Skip to main content

Guide

What happens if your therapy notes are audited (and how to be ready)

A practical guide for UK therapists on what a therapy notes audit involves, who can request your records, and how to keep your documentation audit-ready.

A therapy notes audit in the UK typically means someone with a legitimate interest — an insurer, a court, the ICO, your professional body, or a client exercising subject access rights — formally requests your clinical records. It is not a routine inspection that arrives unannounced; it comes with a specific trigger and a defined scope. Being ready means your notes are contemporaneous, legible, proportionate, and stored in a way that meets UK GDPR requirements.

Who can audit your therapy notes, and why

Several parties can request your records, each under a different legal or contractual basis.

Clients have the right to request their own records under UK GDPR Article 15 (a Subject Access Request). You generally have one calendar month to respond. The ICO publishes guidance on what you can and cannot withhold — for example, information that would identify a third party — so check current ICO guidance rather than relying on a fixed rule.

Courts can issue an order requiring disclosure, which overrides your usual confidentiality obligations. If you receive one, contact your professional indemnity insurer and your professional body before responding. This is not a situation to navigate alone.

Insurers — particularly EAP panels or private medical insurers — may audit records to verify that sessions billed match the presenting problem and treatment approach documented. Their contracts usually specify what they can request and in what format.

Your professional body (BACP, UKCP, HCPC, NCS, BABCP) can investigate a complaint and request records as part of that process. Record-keeping standards differ between bodies, so confirm current requirements with your own.

The ICO can investigate a data breach or a complaint about your data practices. They are less likely to review clinical content and more likely to examine how you store, protect, and dispose of records.

What auditors actually look for

Regardless of who is asking, the same qualities tend to matter.

Contemporaneous and dated entries. Notes written promptly after a session carry more weight than retrospective summaries. If you routinely write up hours or days later, that pattern can be questioned.

Clinical rationale, not just content summaries. A note recording only "client discussed relationship difficulties" tells an auditor very little. One that links the presenting material to your formulation, any risk considerations, and your clinical reasoning is far more defensible.

Consistent format. You don't need a formal structure like SOAP or DAP, but consistency signals professional discipline. Switching formats arbitrarily across a client's record looks careless.

Risk documentation. Any session where risk was assessed — suicidality, self-harm, safeguarding — should have an explicit note of what was discussed, your assessment, and any action taken. Gaps here are the most serious finding in any audit.

Accurate retention and deletion. UK GDPR requires you to keep records only as long as necessary. Many practitioners follow a seven-year post-ending guideline for adult records (longer for children's), but this isn't a statutory fixed period — it depends on your professional body's guidance, your insurance requirements, and the nature of the work. Confirm the current expectation with your body and insurer.

Common documentation weaknesses that create audit risk

  • Notes written in a rush that omit any clinical reasoning
  • No record of informed consent, including what the client was told about confidentiality limits
  • Safeguarding concerns discussed verbally but never written down (see Sorca's safeguarding concern log for how a typed, timestamped log helps here)
  • Inconsistent or missing session dates
  • Records stored in a personal email account or an unencrypted folder rather than a GDPR-compliant system
  • No documented process for what happens to records if you become incapacitated

Practical steps to make your records audit-ready

Write up the same day. A brief structured note written within a few hours is more defensible than a detailed reconstruction written the following week.

Use a consistent structure. Pick a format that suits your modality and stick to it. If you use an AI clinical scribe, make sure the draft reflects your actual clinical thinking before you save it — the note is yours, not the tool's.

Document consent explicitly. Keep a record of when and how you obtained consent, what you told the client about data use, and any updates to that consent.

Keep a safeguarding log. Every concern, however minor, should be recorded with a date, risk level, and what action you took — or decided not to take, and why.

Know your retention schedule. Write it down. If the ICO ever investigates, producing a clear retention and deletion policy is evidence of good faith.

Store records securely. UK GDPR requires appropriate technical and organisational measures. A password-protected spreadsheet isn't sufficient. Use a platform that is ICO-registered, holds data in the UK or EU, and can produce an audit trail.

Test your Subject Access Request process. Could you locate, compile, and redact a client's full record within a month? If the answer is uncertain, address it now rather than under pressure.

One honest limitation to acknowledge

No documentation system eliminates audit risk entirely. If a client makes a serious complaint or a court requires disclosure, the quality of your notes matters — but so does the nature of the allegation. Good records are your best protection, not a guarantee of any particular outcome. This guide explains general good practice; it is not legal advice. For a complaint or court order, your professional indemnity insurer and your professional body's advice line are your first calls.

Where Sorca fits

Sorca helps with the day-to-day discipline that makes audit-readiness possible: session notes drafted in your modality via the AI clinical scribe, a timestamped safeguarding concern log, outcomes tracking with exportable data, and a full audit trail of what was saved and when — all stored on EU servers with ICO registration and zero data retention on the AI side. It doesn't replace your clinical judgement about what to write, and it doesn't provide legal or regulatory advice. If documentation is where your admin time goes, the 3-day free trial (no card required) is a straightforward way to see whether it helps.

Frequently asked questions

How long should I keep therapy notes in the UK?

There's no single statutory retention period for private therapists. Many practitioners follow a seven-year post-ending guideline for adult records and longer for children's records, but the right period depends on your professional body's current guidance, your insurer's requirements, and the nature of the work. Confirm the expectation with your body and insurer rather than relying on a fixed rule.

Can a client see everything in their therapy notes?

Under UK GDPR, clients have the right to request a copy of their personal data, including therapy notes, via a Subject Access Request. You can withhold information that would identify a third party or where disclosure would cause serious harm, but the bar for withholding is high. The ICO publishes current guidance on exemptions — read it before responding to any SAR.

What should I do if I receive a court order for my therapy records?

Contact your professional indemnity insurer and your professional body's advice line before you respond or disclose anything. A court order does override confidentiality, but the scope of what must be disclosed and how it should be provided requires legal guidance specific to your situation. Don't handle it alone.

Do I need to use a specific note format to pass an audit?

No single format is mandated for private therapists in the UK. What matters is that your notes are consistent, dated, clinically reasoned, and include documentation of risk and consent. Structured formats like SOAP, DAP, or BIRP can help with consistency, but the content and discipline of your record-keeping matter more than the template you choose.

Take the admin off your week

Sorca drafts the note while you stay present — audio never stored, nothing saved without your say-so. Three-day free trial, no card needed.

Start free — no card needed