Blog > Ethical & Legal > Utilizing Practice Management Tools to Streamline Your Mental Health Documentation Workflow
Client Confidentiality: Best Practices for Mental Health Therapists
Client confidentiality is a cornerstone of ethical and effective behavioral health care. This post outlines key principles and practical strategies every therapist should follow to protect sensitive client information, whether practicing in person, via telehealth, or using electronic records. Learn how to navigate common challenges and uphold the trust essential to therapeutic success.
Last Updated: April 30, 2025
What You'll Learn
-
Key situations when therapists are required or permitted to break client confidentiality.
-
The difference between therapist-client confidentiality and therapist-patient privilege.
-
How privacy laws like HIPAA and state-specific regulations impact confidentiality decisions.
-
Best practices for maintaining trust while fulfilling legal and ethical obligations.
Client confidentiality is required for therapy to be effective. Without it, clients might be afraid to share important details about their lives, and therapists can't address issues if they don't know they exist. Behavioral health professionals have to follow privacy laws to protect clients' rights, establish trust and help patients feel comfortable disclosing their secrets.
Despite the importance of confidentiality, sometimes therapists have to disclose information to protect themselves, their clients or others from harm. It's vital to know when it's appropriate, and in some cases, mandatory to break confidentiality. You likely do not want to risk the trust you've built with your client, but you are also obligated to comply with the law.
Whether you work in a private counseling practice or agency as a therapist, psychologist, psychiatrist or social worker, you're likely familiar with privacy laws and the importance of client confidentiality. You need to know when you should break confidentiality according to your facility's policies and your state's laws because failing to follow regulations could lead to a lawsuit, fine or someone getting hurt. In most cases, you'll need to use your judgment to determine if you need to take action. Even experienced counselors may deal with challenging confidentiality situations. In this post, we'll define confidentiality and help you recognize when you need to break it.
Therapist Confidentiality Defined
Confidentiality requires behavioral health professionals to protect their clients' privacy by not revealing what they say during sessions without their consent. Confidentiality is generally defined by ethical codes and privacy laws. The American Psychological Association (APA) provides confidentiality guidance for therapists in their Ethical Principles of Psychologists and Code of Conduct. According to the APA, psychologists have a "primary obligation" to protect a client's confidential information within the law. Confidential information includes material that has been obtained or is stored in any medium.
State and federal laws also exist to ensure counselors protect their clients' privacy, such as those found in the Health Insurance Portability and Accountability Act (HIPAA). HIPAA's Privacy Rule sets standards to protect a client's information, including therapy-related notes. All identifiable health information, whether it's in oral, electronic or paper form, is protected by the Privacy Rule when it is stored or transmitted by a "covered entity," like a therapist. Failure to comply with HIPAA's Privacy Rule can lead to a hefty fine imposed by the Office for Civil Rights.
Even though confidentiality is a legal obligation, for most therapists, it's also an ethical choice. Counselors recognize the value of keeping client information to themselves, and they take it seriously. Nevertheless, confidentiality is not always black and white, so it's critical to learn the various laws and ethical guidelines. For example, HIPAA permits healthcare providers to disclose protected health information for treatment purposes, such as coordinating care with other health professionals, without authorization from the client. Since privacy laws have some gray areas, make sure to explain your policies to your clients. Therapists often describe their confidentiality policy as part of their informed consent form.
The Therapist-Patient Privilege
The therapist-patient privilege is not the same as confidentiality. Confidentiality is guided by ethical concepts, whereas privilege is a legal term used in the law of evidence. The therapist-patient privilege is a client's right to keep the therapist from sharing confidential information with the court. The patient "owns" the therapist-patient privilege and must affirm or waive it, and the therapist must then follow their direction. Therefore, a counselor cannot use a client's confidential information to testify unless the client waives their privilege.
The details of therapist-patient privilege vary by state, but generally, privileged information only includes communications relating to a client's treatment or diagnosis. This includes:
- What the client reveals during a private therapy session: If a client comes to you for help with a mental health issue, what they say must be kept confidential with certain exceptions. One exception might be if a client confesses a homicide during therapy.
- What clients say during a group therapy session: Even though clients are around others in a group therapy setting or marriage counseling session, counselors must keep the information confidential, and each client in the group has a privilege.
- A client's notes: A client's notes, such as their progress notes and medical history, are part of the client's privilege, and must not be disclosed unless there's an exception. This also includes test results related to the client's treatment.
When Does a Therapist Have to Break Client Confidentiality?
Most laws have exceptions, and the same applies to confidentiality rules. The APA and HIPAA outline situations that may call for a breach of confidentiality. For instance, according to the APA's ethical guidelines, therapists may disclose confidential information in the following circumstances:
- They obtain the appropriate consent from the client or a legally authorized person on behalf of the client.
- To provide the necessary professional services.
- To obtain professional consultations.
- To protect the client, themself or others from harm.
- To obtain payment for their service from a client, disclosing the minimum amount of information necessary.
Under HIPAA's Privacy Rule, a counselor can disclose a client's protected health information without authorization under several circumstances, including the following:
- When it's required by law
- When public health authorities request information
- To prevent a serious imminent threat to a person or the public
As with ethical guidelines and privacy laws, there are also exceptions to a client's privilege. Here are four exceptions to the therapist-patient privilege:
1. The Client Has Waived the Therapist-Patient Privilege
A client might waive their therapist-patient privilege if they feel it will benefit them. They might agree to release their mental health information to defend themselves in court, for example. Similarly, you can break confidentiality if you have a client's consent to do so. If a client requests you to release information, it usually only applies to specific disclosure, and all other past and future records must remain confidential.
2. The Client Is Obtaining Services to Commit a Crime or Form of Fraud
In some states, clients will lose their therapist-patient privilege if they seek your services to commit a crime. For example, if a client lies to a psychiatrist to obtain controlled substances, they may not have a privilege.
This doesn't mean clients can't talk about crimes. In general, clients can discuss crimes they've committed in the past without worrying about a confidentiality breach. However, if they are still engaging in criminal activity, and if it's putting others at risk, you may have to notify the authorities.
3. The Client Is a Danger to Oneself or Others
Most states have laws regarding a "duty to warn," and therapists may be obligated to breach confidentiality if a client poses a serious threat to themselves or others. The concept of duty to warn comes from the case of Tarasoff v. Regents of the University of California that occurred during the 1970s.
Sometimes it's not easy to measure the severity of a threat, and it takes careful judgment. For example, if a client says they think about suicide sometimes but would never actually hurt themselves, there probably isn't a need to break confidentiality. On the other hand, if they share a detailed plan to attempt suicide or have a history of suicide attempts, that's a cause for concern. Therapists have the job of recognizing the difference between a client's fantasies and actual threats.
The same rule applies if a person talks about hurting someone else. If a client says they feel like killing someone, but they say they would never do it, there probably isn't a danger. If they discuss a carefully planned strategy to harm someone and have a history of violence, you might want to take action. In such a case, you might be required to notify the person your client intends to harm and the police, depending on your state.
Usually, therapists can only be held liable for not reporting a danger if the threat is serious and communicated directly to you. Overall, if a client poses a serious threat to themselves or others, you can disclose their information to place them in the hospital, under arrest or under the supervision of law enforcers. A duty to warn obligates you to disclose only the threats and not the details of a client's treatment.
4. There Is a Suspicion of Child Abuse
Under the federal Child Abuse Prevention and Treatment Act, you must report suspected cases of child neglect or abuse. Failure to report abuse may lead to a misdemeanor charge and a fine. All mental health care providers are considered "mandatory reporters" by law. Some states also implemented mandatory reporting of elder abuse or neglect.
To report child or elder abuse, a mandatory reporter will usually contact the authorities, Child Protective Services or an anonymous hotline. You do not need proof to report child abuse or neglect, and your identity is kept secure.
Regulations do not generally apply to any abuse that took place in the past. So, if a client talks about the abuse they experienced as a child, you would not report the abuser unless the person has harmed someone who is still a child. It's important to know your local laws, as there might be other situations where you would be obligated to report abuse.
Know Your Local Client Confidentiality Laws
Though client confidentiality laws share commonalities, they also vary from state to state. For example, most states have mandatory "duty to warn" or "duty to protect" laws that require counselors to disclose confidential information when a serious threat exists, while others have permissive laws. Some states might have a "duty to treat" law in addition to other regulations. For example, in Maryland, counselors have a duty to warn the police and the potential victim of an imminent threat if treatment doesn't work first.
Nevada, North Dakota, Maine and North Carolina do not have mandatory or permissive duty to warn laws. Arizona, Delaware and Illinois have various duties for different professions. You can research the duty to warn laws in your state by visiting the National Conference of State Legislatures website.
Privacy laws vary from state to state too, so it's critical to review how your state complies with HIPAA. Some states have even more stringent privacy laws than the regulations outlined in HIPAA. You'll have to check with your state legislature to determine exactly what applies to you.
Client Confidentiality Tips for Behavioral Health Professionals
Knowing when to maintain or break client confidentiality can sometimes add stress and uncertainty to the job. Adding to the confusion is the variety of legal and ethical obligations to consider. If in doubt, you might seek professional or legal advice. In most cases, it'll be up to you to use your best judgment. Here are a few tips to help you:
- Learn the laws in your jurisdiction
- Consider expanding your knowledge of risk assessments
- Make sure your clients understand the exceptions to confidentiality
According to an article published in Psychiatry MMC, you might also remember the acronym DEAL when solving a confidentiality problem, which stands for:
- Duty: Do you have a duty to maintain confidentiality?
- Exception: Does an exception to your duty of confidentiality exist?
- Ask: Ask a colleague, supervisor or lawyer for help if you're not sure what steps to take.
- Law: Know the laws in your jurisdiction, as well as your practice's privacy policy.
How ICANotes Helps Protect Client Confidentiality
Maintaining confidentiality goes beyond ethics—it's a legal and clinical imperative. ICANotes is built with behavioral health privacy in mind, offering features that help clinicians safeguard client information with confidence. From HIPAA-compliant documentation and secure telehealth sessions to robust access controls and encrypted data storage, ICANotes ensures your practice stays protected. Whether you’re solo or part of a group practice, our platform supports secure workflows so you can focus on care, not compliance risks.
Explore ICANotes to see how our behavioral health EHR can simplify documentation while strengthening your commitment to therapist confidentiality.
Get Your Free 30-Day Trial (no credit card required!)
Related Posts
Dr. October Boyles is a distinguished healthcare professional with extensive expertise in behavioral health, clinical leadership, and evidence-based care delivery. With a Doctor of Nursing Practice (DNP) from Aspen University and advanced degrees in nursing, she brings a depth of clinical knowledge and a passion for improving mental health care services.