• Call Us: +1 833 990 1500 (Toll Free) (Mon - Fri, 7am - 3pm EST)
  • Email Us: info@medical-webinars.com

Psychotherapy notes – Are They Really Private Under HIPAA and How Can you Get Them?

02/13/2026
Live Webinar
25 day
14 hr
25 min
13 sec
Psychotherapy notes - Are They Really Private Under HIPAA and How Can you Get Them?

HIPAA is often described as giving patients broad rights to access their own medical records, and in most cases that is true. Under the HIPAA Privacy Rule, individuals generally have a legal right to inspect and obtain copies of their protected health information (PHI) contained in a provider’s or health plan’s “designated record set”. This includes medical records, billing records, clinical notes, test results, diagnoses, treatment plans, and other information used to make decisions about a person’s care. However, psychotherapy notes are a notable and deliberate exception to this general rule.

HIPAA defines psychotherapy notes narrowly. They are notes recorded by a mental health professional that document or analyze the contents of a counseling session and are kept separate from the rest of the patient’s medical record. Importantly, psychotherapy notes do not include information such as medication prescriptions, session start and stop times, treatment modalities, diagnoses, symptoms, prognoses, or progress summaries. Those types of information remain part of the standard medical record and are subject to the individual’s right of access.

Unlike most mental health information, psychotherapy notes receive special protection under HIPAA. While HIPAA generally treats mental health information the same as other health information, psychotherapy notes are singled out because they often contain highly sensitive, personal impressions and clinical hypotheses intended primarily for the therapist’s own use. As a result, individuals do not have an automatic right under HIPAA to access their psychotherapy notes, even though they may access nearly all other mental health records.

Disclosure rules for psychotherapy notes are also more restrictive. In most circumstances, a covered entity must obtain the patient’s specific written authorization before disclosing psychotherapy notes. This requirement is stricter than the rules governing other PHI, which can often be shared for treatment, payment,or health care operations without special authorization. HIPAA allows only limited exceptions where psychotherapy notes may be disclosed without authorization, such as for the therapist’s own use in treatment, for training purposes under supervision, or to defend against a legal action brought by the patient.

Despite these strong privacy protections, psychotherapy notes are not absolutely private. HIPAA permits disclosures when required by law or when necessary to prevent or lessen a serious and imminent threat to the health or safety of the patient or others. In such situations, a provider may disclose relevant information to appropriate parties, consistent with professional judgment and applicable state laws, including duty-to-warn or mandatory reporting statutes.

Finally, while HIPAA establishes a federal baseline, state laws may expand or further restrict access to psychotherapy notes. If state law provides greater privacy protections, those protections prevail. Conversely, state law may also create specific legal mechanisms—such as court orders or subpoenas—that affect whether psychotherapy notes can be obtained.

Note also state licensure laws that mandate what must be in a mental health record.

In short, psychotherapy notes occupy a unique position under HIPAA: they are more protected than other health records, excluded from the standard right of access, and subject to stricter disclosure rules—yet they are not immune from disclosure in all circumstances.

Areas Covered in the Session

  • Overview of HIPAA’s general Right of Access
  • Definition of designated record sets
  • What information individuals can usually access under HIPAA
  • Definition of psychotherapy notes under HIPAA
  • Why HIPAA provides extra protections for psychotherapy notes
  • Authorization requirements for disclosure
  • Permitted disclosures without authorization
  • Safety exceptions (serious and imminent threat)
  • Interaction between HIPAA and state laws
  • Tips and techniques to avoid psychotherapy note battles

Why should you Attend?

Learn just how private a health care practitioner’s psychotherapy notes actually are and the circumstances in which they can become un-private.

Who will Benefit?

Healthcare practitioners offering mental health counseling

Date: 02/13/2026

Time: 12:00 pm - 1:00 pm (EST)

Reg. deadline: 02/12/2026

Venue: Live Webinar

Enrollment option

Speaker

Mark R. Brengelman
Mark holds Bachelor’s and Master’s degrees in Philosophy from Emory University and a Juris Doctorate from the University of Kentucky. Retiring as an Assistant Attorney General, he now represents: health care professionals; two government health care licensure boards; a government ethics commission, and; parents and kids in confidential child abuse and neglect cases, termination of…
Show More

Related Events

The Future of Telehealth
Compliance Webinars
Live Webinar

The Future of Telehealth

Telehealth completely changed in 2020 when the Public Health Emergency was put into effect. Now in 2025, many of those temporary changes are expiring and the telehealth business has exploded. These methods of communication between provider and patient are loved by many, and the convenience of telehealth in healthcare has become a common occurrence. This webinar will be reviewing the current parts of telehealth that are being considered permanent in the 2026 Physicians Fee Schedule Final Rule and the new evaluation and management services that are new codes for CPT in 2025 related to telehealth. We will find out what the do’s and don’ts of telehealth that are here to stay, as well as implementing these new codes and regulations into your practice. These new rules and codes are important to any one currently offering telehealth as well all who are considering it to add it to their practice in order to be compliant and maximize reimbursement for the services performed. Areas Covered in this Webinar The CMS Telehealth List and how to use it Medicare’s rules G codes for Medicare telehealth CPT addition of 17 codes to the E/M section for Telehealth Education for office staff Implementation on your software programs Who Will Benefit Physicians Advanced Nurses Physicians Assistant Billers Coders Compliance Managers Administrators Case Managers Claims Processors

01/20/2026
Enroll/Buy Now
HIPAA Breach Risk Assessment for Ransomware Attacks
Compliance Webinars
Live Webinar

HIPAA Breach Risk Assessment for Ransomware Attacks

HIPAA Breach Risk Assessments determine whether a Ransomware attack constitutes a HIPAA Breach that triggers Breach Notification Rule reports and notifications. A Ransomware attack is automatically presumed to be a HIPAA Breach unless you do a HIPAA Breach Risk Assessment that demonstrates the attack resulted in only a low probability of compromise to the affected protected health information (PHI). This webinar explains how to do a Ransomware HIPAA Breach Risk Assessment. The Problem Solved by this Webinar The HHS Office for Civil Rights (OCR) declared that a breach of unsecured PHI is presumed to have occurred when electronic protected health information (ePHI) is encrypted as the result of a ransomware attack on a HIPAA-regulated entity (health care provider, health plan, health care clearinghouse, or business associate). The entity must then comply with the applicable breach notification provisions, including notifying affected individuals without unreasonable delay, the Secretary of HHS, and the media (for breaches affecting over 500 individuals), in accordance with HIPAA breach notification requirements. However, it is not a breach if the ransomware-victimized entity can demonstrate that there is a low probability that the encrypted ePHI has been compromised. This webinar explains how to do that. Areas Covered in the Webinar A Breach Risk Assessment can determine whether a ransomware attack is a breach of unsecured ePHI, triggering embarrassing reports and notifications. Factors that can be applied in performing a Breach Risk Assessment. OCR’s guidance about specific factors that can demonstrate a low probability of compromise to ePHI encrypted by a ransomware attack. How to perform a Breach Risk Assessment step-by-step. How to document a Breach Risk Assessment and why you must document it. What to do if you cannot demonstrate a low probability of compromise to ePHI. Why You Should Attend This Webinar Attend this webinar to learn how to perform a Breach Risk Assessment with a special emphasis on ransomware attacks. Ransomware attacks may have only a low probability of compromising ePHI. A Breach Risk Assessment can determine whether a ransomware attack resulted only in a low probability of compromise to ePHI and provide Covered Entities and Business Associates with Documentation to overcome the presumption that the ransomware attack was a Breach.. Who Will Benefit Health Care Covered Entities HIPAA Compliance Officials – Privacy and Security Officers Chief Compliance Officer Practice Managers Health Information Technology Supervisors Risk Managers Group Health Plan Administrators Third Party Group Health Plan Administrators Covered Entity Senior Management and Owners Health Care Providers practicing as individuals or in small groups Attorneys for Covered Entities – In-house and Outside Counsel Business Associates HIPAA Compliance Officials – Privacy and Security Officers Chief Compliance Officer Business Associate Senior Management and Owners Risk Managers Attorneys for Business Associates – In-house and Outside Counsel

01/21/2026
Enroll/Buy Now
HIPAA in 2026: What Changed, What’s Coming, and What It Means for Your Organization
Compliance Webinars
Live Webinar

HIPAA in 2026: What Changed, What’s Coming, and What It Means for Your Organization

Over the last few years, the U.S. Department of Health and Human Services, Office for Civil Rights has made modifications to patient privacy requirements. The agency is on track for enhancing care coordination, empowering patients, and reducing administrative burden. In addition, on the Security Rule side, the agency released a proposed rule to overhaul significant requirements and make cybersecurity safeguards a priority. Knowing what an organization must do to meet these new regulatory requirements can be challenging. The webinar will address what has already changed in privacy, cover proposed Privacy Rule modifications, and cover the Security Rule overhaul proposals. Timeline and compliance implications will be covered. After completing this webinar, a Covered Entity or Business Associate will have a clear understanding of what has changed and what will change. Objectives Who Must Comply with HIPAA Requirements? What are the HIPAA Security and Privacy Rules? What Has Already Changed in Privacy? What are the Proposed Privacy Rule Modifications? What are the proposed Security Rule modifications? What is the Timeline & Compliance Implications? What recommendations should be followed now? Q&A Webinar Highlights Learn from an expert on the implementation of the HIPAA rules Understand what the HIPAA management process currently requires Learn how to implement these changes for your organization Who Should Attend Compliance Officer HIPAA Privacy Officer HIPAA Security Officer Medical/Dental Office Managers Practice Managers Information Systems Manager Chief Information Officer General Counsel/lawyer Practice Management Consultants Any Business Associates that access protected health information

01/26/2026
Enroll/Buy Now
Pros & Cons of Outsourcing Revenue Cycle Functions: What You Need to Consider
Compliance Webinars
Live Webinar

Pros & Cons of Outsourcing Revenue Cycle Functions: What You Need to Consider

Many providers have considered outsourcing functions in the revenue cycle. Like all businesses, some third-party companies do excellent work for providers, but there may be others that look for ways to take advantage of their provider. Outsourcing has its own pros & cons that must be carefully considered. We will review major common areas that providers must weigh strategically before making a decision whether to outsource and selecting the best partner for your needs. It is vital providers know exactly who is handling their claims and what they are doing with their information. Definitions of third-party vendors Legal responsibilities of the provider Common industry trends Important questions to ask vendors & contractors Who Will Benefit Physicians Practice managers Medical assistants Nurses Compliance staff Billers Coders Revenue Cycle Risk Management Mid level providers  

01/26/2026
Enroll/Buy Now

© 2026 Medical Webinar. All rights reserved