Behavioral health professionals know that note-writing is an essential component of excellent patient care. Detailed notes help mental health professionals diagnose and treat patients quickly and accurately. They also help patients make informed decisions about their health.
All healthcare professionals are required to document medical information properly. In the mental health field, counselors, psychologists and other professionals rely on insightful and thorough progress notes and psychotherapy notes to devise treatment plans.
Progress notes and psychotherapy notes are equally essential but vastly different. They both must comply with privacy standards in their own way.
Below, we’ll explore the differences between psychotherapy and progress notes, what they include and why they are both necessary components of patient care. We’ll also discuss the Health Insurance Portability and Accountability Act (HIPAA) and its relation to progress notes and psychotherapy notes.
What Are Psychotherapy Notes?
A mental health professional takes psychotherapy notes, also called private or process notes, during a patient session. Psychotherapy notes are optional and are meant to help the therapist do their job the best way they can.
These notes are kept separate from medical records and billing information, and providers are not permitted to share psychotherapy notes without a patient’s authorization. The patient does not have the right to access these notes, even with changes to the 21st Century Cures Act.
What Do Psychotherapy Notes Include?
Psychotherapy notes are not a required part of a counselor’s job. They’re meant to help a counselor treat a patient, so there’s no standard or necessary format a psychologist must follow when taking these notes. Therapists can create their psychotherapy notes however they wish. For example, the notes can be written in shorthand and be illegible to others without consequence.
Psychotherapy notes often contain the counselor’s or psychologist’s observations, their hypothesis regarding diagnosis and what they think or feel about the patient’s situation. After learning more about the patient, the counselor can refer to their notes when determining an effective treatment plan.
In general, psychotherapy notes might include:
- Questions to ask supervisors
- Any thoughts or feelings relating to the therapy session
Unlike progress notes, psychotherapy notes are private and do not include:
- Medication details or records
- Test results
- Summary of diagnosis or treatment plan
- Summary of symptoms and prognosis
- Summary of progress
What Are Progress Notes?
Progress notes are legal documents that demonstrate a client’s status and progress. Healthcare providers are required to keep accurate progress notes to legally protect their clients and provide care for patients they see daily. Organizations such as the American Psychological Association (APA) provide ethical guidelines for writing and maintaining progress notes, while state and federal laws also have rules for medical record keeping.
These notes are vital to effective treatment. Without accurate and up-to-date progress notes, healthcare professionals would need to start from the beginning each time they met with a patient. They would waste time and increase the risk of making a medical mistake.
Counselors can also use progress notes to prove the medical necessity of treatment. These notes are also typically required for reimbursement. Even if you don’t accept insurance, progress notes are still essential billing documents because they describe the services provided and the date. You do not have to rely on your memory to recall crucial details.
Unlike psychotherapy notes, progress notes are meant to be shared with other healthcare professionals assisting with a client’s treatment plan. A court of law may also subpoena them.
Lastly, clients have a right to read their progress notes. With changes to the 21st Century Cures Act, healthcare providers, including therapists, are required to grant clients virtual access to their progress notes, with a few exceptions.
What Do Progress Notes Include?
Progress notes communicate treatment plans, medical history and other vital information, informing staff about patient care. In the mental health field, progress notes typically include:
- What the client and counselor discussed during the session
- How the discussion related to the client’s treatment plan
- How the client is or isn’t meeting treatment goals and objectives
- The counseling techniques and interventions used to help the client meet goals
- The effectiveness of the interventions
- The counselor’s clinical observations
- The client’s symptoms relating to their diagnosis
- Whether the client completed homework assignments
- The client’s strengths
- Areas the client needs to improve on
Progress Note Formats
It’s best for progress notes to follow an organized, standard format. A structured layout helps prevent confusion between healthcare providers, enables staff members to quickly get up-to-date on a client’s condition and provides direction for note-writing. Although no law says you must choose a particular format or style of writing progress notes, some note-writing methods are more widely used than others.
Common progress note formats include BIRP (Behavior, Intervention, Response and Plan) notes and SOAP (Subjective, Objective, Assessment and Plan) notes. SOAP notes, in particular, are a popular documentation style in behavioral health and other healthcare fields. SOAP notes include the following four components:
- Subjective: In the Subjective section, describe the client’s chief complaint, typically in direct quotes. For example, the client might say, “I’m depressed.” This section also includes a history of the client’s symptoms in their own words.
- Objective: The Objective section includes factual information such as test results, findings from a physical examination or detailed observations.
- Assessment: The Assessment portion includes a summary of the patient’s diagnosis.
- Plan: The Plan section describes what you will do to treat the client. It also includes follow-up information, referrals, lab orders and a review of all the medications a patient is taking.
Regardless of the format you choose, progress notes should be easy to access, clearly written and consistent in style to minimize mistakes or misunderstandings.
HIPAA’s Role in Documentation
In 1996, Congress passed the Health Insurance Portability and Accountability Act (HIPAA) to protect health information privacy and safety. The Standards for Privacy of Individually Identifiable Health Information, or the Privacy Rule, was issued to implement HIPAA. The Security Standards for the Protection of Electronic Protected Health Information, or the Security Rule, establishes national standards for protecting patient health information stored or transferred electronically.
Covered entities, or providers who conduct healthcare transactions electronically, must comply with HIPAA and safeguard protected health information (PHI). PHI may be in oral, electronic or paper form.
Covered healthcare providers must also train all employees, volunteers and trainees to comply with privacy policies and procedures, and they must discipline those who violate HIPAA regulations. It is every clinician’s responsibility, whether they are considered a covered entity or not, to ensure all data, like progress notes, is secure at all times. Ensuring security may involve shredding paper documents or making sure electronic passcodes are set.
Note that HIPAA is not the only law with privacy standards. Your state may have privacy laws that offer even greater protection for clients than HIPAA.
Protections for Psychotherapy Notes
HIPAA describes psychotherapy notes as notes recorded in any medium by a mental health professional documenting a conversation during a group, family or private counseling session and kept separately from medical records. Psychotherapy notes receive special protection under the Privacy Rule because they contain sensitive information and are a therapist’s personal notes. They do not contain information related to a patient’s medical records, treatment or healthcare operations, such as:
- Medications prescribed
- Session start and stop times
- A treatment plan, interventions used and client’s progress
- Test results
- Symptoms and diagnosis
As long as psychotherapy notes do not include any of the above information, they are not considered part of a client’s records, and therefore do not need to be shared with patients or staff. As stated by the Office for Civil Rights (OCR), clients do not have a right to access a counselor’s psychotherapy notes. However, counselors have the discretion to share their psychotherapy notes with clients.
Even though psychotherapy notes are not part of a client’s medical records, it is still the counselor’s responsibility to ensure others do not read the notes without a patient’s authorization. Counselors must keep the notes secure and confidential at all times. For example, to avoid a HIPAA violation, a mental health professional should not leave a notepad filled with private information out in the open.
Psychotherapy notes were not always protected. In the past, healthcare insurers made decisions based on patient information, including psychotherapy notes. Now, under the Privacy Rule, patients can, in some cases, refuse to have that type of information released. Psychotherapy notes are not required for insurance purposes.
When to Disclose Psychotherapy Notes
If a counselor sees a reason to share a client’s psychotherapy notes, they must first obtain authorization from the client to release the notes. However, the following circumstances do not require approval and, in some cases, disclosure of psychotherapy notes is required:
- To use the notes for treatment
- To defend yourself in court
- During a Department of Health and Human Services (HHS) investigation
- By law
- To prevent a serious threat to public health or safety
- For the lawful activities of a medical examiner or coroner
The Privacy Rule and Progress Notes
Although progress notes are read by trained staff regularly, they are still protected under the HIPAA Privacy Rule. The Privacy Rule’s primary goal is to keep patients’ health information protected while enabling the use of health information to promote high-quality care and protect the public’s well-being. In general, the following information is protected under HIPAA:
- Any individually identifiable health information relating to the individual’s past, present or future physical or mental health
- The type of health care provided to the individual and the reasons for the care
- Information regarding the past, present or future payment for the care and treatment given to the individual
Individual identifiers include information such as name, address, birthdate or social security number.
When to Disclose Progress Notes
As with most rules, there are a few exceptions. A healthcare provider may disclose or use a patient’s medical information or progress notes when:
- The Privacy Rule permits
- The patient authorizes use or disclosure in writing
In some cases, a healthcare provider is required to disclose patient information, which occurs when:
- The individual requests their information
- The HHS is conducting an investigation and requests the information
Sometimes a healthcare provider can disclose patient information to protect a patient or the public from harm. The following circumstances do not require a patient’s authorization for disclosure:
- For treatment, payment or healthcare operations
- For public interest and benefits as required by law to prevent or control a disease
- For government authorities in cases of abuse, neglect or domestic violence
- For health oversight agencies during audits or investigations
- For judicial or administrative proceedings
- For law enforcement purposes
- For funeral directors, medical examiners or coroners as needed
- For research purposes
- When there are threats to public health or safety
- For essential government functions
- With regard to workers’ compensation law
When an individual is incapacitated, in an emergency situation or not available, a healthcare professional may use their best judgment in deciding to disclose patient information to family members or personal representatives. In such a case, they could use informal authorization from the patient if possible.
The Security Rule and Documentation
Covered healthcare providers must safeguard all PHI according to the Privacy Rule, whether the information is stored electronically or on paper. The Security Rule, on the other hand, applies only to electronic protected health information (ePHI) and does not apply to information stored on paper or given orally.
Under the Security Rule, covered healthcare providers must:
- Ensure the confidentiality of ePHI
- Make sure ePHI is available and accessible to authorized individuals
- Identify and protect against security threats and unauthorized disclosures
- Ensure workplace compliance
Covered entities must implement the following safeguards to comply with the Security Rule and protect electronic information:
- Administrative safeguards use administrative functions to ensure security, such as security training.
- Physical safeguards protect data storage sources from environmental hazards and intruders by restricting access and having backup computers.
- Technical safeguards use automated processes to protect information and control who can access data.
Best Practices for Security Rule Compliance
To reduce the risk of a Security Rule violation, healthcare providers need to:
- Assess potential risks: Assess and identify any possible threats to the confidentiality of ePHI and implement plans to reduce risks. Security management needs to make sure files are protected by passwords, for instance. Likewise, computer workstations should be located in rooms with locks on the doors.
- Develop a sanctions policy: Make sure policies are in place to sanction those who violate security standards, and make sure employees are aware of those policies. Each employee must be trained in security standards. Employees should know not to share passwords or write down passwords and leave them in the open.
- Develop a data backup plan: Make sure to have a backup plan in case of an emergency like a fire or natural disaster to keep information protected and secure. Plan to have exact copies of retrievable information in a crisis.
- Practice business safety: Make sure there are contracts with outside entities to ensure security and HIPAA compliance.
- Consider the environment: All data equipment should be kept in a secure environment, free of theft or unauthorized access. Ensure doors are kept locked or surveillance cameras are in place to provide protection.
- Dispose of information properly: Ensure employees know how to securely dispose of data that is no longer in use, for example by using hardware erasure software.
- Control access: Each database user must have a unique identifier and password. It is also best to utilize automatic logoff capabilities and make sure data is encrypted.
- Review security measures periodically: Review and modify security measures as needed to ensure you continue to protect ePHI.
Best Practices for Privacy Rule Compliance
Here are a few general tips to help you comply with HIPAA’s Privacy Rule:
- Train employees: Ensure all staff members understand what information they may or may not share under HIPAA. Make sure staff members know when they need to obtain written permission from clients to release their information.
- Keep paper copies safe: Store paper copies of client records in a locked cabinet to protect the files from theft or unauthorized use.
- Store records electronically: Because HIPAA requires highly secure record-keeping, it’s best for healthcare practices to take proper precautions and store records electronically. When progress notes are stored electronically, they can be protected with passwords. By contrast, paper documents can be easily damaged, lost, misread or accessed by the wrong people and offer little protection for the patient.
Common HIPAA Violations
Since 2003, the OCR has received over 257,000 complaints and has made over 1,000 compliance reviews, with those numbers changing almost daily. A HIPAA violation can be detrimental to a practice’s reputation and a patient’s trust. Failure to comply can cost a healthcare practice thousands of dollars or more in fines and cause them to lose clients.
For example, Fresenius Medical Care North America, a provider of products and services for people with chronic kidney failure, agreed to pay the HHS $3.5 million to settle possible HIPAA violations. Patients can also file lawsuits against healthcare providers. Common violations include:
- Releasing patient information without authorization
- Not disposing of patient records properly
- Not giving patients access to their records
- Disclosing information to third parties after authorization expiry dates
- Not having any administrative or technological safeguards for ePHI
Most commonly investigated organizations include:
- Private practices
- Outpatient facilities
- Insurance companies
Consequences of Noncompliance
Failure to comply with HIPAA can result in:
- A fine of $100 to $50,000 or more for each violation
- A calendar year cap of up to $1.5 million
- Up to 10 years imprisonment
Penalties depend on the following factors:
- Date of the violation
- Whether or not the healthcare provider or entity knew or should have known of the failure to comply
- Whether or not a failure to comply was due to willful neglect
To protect your practice, employees, clients and yourself from HIPAA violations, make sure patient data is kept secure at all times — it’s an element of health care not to be overlooked.
How Electronic Health Record Software Simplifies HIPAA Compliance
HIPAA regulations do not need to cause daily stress in the workplace. Fortunately, there is software available to make security an effortless matter. Electronic health record (EHR) software keeps medical information and billing secure and makes sure HIPAA standards are followed without interrupting workflow.
EHR software protects critical, confidential health information with a high security and efficiency level, keeping progress notes, past medical history and demographics safe from unauthorized users. EHR software also makes data easily accessible for those with permission to use and record information. In general, EHR software helps healthcare professionals provide better patient care by:
- Boosting accuracy and reducing medical error
- Improving communication
- Reducing billing issues
- Consolidating information
- Reducing delays in care
- Helping patients make better decisions
- Improving the quality of care
Try ICANotes HIPAA-Compliant EHR Software
ICANotes is behavioral health EHR software that ensures your electronic health records are HIPAA-compliant. With ICANotes, you can rest assured knowing your data is secure, and you can enjoy more time with patients and less time with paperwork. Our intuitive software helps healthcare staff keep an accurate record of patient information while meeting all HIPAA standards. ICANotes features:
- Full encryption of transmitted data
- Password and username protection
- Private separation of psychotherapy notes
- Integration options
- Intuitive note templates for progress notes, therapy notes, treatment plans and more
- Billing solutions
- Organized scheduling solutions
- HIPAA-compliant video conferencing capabilities
ICANotes helps behavioral health professionals enjoy:
- Better workflow
- More time with patients
- Accessible documentation
- Greater documentation accuracy
- Secure and HIPAA-compliant data storage
- Comprehensive and customizable note-writing templates
With ICANotes, you can spend more time doing what you love to do — caring for your patients. Put the focus back on patient care and enjoy your career with ICANotes. For more information, request a free trial, watch a live demo or contact us today.
Last updated March 31, 2021