What makes therapy records more sensitive than general medical PDFs?

Mental-health information carries extra stigma and risk, and the law reflects that. Under HIPAA, "psychotherapy notes" — a therapist's private notes analysing a counseling session, kept separate from the rest of the record — get heightened protection: in most cases they may not be disclosed without the client's specific authorization, even for many purposes where ordinary records could be shared. Beyond HIPAA, many states add their own mental-health confidentiality protections. The practical implication for your PDFs is to treat intake forms, session notes, and anything naming a diagnosis as among the most sensitive documents you handle, and to keep private process notes separate from the shareable record.

Should clients fill out intake forms on paper or as a PDF?

A digital fillable PDF (or a portal form) is usually better for both privacy and practicality: the client types into a structured form, you receive legible answers, and you avoid a paper document sitting in a waiting room or getting scanned later. The privacy gain depends on delivery — send and receive the form through a secure channel (a client portal or an encrypted PDF), not plain email. Build the intake as a proper fillable form so fields are named and the data is usable, and include only the questions you actually need; collecting less sensitive information is itself a privacy safeguard.

How do I share an intake or consent form securely with a client?

The most secure option is a client portal that handles authentication and encryption for you. If you do not have one, a password-protected (encrypted) PDF is a reasonable alternative: send the form encrypted and share the password by a separate channel such as a phone call or text. Avoid sending an unencrypted form containing or soliciting mental-health information over plain email. For the return trip, the same rule applies — have clients submit through the portal or as an encrypted file rather than emailing a completed intake in the clear.

How should I handle a release of information (ROI) form?

A release should be specific and limited: name exactly who may receive information, what information, for what purpose, and an expiration date. Build it as a signable PDF so the client's authorization is captured and archived, and keep the signed copy in that client's file. When you then send records under the release, apply the minimum necessary — send only the documents and the portions the recipient is authorized to receive, redacting anything outside the scope. Remember that psychotherapy notes generally require their own separate, specific authorization and are not covered by a general records release.

How do I redact sensitive details when sharing a record?

Use true redaction that removes the underlying text, not a black box drawn over it that can be peeled off or copied out. Redact identifiers and any content outside the scope of what the recipient is authorized to see, then flatten the document so the redaction is permanent, and verify by trying to select or search the redacted text in the output. Also strip document metadata, which can carry the author name and edit history. Only ever distribute the flattened, verified copy, and keep the unredacted original in your secure file.

How long should I keep therapy records?

Retention is governed mainly by state law and your professional licensing board, and periods vary widely — commonly several years after the last session for adults, and longer for minors (often until some years past the age of majority). HIPAA separately requires retaining certain compliance documentation (privacy notices, authorizations, policies) for six years. Because the clinical-record period is set by your state and board rather than by HIPAA, check those specific requirements and document your retention-and-disposal policy. Dispose of electronic records so they are irretrievable, and remember that backups keep copies too.

Is it safe to use an online PDF tool for client forms?

Only if the tool processes files locally in your browser, or you have a Business Associate Agreement with the vendor. A cloud tool that uploads your intake forms and notes is acting as a business associate and would need a BAA before handling this data. ScoutMyTool runs its PDF operations client-side in your browser tab, so the client form never leaves your machine — appropriate for the especially sensitive material a therapy practice handles. Confirm any tool's data handling with your compliance resources before processing real client information.

7 min read

PDF for therapists: intake forms and privacy considerations

By ScoutMyTool Editorial Team · Last updated: 2026-05-21

A therapist friend asked me to help her move her practice off paper, and what struck me was how much higher the stakes felt than the usual small-business paperwork project. These are not invoices; they are intake forms describing someone’s worst months, consent documents, and session notes — the kind of information that does real harm if it leaks. The good news is that the document workflow is manageable with a few careful habits. This guide covers the PDFs a therapy practice runs on — intake, consent, releases, notes — and the privacy considerations specific to mental-health records, including the special status of psychotherapy notes. It is general information, not legal or compliance advice; confirm specifics with your board and compliance resources.

The forms a therapy practice runs on

A practice produces a recurring set of documents, each with a different sensitivity level and a different right way to handle it.

Form	Purpose	Sensitivity	Handling
New-client intake	History, contact, presenting concern	High — mental-health detail	Fillable, encrypted, portal preferred
Informed consent	Treatment + limits of confidentiality	Moderate	Signable, archived per client
HIPAA privacy notice	Required privacy practices notice	Low (template)	Distribute + record acknowledgement
Release of information	Authorise sharing with a third party	High — names recipients	Signable, scoped, time-limited
Telehealth consent	Consent to remote sessions	Moderate	Signable, dated
Progress / session notes	Clinical record of sessions	Very high	Restricted access; not shared casually
Superbill / invoice	Client reimbursement claim	Moderate — diagnosis codes	Redact when not needed; encrypt

Step by step — set up private client forms

Build a fillable intake form. Create a structured digital intake with the Patient Intake Formatter or a fillable form. Ask only for what you need — collecting less is itself a privacy safeguard.
Make consent and releases signable. Build informed-consent, telehealth-consent, and release-of-information forms as signable PDFs with form fields and the consent-form builder, then capture signatures with e-signature.
Deliver and collect securely. Send forms through a client portal, or as an encrypted PDF via Protect PDF with the password shared separately. Never email unencrypted mental-health forms.
Keep psychotherapy notes separate. Store private process notes apart from the shareable record, with restricted access, since they get heightened legal protection and generally require their own specific authorization to disclose.
Redact to the minimum necessary when sharing. When releasing records, use HIPAA Redact to truly remove anything outside the release’s scope, flatten, and verify; see how to redact properly.
Store, retain, and dispose by policy. Keep records encrypted at rest with access limited to those who need it, follow your state/board retention period, and dispose of electronic records so they are irretrievable. Document the policy.
Make forms accessible. Clear labels, logical tab order, and readable layout — see PDF accessibility — so every client can complete intake independently.

PDF for healthcare (HIPAA): the broader patient-form privacy guide.
Add fillable form fields: building intake and consent forms.
Fillable PDF forms: the concepts behind interactive forms.
Sign a PDF: capturing consent signatures.
How to redact a PDF: removing details the right way.
HIPAA Redact tool: permanently remove PHI in your browser.
All ScoutMyTool PDF tools: the full toolkit.

FAQ

What makes therapy records more sensitive than general medical PDFs?: Mental-health information carries extra stigma and risk, and the law reflects that. Under HIPAA, "psychotherapy notes" — a therapist's private notes analysing a counseling session, kept separate from the rest of the record — get heightened protection: in most cases they may not be disclosed without the client's specific authorization, even for many purposes where ordinary records could be shared. Beyond HIPAA, many states add their own mental-health confidentiality protections. The practical implication for your PDFs is to treat intake forms, session notes, and anything naming a diagnosis as among the most sensitive documents you handle, and to keep private process notes separate from the shareable record.
Should clients fill out intake forms on paper or as a PDF?: A digital fillable PDF (or a portal form) is usually better for both privacy and practicality: the client types into a structured form, you receive legible answers, and you avoid a paper document sitting in a waiting room or getting scanned later. The privacy gain depends on delivery — send and receive the form through a secure channel (a client portal or an encrypted PDF), not plain email. Build the intake as a proper fillable form so fields are named and the data is usable, and include only the questions you actually need; collecting less sensitive information is itself a privacy safeguard.
How do I share an intake or consent form securely with a client?: The most secure option is a client portal that handles authentication and encryption for you. If you do not have one, a password-protected (encrypted) PDF is a reasonable alternative: send the form encrypted and share the password by a separate channel such as a phone call or text. Avoid sending an unencrypted form containing or soliciting mental-health information over plain email. For the return trip, the same rule applies — have clients submit through the portal or as an encrypted file rather than emailing a completed intake in the clear.
How should I handle a release of information (ROI) form?: A release should be specific and limited: name exactly who may receive information, what information, for what purpose, and an expiration date. Build it as a signable PDF so the client's authorization is captured and archived, and keep the signed copy in that client's file. When you then send records under the release, apply the minimum necessary — send only the documents and the portions the recipient is authorized to receive, redacting anything outside the scope. Remember that psychotherapy notes generally require their own separate, specific authorization and are not covered by a general records release.
How do I redact sensitive details when sharing a record?: Use true redaction that removes the underlying text, not a black box drawn over it that can be peeled off or copied out. Redact identifiers and any content outside the scope of what the recipient is authorized to see, then flatten the document so the redaction is permanent, and verify by trying to select or search the redacted text in the output. Also strip document metadata, which can carry the author name and edit history. Only ever distribute the flattened, verified copy, and keep the unredacted original in your secure file.
How long should I keep therapy records?: Retention is governed mainly by state law and your professional licensing board, and periods vary widely — commonly several years after the last session for adults, and longer for minors (often until some years past the age of majority). HIPAA separately requires retaining certain compliance documentation (privacy notices, authorizations, policies) for six years. Because the clinical-record period is set by your state and board rather than by HIPAA, check those specific requirements and document your retention-and-disposal policy. Dispose of electronic records so they are irretrievable, and remember that backups keep copies too.
Is it safe to use an online PDF tool for client forms?: Only if the tool processes files locally in your browser, or you have a Business Associate Agreement with the vendor. A cloud tool that uploads your intake forms and notes is acting as a business associate and would need a BAA before handling this data. ScoutMyTool runs its PDF operations client-side in your browser tab, so the client form never leaves your machine — appropriate for the especially sensitive material a therapy practice handles. Confirm any tool's data handling with your compliance resources before processing real client information.

Not legal or clinical advice. This is general information about handling therapy-practice documents as PDFs. Confidentiality rules depend on HIPAA, your state law, and your licensing board. Consult your compliance resources and legal counsel before applying any of this to real client information.

Citations

NIST Special Publication 800-66 Revision 2 — “Implementing the HIPAA Security Rule.” csrc.nist.gov/pubs/sp/800/66/r2/final
CDC, Public Health Law — overview of HIPAA, including the Privacy Rule. cdc.gov — HIPAA overview
Wikipedia — “Health Insurance Portability and Accountability Act,” including the heightened protection for psychotherapy notes. en.wikipedia.org — HIPAA

Private client forms, built in your browser

ScoutMyTool’s intake, consent, redaction, and encryption tools run entirely client-side — your clients’ most sensitive forms never leave your machine.

Open the Intake Formatter →