Therapy patients share things they have never told anyone. Fears, trauma, relationship dynamics, intrusive thoughts. It is the most intimate information that exists about a person.
But most patients do not know who actually owns it.
The Short Answer: Probably Not the Patient
In most U.S. states, the therapist or their practice owns the medical records. Not the patient.
Patients have a right to access their records under HIPAA. They can request copies. But ownership — who controls the original records, how long they are kept, where they are stored, and what happens to them if the practice closes — belongs to the provider.
This matters more than most people realize.
What Happens to Records When...
The Therapist Retires or Closes Their Practice
State laws require providers to retain records for a minimum period (typically 7 years for adults, longer for minors). After that, records can be destroyed. When therapists retire, they are supposed to notify patients and arrange for records to be transferred or stored. In practice, it is often messy.
Records end up in storage units, on old hard drives, or simply lost. If a patient needs them five years later — for a new provider, an insurance dispute, or a legal matter — retrieval can be impossible.
The Practice Switches EHR Systems
When a practice migrates from one electronic health record system to another, patient data may not transfer cleanly. Fields get dropped, notes get reformatted, and the nuance of years of clinical documentation can be compressed into a generic summary.
A Patient Uses a Mental Health App
This is where it gets concerning. Many mental health apps — mood trackers, journaling tools, chatbot therapy — are not covered by HIPAA. If the app is not provided by a covered entity (a healthcare provider or health plan), HIPAA does not apply.
That means:
- Data can be sold to advertisers or data brokers
- An anxiety diagnosis could theoretically affect insurance rates
- The app company can change its privacy policy at any time
- If the company goes under, patient data goes with it or gets sold as an asset
The FTC has taken action against several mental health apps for sharing sensitive health data without adequate consent. BetterHelp paid $7.8 million in 2023 for sharing patient data with advertisers including Facebook and Snapchat.
Patient Rights Under HIPAA
HIPAA gives patients specific rights regarding protected health information (PHI):
- Right to access — Patients can request a copy of their records. Providers must respond within 30 days.
- Right to amend — Patients who believe something in their record is incorrect can request a correction.
- Right to an accounting of disclosures — Patients can ask who their data has been shared with.
- Right to restrict — Patients can ask providers to limit how their data is used or disclosed (though providers do not always have to comply).
- Right to confidential communication — Patients can request that providers communicate in a specific way.
What HIPAA does not give patients: ownership, portability (like a bank account), or the ability to delete records.
Why This Matters Now
Mental health data is uniquely sensitive. It is not like a blood pressure reading or a cholesterol level. It includes:
- Trauma history
- Relationship and family dynamics
- Substance use history
- Suicidal ideation history
- Sexual history
- Fears, vulnerabilities, and coping mechanisms
As more of this data becomes digital — and as AI tools enter behavioral health — the question of who controls it becomes urgent. This is especially true for patients pursuing specialized treatments like ketamine-assisted therapy, where session content can be particularly sensitive and the need for continuity across providers is critical.
What Patients Should Do
1. Ask the Therapist Three Questions
- "Where are my records stored?" (EHR system? Paper? What happens if you close your practice?)
- "Who else has access to my records?" (Billing companies? Supervisors? Other providers?)
- "What happens to my data if I stop treatment?"
2. Request Records Now
Do not wait until they are needed. Request a copy while the provider is active and accessible. Patients have the right to receive records in the format in which they are maintained (usually PDF or printout).
3. Check Mental Health Apps
For any mental health app in use — mood tracking, journaling, meditation, therapy chatbots — verify:
- Is it HIPAA compliant? (Look for a Business Associate Agreement (BAA), not just a privacy policy)
- Does it sell or share data with third parties?
- Can data be exported and deleted?
4. Build a Personal Source of Truth
The safest version of mental health data is the one the patient controls. Consider keeping private records — session summaries, progress notes, medication changes, and how things are actually going over time.
Patient-focused tools are emerging that provide private, encrypted AI session summaries that patients own and control. No one reads them. No one sells them. Patients can share them with providers or keep them entirely private.
The Future: Patient-Owned Mental Health Data
The healthcare industry is slowly moving toward patient data ownership. The 21st Century Cures Act and information blocking rules are pushing providers to share data more freely. FHIR standards are making health data more portable.
But behavioral health is behind. Most therapy practices still operate on systems where patient data is locked inside the provider's EHR, inaccessible in any meaningful way.
Organizations like Isha Health — which combines physician-led care with rigorous clinical outcomes tracking — represent the direction the field needs to move: transparent, patient-centered, and data-forward. The practices and platforms that put patient data ownership first — that give patients not just access but control — are the ones worth choosing.
Mental health data is the most sensitive information that exists about a person. It is time to start treating it that way.
A version of this article first appeared on Isha Health, a physician-led telehealth platform offering ketamine-assisted therapy across 9 U.S. states.
