Compliance and documentation

What is protected health information, or PHI?

With our guide, discover essential HIPAA guidelines, best practices, and tools for a compliant practice.

November 7, 2025

7 min read

Working as a therapist comes with significant responsibility. Beyond supporting clients on their mental health journeys, you’re also responsible for confidentiality in your practice — which includes maintaining accurate, compliant documentation. If you bill insurance, the administrative demands of HIPAA compliance can feel even more cumbersome.

At Headway, we understand the importance of confidentiality, compliance, and accurate documentation. Below, learn more about protected health information as a therapist, how to keep your practice compliant with HIPAA, and how Headway can support you in the process.

Key takeaways

  • Protected health information (PHI) is any individually identifiable health information — whether spoken, written, or electronic — that relates to a person’s physical or mental health (past, present or future), the provision of healthcare, or payment for healthcare. Under HIPAA, PHI includes details like names, addresses, dates of birth, medical record numbers, and any other data that can identify a patient.
  • Key compliance considerations for therapists include restricting PHI access to authorized staff, securing ePHI through encryption and HIPAA-compliant tools, maintaining safe documentation practices, and providing ongoing staff training on security, privacy, and breach response.

Understanding protected health information in therapy contexts

According to the HIPAA Journal, protected health information (PHI) is “an individual’s health, treatment, or payment for treatment information — and any information maintained in the same data set that could identify the individual — when the information is maintained or transmitted by an organization covered by HIPAA.”

In the context of therapy compliance, PHI is any personally identifiable information a therapist or practice collects, stores, or transmits in connection with a client’s mental health diagnosis, treatment, or payment for services. This includes everything from session notes and diagnoses to insurance claims and telehealth communications. Even seemingly small details like an email address linked to a therapy appointment or notes saved on a personal device can qualify as PHI if they can identify the client.

Because therapy often involves highly sensitive information, maintaining HIPAA compliance means ensuring this data is securely stored, shared only with the client’s consent or under a legal exception that permits disclosure without it, and protected against unauthorized access or disclosure.

The 18 identifiers for PHI under HIPAA 

The general formula for PHI is “identifier plus health information,” says Bianca Sellinger, Headway's director of privacy compliance. Under the HIPAA Privacy Rule — which establishes national standards for protecting individuals’ medical records and other personal health information — there are 18 identifiers that make health information individually identifiable. When these are removed, the data is considered de-identified and no longer subject to HIPAA.

The 18 HIPAA identifiers include: 

  1. Name
  2. All geographic subdivisions smaller than a state, including street address, city, county, precinct, and ZIP code (except the initial three digits of a ZIP code if the population in that area is >20,000)
  3. All elements of dates (except year) related to an individual — e.g., birth date, admission date, discharge date, death date — and all ages over 89
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. Internet Protocol (IP) addresses
  16. Biometric identifiers, including finger and voice prints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code that could identify the individual

What counts as PHI

Category | Example
Personal identifiers | Client name, date of birth, address, phone number, email
Clinical information | Therapy notes, treatment plans, mental health diagnoses, progress reports, intake forms
Billing and insurance | Health plan ID, claim forms, session billing records, payment receipts, EOBs
Digital identifiers | IP address from telehealth sessions, client login credentials for a client portal, Zoom meeting links with identifying information
Images or recordings | Full-face video recordings from telehealth, voice memos tied to client files, photos uploaded for clinical use

What’s not PHI 

Category | Example
De-identified data | “60% of therapy clients report reduced anxiety after 8 sessions,” anonymous outcome tracking
Business operations data | Scheduling statistics, website traffic analytics, or marketing metrics not linked to client records
Education or training records | Case examples used in supervision or training after removing all identifiers

“In limited circumstances, an identifier alone would constitute PHI when it serves both as an identifier for a unique individual while also indicating past, present, or future healthcare services or payment for healthcare services, such as a patient ID,” says Sellinger.
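The identifier list and the two tables above describe a rule that can be applied mechanically to a structured client record: delete the direct identifiers, generalize ZIP codes, dates and ages, and check free-text fields for identifiers that are easy to leave behind in a session note. The following Python is an added example written for this article, not Headway’s code; the field names, the set of low-population ZIP prefixes and the two sample records are constructed assumptions, and the free-text patterns cover only a few identifier kinds. The catch-all eighteenth identifier (and Sellinger’s point that a patient ID alone can be PHI) still needs human review, which is why the function reports what it changed rather than silently returning a “clean” record.

```python
from __future__ import annotations

import re
from datetime import date
from typing import Any

# Field names below are assumptions for this example; map your own schema onto them.
# Identifiers 1 and 4-17 on the HIPAA list have no generalized form, so the only
# compliant treatment is deletion.
DIRECT_IDENTIFIER_FIELDS = {
    "name", "street_address", "city", "county", "phone", "fax", "email", "ssn",
    "medical_record_number", "health_plan_id", "account_number",
    "license_number", "vehicle_id", "device_serial", "url", "ip_address",
    "biometric", "photo",
}

# Three-digit ZIP prefixes whose area holds 20,000 people or fewer must be
# reported as "000". The real list comes from census data; this set is a
# constructed placeholder.
LOW_POPULATION_ZIP3 = {"036", "059", "102"}

# Identifier kinds that commonly leak inside free-text fields such as session notes.
FREE_TEXT_PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),
    "phone": re.compile(r"(?<!\d)(?:\+?1[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)"),
    "ssn": re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)"),
    "ip": re.compile(r"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)"),
    "url": re.compile(r"https?://\S+"),
}


def generalize_zip(zip_code: str) -> str:
    """Identifier 2: keep only the first three digits, or 000 for small areas."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in LOW_POPULATION_ZIP3 else prefix


def generalize_age(age: int) -> str:
    """Identifier 3: ages over 89 collapse into a single '90+' bucket."""
    return "90+" if age > 89 else str(age)


def scrub_free_text(text: str) -> tuple[str, list[str]]:
    """Replace embedded identifiers with a marker and report which kinds were found."""
    found: list[str] = []
    for label, pattern in FREE_TEXT_PATTERNS.items():
        if pattern.search(text):
            found.append(label)
            text = pattern.sub(f"[{label.upper()} REMOVED]", text)
    return text, found


def deidentify(record: dict[str, Any]) -> tuple[dict[str, Any], list[str]]:
    """Apply the Safe Harbor treatment to one record.

    Returns the de-identified copy plus a change log; a non-empty log is the
    evidence that the input contained PHI.
    """
    out: dict[str, Any] = {}
    changes: list[str] = []
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            changes.append(field)  # deleted outright
        elif field == "zip":
            out[field] = generalize_zip(str(value))
            if out[field] != str(value):
                changes.append("zip:generalized")
        elif field == "age":
            out[field] = generalize_age(int(value))
            if out[field] != str(value):
                changes.append("age:bucketed")
        elif isinstance(value, date):
            # Identifier 3: every date element except the year is dropped.
            out[field] = str(value.year)
            changes.append(f"{field}:year_only")
        elif isinstance(value, str):
            cleaned, hits = scrub_free_text(value)
            out[field] = cleaned
            changes.extend(f"{field}:{hit}" for hit in hits)
        else:
            out[field] = value
    # The regulation also suppresses a birth year that would reveal an age
    # over 89, so the "90+" bucket cannot be undone from the date of birth.
    if out.get("age") == "90+" and "date_of_birth" in out:
        out["date_of_birth"] = "[YEAR SUPPRESSED]"
    return out, changes


def contains_phi(record: dict[str, Any]) -> bool:
    """True if Safe Harbor would have to change anything in the record."""
    return bool(deidentify(record)[1])


# Constructed sample records (no real clients).
SAMPLE_RECORD = {
    "name": "Jane Doe",
    "email": "jane@example.com",
    "zip": "03601",
    "date_of_birth": date(1931, 5, 2),
    "age": 94,
    "diagnosis": "F41.1 Generalized anxiety disorder",
    "session_note": "Client reports improved sleep. Follow-up call to 555-010-2233 confirmed.",
}
ALREADY_DEIDENTIFIED = {"zip": "100", "age": "40", "diagnosis": "F41.1", "session_note": "Practiced grounding."}

if __name__ == "__main__":
    cleaned, log = deidentify(SAMPLE_RECORD)
    print(cleaned)
    print("changes:", log)
    print("still PHI?", contains_phi(ALREADY_DEIDENTIFIED))
```

The change log is the useful output for a practice: it tells you which fields in an export, a supervision case example or an outcomes dataset were still carrying identifiers before you shared it.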

What is ePHI? 

ePHI, or electronic protected health information, can present unique challenges for therapy practices. Therapists have a responsibility to ensure all client data — stored, transmitted, or discussed electronically — remains secure and compliant with HIPAA. This includes maintaining privacy across telehealth sessions, protecting digital records, and using secure messaging for client communication. 

Without the right systems in place, even well-meaning providers can face risks like data breaches or noncompliance. Headway’s EHR for therapists simplifies this complexity by combining security and ease of use. From encrypted telehealth sessions to automated documentation storage and secure client communication, every feature is designed to protect ePHI while supporting your workflow. 

Headway therapists benefit from built-in privacy safeguards, streamlined billing and claims processing, and reliable technical infrastructure that ensures compliance without added stress — so you can focus on client care, not data management. 

Documentation best practices that ensure therapy compliance

Proper documentation practices support HIPAA compliance while also meeting clinical and billing requirements for therapy services. Key considerations for HIPAA compliance as a therapist include: 

  • Access control: Limit PHI access to only authorized team members. Use role-based permissions and multi-factor authentication to prevent unauthorized entry into client records.
  • Data security: Protect electronic PHI (ePHI) through encryption, strong passwords, secure Wi-Fi networks, and updated firewalls or antivirus software.
  • Confidential communication: Use HIPAA-compliant platforms for telehealth sessions, email, client portals, and messaging. Avoid texting or using personal devices for client communication.
  • Documentation practices: Store, share, and dispose of PHI using secure, encrypted systems. Back up files regularly and use version control to prevent unauthorized edits or data loss.
  • Training and awareness: Provide ongoing HIPAA training and establish clear policies for handling breaches, data sharing, and client consent.
  • Compliant clinical notes: Use structured, privacy-conscious formats such as SOAP (Subjective, Objective, Assessment, Plan), DAP (Data, Assessment, Plan), or BIRP (Behavior, Intervention, Response, Plan) to balance detailed clinical documentation with confidentiality and compliance.

Implementing secure record retention and disposal procedures 

Therapy record retention requirements vary by state and payer, but in general, adult client records should be kept for at least seven years after the last date of service, while minor client records should be retained until the client reaches the age of majority in their jurisdiction, plus several additional years.

Always confirm state-specific laws before disposing of records. When records are no longer required, secure destruction and disposal are essential: paper files should be shredded or incinerated and disposed of properly (e.g., not in a regular recycling bin), and electronic files should be permanently deleted using data-wiping software. Following these practices helps protect client privacy and ensures ongoing HIPAA compliance.

Common compliance pitfalls for mental health providers 

Being aware of potential PHI pitfalls can help you prevent unnecessary roadblocks in your practice. One common pitfall occurs when therapists think the progress notes and records they store on Headway are considered psychotherapy notes. “These notes are exempt from the HIPAA right of access, or the right for patients to request to inspect or ask for copies of the data,” says Sellinger. “But what providers generate for billable insurance-compliance notes are not psychotherapy notes.”

Another common pitfall is the belief that providers have carte blanche to withhold records from clients who request access, out of concern that the records could cause emotional or psychological harm. “I would caution that the HIPAA standard for withholding access to records is quite strict and is applicable only when the concern is about endangerment to life or physical safety of the patient or another person,” says Sellinger.

Some state laws permit providers to withhold access because of potential emotional or psychological harm, but these laws vary from state to state, so Sellinger recommends that providers familiarize themselves with the restrictions that apply to their license and the state where they practice before withholding access to records.

Steps for responding to PHI breaches in therapy settings

Even well-meaning, experienced therapists can experience an unintended breach of PHI. The important thing is to know what steps to take in response to stay compliant with HIPAA and protect client privacy. 

1. Contain the breach ASAP

Disconnect affected systems, revoke unauthorized access, and secure any compromised accounts or devices to prevent further data exposure.

2. Assess the scope and risk

Determine what information was involved, how many individuals were affected, and whether the data was actually viewed, copied, or shared. Document all findings.

3. Notify your compliance lead

If you work within a group practice or platform (like Headway), report the breach internally right away for investigation and documentation.

Your compliance team or lawyers will begin the required investigation and breach analysis to evaluate the probability that data was compromised. Where that analysis finds no or very low risk of harm to clients, the incident is not a reportable breach.

“Having robust controls in place can protect providers from having to notify patients, regulators, and sometimes even the media about a PHI disclosure that could result in loss of trust with patients, financial harm, and regulatory scrutiny,” says Sellinger.

4. Follow applicable breach notification rules

Notify affected clients without unreasonable delay (no later than 60 days under HIPAA, though some state breach notification rules are stricter). For larger breaches under HIPAA, report to HHS and, in some cases, the media. Familiarize yourself with the breach notification laws for your state, which may impose requirements beyond HIPAA.

5. Mitigate harm

Offer steps clients can take to protect themselves (e.g., password updates or credit monitoring) and strengthen your security measures to prevent recurrence. Some states may require that additional measures be offered to impacted clients depending on the type of data involved in the breach.

6. Review and update policies

After containment and reporting, make sure to review internal policies, retrain staff, and document corrective actions to demonstrate ongoing compliance. Additionally, storing notes on Headway’s platform makes breach investigations simple — as well as any breach reporting and notification to affected clients.

Headway supports your compliant therapy practice

Headway helps therapists build thriving, compliant practices — without the administrative burden. From automated claim submission to transparent payout tracking, every feature is designed to simplify your workflow so you can focus on what matters most: your clients. Headway partners with top insurance payers, ensuring your documentation and billing meet compliance standards while supporting ethical, high-quality care. You’ll gain access to an intuitive EHR, built-in reporting, and expert credentialing support, all in one secure platform.

This content is for general informational and educational purposes only and does not constitute clinical, legal, financial, or professional advice. All decisions should be made at the discretion of the individual or organization, in consultation with qualified clinical, legal, or other appropriate professionals.

© 2025 Therapymatch, Inc. dba Headway. All rights reserved. No part of this publication may be reproduced without permission.