Recording Phone Calls as a Therapist or Clinician
A clinician’s recording is a medical record. HIPAA, state mental-health confidentiality statutes, supervision requirements, and informed-consent norms all apply on top of the ordinary consent rules. The result is that recording in clinical practice is constrained even where the consent statute is permissive.
The legal overlay specific to this role
- HIPAA. A recording of a clinical conversation is protected health information (PHI) under 45 C.F.R. Part 160 and Part 164. It must be stored, transmitted, and disposed of in accordance with the HIPAA Security Rule. Cloud storage requires a Business Associate Agreement (BAA) with the cloud provider.
- State mental-health confidentiality statutes. Many states impose stricter confidentiality than HIPAA on mental-health records. California’s Lanterman-Petris-Short Act, Illinois’s Mental Health and Developmental Disabilities Confidentiality Act, and New York’s Mental Hygiene Law are examples.
- Informed consent. Professional ethics codes (APA, ACA, NASW, AAMFT) require that clients be informed in writing about the use of recording for supervision, training, or any other purpose. Verbal consent is necessary but not sufficient.
- Supervision recordings. Trainee clinicians and supervisees often record sessions with explicit client consent. Those recordings inherit the same HIPAA and state-law protections.
- State consent rules still apply. In an all-party-consent state, you cannot record without the client’s consent regardless of the clinical purpose.
A practical workflow
- Build a written informed-consent form covering: purpose of the recording (clinical record, supervision, training), who will have access, retention period, storage location, the client’s right to revoke, and what happens if the client revokes.
- Use a HIPAA-compliant recording system with a signed Business Associate Agreement with your vendor.
- Restrict access. Recordings should not live on personal devices. Encrypt them at rest and in transit.
- Set a retention period aligned with state law on mental-health records (commonly 7 years for adults, longer for minors).
- Document the consent and the storage location in the chart.
Consent script tailored to this role
I’d like to record our sessions for [clinical record / supervision / training]. The recording will be stored on [system], accessible only to [list]. We’ll keep it for [period]. You can revoke consent at any time; if you do, we’ll [delete / preserve under specific circumstances]. I have a consent form for you to read and sign — would you like to do that now?
See the consent scripts page for variants by purpose.
Tools and platforms suited to this role
- HIPAA-compliant telehealth platforms (Doxy.me, SimplePractice, TheraNest) with BAA-covered recording.
- Encrypted EHR systems for storing recordings as part of the clinical record.
- Avoid consumer cloud storage (Dropbox, iCloud Drive personal accounts) without a BAA.
Common mistakes
- Recording on a personal phone, then forgetting it’s there. The file is PHI; the phone is not BAA-covered.
- Using a consumer Zoom account (not Zoom for Healthcare with a BAA).
- Sharing a recording with a supervisor over email or a non-encrypted channel.
- Retaining indefinitely. State law sets a retention requirement; keeping forever is not safer — it just enlarges the exposure surface.
Where to get help
- Your state licensing board and your professional association’s ethics committee.
- HHS Office for Civil Rights guidance on HIPAA.
- A healthcare-privacy attorney for plan setup.