Privacy Guide · April 25, 2026 · 9 min read

Privacy Guide for Therapists and Counselors

By Sarah Chen

Head of Privacy Research

Therapists and counselors occupy a unique position when it comes to privacy. You are legally obligated to protect your clients' most sensitive information under HIPAA and state licensing laws, yet your own personal data — home address, phone number, family details — is often freely available on data broker sites. This dual exposure creates real risks for both your clients and yourself.

Why Therapists Face Heightened Privacy Risks

Mental health professionals are particularly vulnerable to privacy threats for several reasons:

  • Client safety concerns: Some clients may attempt to contact you outside of sessions, show up at your home, or engage in boundary-violating behavior. Publicly available home addresses make this easier.
  • Licensing databases: State licensing boards publish your name, license number, and sometimes your practice address in public directories that data brokers scrape.
  • Professional liability: If a client's protected health information (PHI) is exposed due to inadequate security, you face HIPAA penalties, malpractice liability, and damage to your practice.
  • Online reviews and exposure: Therapists listed on directories like Psychology Today or GoodTherapy may have personal details harvested and cross-referenced with data broker profiles.

Protecting Client Data: HIPAA Essentials

If you are a covered entity under HIPAA — which includes most therapists who accept insurance or transmit health information electronically — you must comply with the Privacy Rule, Security Rule, and Breach Notification Rule. Here is what that means in practice:

The Privacy Rule

The HIPAA Privacy Rule governs how you use and disclose protected health information. Key requirements include:

  • Minimum necessary standard: Only access, use, or share the minimum amount of PHI needed for a specific purpose.
  • Notice of Privacy Practices: Provide every client with a written notice explaining how you use and protect their information.
  • Client authorization: Obtain written authorization before disclosing PHI for purposes outside of treatment, payment, or healthcare operations.

Psychotherapy Notes Get Extra Protection

HIPAA provides special protections for psychotherapy notes — your personal notes recorded during or after a counseling session that are kept separate from the medical record. With very few exceptions, you must obtain explicit client authorization before disclosing psychotherapy notes for any reason, including to other healthcare providers. This is one of the strongest protections in HIPAA.

What Qualifies as Psychotherapy Notes?

Psychotherapy notes are notes recorded by a mental health professional documenting or analyzing the contents of a conversation during a private, group, joint, or family counseling session that are kept separate from the rest of the patient's medical record. Session summaries, diagnoses, treatment plans, and prescriptions are NOT psychotherapy notes and receive standard HIPAA protection.

The Security Rule

The Security Rule requires you to implement safeguards to protect electronic PHI (ePHI). For a therapy practice, this means:

  • Use encrypted communication: Email, messaging, and telehealth platforms must use encryption. Standard email and SMS are not HIPAA-compliant.
  • Secure your devices: Use strong passwords, enable full-disk encryption, and set up automatic screen locks on all devices that access client data.
  • HIPAA-compliant telehealth: If you offer virtual sessions, use platforms that provide a signed Business Associate Agreement (BAA). Zoom for Healthcare, Doxy.me, and SimplePractice are common choices.
  • Conduct risk assessments: HIPAA requires regular security risk assessments to identify and address vulnerabilities.
  • Business Associate Agreements: Any vendor that handles your client data — EHR systems, billing services, cloud storage — must sign a BAA.

Common HIPAA Mistakes Therapists Make

  • Using standard Gmail or Yahoo email to communicate with clients.
  • Texting appointment reminders with session details.
  • Storing client notes in unsecured cloud folders like personal Google Drive or Dropbox without a BAA.
  • Discussing client cases on social media, even without names.
  • Using your personal phone for client calls without a separate HIPAA-compliant line.

Each of these can result in civil penalties ranging from $100 to $50,000 per violation.

Protecting Your Own Personal Information

While you focus on protecting client data, your own personal information is likely sitting on dozens of data broker sites. A quick search for your name on Spokeo, BeenVerified, or TruePeopleSearch may reveal your home address, phone number, family members' names, and more.

This is a safety issue for therapists. Clients who develop unhealthy attachments, former clients with grievances, or individuals involved in custody disputes may use this information to find you outside of your professional setting.

Steps to Remove Your Personal Data

  1. Search for yourself: Look up your name on Google, Spokeo, WhitePages, BeenVerified, and other people search sites.
  2. Submit opt-out requests: Each site has an opt-out process. Work through them systematically.
  3. Separate your practice and personal information: Use your practice address (not your home) for professional registrations, licensing boards, and directories.
  4. Use a P.O. Box or registered agent: If you run a solo practice, register your business with a P.O. Box rather than your home address.
  5. Lock down social media: Make personal accounts private and avoid cross-linking personal and professional profiles.

Digital Privacy Best Practices for Your Practice

  • Use a practice management platform: Systems like SimplePractice, TherapyNotes, or Jane App handle scheduling, notes, billing, and telehealth in a HIPAA-compliant environment.
  • Enable two-factor authentication: Require 2FA on all accounts that access client data — EHR, email, telehealth, and cloud storage.
  • Create a data breach response plan: Know exactly what steps you will take if client data is compromised. HIPAA requires you to notify affected individuals within 60 days of discovering a breach.
  • Train your staff: If you have administrative staff, interns, or associates, they need HIPAA training and must understand your privacy and security policies.
  • Secure your physical space: Lock file cabinets, use privacy screens on monitors in shared spaces, and ensure that conversations in your office cannot be overheard.

State Licensing and Privacy Obligations

Beyond HIPAA, your state licensing board imposes additional privacy requirements. Most states require therapists to:

  • Maintain client confidentiality except in specific circumstances (duty to warn, mandated reporting, court orders).
  • Keep records for a minimum retention period (typically 5–10 years, depending on the state).
  • Dispose of records securely when the retention period expires.

Check your state licensing board's website for specific requirements. Violations of state confidentiality rules can result in disciplinary action including license suspension or revocation.

How PrivacyOn Helps Therapists

Managing data broker removals while running a therapy practice is time-consuming and never truly finished — brokers re-list your information regularly. PrivacyOn automates the entire process, removing your personal data from over 100 data broker sites, monitoring for re-listings, and scanning the dark web for exposed credentials or personal information.

For therapists, this means your home address stays off people search sites, your personal phone number remains private, and you can focus on your clients without worrying about your own data exposure. Plans start at $8.33/month with family coverage for up to 5 people — ideal for therapists who want to protect their spouse and children as well.

Take Action Today

As a therapist, you understand the importance of boundaries. Extending that concept to your digital life is essential. Protect your clients' data with rigorous HIPAA compliance, and protect your own personal information by removing it from the data broker ecosystem. Your safety and your clients' trust depend on it.

Sarah Chen

Head of Privacy Research

CIPP/US Certified · IAPP Member · B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
