
HIPAA Documentation Requirements Explained
Plain-language guide to HIPAA documentation rules for clinical records. Covers the minimum necessary standard, release of information, electronic records, and more.
What HIPAA Actually Requires (and What It Does Not)
The Health Insurance Portability and Accountability Act (HIPAA) is one of the most referenced and least understood laws in professional practice. Clinicians know they need to "follow HIPAA," but many are unclear about what the law specifically requires when it comes to documentation — as opposed to what their employer's policies require, what their licensing board expects, or what they learned in a weekend ethics course.
This guide breaks down the HIPAA requirements that directly affect how you create, store, share, and destroy clinical documentation. It is written for therapists, physicians, social workers, and other covered entities who handle protected health information (PHI) as part of their daily work.
Important caveat: HIPAA sets a federal floor, not a ceiling. Many states have laws that are more restrictive than HIPAA — particularly around substance use disorder records (42 CFR Part 2), mental health records, HIV/AIDS information, and minor consent. Always check your state requirements, because when state law is more protective than HIPAA, state law controls.
Who HIPAA Applies To
HIPAA applies to covered entities and their business associates. A covered entity is:
- A health care provider who transmits any health information electronically in connection with a HIPAA-covered transaction (which includes nearly all providers who bill insurance)
- A health plan (insurance company, HMO, employer health plan)
- A health care clearinghouse
A business associate is any person or organization that performs a function involving PHI on behalf of a covered entity — this includes EHR vendors, billing companies, transcription services, cloud storage providers, and documentation software.
If you are a licensed clinician who bills insurance electronically, you are almost certainly a covered entity. If you are a private-pay-only practitioner who never transmits electronic claims, you may not be covered by HIPAA — but you are still subject to state privacy laws and your licensing board's ethical standards, which typically impose similar obligations.
Protected Health Information: What Counts
Protected health information (PHI) is any individually identifiable health information that is created, received, maintained, or transmitted by a covered entity. This includes:
- Patient names, addresses, dates of birth, Social Security numbers
- Diagnoses, treatment plans, and progress notes
- Appointment dates and times
- Billing records
- Photographs, recordings, and any biometric data
- Communications (emails, texts, voicemails) that contain health information
PHI exists in three forms, and HIPAA has specific rules for each:
- Paper records — physical charts, printed notes, faxes
- Electronic PHI (ePHI) — anything stored or transmitted digitally
- Oral PHI — spoken information (conversations, phone calls, voicemails)
The Privacy Rule: How You Can Use and Share Documentation
The HIPAA Privacy Rule governs when and how PHI can be used and disclosed. For documentation purposes, the key principles are:
Treatment, Payment, and Health Care Operations (TPO)
You may use and disclose PHI without patient authorization for three purposes:
- Treatment: Sharing records with another provider who is treating the same patient. A therapist can send a treatment summary to a psychiatrist who is managing the patient's medication without obtaining a separate authorization — as long as the disclosure is for treatment purposes.
- Payment: Submitting claims to insurance, including the minimum information necessary to process the claim.
- Health Care Operations: Quality assurance, training, audits, and compliance activities within your practice.
The Minimum Necessary Standard
This is one of HIPAA's most practically important — and most commonly violated — rules. When using or disclosing PHI, you must make reasonable efforts to limit the information to the minimum necessary to accomplish the purpose.
What this means for documentation:
- When sending records to an insurance company for a utilization review, you do not need to send the entire chart. Send the specific notes and treatment plan relevant to the review period.
- When consulting with a colleague about a case, share only the information needed for the consultation. You do not need to read them the entire psychosocial history.
- When responding to a subpoena, provide only what the subpoena specifically requests — and consult with an attorney before producing records, since many subpoenas can and should be challenged.
Exception: The minimum necessary standard does not apply to disclosures for treatment purposes. When you send a referral summary to another treating provider, you may include the full clinical picture.
Psychotherapy Notes: The Special Category
HIPAA carves out a separate, higher level of protection for psychotherapy notes — but this term has a specific legal definition that is narrower than most clinicians realize.
Psychotherapy notes under HIPAA are notes recorded by a mental health professional that document or analyze the contents of a counseling session, and that are separated from the rest of the medical record. They are the clinician's private working notes.
Psychotherapy notes do NOT include:
- Medication prescription and monitoring
- Counseling session start and stop times
- Modalities and frequencies of treatment
- Results of clinical tests
- Diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date
This means your standard progress notes — even detailed ones — are not psychotherapy notes under HIPAA. They are part of the regular medical record and are subject to the normal rules for access and disclosure.
If you do keep separate psychotherapy notes, they receive additional protection: they generally cannot be disclosed without patient authorization, even for treatment or payment purposes, with limited exceptions (such as legal proceedings or oversight activities).
Patient Right of Access
Under HIPAA, patients have the right to access and obtain copies of their PHI in a designated record set. This includes:
- Medical records and billing records
- Enrollment, payment, claims, and case management records
- Any records used to make decisions about the individual
You must provide access within 30 days of a request (with one 30-day extension if needed). You may charge a reasonable, cost-based fee for copies. You may not deny access because the patient has an unpaid balance.
You may deny access in limited circumstances:
- Psychotherapy notes (as defined above)
- Information compiled for legal proceedings
- Certain research records, if the patient agreed to restricted access when consenting to the study
- When a licensed health care professional determines that access is reasonably likely to endanger the life or physical safety of the individual or another person
A denial must be in writing and must inform the patient of their right to have the denial reviewed.
The Security Rule: Protecting Electronic Documentation
The HIPAA Security Rule applies specifically to ePHI and requires covered entities to implement three categories of safeguards:
Administrative Safeguards
- Risk analysis: Conduct a thorough assessment of potential risks to the confidentiality, integrity, and availability of ePHI. This must be documented and updated regularly.
- Workforce training: All employees who handle ePHI must receive HIPAA training.
- Access management: Implement policies for granting, modifying, and revoking access to ePHI based on job function.
- Incident response: Have a documented plan for identifying and responding to security incidents.
Physical Safeguards
- Facility access controls: Limit physical access to areas where ePHI is stored or accessed.
- Workstation security: Ensure that computers and devices used to access ePHI are physically secured.
- Device and media controls: Have policies for the disposal and re-use of electronic media containing ePHI.
Technical Safeguards
- Access controls: Implement unique user identification, emergency access procedures, automatic logoff, and encryption.
- Audit controls: Record and examine activity in systems that contain or use ePHI.
- Integrity controls: Protect ePHI from improper alteration or destruction.
- Transmission security: Encrypt ePHI when transmitting it over electronic networks.
Practical translation for clinicians:
- Use an EHR or documentation system that encrypts data at rest and in transit
- Set strong, unique passwords and enable two-factor authentication
- Do not access patient records on shared or public computers without proper security
- Do not send PHI via unencrypted email or text message
- Log out of systems when stepping away from your workstation
- Use a HIPAA-compliant business associate for any cloud storage or documentation software
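The technical safeguards above (unique user identification, automatic logoff, role-based access management and audit controls) are easier to reason about when seen as code. The following is an added illustration, not code from this guide or from any EHR product: a toy ePHI access check in Python. The roles, record types, 15-minute idle timeout and the scenario in `demo()` are all assumed values chosen for the example; a real system would take them from its own policy and risk analysis.

```python
"""Minimal model of three HIPAA Security Rule technical safeguards:
unique user identification, automatic logoff and audit controls,
plus a role-based access check. Roles, record types, the timeout
and the demo scenario are assumptions made for this example."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role-to-record-type permissions: an assumed policy for illustration.
# Billing staff do not need progress notes (minimum necessary), and
# psychotherapy notes stay with the clinical role.
ROLE_PERMISSIONS = {
    "clinician": {"progress_note", "treatment_plan", "psychotherapy_note"},
    "billing": {"billing_record"},
}

IDLE_TIMEOUT = timedelta(minutes=15)  # assumed automatic-logoff threshold


@dataclass
class Session:
    user_id: str          # unique per person; a shared login has no place here
    role: str
    last_activity: datetime


@dataclass
class AuditLog:
    """Append-only audit trail: every access attempt, allowed or denied."""
    entries: list = field(default_factory=list)

    def record(self, user_id, record_type, patient_id, outcome, reason, when):
        self.entries.append({
            "time": when.isoformat(),
            "user": user_id,
            "record_type": record_type,
            "patient": patient_id,
            "outcome": outcome,
            "reason": reason,
        })

    def denied_by_user(self):
        """Count denied attempts per user, for periodic review of the trail."""
        counts = {}
        for e in self.entries:
            if e["outcome"] == "denied":
                counts[e["user"]] = counts.get(e["user"], 0) + 1
        return counts


def access_record(session, record_type, patient_id, now, audit):
    """Apply the logoff timeout and the role check, logging the outcome.
    Returns True when access is allowed."""
    if not session.user_id:
        audit.record("", record_type, patient_id, "denied",
                     "no user identification", now)
        return False
    if now - session.last_activity > IDLE_TIMEOUT:
        audit.record(session.user_id, record_type, patient_id, "denied",
                     "session idle; automatic logoff", now)
        return False
    allowed = ROLE_PERMISSIONS.get(session.role, set())
    if record_type not in allowed:
        audit.record(session.user_id, record_type, patient_id, "denied",
                     "record type not permitted for role", now)
        return False
    session.last_activity = now   # activity resets the logoff clock
    audit.record(session.user_id, record_type, patient_id, "allowed", "", now)
    return True


def demo():
    """Constructed scenario: a clinician, a billing user, and a stale session."""
    audit = AuditLog()
    t0 = datetime(2024, 1, 15, 9, 0)
    clinician = Session("jdoe", "clinician", t0)
    billing = Session("asmith", "billing", t0)
    results = [
        access_record(clinician, "progress_note", "P-001", t0 + timedelta(minutes=1), audit),
        access_record(billing, "billing_record", "P-001", t0 + timedelta(minutes=2), audit),
        access_record(billing, "progress_note", "P-001", t0 + timedelta(minutes=3), audit),
        access_record(clinician, "treatment_plan", "P-001", t0 + timedelta(minutes=30), audit),
    ]
    return results, audit


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes)                 # [True, True, False, False]
    print(log.denied_by_user())     # {'asmith': 1, 'jdoe': 1}
```

Two design points carry over to real systems: denied attempts are logged as deliberately as allowed ones, because the audit control exists to be examined, and the idle check runs before the permission check, so an abandoned workstation cannot read anything regardless of the role behind it.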
Release of Information: Getting It Right
One of the most common documentation-related HIPAA tasks is processing a release of information (ROI) — also called an authorization for disclosure.
What a Valid HIPAA Authorization Must Contain
A valid authorization must include all of the following:
- A specific description of the information to be disclosed
- The name of the person or entity authorized to make the disclosure
- The name of the person or entity to whom the disclosure will be made
- A description of the purpose of the disclosure
- An expiration date or event
- The individual's signature and date
- A statement of the individual's right to revoke the authorization
- A statement that information disclosed may be subject to re-disclosure and may no longer be protected
- A statement that the individual may refuse to sign and that treatment will not be conditioned on signing (with limited exceptions)
Common mistakes:
- Using an authorization form that lacks one of the required elements (most often the expiration date or the re-disclosure statement)
- Accepting a photocopy or fax of an authorization without verifying it with the patient
- Honoring an expired authorization
- Disclosing more than what the authorization specifies
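Three of the four mistakes above (a missing element, an expired form, disclosing beyond scope) can be caught by a mechanical check before any record leaves the practice. The following Python function is an added example for this guide, not a form or code from any vendor: it takes an authorization represented as a dictionary, a pending disclosure request, and today's date, and returns every reason the request cannot be honoured. The field names, the sample authorization and the requests in `demo()` are constructed for the example; the fourth mistake (verifying a faxed copy with the patient) is a human step the code cannot replace.

```python
"""Check a release-of-information request against a HIPAA authorization.
Field names and the sample authorization are constructed for this example."""

from datetime import date

# The nine elements listed above; a form missing any of them is invalid.
REQUIRED_ELEMENTS = (
    "information_described",
    "discloser",
    "recipient",
    "purpose",
    "expiration",           # either {"date": date} or {"event": str}
    "signature_date",
    "revocation_statement",
    "redisclosure_statement",
    "refusal_statement",
)


def validate_authorization(auth, request, today, events_occurred=()):
    """Return a list of reasons the request cannot be honoured.
    An empty list means the disclosure is within the authorization."""
    problems = []
    missing = [k for k in REQUIRED_ELEMENTS if not auth.get(k)]
    if missing:
        problems.append("missing required element(s): " + ", ".join(missing))
        return problems  # an incomplete form is invalid regardless of the rest

    if auth.get("revoked"):
        problems.append("authorization has been revoked")

    exp = auth["expiration"]
    if "date" in exp and today > exp["date"]:
        problems.append("authorization expired on " + exp["date"].isoformat())
    if "event" in exp and exp["event"] in events_occurred:
        problems.append("expiration event has occurred: " + exp["event"])

    if request["recipient"] != auth["recipient"]:
        problems.append("recipient differs from the authorized recipient")

    # The request may not exceed what the patient authorized.
    beyond = set(request["categories"]) - set(auth["information_described"])
    if beyond:
        problems.append("requested categories not authorized: " + ", ".join(sorted(beyond)))

    return problems


# Constructed sample authorization (all values are made up for the example).
SAMPLE_AUTH = {
    "information_described": ["progress_notes", "treatment_plan"],
    "discloser": "Example Counseling LLC",
    "recipient": "Dr. R. Example, MD",
    "purpose": "coordination of medication management",
    "expiration": {"date": date(2024, 12, 31)},
    "signature_date": date(2024, 1, 10),
    "revocation_statement": True,
    "redisclosure_statement": True,
    "refusal_statement": True,
}


def demo():
    """Four constructed requests: in scope, overbroad, expired, incomplete form."""
    in_scope = {"recipient": "Dr. R. Example, MD", "categories": ["treatment_plan"]}
    overbroad = {"recipient": "Dr. R. Example, MD",
                 "categories": ["treatment_plan", "psychotherapy_notes"]}
    no_expiration = {k: v for k, v in SAMPLE_AUTH.items() if k != "expiration"}
    return (
        validate_authorization(SAMPLE_AUTH, in_scope, date(2024, 6, 1)),
        validate_authorization(SAMPLE_AUTH, overbroad, date(2024, 6, 1)),
        validate_authorization(SAMPLE_AUTH, in_scope, date(2025, 2, 1)),
        validate_authorization(no_expiration, in_scope, date(2024, 6, 1)),
    )


if __name__ == "__main__":
    for problems in demo():
        print(problems or "OK to disclose")
```

The check stops at the first missing element on purpose: an authorization that lacks, say, the expiration date is not a valid authorization at all, so reporting scope or expiry problems on top of it would suggest the form could be honoured once those were fixed.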
When You Do Not Need an Authorization
Remember that authorization is not required for TPO disclosures, mandatory reporting (child abuse, elder abuse, communicable diseases), law enforcement requests meeting specific criteria, or certain oversight and regulatory activities. However, even in these cases, the minimum necessary standard still applies.
Breach Notification: What Happens When Things Go Wrong
A breach is the unauthorized acquisition, access, use, or disclosure of unsecured PHI that compromises the security or privacy of the information. If a breach occurs, HIPAA requires:
- Individual notification: Notify affected individuals within 60 days of discovery. The notification must describe what happened, what information was involved, what steps you are taking, and what the individual can do to protect themselves.
- HHS notification: If the breach affects 500 or more individuals, notify the Department of Health and Human Services within 60 days. For breaches affecting fewer than 500 individuals, maintain a log and submit it annually.
- Media notification: If the breach affects 500 or more residents of a single state or jurisdiction, notify prominent media outlets.
Documentation requirement: You must document your breach risk assessment, including your analysis of whether the breach was likely to result in harm. Keep this documentation for six years.
Record Retention Under HIPAA
HIPAA itself requires covered entities to retain documentation related to HIPAA compliance (policies, training records, authorizations, breach notifications) for six years from the date of creation or the date when the document was last in effect, whichever is later.
HIPAA does not specify a retention period for medical records themselves — that is governed by state law. Most states require retention of adult medical records for 7-10 years after the last encounter, and pediatric records for a period extending past the age of majority. Check your specific state requirements.
Best practice: Retain clinical records for the longer of your state requirement or 10 years. For minors, retain records until 3 years after the patient reaches the age of majority, or for your state's required period, whichever is longer.
HIPAA and Documentation Software
If you use any software to create, store, or transmit documentation, that software vendor is a business associate under HIPAA. You must have a Business Associate Agreement (BAA) in place with every vendor that handles PHI on your behalf.
A BAA must specify:
- The permitted uses and disclosures of PHI by the business associate
- The requirement that the business associate implement appropriate safeguards
- The requirement to report breaches
- The obligation to return or destroy PHI when the contract ends
Red flags in documentation software:
- The vendor will not sign a BAA
- Data is stored in a non-encrypted format
- The vendor does not provide information about their security practices
- There is no audit trail for access to records
- The system does not support individual user accounts (shared logins)
Making HIPAA Compliance Practical
HIPAA compliance is not a one-time event. It is an ongoing practice that should be integrated into your documentation workflow.
Annual checklist:
- Review and update your Notice of Privacy Practices
- Conduct or update your risk analysis
- Verify that all BAAs are current
- Complete staff training (and document it)
- Review your breach log and incident reports
- Audit a sample of your authorization forms for completeness
- Test your backup and disaster recovery procedures
How NotuDocs Can Help
HIPAA compliance starts with using the right tools. NotuDocs is built with HIPAA compliance at its core — offering encrypted storage, role-based access controls, audit trails, and a signed BAA. When your documentation tool is compliant by design, one of the most complex parts of HIPAA becomes automatic, letting you focus on clinical care instead of security checklists.


