How to Encrypt Files as a Counselor: A Private Practice Guide to Digital Confidentiality
Trust is the currency of therapy. You spend years cultivating a safe environment where clients can share their deepest vulnerabilities. You protect their emotional space within the four walls of your office—but is the digital space on your laptop just as secure?
While most modern private practices use cloud-based Electronic Health Records (EHRs) for official files, a dangerous gap remains. It’s the “in-between” data: the downloaded intake forms, the draft letters to courts, the raw session recordings, and specifically, the psychotherapy notes saved locally on your desktop.
If you are wondering how to encrypt files as a counselor, you aren’t just looking for tech support; you are looking for peace of mind.
The stakes have never been higher. According to the 2024 CNA/HPSO Counselor Professional Liability Report, the average professional liability claim against a counselor has reached $157,492—a staggering 40% increase since 2019. For a solo practitioner, a single lost laptop or a hacked desktop containing unencrypted client data can be a practice-ending event.
The good news? You don’t need to be an IT expert to secure your practice. Protecting your local files is straightforward once you have the right tools. This guide will walk you through exactly how to encrypt files easily, satisfying HIPAA requirements and your ethical codes without requiring complex software.
Why Counselors Need Local File Encryption (Beyond Just “HIPAA”)
When we talk about encryption, the conversation often stops at “it’s the law.” While HIPAA compliance is mandatory, the real drivers for encryption in 2024 are specific professional risks that have evolved rapidly over the last few years.
The Rising Cost of Liability
The landscape of private practice liability is shifting. Private practice-related claims have more than doubled, rising from 10.1% of all claims in 2019 to 21.9% in 2024 (CNA/HPSO, 2024). This shifts the risk burden directly onto individual practitioners rather than large agencies.
Furthermore, if you offer remote sessions, the risks multiply. Claims involving telebehavioral health services now cost an average of $317,516 to resolve—more than double the average claim cost. This often stems from data breaches or privacy violations inherent in digital communication.
Ethical Obligations
Beyond the financial risk, there is the ethical imperative. The ACA Code of Ethics (Standard H.2.d) explicitly states that counselors must use “current encryption standards within their websites and/or technology-based communications.”
Similarly, the NBCC Policy requires encryption for all digital technology communications of a therapeutic type. Failing to encrypt isn’t just a technical oversight; it is increasingly viewed as an ethical violation.
The “Data at Rest” Gap
This is the concept most guides miss. You might use secure email services (like Hushmail) or a secure EHR (like SimplePractice). These tools protect Data in Transit (moving across the internet) or data stored on their servers.
However, they do not protect Data at Rest—the files sitting on your actual computer.
If you download a PDF from your EHR to print it, that file is now “at rest” on your hard drive. If you type out process notes in Microsoft Word before copying them to your EHR, that document is “at rest.” If your laptop is stolen or infected with malware, secure email won’t help you. The only thing standing between a thief and your client’s secrets is local file encryption.
The “Psychotherapy Notes” Dilemma: A Critical Security Gap
One of the most common reasons counselors store files locally involves the distinction between the official medical record and psychotherapy notes.
The Distinction
HIPAA affords special protection to psychotherapy notes—your personal insights, hypothesis testing, and process notes—provided they are kept separate from the client’s medical record. To maintain this separation, many therapists choose not to upload these notes to their cloud-based EHR, fearing that insurance companies or subpoenas might gain easier access to them if they are commingled with progress notes.
The Common Habit
Consequently, many therapists keep these sensitive notes as simple Word documents or text files in a folder on their desktop labeled “Process Notes” or “Private.” It feels safer because it’s “offline” and in your possession.
The Risk
This logic has a fatal flaw: without encryption, these are just open text files. If you leave your laptop in a coffee shop, or if a background ransomware program scans your documents, the most sensitive details of your client’s life are readable by anyone.
The APA Record Keeping Guidelines urge psychologists to carefully consider the “medium on which records are stored.” Storing the most sensitive category of mental health data—process notes—in the least secure format (unencrypted text) is a dangerous contradiction.
Real-World Scenarios: Where Standard Security Fails
General cybersecurity advice often assumes you are a corporate employee with an IT department. In private practice, you are the IT department. Here is how standard security measures fail in real counseling scenarios.
Scenario 1: The Shared Office Breach (Theft)
Sarah, an LPC, rents a shared office space for her growing practice. She is diligent about backups and keeps an external hard drive in her locked desk drawer. The drive contains backups of intake forms, insurance claims, and old client letters.
One evening, a cleaning crew member forces the drawer open and swipes the drive. Sarah assumes she is safe because her computer has a password. However, a Windows login password does not encrypt external drives. The thief plugs the drive into their own computer and instantly accesses 500+ client files.
The Lesson: Physical locks are not enough. Because the drive wasn’t encrypted, Sarah faces a mandatory HIPAA breach notification to all clients and the Department of Health and Human Services.
Scenario 2: The Subpoena Panic (Sharing)
Mark receives a subpoena for a client’s records regarding a contentious custody battle. 66% of all liability claims paid out on behalf of counselors are for “subpoena assistance” (CNA/HPSO, 2024). Mark needs to send specific records to his attorney for review before complying.
He stores his psychotherapy notes as password-protected Word documents. When he attempts to email them, he realizes the password protection is weak and easily bypassed. He tries to zip them, but isn’t sure if he did it right. If he sends unencrypted files to his lawyer, he breaks the chain of secure custody.
The Lesson: You need a way to encrypt individual files so they can travel safely through email to legal counsel.
Scenario 3: The Telehealth Transfer (Ransomware)
Dr. Elena records Zoom sessions for supervision purposes (with consent). These video files are large, so she saves them to her desktop temporarily before uploading them to a secure cloud storage service.
During that window of time—perhaps only a few hours—her laptop is infected with ransomware via a phishing email. The attackers lock her computer and threaten to publish the unencrypted video files unless she pays $50,000.
The Lesson: Data is vulnerable the moment it is created. If the video files had been encrypted immediately upon saving, the stolen data would be useless to the attackers, and there would be no leverage for extortion.
How to Encrypt Client Files: A Step-by-Step Guide
Securing your files doesn’t require learning code or buying enterprise servers. Here are three methods to handle encryption, ranging from basic to robust.
Method 1: Full Disk Encryption (BitLocker/FileVault)
Both Windows (BitLocker) and Mac (FileVault) come with built-in full disk encryption. You should absolutely turn this on.
- Pros: If your laptop is stolen while it is powered off, the thief cannot access the hard drive.
- Cons: It only protects the computer as a whole. It does not help you when you need to email a specific file to a lawyer or client. It also doesn’t protect you from malware that runs while you are logged in and working.
Method 2: Built-in Document Protection (Microsoft Office)
You might ask, “Is password protecting a Word doc enough?”
- Verdict: Generally, no.
- Why: The encryption used in older versions of Office is trivial to crack. While newer versions are better, they don’t meet the “robust” standards recommended for HIPAA compliance. Furthermore, this only protects Word/Excel files—it won’t protect PDFs, images, or video recordings.
Method 3: Specialized File Encryption (The Sekura Method)
For counselors who need to secure specific folders (like “Psychotherapy Notes”) or send files safely, third-party encryption is the standard. sekura.app was designed to bridge the gap for non-technical professionals.
Here is how to encrypt your client files with sekura.app:
- Select your files: Simply drag your client folder (e.g., “Client_Doe_Notes”) or individual document into the app window.
- Set your credentials: Choose a strong password. The app will give you real-time feedback on password strength.
- Encrypt: Click the button. Your files are instantly converted into locked .skra files using AES-256 encryption (the banking standard).
- Store or Send: You can now safely leave this file on your desktop, move it to an external USB drive, or attach it to an email. Without the password, it is mathematically impossible to open.
This method solves the “Data at Rest” problem completely. Even if a hacker gains access to your computer, they cannot read the contents of your encrypted files.
Best Practices for Digital Confidentiality in Private Practice
Encryption is a tool, but security is a habit. Implement this checklist to harden your solo practice against digital threats.
1. Encrypt Your Backups
Never store client data on an external hard drive or USB stick unless that drive is encrypted. These devices are small and easily lost. If you use Sekura, you can encrypt the files before moving them to the drive. Alternatively, use hardware-encrypted drives.
2. Secure Your Transfers
Never email a file containing PHI (Protected Health Information) without encrypting it first, even if you are emailing it to yourself. Email accounts get hacked frequently; if the attachment is encrypted, the data remains safe even if the inbox is compromised.
3. Manage Passwords Intentionally
The NBCC Policy specifically cautions against using “auto-remember” usernames and passwords for professional accounts. Use a password manager to generate unique, complex passwords for every service you use.
4. Practice Digital Shredding
When you delete a file on your computer, it isn’t really gone—the space is just marked as “available.” Forensic tools can recover deleted client files years later. When retiring a computer, ensure the hard drive is wiped or physically destroyed.
FAQ: Common Encryption Questions for Therapists
Q: Do I need to encrypt my psychotherapy notes if they are on an external hard drive?
A: Yes. External drives are the most easily lost or stolen items in a practice. If a drive containing unencrypted notes is lost, you have likely committed a HIPAA breach requiring notification.
Q: Does using ProtonMail mean I don’t need to encrypt files on my computer?
A: No. ProtonMail protects the email in transit. It does not protect the file sitting on your desktop before you attach it, nor does it protect the file after you download it. You need local encryption to cover these gaps.
Q: How do I send a client file securely without them needing to install software?
A: You should use a tool that allows for decryption via a web link or a portable decryptor. This ensures that the client or lawyer receiving the file doesn’t need to purchase or install complex software just to read a document.
Q: Is 7-Zip secure enough for client records?
A: It can be, provided you specifically select AES-256 encryption in the settings. However, it is often user-unfriendly and easy to configure incorrectly. If you forget to check the right box, your files may be zipped but not securely encrypted.
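The 7-Zip answer above describes an archive that is zipped but not securely encrypted. The following check is an added example, not part of the original guide or of 7-Zip or Sekura: it reads the headers of a .zip archive and reports, per file, whether the contents are unencrypted, protected with the legacy ZipCrypto cipher, or protected with AES-256. It assumes the .zip format (not .7z), and the function names are hypothetical.

```python
import io
import struct
import zipfile

AES_EXTRA_ID = 0x9901   # extra-field header ID used by WinZip-style AES entries
AES_METHOD = 99         # "compression method" value that signals AES encryption
AES_BITS = {1: 128, 2: 192, 3: 256}

def aes_strength(extra: bytes):
    """Return the AES key size in bits from the 0x9901 extra field, or None."""
    pos = 0
    while pos + 4 <= len(extra):
        field_id, size = struct.unpack_from("<HH", extra, pos)
        if field_id == AES_EXTRA_ID and size >= 7 and pos + 4 + size <= len(extra):
            # Field data: version(2) vendor "AE"(2) strength(1) real method(2)
            return AES_BITS.get(extra[pos + 8])
        pos += 4 + size
    return None

def classify_entry(info: zipfile.ZipInfo) -> str:
    """Classify one archive member by how its contents are protected."""
    if info.is_dir():
        return "directory"
    if not info.flag_bits & 0x1:          # bit 0 clear: no encryption at all
        return "NOT ENCRYPTED"
    if info.compress_type == AES_METHOD:
        bits = aes_strength(info.extra)
        return f"AES-{bits}" if bits else "AES (strength unknown)"
    return "ZipCrypto (weak legacy cipher)"

def audit_zip(source) -> dict:
    """Map each member name to its protection level; no password is needed."""
    with zipfile.ZipFile(source) as zf:
        return {i.filename: classify_entry(i) for i in zf.infolist()}

def safe_to_send(report: dict) -> bool:
    """True only if the archive is non-empty and every file is AES-256."""
    return bool(report) and all(v in ("AES-256", "directory") for v in report.values())

def sample_plain_zip() -> io.BytesIO:
    """Constructed sample: an in-memory archive created without a password."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Client_Doe_Notes/intake.txt", "constructed sample text")
    buf.seek(0)
    return buf

if __name__ == "__main__":
    report = audit_zip(sample_plain_zip())
    print(report, "safe to send:", safe_to_send(report))
```

The report also shows that file names inside a .zip archive are readable without the password even when the contents are AES-encrypted, so client names should not appear in the names of files placed in the archive.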
Conclusion
As a counselor, you are the guardian of your client’s secrets. In 2024, that guardianship extends beyond the soundproof door of your office and onto your hard drive. The rise in liability claims and the sophistication of cyber threats mean that “hoping for the best” is no longer a viable strategy.
Don’t let a technical oversight lead to a licensing board complaint or a devastating financial claim. Securing your practice doesn’t have to be complicated.
Secure your psychotherapy notes and client letters today with sekura.app. It provides simple, drag-and-drop encryption designed for professionals who value privacy—no IT degree required.