The Association for Behavioral and Cognitive Therapies describes psychedelic-assisted therapy (P-AT) as “a novel form of mental health treatment that involves a combination of psychotherapy and psychedelic experiences.”
Although this therapy has been around since the 1950s, “there has been a recent resurgence in clinical research and increased openness by funders, regulatory bodies, and the public to explore its potential applications.”
This is evidenced by a publication in the Journal of Psychedelic Studies on Altered stakes: Identifying gaps in the informed consent process for psychedelic-assisted therapy trials, which states that “Psychedelic-assisted therapy (P-AT) has been shown to reduce post-traumatic stress disorder (PTSD), depression, and anxiety symptoms, and is likely to be approved in the United States (US) in the coming years.”
So, as researchers prepare for potential FDA approval of psychedelics like MDMA- and psilocybin-based therapies, we have to ask how patient data will be protected under HIPAA, and what ethical safeguards are still missing?
The Health Insurance Portability and Accountability Act (HIPAA) applies whenever a covered entity or its business associate creates, stores, or transmits protected health information (PHI).
Therefore, HIPAA governs psychedelic therapy when:
In contrast, HIPAA does not apply to unregulated wellness retreats or non-medical psychedelic coaching programs.
The latter study found that in psychedelic clinical trials, though technically compliant, psychedelic clinical trials are not yet ethically complete. More specifically, the researcher writes that the “primary finding… revealed that studies were in compliance with federal regulation. However, there were missing elements related to the vulnerability experienced while under the effects of psychedelics that warrant inclusion in future [informed consent forms].”
Participants in P-AT trials often undergo multiple six- to eight-hour dosing sessions, sometimes followed by overnight monitoring. As the study notes, these sessions involve “the lack of complete autonomy to choose when and how to leave a psychedelic dosing session.” While the study’s structure keeps participants safe, it also limits their ability to withdraw consent mid-session, creating what the author calls “feelings of being trapped or disempowered.”
From a HIPAA perspective, that same vulnerability extends to data and communication. Patients under altered states may lack the capacity to consent to data collection, recording, or sharing, although most informed consent forms still authorize extensive data storage.
For example, if a patient is under the influence of psychedelics, they may not fully understand the implications of their data being shared with third parties or used for research purposes. Their lack of understanding can therefore raise ethical considerations regarding privacy and autonomy in psychedelic therapy settings.
Furthermore, one reviewed form explicitly mentioned the “storage of HIPAA-protected data” and “video and/or audio footage of P-AT trial participants.” These materials, if handled insecurely, would constitute HIPAA violations in a clinical setting.
Moreover, clinical researchers must use a HIPAA compliant consent form that states that patient data will be collected, stored, and shared securely. Additionally, researchers and staff involved in the study must be trained on HIPAA regulations to prevent any potential breaches of patient privacy.
Learn more: Informed consent and protecting patient autonomy
The latter study examined 19 consent forms from trials involving MDMA, ketamine, psilocybin, and LSD. While all met federal criteria under The Code of Federal Regulations’ Protection of Human Subjects (21 CFR 50), many didn’t address psychedelic-specific vulnerabilities like touch, power imbalance, or culturally responsive care.
Participants’ data and recordings were often shared with third parties under “legally binding, signed agreement[s] to make sure that collaborators use appropriate procedures to protect your privacy.” Some studies even transferred audio files for transcription via “a HIPAA compliant, secure service.”
This shows that researchers are beginning to integrate HIPAA-grade safeguards even before federal mandates require them. However, the broader ethical issues of abuse of power, informed consent during altered states, and participant safety remain unresolved.
For example, researchers must also consider the potential for re-identification of participants through audio recordings, as well as the long-term implications of storing and sharing such sensitive information.
One consent form told participants that recordings might be shared externally, but added that “your data, including audiovisual recordings, will never be accessible to the general public.” While this meets minimal privacy expectations, it doesn’t meet the HIPAA demands regarding who has access, for how long, and for what purpose.
For example, suppose a researcher shares the recordings with another institution for collaborative analysis. In that case, participants should be informed and given explicit consent for this specific use of their data. However, if the recordings were shared with a sponsor for marketing purposes, this would likely not meet the transparency HIPAA demands.
Moreover, the study shows how participants’ vulnerability magnifies the moral duty to safeguard their data, especially since, under psychedelics, users experience what the paper calls “enhanced suggestibility and openness.” That same openness could lead to unguarded disclosure of personal histories, including trauma, sexuality, or racial identity.
Therefore, researchers must develop and implement additional ethical guidelines and protocols that protect participants' privacy and well-being. They must establish clear procedures for data storage, access control, and informed consent processes specific to psychedelic research.
Furthermore, researchers should also think of the potential long-term effects of participants' data being compromised, as this could have serious implications for their mental health and overall well-being.
Read also: Why ethical principles are the backbone of HIPAA compliance
The abovementioned study on the informed consent process explains that the “altered state of consciousness experienced in P-AT trials may amplify risk by putting patients in a vulnerable situation.” Their vulnerability also intersects with documentation like clinical notes, videos, and transcripts, which could be harmful if mishandled.
According to the researchers, only one example addressed consent documents stating, “In the case of injury resulting from this study, you do not lose any of your legal rights to seek payment by signing this form.” Yet, there was no mention of patients’ rights to restrict data use or revoke authorization, as explicitly required under HIPAA’s Privacy Rule.
Using a HIPAA compliant solution, like Paubox, can help researchers avoid such ambiguities. More specifically, it automatically encrypts emails, so data is securely transmitted and protected in accordance with HIPAA regulations. For example, researchers can securely share session scheduling, lab results, or integration notes with authorized individuals.
Additionally, Paubox forms can help researchers manage their patients’ consent preferences and revoke authorization if needed, promoting transparency and compliance with privacy laws.
Psychedelic research often relies on video to monitor participant behavior or the therapist's conduct. According to the Journal of Psychedelic Studies research, several studies stated, “We will be audio and video recording you during this study… to make sure our study staff meet quality requirements.”
While such monitoring may protect participants from misconduct, it also generates high-risk data under HIPAA. Recordings include identifiable information, like the participant’s voice, face, and emotional state, and must be encrypted, access-controlled, and stored on secure servers.
HIPAA’s Security Rule requires covered entities to maintain audit trails and limit access to those with a “need to know.”
A secure communication platform allows clinicians to share clips internally for supervision or research while upholding HIPAA, since transmission and storage remain encrypted and logged.
While HIPAA protects PHI, it doesn’t govern therapist behavior, boundary violations, or informed consent quality. The Journal of Psychedelic Studies’ analysis exposes how “the consent process should provide participants with a better understanding of this form of risk,” including long-term personality changes and potential emotional harm.
A patient who can’t fully understand their treatment context also can’t consent to data recording or sharing. As the journal states, “the protection of participants will require more than reading and agreeing to risks outlined in an [informed consent form]… developing a culture of consent and accountability in P-AT research will require moving beyond a system that emphasizes checkboxes of consent rather than truly informed understanding.”
Consequently, HIPAA compliance offers the legal baseline, but researchers and healthcare providers must create a culture of ethical consent.
As psychedelic therapies move toward FDA approval and clinical rollout, healthcare organizations must operationalize HIPAA compliance. This includes:
These steps will align with the study’s call for a “more robust informed consent process” that integrates data ethics, transparency, and participant protection.
The credibility of psychedelic therapy will depend on how well it integrates privacy and consent safeguards from the outset. Moreover, given “the unique risks posed by the forced vulnerability associated with P-AT, a more robust informed consent process should be considered a primary focus of future research.”
Psychedelic therapy will test the healthcare system’s ability to integrate privacy, consent, and cultural accountability. Therefore, therapists and researchers must combine HIPAA compliant communication with ethically informed consent practices,
Ultimately, developing a culture of consent and accountability… will require moving beyond a system that emphasizes checkboxes of consent rather than truly informed understanding.”
Yes, if the therapy is provided by a licensed healthcare professional or within a medical clinic that bills insurance or keeps health records. However, HIPAA doesn’t apply to unregulated retreats, coaching programs, or spiritual ceremonies where no medical professional or health record is involved.
Protected health information (PHI) is any detail that links a person to their health data. It includes names, medical conditions, contact details, treatment notes, or anything that can identify a patient.
Go deeper: When does medical data qualify as PHI under HIPAA?
Yes, but only after removing personal identifiers or through agreements that meet HIPAA’s security standards.