How I Protect Client Information — Especially for Trans and Other Marginalized Clients

In therapy, privacy isn’t just a professional promise — it’s a legal right and a matter of safety. I take confidentiality seriously, especially for clients who are more vulnerable to harm when their information is mishandled. This includes transgender clients, BIPOC clients, survivors of abuse, disabled people, immigrants, and others navigating systems that were not built with their protection in mind.

The Laws That Guide My Privacy Practices

HIPAA (Health Insurance Portability and Accountability Act of 1996)

HIPAA is the foundation of medical and mental health privacy in the U.S. It protects Protected Health Information (PHI) and requires providers to:

  • Share only the minimum necessary data,
  • Secure all health information,
  • Give clients access to their records and allow corrections,
  • Notify clients in the event of a data breach.

HIPAA informs how I document, store, and limit access to your records.

The Privacy Act of 1974

This federal law governs how U.S. government agencies handle personal information. It ensures individuals have the right to:

  • Know what information is being collected about them,
  • Access and request corrections to that data,
  • Prevent unauthorized disclosures by federal entities.

While this law applies to federal systems (such as the military, VA, and Social Security Administration), I follow its core principles — especially for clients with histories involving government institutions or surveillance risks.

What Is PII and PHI?

  • PII (Personally Identifiable Information) includes your name, birthdate, address, phone number, workplace, or any detail that could directly identify you.
  • PHI (Protected Health Information) includes any health-related data linked to your identity — such as diagnoses, treatment plans, or billing records.

The unauthorized sharing of PII or PHI can be especially harmful to trans clients or anyone targeted by systemic bias. I take extra steps to reduce that risk.

Safe Harbor Laws

The Safe Harbor Method under HIPAA defines how to de-identify health data so it no longer links back to a specific person. This includes removing or altering 18 types of identifiers (like name, dates, zip codes, and employer).

I use Safe Harbor principles to:

This approach protects your autonomy while supporting informed care.

Under the HIPAA Safe Harbor Method, health information is considered de-identified once 18 specific identifiers have been removed. These identifiers relate to the individual and to their relatives, employers, or household members. Once they are removed, and the provider has no actual knowledge that the remaining information could be used to identify the person, the data is no longer Protected Health Information (PHI).

Here are the 18 identifiers:

  1. Names
  2. All geographic subdivisions smaller than a state, including:
    • Street address
    • City
    • County
    • Precinct
    • ZIP code (the first 3 digits may be kept only if the area covered by all ZIP codes sharing those 3 digits has more than 20,000 people)
  3. All elements of dates (except year) directly related to the individual:
    • Birth date
    • Admission date
    • Discharge date
    • Death date
    • Exact age if over 89 (these are aggregated into a category of 90+)
  4. Telephone numbers
  5. Fax numbers
  6. Email addresses
  7. Social Security numbers
  8. Medical record numbers
  9. Health plan beneficiary numbers
  10. Account numbers
  11. Certificate/license numbers
  12. Vehicle identifiers and serial numbers, including license plate numbers
  13. Device identifiers and serial numbers
  14. Web URLs
  15. IP addresses
  16. Biometric identifiers, including fingerprints and voiceprints
  17. Full-face photographs and any comparable images
  18. Any other unique identifying number, characteristic, or code (unless re-coded and kept separately)
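The list above is a rule set, so it can be applied mechanically to a record. The following is an added example written for this page, not a tool used by this practice or published by HHS: it removes the identifiers that must be dropped outright, keeps only the state from geographic data, generalizes the ZIP code to its first three digits, reduces dates to years, and reports ages over 89 as 90+. The field names, the sample record, and the set of low-population three-digit ZIP prefixes are all constructed for the example; a real implementation would take that set from current Census data.

```python
"""Added example: applying the HIPAA Safe Harbor identifier rules to one record.

Illustrative code written for this page, not a tool from the practice or from
HHS. The record, the field names and the set of low-population three-digit ZIP
prefixes are constructed for the example.
"""
from __future__ import annotations

from datetime import date
from typing import Any

# Fields that Safe Harbor requires removing outright (identifiers 1 and 4-18).
REMOVE_OUTRIGHT = {
    "name", "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_number", "license_number", "vehicle_id", "device_serial",
    "url", "ip_address", "biometric", "photo", "other_unique_code",
}

# Geographic fields below the state level (identifier 2); ZIP is handled separately.
REMOVE_GEOGRAPHIC = {"street", "city", "county", "precinct"}

# Date fields that are reduced to their year (identifier 3).
DATE_FIELDS = {"birth_date", "admission_date", "discharge_date", "death_date"}

# Constructed placeholder: three-digit ZIP prefixes whose combined area has
# 20,000 or fewer residents. The real set must come from current Census data.
SMALL_POPULATION_ZIP3 = {"036", "059"}


def generalize_zip(zip_code: str, small_pop_zip3: set[str]) -> str:
    """Keep the first three digits of a ZIP code unless that prefix covers a
    population of 20,000 or fewer, in which case Safe Harbor requires 000."""
    prefix = zip_code.strip()[:3]
    return "000" if prefix in small_pop_zip3 else prefix


def age_on(birth: date, as_of: date) -> int:
    """Age in whole years on the given date."""
    years = as_of.year - birth.year
    if (as_of.month, as_of.day) < (birth.month, birth.day):
        years -= 1
    return years


def deidentify(record: dict[str, Any], as_of: date,
               small_pop_zip3: set[str] = SMALL_POPULATION_ZIP3) -> dict[str, Any]:
    """Return a copy of `record` with the 18 Safe Harbor identifiers removed or
    generalized. Fields not on the list (e.g. state, diagnosis) pass through."""
    out: dict[str, Any] = {}
    for field, value in record.items():
        if field in REMOVE_OUTRIGHT or field in REMOVE_GEOGRAPHIC:
            continue
        if field == "zip":
            out["zip3"] = generalize_zip(str(value), small_pop_zip3)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = date.fromisoformat(value).year
        else:
            out[field] = value

    # Ages over 89 are reported as 90+, and the birth year, which would reveal
    # such an age, is dropped along with the exact age.
    if "birth_date" in record:
        age = age_on(date.fromisoformat(record["birth_date"]), as_of)
        if age > 89:
            out.pop("birth_year", None)
            out["age"] = "90+"
        else:
            out["age"] = age
    return out


# Constructed sample record for a stand-alone run.
SAMPLE = {
    "name": "Example Client",
    "street": "1 Example St",
    "city": "Exampleville",
    "county": "Example County",
    "state": "CA",
    "zip": "94110",
    "birth_date": "1931-02-10",
    "admission_date": "2024-03-05",
    "phone": "555-0100",
    "email": "client@example.org",
    "mrn": "MRN-0001",
    "diagnosis": "F41.1",
}

if __name__ == "__main__":
    print(deidentify(SAMPLE, as_of=date(2024, 6, 1)))
```

Running it on the constructed record leaves only the state, the three-digit ZIP prefix, the admission year, the age bucket 90+ and the diagnosis; everything else on the 18-item list is gone. Safe Harbor is one of two HIPAA de-identification routes, and it says nothing about fields that are not on the list, so a record that passes this function still needs the "no actual knowledge" judgment described above before it is treated as de-identified.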

Where You Work Is Protected

Your workplace and job details are protected information. I do not document or disclose where you work unless absolutely necessary and authorized by you in writing. This is especially important for clients in healthcare, education, government, or corporate roles where discrimination is a real concern.

Using Chosen Names and Identities

You can use any name or pronouns that reflect your identity, regardless of legal documentation.

  • In session and in my notes, I use your chosen name and pronouns, unless you say differently.
  • If you’re using insurance, I am required to use your legal name and gender marker for claims and billing — a limitation of insurance systems, not my practice.
  • If you’re paying privately, we have full flexibility to document your care under your chosen name only, and I can omit unnecessary or potentially harmful diagnostic language.

Insurance vs. Private Pay

Insurance requires:

  • Legal name and date of birth,
  • Diagnosis codes and documentation of “medical necessity.”

I fulfill only what’s required and use trauma-informed, affirming language. I avoid overdisclosure and never share information with employers or unrelated third parties.

Private pay clients often choose this path for greater confidentiality:

  • No diagnosis on record unless you request it,
  • No reporting to insurance databases,
  • Full control over what’s documented and disclosed.

How I Go Further

  • I work alone, which means no one else sees or accesses your records unless legally required.
  • In any consultation, I avoid disclosing gender identity, trauma history, or medical care unless it is necessary.
  • I flag sensitive entries and restrict access based on HIPAA’s minimum necessary standard.
  • My Electronic Health Record (EHR) system is connected to a secure network and meets HIPAA compliance standards, including:
    • Encryption of data in transit and at rest,
    • Role-based access (limited to me),
    • Audit trails and breach notification protocols.

I routinely review the tools I use — from telehealth platforms to email systems — and discontinue anything that shifts toward surveillance, discrimination, or weak privacy protections.