You were in a room full of clinicians last week and the same question kept surfacing: what do I do if a client is recording me? Someone called it a HIPAA violation. Someone else wasn't sure. That uncertainty, in a room of experienced practitioners, is the tell. The reflex is to reach for HIPAA, and HIPAA is the wrong law.

Start with what a recording does once it exists. In April, Proof News reported the case of Jennifer Kamrass, a nurse practitioner AdventHealth terminated in 2021 while she was nearly nine months pregnant. She used Talkspace, a benefit her employer paid for, to talk through the stress of losing her job with a baby weeks away. When she later sued for pregnancy discrimination, her former employer's lawyers subpoenaed her Talkspace records, and the full text of what she had typed to her therapist became evidence in the case. A federal judge ruled against her. Talkspace's chief legal officer was careful to note the company did not produce the transcripts, that at the time of the subpoena only Kamrass herself could disclose them. That distinction is the whole point. The session existed as a permanent, searchable record, and HIPAA did nothing to keep it out of a courtroom.

A therapy session used to leave almost no trace. A clinician scribbled a few lines of progress notes and the rest lived only in memory. A digital session leaves a transcript. A recorded session leaves audio. A telehealth session leaves both, on a server you do not control. And the person holding that record is very often not you, and not bound by the rules you are.

HIPAA is the wrong law to reach for

When a client records you, your instinct says HIPAA. Unlearn it. HIPAA binds covered entities and their business associates. It governs how you, the clinician, handle a patient's protected health information. It says nothing about what the patient may do with their own session, because the patient is not a covered entity and never signed up to be one. A client who records their own therapy has not committed a HIPAA breach, and neither have you. HIPAA simply does not reach the conduct everyone in that room was worried about.

What actually governs is your state's wiretap and consent law. In one-party-consent states, the client is a party to the conversation and may record it, with your knowledge or without it. In the roughly dozen all-party-consent states behind the AI-scribe warning two weeks ago, both of you have to agree before a recording is lawful. Telehealth complicates it further. A screen recording is one tap away and invisible on your end, and the session can cross state lines, pulling a second state's law into a conversation you thought was governed by your own. The gap in most small practices is not that they picked the wrong rule. It is that there is no rule at all: no recording clause, no telehealth consent language, nothing that settles what is permitted before the first session begins. The practice is leaning on a statute that does not apply to the person it is worried about.

What the consent form actually does

This is the gap the Telehealth and Digital Communication Consent module is built to close, and the reason it exists as its own document rather than a sentence buried in the intake packet.

It sets the recording rule explicitly, in both directions. It states whether the practice permits the client to record, whether the clinician may record, and that neither happens without the other's written agreement. That single clause converts a legal ambiguity into a documented consent, which is exactly what an all-party-consent state wants to see, and what a one-party state cannot quietly override once both sides have signed.

It names the platform and its settings. Telehealth consent that does not identify the video platform, its recording controls, and where the session data is stored is consent in name only. The module ties the client's agreement to the specific tool you actually use, not a generic idea of video.

It draws the channel lines. It specifies which conversations happen where: what belongs in a session, what can travel over secure messaging, what should never go by ordinary text or email. The Talkspace case is the cautionary version of this. Every casual message, in the end, was a discoverable document, because nobody had drawn a line between a therapeutic exchange and a permanent record.

And it documents acknowledgment. It records that the client understood how sessions are conducted, how communications are stored and for how long, and what their options are. That is the difference between a consent process a licensing board or a court will credit and one it will wave away as boilerplate nobody read.

None of this stops a client from doing something you never authorized. What it does is establish, in writing and in advance, what was authorized. After the fact, that document is the only ground you get to stand on.

Four moves this week

One. Decide your stance. Do you permit clients to record sessions, and do you ever record them? There is no universally correct answer. There is a wrong one, which is not having decided before a client asks or a phone appears.

Two. Learn your state's rule. Confirm whether you practice in a one-party or all-party-consent state, and remember that telehealth can bring a second state's law into the room whenever the client is sitting somewhere else.

Three. Put it in writing before your next new client. Add explicit recording language and telehealth terms to your consent paperwork. If the words 'record,' 'telehealth platform,' and 'secure message' do not appear anywhere in it, that is your gap, in plain sight.

Four. Rehearse the moment. Decide, and tell your staff, what you actually say when you notice a client recording: how you name it, how you note it in the chart, and how you decide whether to continue the session. The clinicians who handle this well are not the ones with the strongest opinion about recording. They are the ones who settled the question on paper before a phone was ever pointed at them.

The peer-group anxiety is real, but it is aimed at the wrong target. The fear is the client with the phone. The exposure is the practice with no policy. HIPAA was never going to answer the question, because the question was never about you handling their information. It was about them holding a record of you, and what you agreed to before the recording light came on.

The recording rule your consent form probably doesn't state.
The Vault includes the Telehealth and Digital Communication Consent as a fill-and-sign module, calibrated for independent practice. It sets who may record, on which platform, over which channels, and documents the client's agreement in writing. National edition $299. New York edition $349 (adds SHIELD Act and state-specific addenda).
Get the Vault →
With security,
Brad
Brad Lieberman, JD (retired), MSN, PMHNP-BC
Founder, The Encrypted Chart
www.encryptedchart.com · Vault: store.encryptedchart.com/l/binder
Brad@encryptedchart.com
Footnotes
  1. Annie Gilbertson, ‘Woman’s Talkspace Therapy App Sessions Exposed in Court,’ Proof News, April 28, 2026.
  2. U.S. Department of Health and Human Services, ‘Does HIPAA provide extra protections for mental health information compared with other health information?’ (psychotherapy notes and patient authorization).
  3. U.S. Department of Health and Human Services, ‘Covered Entities and Business Associates’ (who HIPAA binds).
  4. Reporters Committee for Freedom of the Press, ‘Reporter’s Recording Guide’ (state-by-state one-party and all-party consent recording laws).