Beyond HIPAA: What Your Note-Taking App Doesn't Tell You


Marcelo Matz, Mar 5, 2026, 6 min read

Therapy notes are among the most intimate records in existence. Here's why your cloud-based note app might not be protecting them the way you assume.

The intimacy of clinical notes

Therapy notes are unlike any other professional documentation. They capture the most vulnerable moments of human experience — trauma, addiction, relationship breakdown, mental health crises. The therapeutic relationship depends entirely on the client's trust that these words will remain confidential.

That trust is increasingly undermined by the tools therapists use to document their work.

The cloud convenience trap

Modern note-taking apps make compelling promises: access anywhere, automatic backup, seamless sync. For grocery lists and meeting notes, these features are harmless. For clinical documentation, they create invisible risks.

When your session notes live on a cloud service:

  • The provider's servers store your clinical observations
  • Automated systems may process content for indexing or AI training
  • Your client's most vulnerable disclosures exist on infrastructure you don't control
  • Breach exposure extends to every client simultaneously

What ethical codes actually require

Professional ethics codes for therapists, counselors, and social workers typically require:

  • Reasonable measures to protect client confidentiality
  • Informed consent about how information is stored and who may access it
  • Minimum necessary disclosure — sharing only what's needed, with only those who need it
  • Secure storage appropriate to the sensitivity of the information

Consumer cloud apps rarely meet these standards. They're designed for productivity, not for professional confidentiality.

The AI training concern

Here's a scenario most therapists haven't considered: many cloud services now use stored content to train AI models. Their terms of service may allow this through broad language about "improving services."

Your clinical observations — a client's description of childhood abuse, a couple's most intimate conflicts, a teenager's suicidal ideation — could become training data for an AI. No amount of anonymization makes this acceptable.

The local encryption alternative

Local encryption transforms the security model entirely:

  • Your device, your data: Session notes never leave your computer
  • Per-client encryption: Each client's notes can have a unique password
  • Zero processing: No AI, no indexing, no content analysis
  • Complete deletion: When notes should be destroyed, they can be destroyed

This isn't about distrust of technology. It's about matching the security of your tools to the sensitivity of your work.

Practical recommendations

  1. Separate clinical from administrative: Use your practice management system for billing and scheduling. Use encrypted local storage for clinical thinking.
  2. Encrypt active clients: Keep current session notes in encrypted vaults
  3. Audit your current tools: Read the terms of service for every app that touches client data
  4. Consider supervision notes: Your reflections about clinical work are just as sensitive as session notes

Conclusion

The therapeutic relationship is a container for human vulnerability. The tools that document that relationship should honor the same standard of protection. Cloud convenience is not worth the risk to the trust your clients place in you.


Writtt is a free, open-source text editor with AES-256 encryption and zero cloud dependency. Download it here or explore it on GitHub.