deserve particular attention. Sharing clinical material in supervision is both necessary and appropriate, and it still counts as disclosing protected health information. Standard practice is to de-identify cases before discussing them, confirm your supervisor operates under equivalent privacy obligations, and check whether any video or transcription tool used in supervision holds a BAA. If it doesn’t, that’s a gap worth closing before your next session.
What training should cover
- How client data flows through your practice: intake form to notes to storage to sharing
- The specific risks that come with shared office spaces and co-tenancy arrangements
- How to de-identify client information in supervision and peer consultation
- How to recognise a potential breach and what to do in the first hour
- Which AI tools are approved for use in the practice and why others aren’t
Keeping it from slipping
Don’t save data privacy for the annual compliance training. Make it a standing agenda item in team meetings and use near-misses as low-stakes teaching opportunities. When a colleague mentions a client by name in a shared hallway, address it directly and without embarrassment. That’s how norms get reinforced. When your practice adopts a new tool, run a five-minute privacy check before it goes live, not six months after.
A practical privacy checklist
Use this as a periodic review for your practice:
- Privacy policy is current, clear, and accessible to clients
- Informed consent covers data collection, storage, sharing, and AI use
- Disclosure limits are explained during intake and documented
- Progress notes are concise, access-restricted, and securely stored
- Teletherapy platform is compliant with a signed BAA
- Devices are password-protected with MFA enabled
- AI tools have confirmed BAA, encryption, and no model training on client data
- Staff training is conducted at least quarterly
- Access logs are reviewed periodically
- Outdated records are disposed of securely
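“Access logs are reviewed periodically” and the vendor question about audit trails both assume someone knows what to look for in the log. The following is an added example written for this guide, not Emosapien code or any platform’s export format. The line format, the care-team table, the business-hours window (expressed in UTC), the bulk-read threshold, and the sample log lines are all assumptions constructed for illustration; adapt the parser to whatever your system actually exports. It flags the patterns that most often turn up in a breach review: clinical content opened by someone not on the client’s care team, activity from an account that should have been disabled, clinical reads in the middle of the night, one person sweeping through many clients’ notes in a short window, and log lines the parser could not read (a gap in the log is itself a finding).

```python
"""Review of clinical-record access logs for patterns that warrant follow-up.

Added example for this guide, not Emosapien code. The log line format,
care-team table, business-hours window and thresholds are assumptions made
for illustration; adapt them to what your platform actually exports.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"action=(?P<action>\S+) client=(?P<client>\S+) section=(?P<section>\S+)$"
)

# Constructed sample data; no real clients, staff or log output.
CARE_TEAM = {"C-1042": {"dr.lee"}, "C-2077": {"dr.lee", "dr.kim"}, "C-3001": {"dr.kim"}}
TERMINATED_USERS = {"intern.old"}
SAMPLE_LOG = """\
2026-05-04T09:05:12Z user=dr.lee action=read client=C-1042 section=clinical
2026-05-04T09:07:44Z user=bill1 action=read client=C-1042 section=billing
2026-05-04T02:13:07Z user=dr.kim action=read client=C-1042 section=clinical
2026-05-04T14:20:01Z user=intern.old action=read client=C-3001 section=clinical
2026-05-04T15:00:03Z user=reception1 action=read client=C-2077 section=clinical
2026-05-04T16:00:00Z user=dr.kim action=read client=C-2077 section=clinical
2026-05-04T16:00:05Z user=dr.kim action=read client=C-3001 section=clinical
2026-05-04T16:00:09Z user=dr.kim action=read client=C-9999 section=clinical
this line was mangled by a broken export job
"""


def parse_line(line: str):
    """Return the event as a dict, or None if the line does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def review_access_log(text, care_team, terminated, business_hours=(7, 20),
                      bulk_threshold=3, window=timedelta(minutes=60)):
    """Scan log lines and return a list of findings, one dict per rule hit.

    Rules: clinical content read by someone not on the client's care team
    (unknown clients count as off-team); any activity from a terminated
    account; clinical reads outside business hours; one user reading
    `bulk_threshold` or more distinct clients' clinical sections within
    `window`; and lines the parser could not read.
    """
    findings = []
    clinical_reads = defaultdict(list)   # user -> [(ts, client), ...]
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        ev = parse_line(line)
        if ev is None:
            findings.append({"rule": "unparsed_line", "line": lineno})
            continue
        user, client, ts = ev["user"], ev["client"], ev["ts"]
        if user in terminated:
            findings.append({"rule": "terminated_account", "user": user, "client": client, "ts": ts})
        if ev["section"] != "clinical":
            continue
        if user not in care_team.get(client, set()):
            findings.append({"rule": "off_care_team", "user": user, "client": client, "ts": ts})
        if not business_hours[0] <= ts.hour < business_hours[1]:
            findings.append({"rule": "after_hours", "user": user, "client": client, "ts": ts})
        clinical_reads[user].append((ts, client))
    # Bulk-read check: sliding window over each user's clinical reads, flagged once per user.
    for user, reads in clinical_reads.items():
        reads.sort()
        for i, (ts, _) in enumerate(reads):
            recent = {c for t, c in reads[: i + 1] if ts - t <= window}
            if len(recent) >= bulk_threshold:
                findings.append({"rule": "bulk_read", "user": user, "clients": sorted(recent), "ts": ts})
                break
    return findings


def count_by_rule(findings):
    """Summary of findings per rule, useful as the headline of a periodic review."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    hits = review_access_log(SAMPLE_LOG, CARE_TEAM, TERMINATED_USERS)
    for f in hits:
        print(f)
    print(count_by_rule(hits))
```

Run against the constructed sample, the review produces eight findings: four off-care-team reads (including one against a client ID the practice has no record of), one terminated account still reading notes, one 02:13 access, one bulk sweep by a single user across three clients in nine seconds, and the unparseable line. Each of those is a question for a named person, which is what a log review is for; a review that only confirms “logs exist” does not meet the checklist item.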
Looking for a documentation tool with HIPAA-grade controls built in from day one? Emosapien’s HIPAA-compliant therapy notes workflow ships with a signed BAA, AES-256 encryption, role-based access, and a no-training policy on client data, so the privacy infrastructure is part of the product rather than a checklist you have to verify yourself.
Key takeaways
Clients edit what they say when they don’t trust how their information is handled, and most of the small decisions in this guide are really decisions about that trust: which video platform to use, whether to reuse a password, which AI tool to let a contractor try. Client confidentiality in mental health is the starting point for all of it, and the compliance framework exists because that’s true, not the other way around.
A signed BAA with your video platform isn’t a data protection plan. It’s one item on a much longer list. Your devices, your note storage, your staff’s tool choices, and how your practice handles a breach are all separate decisions that no BAA touches.
Run the AI vendor checklist before adopting any new tool, and write your breach response protocol before you need it rather than during the first hour of an incident. Cover supervision and shared-space risks explicitly in training. Revisit the setup once a year, because a tool that was compliant twelve months ago may have quietly changed its data retention terms since then.