Understanding insurance, privacy, and confidentiality in therapy

This article talks about depression, self-harm, or suicide. If you are experiencing a mental health crisis or are thinking about harming yourself or others, contact the 988 Suicide & Crisis Lifeline (call, text, or chat) for 24/7 confidential support, call 911, or go to the nearest emergency department. If you are LGBTQ+ and experiencing suicidal thoughts, you can reach the Trevor Project at www.thetrevorproject.org/get-help/

Starting therapy is a deeply personal decision. For many people, concerns about privacy in therapy are just as important as finding the right therapist or managing costs. These concerns often arise when using insurance, especially for individuals on a family plan or those sharing coverage with a partner. Questions like who can access therapy-related information, what information is included on insurance paperwork, and whether sensitive topics remain private are common — and valid.

Seeing through the fog to understand how insurance interacts with therapy can help you feel more confident and in control. While therapists are bound by strict confidentiality rules, insurance billing introduces a separate system with its own disclosures and limitations. Knowing what information may be shared, what protections exist, and what options you have can make it easier to choose care that aligns with both your mental health needs and your privacy boundaries.

This guide breaks down how insurance affects privacy in therapy, what explanation of benefits forms reveal, and what steps you can take to better protect your confidentiality while still accessing support.

Key takeaways

  • Using insurance for therapy requires sharing some information for billing and coverage, which can affect how certain communications and records are handled.
  • The Health Insurance Portability and Accountability Act (HIPAA) protects your health information and limits what your insurance company and health care providers can share without your permission.
  • Explanation of benefits (EOBs) may be sent to the primary policyholder, not the person receiving therapy.
  • Teens, young adults, and anyone on a shared health plan may have specific questions regarding privacy.
  • Federal and state laws offer some protections, but they do not cover every situation.
  • Knowing your rights helps you make informed decisions about your care and coverage.

How does using insurance affect privacy in therapy?

Confidentiality is the mortar that keeps the foundation of the therapeutic relationship intact. What you share with your therapist during sessions is protected by professional ethics and privacy laws, so that you can speak openly about your thoughts, experiences, and emotions. In most cases, therapists cannot disclose what you discuss without your written consent.

However, when insurance is used to pay for therapy, a separate layer of information sharing is introduced. Insurance companies require certain details to process claims, such as the type of service provided, the date of the session, and sometimes a diagnostic code. While session notes are not routinely shared with insurers, insurers may request limited documentation to confirm that the services provided meet criteria for coverage, not to examine the content of sessions.

Privacy complications are especially common for dependents on family plans. Teens and young adults may assume their therapy is completely private, only to discover that insurance communications are sent to a parent or guardian. Similarly, adults sharing coverage with a spouse or partner may worry about unintended disclosures through routine paperwork. These situations can make people hesitant to seek care or fully engage in therapy, even when support is needed.

What does the explanation of benefits (EOBs) show, and who can see it?

An explanation of benefits, often called an EOB, is a document your insurance company sends after a claim is processed. It is not a bill, but rather a summary explaining what services were covered, what the insurer paid, and what portion, if any, you may owe. While the concept of an EOB is straightforward, the privacy implications can be more complex.

EOBs typically include the provider’s name, the date of service, the type of service (such as outpatient mental health care), and basic billing codes. While they do not include therapy notes or detailed descriptions of what was discussed in sessions, they can still signal that therapy is taking place.

One aspect to consider is who receives these documents. In many insurance plans, the EOB is automatically sent to the primary policyholder (the person who holds the insurance), such as a parent or spouse. This means the individual receiving therapy may never see the EOB themselves, while someone else does. For teens, young adults on family plans, or anyone relying on shared coverage, this can sometimes come as a surprise, since insurance communications may reflect that therapy is being received.

Insurance notifications about plan usage can feel unsettling or unexpected, especially when therapy is intended to be private. Understanding how EOBs are distributed and who receives them can help set clearer expectations and help you make more informed decisions about available privacy options.

Did you know?

Under HIPAA, therapy session notes are classified separately from general medical records and receive a higher level of legal protection. Unlike standard medical information, psychotherapy notes cannot be shared with insurers for claims processing — only a brief billing code and date of service are typically required.

Privacy rights with insurance and how to protect them

Many people assume that all therapy-related information is fully protected once insurance is involved. While there are important legal safeguards in place, health insurance privacy rights have limits that are worth understanding, especially when navigating mental health care.

The Health Insurance Portability and Accountability Act, often referred to as HIPAA, sets national standards for protecting medical information. HIPAA mental health privacy rules require therapists and insurers to safeguard your personal health information and restrict how it can be shared. Therapy notes, for example, are considered highly sensitive and are not routinely shared with insurance companies. However, HIPAA does allow insurers to access certain billing-related details needed to process claims, which is why information can still appear on explanation of benefits forms.

One option many people are unaware of is the ability to request confidential communications from their insurer. In some states (including Oregon, California, and Massachusetts), you can ask your insurance company to send EOBs and other communications directly to you instead of the primary policyholder. This can be especially important for anyone concerned about who can see the explanation of benefits information. Requirements vary by state, and approval is not guaranteed, but it is often worth asking, particularly if privacy concerns are preventing you from seeking care.

Some states, such as California, Colorado, and Connecticut. have additional protections that allow individuals to suppress or redirect EOBs when disclosure could pose a safety risk. Insurance customer service representatives can usually explain what options are available under your plan, so do not hesitate to call your insurance provider and ask. While these steps may feel administrative or uncomfortable, they can significantly reduce unintended disclosures and help you feel safer using insurance for therapy.

Understanding your rights does not mean navigating the system alone. Therapists and billing teams are often familiar with these concerns and can help you explore ways to protect your confidentiality while accessing care.

Protected health information and permitted uses

HIPAA also covers protected health information (PHI), which includes any individually identifiable health information: your diagnosis, dates of service, treatment details, and the name of your provider. This information can only be used or disclosed in specific circumstances without your written authorization.

Permitted uses include treatment, payment, and health care operations. In practice, this means your insurance company can access the information it needs to process a claim, such as your diagnosis code, the type of service you received, and your provider’s credentials. Generally, it doesn’t have the right to read your therapy notes or learn the details of what you discuss in sessions. One exception to this is if the insurance company is conducting an audit — during which, the auditor will review notes to determine whether there was a medical reason for a session. However, they are also bound by confidentiality rules.

Psychotherapy notes occupy a particularly protected category. According to the US Department of Health and Human Services (HHS), psychotherapy notes are defined as notes recorded by a mental health professional that document or analyze the contents of a therapy session. The privacy of these notes are held to a stricter standard than the rest of your medical record and generally cannot be disclosed without your explicit written authorization, even to your own insurance company for claims processing purposes. These are distinct from progress notes, which typically provide a record of details like treatment and medical plans, diagnoses, and test results. 

To ease your worry, Grow-affiliated provider Rugiatu Bahr, PMHNP-BC, shares, 

“[My] notes are stored in a secure, HIPAA-compliant electronic health record (EHR) system that is encrypted and protected. I am very mindful that notes represent a patient’s story, and I treat them with the same level of care and confidentiality as I would want for myself or my family.”

Notice and transparency requirements

Under HIPAA, covered entities including insurance companies are required to provide you with a Notice of Privacy Practices. This document explains how your health information may be used and disclosed, what your rights are, and how to exercise them. You should receive this notice when you first enroll in a plan and whenever the privacy practices change in a meaningful way.

Reading even the condensed version of your privacy notice is one of the most practical things you can do to understand what your insurer can and can’t do with your information. If you can’t locate yours, you have the right to request a copy directly from your insurance company.

For example, Grow has its own Notice of Privacy Practices, which outlines how we use, process, and share health information.

Opt-out and consent options

For certain types of data sharing, you have the right to opt out. Marketing communications and the sharing of your information with non-affiliated third parties for non-treatment purposes are two areas where federal and state laws give consumers meaningful choices.

For sensitive categories of health information, including mental health records and substance use disorder treatment information, the bar for consent is generally higher. Insurers and health care providers typically cannot share this information for purposes beyond treatment, payment, and health care operations without your explicit written authorization.

It’s also worth noting that 42 CFR Part 2, a federal regulation separate from HIPAA, provides particularly strong protections for records related to substance use disorder treatment at federally assisted programs. These records cannot be shared without your written consent except in very limited circumstances, and the standard is stricter than HIPAA’s general framework.

Grow-affiliated provider Rugiatu Bahr, PMHNP-BC has some excellent advice. She shares,

“Patients deserve to understand how their information is handled. It is their care, and they have the right to know. I always encourage patients to ask:

‘Who has access to my information?’

‘What gets shared with insurance?’

‘How are my notes stored and protected?’

‘What happens if I want a copy of my records?’

I welcomed these questions, as transparency builds trust, and trust is the foundation of healing.”

Limits on marketing and data sharing

Your health information generally cannot be used for marketing purposes without your authorization. If an insurer or health care provider wants to use your PHI to market products or services to you, they typically need your written permission first.

State laws in many parts of the country go further, creating additional restrictions on how health and mental health information can be used commercially. If you live in a state with stronger privacy protections, those state laws apply in addition to federal requirements.

How do different types of insurance handle privacy issues?

The type of insurance plan you have plays a bigger role in your privacy protections than you might expect. Here’s how the most common plan types stack up.

Employer-sponsored plans and human resources access limits

If you get health insurance through your employer, you might wonder whether your HR department or your manager could ever find out you’re in therapy. In most cases, the answer is no.

Employers who sponsor health insurance plans are generally prohibited from accessing individual employees’ health records. What they typically receive is aggregated, de-identified data. This is information about overall plan usage across the workforce, not about any specific person’s care. Your individual diagnosis, therapy visits, and treatment details remain confidential.

That said, there are some nuances. If you request a medical leave of absence under the Family and Medical Leave Act (FMLA), your employer may receive limited information, such as confirmation that you have a serious health condition (or a loved one has one that requires you to be a caretaker) that qualifies you for leave, but not the specifics of your diagnosis or treatment. Similarly, if your employer offers a wellness program that involves voluntary health screenings or questionnaires, participating might mean sharing certain information you wouldn’t otherwise disclose. Participation in these programs should always be genuinely voluntary.

Workplace wellness programs and their data practices vary widely. If your employer offers one, reviewing its privacy policy before participating is a good idea.

Individual and marketplace plans

If you purchase insurance through the Affordable Care Act (ACA) marketplace or directly from an insurance company, your health information is still protected by HIPAA. The same rules around minimum necessary disclosure, protected health information, and psychotherapy notes apply regardless of where you get your coverage. Grow Therapy’s guide to understanding health insurance is a helpful resource for comparing your options.

Medicaid, Medicare, and government programs

Medicaid and Medicare are both subject to HIPAA, which means the same federal protections apply. However, because these are government-administered programs, there are some additional layers to be aware of.

Medicaid may involve state agencies accessing certain health information for program oversight and fraud-prevention purposes. These uses are permitted under HIPAA, but are subject to strict limitations. Mental health information shared within Medicaid programs is still treated as confidential and cannot be disclosed outside of permitted uses without your authorization.

Medicare operates similarly. Your health information is protected, but the program does use claims data for quality measurement, fraud detection, and research purposes, all within the bounds of federal privacy law.

Student health plans and campus counseling services

Students navigating therapy for the first time often have a unique set of privacy questions, particularly around whether their parents or guardians can access their mental health records.

Under HIPAA, once a student is 18 or older, their health information is their own, so parents generally cannot access it without the student’s written authorization, even if the student is covered under a family insurance plan. Campus counseling services are typically also bound by HIPAA and, in many cases, by additional state laws that protect the confidentiality of mental health treatment.

One important distinction: Notes and records from campus counseling centers are generally separate from a student’s academic record and are not accessible to faculty, academic advisors, or university administration. The Family Educational Rights and Privacy Act (FERPA), which governs student academic records, does not apply to treatment records maintained by a school’s health or counseling services.

Short-term plans, discount plans, and weaker privacy protections

Not all insurance-adjacent products carry the same privacy protections. Short-term health plans and health discount programs are sometimes marketed as lower-cost alternatives to traditional insurance and may not be subject to the same HIPAA requirements as comprehensive health plans.

If you’re considering one of these options, it’s worth reading the fine print carefully. Some short-term plans exclude mental health coverage altogether, and their data practices may differ significantly from those of ACA-compliant plans. When in doubt, asking directly about privacy protections and data-sharing practices before enrolling is always a reasonable step.

How therapy can help manage privacy concerns

Concerns about insurance privacy do not just affect logistics – they can also impact your emotional well-being. Worrying about being “found out,” judged, or misunderstood through insurance paperwork can add stress to an already vulnerable process. Therapy itself can be a valuable space to explore these fears and decide how to move forward.

Therapists regularly support clients in navigating questions about billing, insurance use, and confidentiality. They can help you understand what information is typically shared, talk through potential risks, and explore alternatives if using insurance does not feel safe. In some cases, this may include discussing self-pay or sliding scale options, which can offer more control over privacy for those addressing especially sensitive topics.

Therapy can also help you process the emotional impact of privacy concerns. For people seeking care related to trauma, identity, or sexuality, the fear of disclosure can feel overwhelming. Having a neutral, supportive space to talk through these worries can reduce anxiety and help you make decisions that align with your values and comfort level.

Data collection, use, and sharing in insurance

Understanding what information insurance companies collect, and what they do with it, is an important part of knowing your rights.

Sources of data used by insurers

Insurance companies gather information from several sources. When you apply for coverage, you typically provide personal and medical history through your application. If a medical exam is required, that data becomes part of your file as well. Once you’re enrolled and using your plan, your claims history, including diagnosis codes, dates of service, provider information, and treatment types, is collected and stored.

Beyond what you directly provide, insurers may also access information through third-party data brokers, credit bureaus, and public records. This can include prescription drug history, prior claims with other insurers, and in some cases, consumer data like purchasing habits or financial records. While HIPAA governs how health information is handled, not all of the data insurers collect falls neatly under its protections, which is part of why understanding the full picture matters.

Purposes for which insurers use personal data

Insurers use the data they collect for several purposes. Underwriting, or the process of assessing risk and determining premiums, is one of the primary ones. However, the ACA has placed significant limits on how health insurers can use health information in this context for individual and small group plans.

Insurance companies also use personal data for fraud detection, claims processing, and predictive analytics. Predictive models may be used to anticipate future health needs, manage costs, or identify patterns across a population. These uses are generally permitted under existing law, though they raise ongoing questions about fairness and transparency that consumer advocates and regulators continue to examine.

Data sharing with third parties

Your insurance company doesn’t operate in isolation. It works with a range of third parties including vendors, cloud service providers, and business associates. All of these may handle your health information as part of delivering services. Under HIPAA, these business associates are required to sign agreements committing them to the same privacy and security standards as the covered entity itself.

Insurers may also share data with reinsurance companies, affiliates, and in some cases, marketing partners. Sharing with marketing partners for purposes unrelated to your care generally requires your consent, and you typically have the right to opt out. Reviewing your insurer’s required privacy notice will tell you specifically how your information is used and shared, and what choices you have.

Final thoughts

Privacy concerns should never be a barrier to getting mental health support, but they are a real part of the decision-making process for many therapy clients. Understanding how insurance affects confidentiality, what explanation of benefits forms reveal, and what protections exist empowers you to make informed choices about your care.

Whether you decide to use insurance, request confidential communications, or explore self-pay options, the most important step is choosing care that feels safe and sustainable. Mental health support works best when you can show up fully and honestly, without fear of unintended disclosure. Remember to check your insurance plan before seeking mental health care to avoid billing surprises. Sometimes paying extra to add mental health coverage to an existing insurance plan can be more affordable, especially if you are seeing regular treatment.

If you are ready to take the next step, Grow Therapy can help you find a therapist who understands both your mental health needs and your privacy concerns. You can also continue learning by reading additional insurance guides to better navigate the systems that shape how care is accessed and protected.

Frequently asked questions

Does my therapist share what I say with my insurance company?

No, therapists do not share the content of your sessions with insurance companies. When insurance is billed, only basic administrative details are submitted: the date of service, the type of service, and a diagnostic code if applicable. Your therapist’s session notes are considered protected health information under HIPAA and are not routinely shared with insurers.

Can I use insurance for therapy without my parents finding out?

It depends on your age, your state, and your insurance plan. If you’re on a parent’s insurance plan as a dependent, explanation of benefits (EOB) forms are typically sent to the primary policyholder — which may be a parent or guardian. However, some states allow you to request that EOBs and insurance communications be sent directly to you instead. States with stronger protections include California, Oregon, Massachusetts, Colorado, and Connecticut. You can call your insurance company to ask about confidential communications options.

Are insurance companies allowed to share information?

Yes, but only under specific circumstances. Insurance companies can share your health information for treatment, payment, and health care operations purposes without your authorization. Sharing for other purposes such as marketing or with unaffiliated third parties generally requires your consent. HIPAA and applicable state laws set the rules for what’s permitted, and your insurer is required to provide you with a privacy notice explaining how your information is used.

What are the five main rules of HIPAA?

HIPAA’s framework is organized around several key rules. The Privacy Rule governs how protected health information can be used and disclosed. The Security Rule sets standards for protecting electronic health information. The Breach Notification Rule requires covered entities to notify affected individuals when a data breach occurs. The Omnibus Rule extended many HIPAA protections to business associates. And the Enforcement Rule outlines how violations are investigated and penalized. Together, these rules form the foundation of health information privacy in the United States.

Do insurance companies have a duty of confidentiality?

Yes. Insurance companies that handle protected health information are bound by HIPAA’s confidentiality requirements and, in many states, by additional state privacy laws. They are required to use the minimum information necessary to accomplish a given task, provide consumers with a notice of privacy practices, and obtain authorization before using or disclosing information in ways not otherwise permitted by law. Mental health information and psychotherapy notes receive particularly strong protections under both federal and state law.

Starting therapy is a meaningful step, and your privacy is well-protected by law. If you’re ready to find a therapist who’s right for you, Grow Therapy makes it simple to find a therapist who accepts your insurance. You can also explore different types of therapists to find the right fit, or learn more about online therapy options if you prefer to connect from home.