Art Therapy HIPAA Compliance: A Practical Guide for Therapists


Kevin Henry

HIPAA

March 21, 2026

9 minute read

As an art therapist, you handle sensitive stories expressed through words, images, and objects. This practical guide shows you how to protect Protected Health Information (PHI) and stay aligned with HIPAA while preserving therapeutic freedom. It offers general information, not legal advice.

Understanding HIPAA Requirements

What HIPAA covers

HIPAA centers on three pillars you must understand and implement: the Privacy Rule, the Security Rule, and the Breach Notification Rule. Together, they govern how you collect, use, disclose, store, and transmit PHI, including electronic PHI (ePHI).

  • Privacy Rule: Limits uses and disclosures of PHI and grants client rights such as access and amendments.
  • Security Rule: Requires Security Safeguards for ePHI across administrative, technical, and physical domains.
  • Breach Notification Rule: Dictates who you must notify, and when, after a breach of unsecured PHI.

Protected Health Information in art therapy

PHI includes any information that can identify a client and relates to their health or care. In art therapy, identifiers often appear in unexpected places: signatures on artwork, self-portraits, unique features, a name on a sketchbook, or metadata in digital photos. When using images for documentation, research, supervision, or teaching, treat them as PHI unless fully de-identified.
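Embedded photo metadata is easy to overlook: a camera or phone writes Exif (device serial, GPS, author) and sometimes free-text comments into the JPEG before the pixels. The following added example, not code from the original article, lists the metadata segments in a JPEG and writes a copy without them, using only the standard library; the sample file bytes are constructed inline. It removes file metadata only; identifiers inside the picture itself (a signature, a face) still need separate de-identification.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# Segments that carry metadata rather than pixels: APP1 (Exif, XMP),
# APP13 (Photoshop/IPTC) and COM (free-text comments).
METADATA_MARKERS = {0xE1: "APP1", 0xED: "APP13", 0xFE: "COM"}

def _seg(marker: int, payload: bytes) -> bytes:
    """Build one JPEG segment: 0xFF, marker, 2-byte length (counts itself), payload."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

def _walk(data: bytes):
    """Return ([(marker, raw_segment), ...], offset of SOS) for the header part."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    segs, pos = [], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte before a marker; skip it
            pos += 1
            continue
        if marker == SOS:                  # entropy-coded image data follows
            return segs, pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:   # standalone, no length
            segs.append((marker, data[pos:pos + 2]))
            pos += 2
            continue
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, data[pos:pos + 2 + length]))
        pos += 2 + length
    raise ValueError("truncated JPEG: no SOS marker found")

def metadata_found(data: bytes) -> list:
    """Names of metadata-bearing segments: check a photo before it leaves the EHR."""
    names = []
    for marker, raw in _walk(data)[0]:
        if marker not in METADATA_MARKERS:
            continue
        payload = raw[4:]
        if payload.startswith(b"Exif\x00"):
            names.append("Exif")
        elif payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            names.append("XMP")
        else:
            names.append(METADATA_MARKERS[marker])
    return names

def strip_metadata(data: bytes) -> bytes:
    """Copy the JPEG without APP1/APP13/COM segments; pixel data is byte-identical."""
    segs, sos = _walk(data)
    kept = b"".join(raw for marker, raw in segs if marker not in METADATA_MARKERS)
    return SOI + kept + data[sos:]

# Constructed sample (not a real photo): JFIF header, an Exif segment with a
# made-up artist field, a quantization table, a comment naming the client, scan data.
SAMPLE_JPEG = (
    SOI
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08Artist=J. Doe (constructed)")
    + _seg(0xDB, bytes(65))
    + _seg(0xFE, b"session 3 self-portrait, client J. Doe")
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x00\x11\x22" + EOI
)
```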

Minimum necessary and covered status

Apply the “minimum necessary” standard—share only what is essential for a given purpose. If you transmit standard transactions electronically (for example, claims or eligibility checks), you are likely a covered entity under HIPAA; your vendors that touch PHI act as business associates and require written Business Associate Agreements (BAAs).

Notice, rights, and psychotherapy notes

Provide a Notice of Privacy Practices that explains how you use PHI and client rights. Keep psychotherapy notes separate from the medical record; they receive heightened protection and usually require Patient Authorization for disclosure.

Implementing Security Safeguards

A practical rollout plan

  • Map your PHI: list where PHI lives—EHR, paper files, photos of artwork, emails, texts, voicemails, billing, backups, and art storage.
  • Complete a risk analysis: identify threats (loss, theft, snooping, ransomware) and vulnerabilities (unlocked cabinets, personal phones, open Wi‑Fi).
  • Prioritize risk management: choose reasonable controls that reduce high risks first and document why.
  • Assign roles: name a Privacy Officer and Security Officer (often you in solo practice) with clear responsibilities.
  • Write policies and procedures: access, passwords, mobile devices, telehealth, photography of art, release of images, and breach response.
  • Train and test: provide initial and periodic training; run tabletop drills for incident response.
  • Vet vendors: execute BAAs and verify their Administrative Safeguards, Technical Safeguards, and Physical Safeguards.
  • Harden daily workflows: use secure messaging, encrypt devices, lock storage, and verify identities before disclosures.
  • Document everything: maintain policies, risk analyses, training logs, and incident records for at least six years.
  • Re-evaluate annually and after major changes, such as adopting a new EHR or adding telehealth features.

Managing Patient Authorizations

When you need a Patient Authorization

Beyond treatment, payment, and health care operations, most uses and disclosures require a written Patient Authorization. Common art therapy scenarios include sharing artwork or session photos outside treatment, using images in publications or presentations, releasing records to schools or camps, and most marketing uses.

What a valid authorization includes

  • Specific description of the information (for example, “progress notes and photos of artwork dated January–March”).
  • Who may disclose and who may receive the information.
  • The purpose of the disclosure and an expiration date or event.
  • Client’s signature and date, plus a statement on the right to revoke in writing.
  • Notice that information disclosed may be redisclosed by the recipient and may no longer be protected.

Artwork, photography, and displays

  • Document why images are clinically necessary before photographing artwork; store images within your EHR or a secured repository.
  • For exhibits or educational uses, obtain a specific Patient Authorization; de-identify thoroughly if possible.
  • Avoid storing PHI on personal devices; if temporarily needed, enable encryption and remote wipe, upload securely, then delete local copies.

Minors and sensitive cases

For minors or clients with guardians, confirm who has the right to authorize disclosures. Consider safety and therapeutic impact when deciding what to disclose, and follow the minimum necessary standard.


Ensuring Session Confidentiality

In-person privacy

  • Control access: use private rooms, door signage, and sound masking for sensitive discussions.
  • Protect materials: store works-in-progress in locked cabinets labeled with client codes, not names.
  • Desk discipline: keep notes out of sight; never leave files or images open on unattended screens.

Group and family sessions

  • Set expectations: review confidentiality limits and ask participants to sign a group confidentiality agreement.
  • Manage identifiers: use first names or initials on shared materials; collect and secure art after sessions.

Telehealth considerations

  • Use a HIPAA-aligned platform with a BAA; disable cloud recordings unless clinically required and authorized.
  • Verify client identity and location at each session and have an emergency plan.
  • Encourage clients to join from private spaces and use headphones to reduce exposure of PHI.

Documentation hygiene

  • Keep psychotherapy notes separate from the designated record set; restrict access to need-to-know.
  • When emailing or texting logistics, avoid PHI when possible or use secure messaging with client consent.

Handling Breach Notifications

First response and assessment

  • Contain and preserve: stop the incident, secure systems, and preserve logs and evidence.
  • Perform a four-factor risk assessment: the nature of PHI exposed, who received it, whether it was actually viewed or acquired, and the extent of mitigation (for example, prompt deletion confirmations).
  • If PHI was encrypted and keys were not compromised, the incident may not be a reportable breach; document your analysis.

Notifications and timelines

  • Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
  • If 500 or more residents of a state or jurisdiction are affected, notify HHS and prominent media within 60 days; for fewer than 500, log and report to HHS within 60 days after the end of the calendar year.
  • Business associates must alert you of breaches they discover; your BAA should set prompt timelines and required details.
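The encryption safe harbor above and these timelines are easy to get wrong under pressure, so here is an added example (not from the original article) that encodes them as a small checklist function: it decides whether an incident is reportable and computes the latest date for each notice, including the calendar-year rule for breaches under 500. The leap-year handling of the year-end deadline is the case worth seeing.

```python
from datetime import date, timedelta

NOTIFY_WINDOW = timedelta(days=60)   # "no later than 60 days after discovery"
LARGE_BREACH = 500                   # individuals in one state or jurisdiction

def is_reportable(encrypted: bool, keys_compromised: bool,
                  low_probability_of_compromise: bool) -> bool:
    """Properly encrypted PHI with uncompromised keys is 'secured' and not a
    reportable breach. Otherwise an impermissible disclosure is presumed a
    breach unless the four-factor assessment shows a low probability of compromise."""
    if encrypted and not keys_compromised:
        return False
    return not low_probability_of_compromise

def notification_deadlines(discovered: date, affected: int) -> dict:
    """Latest calendar date for each required notice after a reportable breach."""
    deadlines = {"individuals": discovered + NOTIFY_WINDOW}
    if affected >= LARGE_BREACH:
        deadlines["hhs"] = discovered + NOTIFY_WINDOW
        deadlines["media"] = discovered + NOTIFY_WINDOW
    else:
        # Small breaches are logged and reported to HHS within 60 days after the
        # end of the calendar year of discovery (Mar 1, or Feb 29 in a leap year).
        year_end = date(discovered.year, 12, 31)
        deadlines["hhs"] = year_end + NOTIFY_WINDOW
    return deadlines

if __name__ == "__main__":
    # Constructed scenario: a lost, unencrypted tablet with 12 clients' photos.
    if is_reportable(encrypted=False, keys_compromised=False,
                     low_probability_of_compromise=False):
        for notice, due in notification_deadlines(date(2026, 3, 21), 12).items():
            print(f"{notice}: due by {due.isoformat()}")
```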

Content of notices

  • What happened and when, the types of information involved, steps you are taking, guidance for clients (for example, monitoring), and how to contact you.
  • Record every step; integrate lessons learned into your Security Safeguards and staff training.

Applying Administrative Safeguards

Policies, people, and processes

  • Security management process: maintain a current risk analysis and risk mitigation plan.
  • Assigned security responsibility: identify who makes security decisions and signs off on controls.
  • Workforce security: authorize access based on role; use clearance and termination procedures.
  • Information access management: apply the minimum necessary standard and role-based permissions.
  • Security awareness and training: cover phishing, device handling, photography of artwork, and breach reporting.
  • Security incident procedures: define how to detect, report, and respond to incidents.
  • Contingency planning: maintain data backups, disaster recovery steps, and an emergency mode operation plan; test them.
  • Periodic evaluation: review safeguards, BAAs, and workflows at set intervals.
  • Vendor and BAA management: verify claims about encryption, logging, and storage locations before signing.
  • Sanction policy: apply consistent consequences for violations to reinforce culture and compliance.

Utilizing Technical and Physical Protections

Technical Safeguards you can implement now

  • Unique user IDs, strong passwords, and multi-factor authentication for all PHI systems.
  • Automatic logoff and screen locking on computers, tablets, and phones.
  • Encryption for devices, backups, and data in transit; avoid unencrypted email for PHI.
  • Audit controls: enable access logs and review them periodically; investigate anomalies.
  • Integrity controls: protect against unauthorized alteration of images and notes; use checksums or versioning when feasible.
  • Secure messaging and patient portals for sharing documents or images, with Patient Authorization when required.
  • Mobile device management: remote wipe, no local camera roll storage of PHI, and blocked auto-uploads to personal clouds.
  • Network hygiene: separate guest Wi‑Fi from practice systems; update firmware and patch regularly.

Physical Safeguards for studios and offices

  • Facility access controls: locked doors, key management, and visitor sign-in with the minimum necessary identifiers.
  • Workstation security: privacy screens, device cable locks, and a clean-desk policy.
  • Device and media controls: inventory devices, track custody, and securely dispose of drives and memory cards.
  • Secure storage for artwork: locked, climate-appropriate cabinets; label with coded IDs rather than names.
  • Transport protocols: opaque containers for artwork, no PHI visible in transit, and secure return procedures.

Bringing these Administrative Safeguards, Technical Safeguards, and Physical Safeguards together creates a defensible, client-centered privacy program that fits art therapy practice and meets HIPAA expectations.

FAQs

What are the key HIPAA requirements for art therapists?

You must protect PHI under the Privacy Rule, implement Security Safeguards for ePHI under the Security Rule, and follow the Breach Notification Rule after incidents involving unsecured PHI. Apply the minimum necessary standard, keep psychotherapy notes separate, provide a Notice of Privacy Practices, maintain BAAs with vendors, train your workforce, and document your compliance activities.

How should art therapists secure electronic health records?

Use an EHR that supports role-based access, audit logs, and encryption; enable multi-factor authentication and automatic logoff; encrypt devices and backups; store images of artwork inside the EHR or a secured repository; avoid personal cloud storage; and review access logs regularly. Build these controls into written policies and train staff on daily use.

What steps must be taken in case of a data breach?

Contain the incident, preserve evidence, and conduct a risk assessment. If a breach of unsecured PHI is confirmed and not low risk, notify affected individuals without unreasonable delay and no later than 60 days, and notify HHS (and, for large breaches, prominent media). Document decisions, mitigation, and corrective actions, and update your safeguards and training.

How do therapists manage patient authorization for PHI sharing?

Obtain a written Patient Authorization when disclosures fall outside treatment, payment, or operations—common for sharing artwork or session photos. The authorization must describe the information, name the sender and recipient, state the purpose and expiration, explain revocation rights, and be signed and dated. De-identify whenever possible and store signed authorizations with the record.
