HIPAA and Group Therapy: Privacy Considerations for Group Sessions

Group therapy creates a HIPAA problem that individual sessions never do: the patients themselves are in the room. When six people sit in a circle and one discloses a relapse, the others hear it. That shared exposure — and the documentation it generates — makes HIPAA compliance for group therapy a distinct discipline, not a copy of your one-on-one privacy practices.

What makes HIPAA distinct for group sessions

The first nuance is that disclosures between group members are not something HIPAA can control. HIPAA binds the covered entity and its workforce, not the patients. What participants reveal to each other, and whether they keep it private afterward, falls outside the rule. Best practice — and good clinical practice — is to have members sign a group confidentiality agreement, but providers should understand that this is an ethical safeguard, not a HIPAA requirement, and that a member who gossips is not creating a HIPAA breach for the practice.

The second nuance is documentation. A single shared “group note” that names other participants can turn one patient’s record into a disclosure of everyone else’s attendance and participation. The cleaner approach is an individual note in each patient’s record that documents that patient’s own participation and progress, applying the minimum necessary standard so that one chart does not expose another patient’s PHI.

The third nuance is psychotherapy notes. A clinician’s separately-kept process notes from group sessions receive heightened protection under HIPAA and generally require specific patient authorization to release — a stronger standard than ordinary treatment records. Keeping these notes physically and logically separate from the designated record set is essential.
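The two documentation points above (one note per patient that carries only that patient's own participation, and psychotherapy notes held apart from the chart behind a specific authorization) can be enforced in software rather than left to habit. The following is an added illustration written for this article, not Medcurity's product code or any EMR's API; the record layout, field names, the participant roster and observations, and the shape of the authorization record are all constructed assumptions. It generates individual notes from a session, audits each note for references to other attendees (the minimum-necessary check), and models a separate psychotherapy-note store that releases nothing without an authorization scoped to psychotherapy notes.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Participant:
    patient_id: str     # hypothetical chart identifier
    display_name: str   # name as used in the room


@dataclass
class GroupSession:
    session_id: str
    date: str
    participants: tuple              # tuple[Participant, ...]
    facilitator_observations: dict   # patient_id -> clinician text about that patient


# Constructed sample session (not real patients or notes).
SAMPLE_SESSION = GroupSession(
    session_id="GRP-2025-03-01-A",
    date="2025-03-01",
    participants=(
        Participant("P-1001", "Alex"),
        Participant("P-1002", "Bailey"),
        Participant("P-1003", "Casey"),
    ),
    facilitator_observations={
        "P-1001": "Disclosed a relapse last week; engaged with feedback.",
        # This observation names another attendee and should be caught.
        "P-1002": "Supported Alex after the relapse disclosure; quiet otherwise.",
        "P-1003": "Arrived late; minimal participation.",
    },
)


def individual_notes(session):
    """One note per attendee. Each note records only that patient's own
    attendance and progress; other attendees are never listed."""
    notes = {}
    for p in session.participants:
        notes[p.patient_id] = {
            "session_id": session.session_id,
            "date": session.date,
            "patient_id": p.patient_id,
            "attendance": "present",
            "progress": session.facilitator_observations.get(p.patient_id, ""),
        }
    return notes


def cross_patient_references(note, session):
    """Return identifiers or names of OTHER attendees found in this note's text.
    A non-empty result means the note would expose another patient's PHI."""
    owner = note["patient_id"]
    hits = []
    for p in session.participants:
        if p.patient_id == owner:
            continue
        for token in (p.patient_id, p.display_name):
            if re.search(r"\b" + re.escape(token) + r"\b", note["progress"], re.IGNORECASE):
                hits.append(token)
    return hits


def audit_session_notes(session):
    """Map patient_id -> offending tokens for every note that fails the check."""
    findings = {}
    for pid, note in individual_notes(session).items():
        hits = cross_patient_references(note, session)
        if hits:
            findings[pid] = hits
    return findings


class PsychotherapyNoteStore:
    """Clinician process notes kept apart from the designated record set.
    Nothing is released unless the authorization is signed, names this
    patient, and is scoped specifically to psychotherapy notes."""

    def __init__(self):
        self._notes = {}  # patient_id -> list of note text

    def add(self, patient_id, text):
        self._notes.setdefault(patient_id, []).append(text)

    def release(self, patient_id, authorization):
        ok = (
            authorization is not None
            and authorization.get("patient_id") == patient_id
            and authorization.get("scope") == "psychotherapy_notes"
            and authorization.get("signed") is True
        )
        if not ok:
            return None  # deny: a general treatment-record release is not enough
        return list(self._notes.get(patient_id, []))


def build_sample_store():
    """Constructed store with one process note, used by the usage below."""
    store = PsychotherapyNoteStore()
    store.add("P-1001", "Process note: explore shame response around relapse.")
    return store


if __name__ == "__main__":
    print(audit_session_notes(SAMPLE_SESSION))
    store = build_sample_store()
    print(store.release("P-1001", {"patient_id": "P-1001", "scope": "treatment_records", "signed": True}))
    print(store.release("P-1001", {"patient_id": "P-1001", "scope": "psychotherapy_notes", "signed": True}))
```

Run as written, the audit flags only the second attendee's note (it mentions "Alex"), and the store returns nothing for a treatment-record release but returns the process note for a signed, psychotherapy-scoped authorization. The name matcher is deliberately simple; a real deployment would also check nicknames and partial identifiers against the roster.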

Virtual group therapy raises the bar

Telehealth group sessions add exposure that in-person rooms do not. Participants’ full names, faces, and sometimes home environments are visible to everyone on the call. Using a HIPAA-compliant platform under a signed Business Associate Agreement (BAA), disabling features that display full names where possible, controlling the waiting room, and never recording without explicit authorization are all part of running virtual groups safely.

The Security Risk Analysis is non-negotiable

Whatever your modality, the HIPAA Security Rule requires a Security Risk Analysis (SRA) under 45 CFR § 164.308(a)(1)(ii)(A): an accurate and thorough assessment of risks to the confidentiality, integrity, and availability of all electronic PHI. For group practices, that includes the video platform, the EMR where individual group notes live, and the separate store for psychotherapy notes. The SRA must be documented, acted on through a risk-management plan, and revisited when systems change. A missing or outdated SRA remains the most frequently cited issue in OCR enforcement.

The proposed 2026 Security Rule update

Behavioral health practices should track the proposed HIPAA Security Rule update. OCR published a Notice of Proposed Rulemaking (NPRM) in December 2024 that would make many “addressable” safeguards mandatory — including encryption of ePHI, multi-factor authentication, and maintained technology asset inventories. The rule is not final; if finalized, it is expected to carry a 240-day compliance window from publication of the final rule. Encryption and MFA on the systems that hold sensitive mental-health records are sensible to adopt ahead of any deadline.

How Medcurity helps

Medcurity walks group and behavioral-health practices through the Security Risk Analysis, BAA management, and policies — including documentation and minimum-necessary standards tailored to multi-patient sessions. Pricing is $499/year (about $42/month) for a single practice; larger organizations can request a quote. See our broader HIPAA compliance guide for behavioral health and our HIPAA training requirements for 2026 to keep clinicians current.

Frequently Asked Questions

Is it a HIPAA breach if a group member repeats what another member said?

No. HIPAA governs the practice and its workforce, not patients. A member sharing what they heard is not a HIPAA violation by the provider, though a signed group confidentiality agreement is strongly recommended as an ethical safeguard.

Should I write one group note or individual notes?

Use individual notes in each patient’s record documenting that patient’s participation. A shared note that names other attendees can improperly disclose their PHI and undermines the minimum necessary standard.

Do psychotherapy notes from group sessions get extra protection?

Yes. Psychotherapy notes kept separately from the medical record receive heightened protection under HIPAA and generally require specific patient authorization to disclose, beyond standard treatment-record rules.

What do I need for virtual group therapy to be HIPAA compliant?

Use a HIPAA-compliant video platform under a signed BAA, control access to the session, avoid recording without authorization, and limit what other participants can see, such as full names, where the platform allows.