Encrypted Session Notes for Therapists - Why It Matters

Your session notes are some of the most sensitive documents in existence. They contain disclosures about trauma, mental health conditions, relationships, and deeply personal experiences. If those notes were exposed, the impact on your clients would be devastating. Here's why encryption isn't optional and what to look for.

What encryption actually means

Encryption scrambles data so that it can only be read with the right key. Without the key, the stored data is indistinguishable from random bytes. AES-256 is the symmetric cipher standardised by NIST and used by banks and governments. When your notes are encrypted with AES-256 and the key is kept out of the attacker's reach, someone who gained access to the database would see only ciphertext, not your clients' records. The cipher itself is never the weak point; where the key is stored, and who can use it, is what decides whether the encryption means anything.

"Secure" is not the same as "encrypted"

Many practice management tools describe themselves as "secure" or "GDPR compliant". That usually means they use HTTPS (encryption in transit), have password-protected accounts, and perhaps run on cloud storage whose disks are encrypted underneath. None of that protects notes that sit as plaintext in the database: anyone with database access, including the software company's own employees, could read them, and a leaked backup or database dump exposes everything. Encryption in the sense that matters here is encryption of the notes themselves, with a key the database does not hold. The test is simple: if the provider's staff can read your notes, the notes are not meaningfully encrypted, whatever the disk underneath is doing.

What to look for

Encryption at rest: the notes themselves are encrypted when stored, not only when transmitted. A recognised standard such as AES-256 in an authenticated mode (one that also detects tampering), not a home-grown scheme. Key separation: the encryption key must not live in the same database as the notes, so that a database breach or a leaked backup alone exposes nothing; ask where the key is held (a dedicated key-management service or hardware module, or on your own device) and who can use it. Finally, ask what the provider can see. Encryption performed on the provider's servers with a provider-held key stops an outsider with a copy of the database; encryption with a key the provider never holds also stops the provider.
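As an added example (this is not Bloom's code, nor that of any tool named on this page), the following Go program shows what "encrypted at rest with a separate key" looks like in practice. It encrypts a constructed sample note with AES-256-GCM, prints the row as a database dump would show it, and then demonstrates why key separation and an authenticated mode matter: decryption with the wrong key fails, a modified record fails, and a record moved into another client's row fails. The client identifier, the sample note text and the key handling are illustrative assumptions; a real deployment would fetch the key from a key-management service or derive it on the therapist's device rather than generate it in main.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// StoredNote is the shape of a row as it would sit in the database:
// a random nonce and the AES-256-GCM ciphertext (authentication tag included).
// Only the client identifier is plaintext, and it is bound into the tag so a
// record cannot be silently moved between clients.
type StoredNote struct {
	ClientID   string
	Nonce      []byte
	Ciphertext []byte
}

// NewKey returns a fresh 32-byte AES-256 key. Assumption for this example:
// in production the key is held in a KMS/HSM or derived on the therapist's
// device, never stored next to the notes it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("AES-256 requires a 32-byte key, got %d bytes", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptNote seals one session note. A fresh random nonce is used per note;
// reusing a nonce under the same GCM key destroys confidentiality.
func EncryptNote(key []byte, clientID, note string) (StoredNote, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return StoredNote{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredNote{}, err
	}
	ct := aead.Seal(nil, nonce, []byte(note), []byte(clientID))
	return StoredNote{ClientID: clientID, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptNote opens a stored record. GCM checks the tag before releasing any
// plaintext, so a wrong key, a modified ciphertext or a swapped client ID all
// fail cleanly instead of yielding garbage.
func DecryptNote(key []byte, rec StoredNote) (string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return "", err
	}
	pt, err := aead.Open(nil, rec.Nonce, rec.Ciphertext, []byte(rec.ClientID))
	if err != nil {
		return "", errors.New("cannot decrypt note: wrong key or tampered record")
	}
	return string(pt), nil
}

func main() {
	key, _ := NewKey()
	// Constructed sample note; not a real client record.
	rec, err := EncryptNote(key, "client-0042", "Session 3: client discussed anxiety about a workplace dispute.")
	if err != nil {
		panic(err)
	}
	// This is everything a database dump would reveal.
	fmt.Printf("row: client=%s nonce=%s ciphertext=%s\n", rec.ClientID,
		hex.EncodeToString(rec.Nonce), hex.EncodeToString(rec.Ciphertext))

	note, _ := DecryptNote(key, rec)
	fmt.Println("with key:", note)

	wrongKey, _ := NewKey()
	_, err = DecryptNote(wrongKey, rec)
	fmt.Println("with wrong key:", err)

	moved := rec
	moved.ClientID = "client-0007"
	_, err = DecryptNote(key, moved)
	fmt.Println("moved to another client's row:", err)
}
```

The point to take from running it is that the database row carries no trace of the note's content, and that nothing stored alongside it (the nonce, the client ID) helps an attacker who does not also hold the key; the practical question for any vendor is therefore where that key lives and who can call the equivalent of DecryptNote.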

Which tools encrypt notes?

Most therapy software does not encrypt session notes beyond standard database security. Bloom uses AES-256 encryption on all session notes. Konfidens encrypts data under Norwegian health law standards. Most other UK tools (WriteUpp, Kiku, Cliniko, bacpac) rely on standard security measures without dedicated note encryption.

What your professional body says

BACP, UKCP, and BPS all require that client records are kept securely. While their guidance does not specify encryption by name, the UK GDPR does: Article 32 lists "encryption of personal data" explicitly as an example of an appropriate technical measure, and Article 34 exempts a controller from notifying individuals about a breach where the data was rendered unintelligible to unauthorised parties, for example by encryption, as long as the key itself was not compromised. If you were ever subject to a data breach complaint, being able to show that the notes were encrypted and that the key was held separately would significantly strengthen your position.

Your clients' notes, encrypted

Bloom encrypts every session note with AES-256. Even our team can't read your clients' records.