Are Progress Notes Protected by HIPAA? What’s Covered, Access Rights, and Compliance Tips



Kevin Henry

HIPAA

March 25, 2026


HIPAA Protection of Progress Notes

Yes. When progress notes identify a patient—or can reasonably be used to identify one—they are Protected Health Information and therefore subject to HIPAA. Because they form part of the designated record set, these notes must be safeguarded, limited to appropriate uses and disclosures, and available to the patient under the Right of Access rules.

As Medical Record Documentation, progress notes capture your clinical observations, decisions, and plan of care. HIPAA permits using and disclosing them for treatment, payment, and health care operations without Patient Authorization. Most other purposes—such as marketing or certain third‑party disclosures—require a valid authorization that specifies scope, purpose, and expiration.

What progress notes typically include

  • Presenting concerns, relevant history, assessment, and clinical impressions.
  • Vitals, medications prescribed or adjusted, and key test or imaging results summaries.
  • Diagnosis, functional status, risks, and the treatment plan with goals and follow‑up.
  • Encounter details such as start/stop time, modality, and patient response to interventions.

Apply the minimum necessary standard to all uses and disclosures other than treatment: disclose only the information needed to accomplish the intended purpose.

Differences Between Progress Notes and Psychotherapy Notes

Progress notes are part of the medical record. Psychotherapy notes are different: they are the mental health professional’s personal notes analyzing the content of counseling conversations and are maintained separately from the medical record. This additional protection—often called the Psychotherapy Notes Exception—places stricter limits on use and disclosure.

What counts as psychotherapy notes

  • Process observations, hypotheses, and impressions about a therapy session’s dialogue.
  • Verbatim conversation fragments or highly sensitive reflections kept for the clinician’s own use.
  • Material stored separately from the general record and not needed by others for clinical care.

What does not count as psychotherapy notes

  • Session start/stop time, treatment modality and frequency, medications and monitoring.
  • Results of clinical tests, diagnosis, functional status, symptoms, prognosis, and treatment plan.
  • Any information filed in the standard chart or EHR as Medical Record Documentation.

Consequences of the distinction: using or disclosing psychotherapy notes generally requires Patient Authorization (with narrow exceptions, such as use by the originator for treatment or to defend a legal action). Progress notes, by contrast, may be used or disclosed for treatment, payment, and operations without authorization.

Patient Access Rights to Progress Notes

Patients have the right to inspect and obtain a copy of their progress notes because they are part of the designated record set. The Psychotherapy Notes Exception means psychotherapy notes are excluded from this right if they are kept separate as defined above.

Timelines and format

  • Respond to requests within 30 calendar days; a single 30‑day extension is allowed with written notice stating the reason and new date.
  • Provide the notes in the requested form and format if readily producible (including electronic copies for ePHI). If not, offer a reasonable alternative that the patient can use.

Fees and denials

  • Fees must be reasonable and cost‑based, limited to labor for copying, supplies, and postage when applicable—not for searching, retrieval, or maintaining systems.
  • Access may be denied only on limited grounds, such as when a licensed professional determines release would likely endanger life or physical safety, or where another person’s confidentiality would be compromised. Some denials are reviewable; document and communicate the process.

Clarity helps: tell patients where progress notes live in your record system and how to request them efficiently, including any identity verification steps.


Requirements for HIPAA-Compliant Storage

Administrative safeguards

  • Perform and update an enterprise‑wide risk analysis; implement a risk management plan with assigned owners and timelines.
  • Adopt written policies covering Access Controls, workforce training, sanctions, contingency planning, incident response, retention, and secure destruction.
  • Execute Business Associate Agreements with vendors that create, receive, maintain, or transmit ePHI; verify their security posture and Audit Logging capabilities.
  • Define a data lifecycle for progress notes: creation, access, archival, and disposal aligned with state retention rules and payer requirements.

Physical safeguards

  • Limit facility access; secure paper charts in locked areas with visitor logs and clean‑desk practices.
  • Protect devices: asset inventory, secure storage, and approved removal processes for media containing PHI.
  • For mobile use, require encryption, remote wipe, and screen‑lock timeouts; avoid storing PHI locally when feasible.

Technical safeguards

  • Use Encryption at Rest by default for servers, databases, endpoints, and backups; encrypt in transit with modern TLS.
  • Implement strong Access Controls: unique user IDs, least‑privilege roles, timely provisioning and deprovisioning, and multi‑factor authentication where feasible.
  • Enable Audit Logging that records access, creation, modification, and export of progress notes; protect logs from tampering and review them routinely.
  • Maintain integrity controls (e.g., checksums, versioning), automatic logoff, network segmentation, and up‑to‑date patching.
  • Back up data regularly, test restores, and document recovery time and recovery point objectives.

Remember: HIPAA’s Security Rule includes “addressable” specifications. If you choose an alternative (for example, an equivalent control rather than a specific encryption method), document your rationale and how the alternative effectively mitigates risk.
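The authorization rules from the psychotherapy-notes section and the tamper-evident Audit Logging requirement above can be checked in code. The following is an added example, not code from the article or from any vendor product: a small access gate that applies the progress-versus-psychotherapy distinction (TPO without authorization for progress notes; authorization required for psychotherapy notes, with the originator-for-treatment exception the article names), and a hash-chained audit log whose entries cannot be edited or dropped without detection. Function names, the note types and the timestamps are assumptions for illustration.

```python
import hashlib
import json

# Purposes HIPAA permits for progress notes without Patient Authorization.
TPO = {"treatment", "payment", "operations"}


def access_allowed(note_type, purpose, has_authorization, requester_is_originator=False):
    """Apply the article's distinction: progress notes for TPO need no
    authorization; psychotherapy notes need one unless the originator is
    using them for treatment (one of the narrow exceptions)."""
    if note_type == "progress":
        return purpose in TPO or has_authorization
    if note_type == "psychotherapy":
        return has_authorization or (requester_is_originator and purpose == "treatment")
    raise ValueError(f"unknown note type: {note_type}")


def _digest(body):
    # Canonical JSON so the same record always hashes the same way.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_audit(log, record):
    """Append a record linked to the previous entry's hash (tamper evidence)."""
    prev = log[-1]["hash"] if log else "0" * 64
    body = {**record, "prev": prev}
    entry = {**body, "hash": _digest(body)}
    log.append(entry)
    return entry


def verify_audit(log):
    """Recompute every link; an edited, reordered or deleted entry breaks the chain."""
    prev = "0" * 64
    for entry in log:
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body["prev"] != prev or _digest(body) != entry["hash"]:
            return False
        prev = entry["hash"]
    return True


def record_access(log, user, note_id, note_type, purpose, ts,
                  has_authorization=False, originator=False):
    """Gate the request, then log allowed and denied attempts alike
    (denied attempts are what anomalous-access alerts are built on)."""
    allowed = access_allowed(note_type, purpose, has_authorization, originator)
    append_audit(log, {"ts": ts, "user": user, "note": note_id, "type": note_type,
                       "purpose": purpose, "allowed": allowed})
    return allowed
```

In production the chain head (or a periodic signed checkpoint) should be written somewhere the log writer cannot modify, otherwise an attacker with write access could simply recompute the whole chain.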

Best Practices for Maintaining Compliance

  • Chart with the patient in mind. Write progress notes clearly and respectfully, anticipating that the patient may read them.
  • Standardize Medical Record Documentation with evidence‑based templates and required fields to reduce omissions and variability.
  • Operationalize Patient Authorization workflows: capture scope, expiration, revocation, and accounting of disclosures.
  • Review access quarterly. Validate role‑based permissions, remove dormant accounts, and reconcile access after job changes.
  • Monitor with intent: set alerts on anomalous access, routinely sample Audit Logging reports, and investigate promptly.
  • Harden endpoints: prohibit PHI in unencrypted email or consumer texting; use secure messaging, portals, or SFTP for exchanges.
  • Train annually and at onboarding; reinforce the minimum necessary standard, secure note‑taking habits, and breach reporting.
  • Plan for incidents: practice tabletop exercises, document containment steps, and maintain current contact trees for breach notification.
  • Align retention and destruction with state law and payer contracts; ensure destruction is complete and documented.

HIPAA is enforced primarily by the Office for Civil Rights. Civil monetary penalties are tiered by culpability (from reasonable cause to willful neglect) and assessed per violation, with annual caps that are periodically adjusted for inflation. Investigations often result in corrective action plans, monitoring, and extensive policy remediation.

Criminal liability can arise for knowingly obtaining or disclosing PHI without authorization, with higher penalties for offenses committed under false pretenses or for personal gain or malicious harm. Beyond HIPAA, you may face state privacy statutes, licensure board actions, malpractice exposure, and contractual penalties under payer or Business Associate agreements.

Conclusion

Progress notes are Protected Health Information and part of the core medical record. Treat them as you would any sensitive clinical data: distinguish them from psychotherapy notes, honor timely patient access, and secure them with Encryption at Rest, strong Access Controls, and robust Audit Logging. Consistent policies, training, and monitoring keep your organization compliant and your patients’ trust intact.

FAQs

Are progress notes considered protected health information under HIPAA?

Yes. Progress notes that identify a patient are Protected Health Information. They sit within the designated record set, which means HIPAA’s privacy and security requirements apply to their creation, use, disclosure, and safeguarding.

What distinguishes progress notes from psychotherapy notes?

Progress notes belong in the medical record and include elements such as diagnosis, medications, test results, treatment plan, and session timing. Psychotherapy notes are the therapist’s separate, personal analysis of counseling conversations. Under the Psychotherapy Notes Exception, those separate notes receive heightened protection and usually require Patient Authorization for use or disclosure.

Do patients have the right to access their progress notes?

Yes. Patients generally have the right to inspect and receive copies of their progress notes within 30 days (with one permitted 30‑day extension if needed). Psychotherapy notes are excluded from this right if kept separately as defined by HIPAA.

How should progress notes be stored to ensure HIPAA compliance?

Store progress notes in systems that implement Encryption at Rest, strong Access Controls, and comprehensive Audit Logging. Support these technical safeguards with written policies, workforce training, Business Associate Agreements for vendors, secure backups and tested recovery, and retention and destruction practices aligned with legal and contractual requirements.
