Confidentiality in psychology is the ethical and legal obligation therapists have to protect the private information you share during treatment. It means that what you say in a therapy session stays between you and your psychologist, with a few important exceptions. This principle is one of the foundations that makes therapy work, because honest conversation depends on trust that your words won’t be shared without your permission.
The Ethical Obligation
The American Psychological Association’s Ethics Code spells out confidentiality as a primary obligation. Psychologists must take “reasonable precautions to protect confidential information obtained through or stored in any medium.” That covers everything from handwritten session notes to digital records to what a therapist remembers from your conversation. The obligation applies regardless of where the information lives or how it was collected.
This duty flows from a broader ethical principle called beneficence and nonmaleficence, which essentially means psychologists must act in your best interest and avoid causing harm. Sharing your private disclosures without good reason would cause harm, so protecting that information is treated as a core professional responsibility rather than a courtesy.
Before therapy begins, psychologists are required to have a direct conversation with you about the limits of confidentiality and how the information you share will be used. This isn’t optional. It’s built into the informed consent process so you know the rules before you start talking.
Federal Legal Protections
Beyond ethics codes, federal law reinforces confidentiality through HIPAA, the Health Insurance Portability and Accountability Act. The HIPAA Privacy Rule gives you specific rights over your health information and restricts how therapists, clinics, and insurance companies can use or share it.
Psychotherapy notes receive especially strong protection under HIPAA. With very few exceptions, a provider must get your written authorization before disclosing your therapy notes to anyone, including other healthcare providers. This is a higher bar than what applies to general medical records. Even if you see a psychiatrist and a therapist in the same health system, your therapist typically cannot share session notes with the psychiatrist without your explicit permission.
When family members or friends are involved in your care, any information shared with them must be limited to what’s directly relevant to their involvement. A therapist can’t give your spouse a full account of your sessions just because your spouse drives you to appointments.
When Confidentiality Can Be Broken
Confidentiality is not absolute. There are situations where a psychologist is legally required or ethically permitted to disclose information without your consent. Understanding these exceptions matters because they define the actual boundaries of privacy in therapy.
- Danger to yourself or others. If a therapist believes you pose a serious and imminent threat to yourself or someone else, they can share information with people in a position to help, including family members or law enforcement. The landmark 1976 case Tarasoff v. Regents of California established that clinicians have a duty to protect identifiable potential victims when a patient makes credible threats. That duty can be fulfilled by warning the person at risk, notifying police, or arranging hospitalization.
- Suspected abuse or neglect. Every U.S. state has mandatory reporting laws that require psychologists to report suspected child abuse, elder abuse, or abuse of other vulnerable individuals. These laws override confidentiality. A psychologist who suspects abuse is legally obligated to report it to the appropriate authorities, even without your consent.
- Court orders. A psychologist cannot ignore a subpoena, but a subpoena alone doesn’t automatically mean your records will be handed over. In most states, a therapist can only release records without your consent if the subpoena is an actual court order signed by a judge, which is relatively rare. If it’s a standard subpoena issued by an attorney, the psychologist must still respond but should seek your written consent or work with a lawyer to challenge the request before releasing anything.
How these exceptions play out varies significantly by state. In some states, therapists have a clear legal duty to protect third parties from a dangerous patient. In others, like Florida, the law is permissive: a therapist may breach confidentiality in those circumstances but isn’t required to. A few states actually prohibit therapists from breaking confidentiality even when a patient threatens someone. This patchwork of state laws means the specific protections you have depend on where you live.
Confidentiality With Minors
When a child or teenager is in therapy, confidentiality gets more complicated. Parents are generally considered the personal representatives of their minor children under HIPAA, which means they can access their child’s mental health information in the medical record, including diagnosis, symptoms, and treatment plans.
However, psychotherapy notes are treated differently. The Privacy Rule does not give parents a right to receive copies of a therapist’s private session notes about their child’s treatment. These notes, which document what was actually said in a counseling session, are kept separate from the medical record and are primarily for the therapist’s personal use. A provider has discretion to share them but is not required to, and state law may add further restrictions.
In practice, many child and adolescent therapists set expectations early with both the parent and the young person. They’ll typically share general updates about progress with parents while keeping the specific content of sessions private, unless safety concerns arise. This balance helps the young person feel safe enough to be honest while keeping parents informed enough to support treatment.
Group and Couples Therapy
Confidentiality works differently when more than one client is in the room. In group or couples therapy, everything said during a session is generally available to everyone present. Any individual in the group can request copies of the session records or authorize their release to an outside party.
This creates a practical problem: a therapist can encourage other group members to keep things confidential, but they can’t legally enforce it the way they can with their own staff. Other participants in your group therapy session are not bound by HIPAA or professional ethics codes.
When someone in group or couples therapy is also seen individually, those one-on-one sessions are treated as standard private sessions with full confidentiality protections, unless there’s a prior agreement that the content will be shared with the group. Therapists are expected to explain all of this clearly before group or couples work begins and to document that they’ve done so.
Digital Privacy in Modern Practice
The shift to teletherapy and electronic records has added new layers to confidentiality. Psychologists are expected to use HIPAA-compliant, encrypted software for video sessions and to protect against malware and unauthorized access to their systems.
Best practices for teletherapy include starting each session by verbally confirming where you are, whether anyone else is nearby, and whether you can be overheard. This is the digital equivalent of closing an office door. If your therapist communicates with you by text or email, those messages should ideally use end-to-end encryption. Notification settings should be adjusted so that message previews don’t appear on a locked phone screen.
Devices used for psychological assessments, like tablets, should ideally be dedicated solely to that purpose to reduce the risk of data leaking through other apps. Autofill features on shared devices should be disabled so your information doesn’t accidentally appear when someone else uses the device. Some experts even recommend using numerical passwords rather than fingerprint or face unlock on professional devices, because U.S. case law has generally protected people from being forced to reveal number passwords to law enforcement, while biometric data doesn’t have the same legal protection.
Electronic records themselves follow a principle of minimum necessary disclosure: when information must be shared, the least identifiable, least sensitive version should go to the fewest number of people needed to accomplish the goal. Your therapist shouldn’t send your full case file when a brief treatment summary would suffice.
Why It Matters for Treatment
Confidentiality isn’t just a legal formality. It directly affects whether therapy works. People who don’t trust that their information is protected tend to hold back on the very topics they most need to discuss. Shame, fear of judgment, and worry about social consequences can all keep someone from being fully honest if they’re unsure who might learn what they’ve said. The guarantee of confidentiality lowers that barrier and gives the therapeutic relationship room to function.
If you’re starting therapy and want to understand exactly what’s protected and what isn’t, ask your therapist directly during your first session. They’re required to explain it, and a good therapist will welcome the question.