What to Do When a Client Requests Their Therapy Records

What to Do When a Client Requests Their Therapy Records

A practical guide for therapists on handling client records requests: HIPAA timelines, the psychotherapy notes exception, how to prepare a records release, and what to do when an attorney or court comes calling.

Why Records Requests Catch Therapists Off Guard

Most therapists learn documentation from the clinical side. You learn how to write a progress note that captures the session accurately, how to document risk assessments so they hold up under scrutiny, how to structure a treatment plan that reflects actual clinical goals. What the training rarely covers in any depth is what happens when someone asks to see those records.

Then a client emails asking for a copy of everything in their file. Or their attorney sends a letter. Or a court issues a subpoena. And suddenly you are holding a pile of notes wondering: What exactly am I required to give them? What can I legally withhold? How long do I have? What do I charge?

This guide is for that moment. It covers the federal legal framework that governs records access, the critical distinctions you need to understand before you release anything, and step-by-step guidance for the most common records request scenarios.

One important caveat up front: state law frequently adds layers to the federal baseline, and in some cases is more protective of clients and more restrictive of what you can withhold. Always verify your state's mental health records law before releasing anything. If you are ever unsure, consulting a healthcare attorney for a one-time review of your records policy is worth the cost.

The foundation for client records requests in the United States is the HIPAA Privacy Rule's Right of Access (45 CFR § 164.524). Under this rule, clients (called "individuals" in HIPAA language) have the right to inspect and receive a copy of their own protected health information (PHI) that you hold in a designated record set.

Several things in that sentence matter, so we will take them one at a time.

What Is the Designated Record Set?

The designated record set (DRS) is the collection of records you maintain about a client that is used to make decisions about their care. For a therapist in private practice, this typically includes:

  • Intake forms, consent forms, and authorizations signed by the client
  • Treatment plans (initial, revised, and updated versions)
  • Progress notes from individual sessions
  • Assessments and psychological testing reports
  • Medication records or coordination-of-care records you maintain
  • Billing records used to make treatment decisions
  • Any other documents you maintain and use to inform clinical decisions

If it is in the designated record set and a client asks for it, your default position is to provide it. The burden is on you to identify a valid legal reason to withhold, not on the client to justify their request.

What Are Psychotherapy Notes, and Why Do They Get Special Treatment?

Here is where most therapists have questions, and for good reason. HIPAA creates a specific category called psychotherapy notes that are treated differently from the rest of the record.

Under HIPAA, psychotherapy notes are notes that:

  • Record a mental health professional's analysis of the contents of a conversation with a client
  • Are kept separate from the rest of the client's medical record
  • Are not used for treatment, payment, or healthcare operations

The key phrase is "kept separate." If your notes are mixed in with the rest of the clinical record, they do not qualify as psychotherapy notes under HIPAA's definition, regardless of their content.

When notes properly qualify as psychotherapy notes, you can withhold them from a client's access request without providing an explanation. This is often called the psychotherapy notes exception. The rationale is that a therapist's private reflections, formulations, and hypotheses about a client may serve the therapy process, but giving a client unfiltered access to every interpretive thought could cause harm or disrupt treatment.

However, this is a withholding permission, not a withholding obligation. You are allowed to give clients access to your process notes if you choose to. The exception simply means you are not legally required to.

What does not qualify as a psychotherapy note under HIPAA:

  • Medication prescriptions and monitoring records
  • Counseling session start and stop times
  • The modalities and frequencies of treatment provided
  • Results of clinical tests
  • Diagnoses and treatment plans
  • Summary notes written for insurance billing or coordination purposes

If your progress notes are already structured with diagnosis, interventions, client response, and plan, they are almost certainly part of the designated record set. You cannot re-label them as psychotherapy notes after a request arrives.

Practical example: A fictional client named Daniel requests his complete therapy file after ending treatment. His therapist, Dr. Renata, maintains two separate documents for each client: a structured progress note in the EHR (diagnosis, session goals, interventions, client response, plan) and a separate process journal in a paper notebook where she records her clinical hypotheses and interpretive thoughts. The progress notes are in the designated record set. The process journal is maintained separately from the medical record and qualifies as psychotherapy notes. Dr. Renata must provide the progress notes and all other DRS materials. She may, but is not required to, provide the process journal.

Timelines You Must Meet

HIPAA is specific about timing. Once you receive a complete records request from a client, you have 30 calendar days to respond. You may extend that by one additional 30-day period if you send the client written notice of the delay and the reason before the first 30 days expire. In other words, the absolute outside limit is 60 days, and only if you follow the extension process correctly.

Some states impose shorter timelines. California, for example, requires that records be provided within 15 working days of receiving a signed authorization. New York has different timelines depending on whether the records are electronic or paper. Check your state law.

If a client requests electronic records in a specific format (PDF, CSV, whatever is technically feasible), you must provide them in that format if you can. This is part of HIPAA's strengthened access requirements under the 21st Century Cures Act provisions implemented in 2021, which tightened the access rule significantly.

Failing to respond within the required timeframe is a HIPAA violation that can result in civil monetary penalties. The Department of Health and Human Services Office for Civil Rights (OCR) has pursued enforcement actions specifically over right of access failures, including settlements with solo practitioners. This is not theoretical risk.

What You Can Charge (and What You Cannot)

You may charge a reasonable, cost-based fee for providing copies of records. Under the updated HIPAA access rule, the allowable fee calculation methods are:

  • Actual costs: only the labor for copying, the cost of supplies, and postage (if mailing)
  • Average cost: a flat fee calculated from your actual average costs, consistently applied
  • State law fees: if your state specifies a fee schedule, you may use it as long as it does not exceed HIPAA limits
  • Flat fee for electronic copies: a flat fee of no more than $6.50 per request, when you are sending records electronically

You cannot charge for the time spent retrieving the records or reviewing what to include. You cannot charge a search or handling fee. You cannot make the fee so prohibitive that it effectively denies access.

If the client requests that records be sent directly to a third party (their new therapist, their insurance company), the same fee rules apply.

How to Prepare Records for Release

Once you have confirmed the request is valid and you know what falls within the designated record set, the preparation process follows a consistent pattern.

Verify the Request Is from the Right Person

For a current or former client requesting their own records, confirm identity with a signed written authorization from the client. For requests about minor clients, the custodial parent or legal guardian typically has access rights, though state law varies significantly on when adolescents can control their own mental health records (some states grant minors as young as 12 the right to authorize their own mental health treatment and records).

For requests involving a deceased client, the personal representative of the estate has access rights under HIPAA. Get documentation of that representative status before releasing anything.

Document the Request

Note the date you received the request, what was requested, and the form it arrived in (email, letter, in-person). This creates the timestamp for your compliance clock.

Compile the Record

Pull everything that falls within the designated record set. For most outpatient therapy practices this includes: intake paperwork, signed consent and disclosure forms, treatment plans, progress notes, any coordination-of-care correspondence you generated, and billing records if they were used in treatment decisions.

Review what you are pulling. If you have a legitimate reason to withhold specific documents (psychotherapy notes exception, or a state law basis), document your reasoning in your own records before release.

Consider Whether Release Could Cause Harm

HIPAA does allow you to deny a request, or to deny access to specific parts of the record, if a licensed healthcare professional determines that providing access is likely to endanger the life or physical safety of the client or another person. This is called the access denial for endangerment exception.

This exception has a narrow scope. It requires a professional determination of actual endangerment risk, not general discomfort with the client seeing their records. If you do deny access on these grounds, the client has the right to have that denial reviewed by another licensed professional you designate. You cannot simply refuse without providing a review pathway.

A more common scenario: a client who is currently in a very fragile state, with active suicidality, requests their full records during a crisis. You have clinical concerns about releasing certain detailed crisis documentation during an acute episode. That concern is worth taking seriously, and it may support a decision to delay while you consult with a supervisor or attorney. But "I am worried this will upset the client" is not a HIPAA access denial. Document your reasoning carefully.

Fictional example: Dr. Priya receives a records request from her current client, Marcus, who is three weeks out of a psychiatric inpatient stay. The records include a detailed crisis contact note with his specific stated plan from the prior episode. Dr. Priya consults with a supervising colleague and decides the risk of providing that specific note at this moment is clinically significant. She documents her reasoning, provides all other requested records within the timeline, and explains to Marcus that one note is being temporarily withheld with review available. She schedules an earlier session to discuss the records he has received. This is a defensible, documented clinical decision, not a blanket refusal.

Handling Attorney Records Requests

Attorneys request therapy records regularly: during divorces, custody disputes, personal injury cases, disability claims, and criminal cases. How you respond depends entirely on what the attorney sends you.

Authorization vs. Subpoena: A Critical Distinction

An authorization is a signed form from your client permitting you to release their records to the attorney. If you receive a properly executed authorization that meets HIPAA's required elements, you should release the specified records. The client has consented.

A subpoena is a formal legal demand, but its legal force depends on its source. There are two kinds:

Attorney-issued subpoenas (also called subpoenas duces tecum issued by an attorney without a judge's signature) do not automatically require you to release protected records. Under HIPAA, you must either have a court order, or have satisfactory assurances that the party seeking the records has made reasonable efforts to notify the client, given the client an opportunity to object, and the time to object has passed without a qualifying protective order.

Court orders signed by a judge carry more weight, but even a court order does not necessarily require you to produce psychotherapy notes. Some states provide additional privilege protections for mental health records that supersede a court order unless a judge specifically addresses the privilege claim.

When you receive an attorney subpoena without a client authorization, do not panic and do not just mail the records. Your correct response is to:

  1. Contact the client immediately and let them know you received a subpoena. They may want to have their own attorney object to it or provide an authorization.
  2. Contact the requesting attorney's office to confirm the status and whether an authorization is forthcoming.
  3. If the subpoena has a return date, document when you received it and whether you need to file an objection or seek a protective order.
  4. If you are uncertain about your state's privilege law or the legal sufficiency of the subpoena, consult with a healthcare attorney.

Fictional example: An attorney named Maria Ochoa sends a records request for a client named Jordan, who is involved in a personal injury lawsuit. The letter includes a signed HIPAA-compliant authorization from Jordan specifying that all therapy records from the past two years may be released. This is a valid authorization. Jordan's therapist, Dr. Chen, reviews the authorization, confirms it meets HIPAA requirements (client signature, date, description of information to be disclosed, recipient identified, expiration), and prepares the records accordingly, excluding any documents Jordan specifically did not include in the scope.

Contrast that with: a defense attorney in the same case sends a separate subpoena without Jordan's authorization, seeking the same records. Dr. Chen does not release the records, notifies Jordan, documents the receipt, and consults with a healthcare attorney about whether an objection is warranted.

What Records to Release to an Attorney

Even with a valid authorization, you are only releasing what the authorization specifies. If it says "all mental health records," review carefully. You may still withhold psychotherapy notes if they qualify, and you should document that decision. If the authorization specifies only progress notes and the treatment plan, do not include intake forms or billing records.

Documenting Your Own Response

Every records request and your response to it should be documented in the client's file. This is not burdensome. A short note that covers the following is sufficient:

  • Date request received and form it arrived in (written, email, certified mail)
  • Name of requestor and their relationship to the client
  • What was requested
  • What was provided, the format, and the date of release
  • What, if anything, was withheld and the legal or clinical basis for the withholding
  • Any fees charged and when they were paid
  • Any consultation you sought before responding

This documentation protects you if a records release is ever questioned by a licensing board or in litigation.

Common Mistakes to Avoid

Waiting too long. The 30-day clock starts when the request is complete, not when you get around to reading it. A request you received and set aside for two weeks before starting to act on is a request you may already be late on.

Providing records without verifying identity. Releasing PHI to the wrong person, even with good intentions, is a HIPAA violation. Always get a signed written request for the designated record set.

Treating the psychotherapy notes exception as broader than it is. If your notes are in the EHR alongside billing codes and diagnoses, they are almost certainly in the designated record set. You cannot claim the psychotherapy notes exception for notes that were never actually kept separate.

Not separating what you are providing from what you are withholding. If you are withholding some documents, the response to the client should acknowledge that records were reviewed, what is being provided, and that some materials are not included with the legal or clinical basis. Do not just provide a subset of records with no explanation.

Releasing records in response to a verbal request. Get it in writing. A client who calls and asks you to fax their records to their new therapist may be acting in good faith, but you need a written authorization to protect yourself.

Not charging or overcharging. Charging nothing is not legally required, but inconsistency creates problems. Charging an amount that exceeds allowable HIPAA fees is a compliance issue.

Client Records Request Checklist

Use this when a client, an attorney, or a court contacts you about records.

Receiving and Verifying the Request

  • Date and form of the request documented in the client's file
  • Identity of requestor confirmed (client, legal guardian, personal representative, attorney with authorization)
  • Scope of the request identified (all records, specific date range, specific document types)
  • Signed written authorization or court order reviewed for HIPAA-required elements
  • For attorney subpoenas without authorization: client notified, legal consultation obtained if needed

Determining What to Include

  • Designated record set pulled and reviewed
  • Psychotherapy notes identified and assessed: are they properly kept separate from the DRS?
  • Harm exception considered and documented if applicable
  • State law variations reviewed for your jurisdiction
  • Scope of authorization matched to scope of what is released

Preparing the Release

  • Records compiled in appropriate format (paper copy, electronic)
  • Any withheld documents noted with documented basis for withholding
  • Fee calculated using allowable method and communicated to client
  • Release date confirmed within the 30-day window (or 60-day extended window if extension notice was sent)

After Release

  • Response documented in client's file: what was released, format, date, fee paid
  • Any withheld materials and the basis for withholding documented
  • Any consultations obtained during the process noted
  • Receipt confirmed if records were sent to a third party

Handling records requests well comes down to two things: understanding the distinction between what clients are entitled to and what you may withhold, and documenting every step of your response.

If you keep your session notes structured and consistent, the records preparation process is much more straightforward. NotuDocs is designed for therapists who use template-based notes, which means your designated record set stays clean, organized, and easy to produce when a request comes in.

For related reading, see the guides on HIPAA documentation requirements and common documentation mistakes therapists make.

Gerelateerde artikelen

NotuDocs vs Apollo Notes: Template-First Documentation vs Voice-Memo AI Notes

NotuDocs vs Apollo Notes: Template-First Documentation vs Voice-Memo AI Notes

A practical comparison of NotuDocs and Apollo Notes for therapists. Covers how each tool works, hallucination risk, workflow differences, free tier comparison, template control, pricing, and which practice type fits each approach.

NotuDocs vs AutoNotes: Template Control vs Recording-Based AI Notes

NotuDocs vs AutoNotes: Template Control vs Recording-Based AI Notes

A detailed comparison of NotuDocs and AutoNotes for therapists. Covers workflow differences, hallucination risk, privacy approach, pricing, language support, and which tool fits your practice.

NotuDocs vs Berries: Template-First Notes vs AI Scribe for Therapists

NotuDocs vs Berries: Template-First Notes vs AI Scribe for Therapists

A detailed comparison of NotuDocs and Berries for therapists. Covers workflow differences, hallucination safety, privacy, pricing ($25 vs $99/mo), language support, and which tool fits your practice.

Stop met notities schrijven vanaf nul

NotuDocs zet uw ruwe sessienotities automatisch om in gestructureerde, professionele documenten. Kies een sjabloon, neem uw sessie op en exporteer in seconden.

Probeer NotuDocs gratis

Geen creditcard vereist