
HIPAA and Therapy Worksheets: How to Send Client Tools Without Storing Worksheet Responses
You want to send your client a thought record they can fill out on their phone. Simple enough. But the moment your client types “I've been having panic attacks at work,” that text may become Protected Health Information when it is linked to the client and their care. Where that text is stored matters.
Most of us understand HIPAA when it comes to our EHR, our telehealth platform, and our email. But worksheets and therapy tools sit in a gray area that many of us haven't fully thought through -- and it's a gray area that carries real risk.
What Actually Counts as PHI
Protected Health Information is any health-related information that can be traced back to a specific person. If a piece of information can be linked to someone by name, email, phone number, or any other identifier -- and it relates to their health, their treatment, or their payment for care -- it's PHI.
When it comes to therapy worksheets, PHI includes:
- Anything the client types into a digital worksheet (thoughts, feelings, symptoms, descriptions of events)
- The fact that a specific person was assigned a specific clinical tool (because that links their identity to their treatment)
- Records of when someone opened or completed a worksheet, if those records are tied to a real person
- Any information that connects a person's identity to their use of a health-related tool
What is not PHI: the worksheet itself, before anyone fills it in. A blank CBT thought record is a clinical tool, not health information. Think of it like a blank intake form sitting in a stack on your front desk -- it's just paper. The PHI gets created when a specific person picks it up and writes their specific thoughts on it.
The Problem With Most Digital Worksheet Platforms
Most platforms that offer digital therapy worksheets work the same way your EHR does: your client fills something out, and that information gets sent over the internet to the company's computers, where it's saved in their system. That's how your banking app works too, and your social media.
For an EHR, that makes perfect sense -- you need to pull up client records from different devices over months and years. But for a therapy worksheet, that setup creates obligations that many therapists don't realize they're signing up for:
- Business Associate Agreement obligations. A company that holds, handles, or passes along PHI on your behalf may be a “Business Associate” under HIPAA. Confirm BAA requirements before clients use the tool.
- You share the blame in a data breach. If the platform gets hacked and client information is exposed, you share the responsibility. Your name could end up on the notification letters that go out to affected clients.
- Someone has to track who saw what. HIPAA requires you to keep records of who looked at client information, when they looked at it, and what they did with it. If a platform is holding your clients' worksheet answers, all of that tracking has to happen.
- Clients can ask for their data to be deleted. And you need a way to make that happen. If their worksheet responses are sitting on some company's computers, you need to be able to get them removed.
- You need to know what happens to the data. How long does the company keep it? Where is it stored? Is it protected? Who at the company can see it? These are questions you're supposed to have answers to.
None of this is impossible to manage. Your EHR handles all of it every day. But here's the real question: does a therapy worksheet need to create all of these obligations? If the goal is simply to put an interactive tool in your client's hands, does the platform need to keep a copy of everything they write?
A Different Approach: Keep Client Data Off Company Computers Entirely
There's another way to build digital therapy tools: design the tool so worksheet responses stay on the client's own device instead of being submitted to the platform.
Think of it like handing a client a paper worksheet -- except it's on their phone. When your client opens the worksheet link you send them, the blank tool loads on their device just like any webpage. But when they start typing their responses, everything they write stays saved only on their phone, like a note they wrote to themselves. Their answers never get sent to the company's computers. There's no copy floating around on someone else's system. It lives on their device and nowhere else.
From a privacy and compliance-planning perspective, this changes the risk profile:
- BAA exposure may be reduced. If a platform only serves blank tools and does not receive worksheet responses or client identifiers, that is a materially different posture than a platform storing client submissions. Confirm BAA requirements with your own compliance counsel.
- Platform-side breach exposure is lower. A system cannot expose worksheet responses it never received. The client still needs to protect their own device, browser, and sharing choices.
- Platform access tracking is simpler. If the platform does not receive client worksheet responses, there is no response database for platform staff to access.
- The client controls their own data. Your client can review what they've written, clear it, or delete it right from their own device. No email to a company. No support ticket. No waiting.
How to Verify Where Worksheet Responses Go
Any platform can claim it keeps worksheet responses private. Here's how to check:
- Open the tool and fill in sample data. Type something you'd recognize -- like “HIPAA test 12345” -- into every field.
- Close the tool, clear your browsing history, and reopen it. If your responses vanish after clearing your phone's browsing data, that's a good sign -- the data was only living on your device.
- Try it from a different device. Open the same link on a different phone or computer. If your responses don't show up there, it confirms nothing was saved on the company's end. (If they do appear, that means they're being stored somewhere other than your device.)
- Ask the company directly: “When my client fills out a worksheet, where does what they type go? Is it sent to your computers? Can you show me that it isn't?” Vague or evasive answers are a red flag.
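The clear-and-reopen and second-device checks show whether a copy is kept locally and whether it is shown back to you; a capture of the browser's outgoing requests shows directly whether the typed text was sent anywhere. The following is an added example, not code from ClientWorksheets or any platform: it scans a HAR file (the network log that browser developer tools can export, saved after filling in the worksheet) for the marker string in plain, URL-encoded, form-encoded and base64 form. The function names, the worksheets.example host and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: scan a HAR export (browser devtools, Network tab) for a typed
// marker leaving the device. Hosts, paths and bodies below are constructed.
const MARKER = "HIPAA test 12345"; // the test string suggested in the steps above

// Base64 of a substring depends on its byte offset mod 3, so keep only the
// characters that are stable for each of the three possible alignments.
function base64Needles(text) {
  return [0, 1, 2].map((pad) => {
    const b64 = Buffer.from("\0".repeat(pad) + text).toString("base64").replace(/=+$/, "");
    const end = (pad + text.length) % 3 === 0 ? b64.length : b64.length - 1;
    return b64.slice([0, 2, 3][pad], end);
  });
}

function needlesFor(marker) {
  const pct = encodeURIComponent(marker);
  const needles = [["plain", marker], ["percent-encoded", pct],
    ["form-encoded", pct.replace(/%20/g, "+")]];
  base64Needles(marker).forEach((n) => needles.push(["base64", n]));
  return needles.filter(([, n]) => n.length >= 8); // short needles match by chance
}

// One finding per request part (URL, headers, body) that carries the marker.
function findMarkerLeaks(har, marker = MARKER) {
  const needles = needlesFor(marker);
  const findings = [];
  for (const { request } of har.log.entries) {
    const parts = {
      url: request.url,
      headers: (request.headers || []).map((h) => `${h.name}: ${h.value}`).join("\n"),
      body: (request.postData && request.postData.text) || "",
    };
    for (const [where, haystack] of Object.entries(parts)) {
      const hit = needles.find(([, needle]) => haystack.includes(needle));
      if (hit) findings.push({ method: request.method, url: request.url, where, encoding: hit[0] });
    }
  }
  return findings;
}

// Constructed HAR fragment: a blank-worksheet load and a leaking save request.
const sampleHar = { log: { entries: [
  { request: { method: "GET", url: "https://worksheets.example/thought-record", headers: [] } },
  { request: { method: "POST", url: "https://worksheets.example/api/save", headers: [],
      postData: { mimeType: "application/json", text: '{"field1":"HIPAA test 12345"}' } } },
] } };
console.log(findMarkerLeaks(sampleHar));
```

An empty result means the marker was not seen in these encodings; WebSocket frames and payloads compressed or encrypted by page script before sending are not covered, so keep asking the vendor the question above.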
A Practical HIPAA Checklist for Any Digital Therapy Tool
Before sending any digital tool to a client, ask these questions:
- 1. Does the tool require client login or account creation? If yes, the platform is collecting identifiable information. Ask whether a BAA is required.
- 2. Does what the client types get sent to the company's computers? If yes, PHI may be leaving your client's device. Ask whether a BAA is required.
- 3. Does the company keep a copy of client responses? If yes, PHI may be stored. Ask about BAA requirements, retention, deletion, and breach notification responsibilities.
- 4. Does the platform track which clients use which tools? If yes, that usage information tied to a real person may be PHI. Ask whether a BAA is required.
- 5. Does the platform offer a signed BAA? If the platform holds client information but won't sign a BAA, walk away. Do not use it for anything client-facing.
- 6. Can clients delete their own data without contacting anyone? This isn't technically a HIPAA requirement, but it tells you a lot about whether a company actually takes privacy seriously or just talks about it.
What This Means for Your Practice
The simplest way to reduce HIPAA headaches with therapy worksheets is to use tools designed not to receive client worksheet responses in the first place. This isn't a loophole or a shortcut -- it's a completely different approach that removes the risk at the source, the same way using a paper worksheet avoids the problem of digital storage.
ClientWorksheets.com was built on this principle from day one. No client accounts. No client logins. Worksheet responses are designed to stay in the client's browser storage on their own device. We deliver the blank tool; the client's device holds what they type.
This doesn't mean HIPAA compliance is optional for your practice -- you still have obligations around how you communicate with clients, how you document treatment, and how you protect your own records. But it does mean that your therapy worksheets don't need to be yet another thing keeping you up at night.
Disclaimer: This article provides general information about HIPAA as it relates to digital therapy tools. It is not legal advice. Consult with a HIPAA compliance professional for guidance specific to your practice.
From the ClientWorksheets editorial team
ClientWorksheets, LLC publishes clinician-informed interactive worksheets and keeps them under ongoing QA review.