Modoware

← All posts

"The Mental Healthcare Act 2017: what every Indian therapist must know about record-keeping"

· The Modoware team

There’s a curious gap in how Indian therapists discuss the Mental Healthcare Act 2017. Everyone knows it exists; few know what it actually requires of their day-to-day practice.

The Act is wide. Most of it concerns institutional care, Mental Health Review Boards, and the rights of persons with mental illness. But three threads run through it that any private practitioner — counsellor, psychologist, psychotherapist — needs to understand for their own records and communications.

This isn’t legal advice. This is a working summary. For anything that touches a real case, talk to your RCI supervisor or a lawyer who knows the Act.

What the Act broadly covers

The Mental Healthcare Act, 2017 (in force from 29 May 2018) replaced the Mental Health Act, 1987. The 2017 Act reframes care around the rights of the person seeking treatment rather than the discretion of the institution. Key shifts:

  • Decriminalises attempted suicide
  • Recognises an “advance directive” — a written instruction from a person about how they want to be treated if they later become unable to make decisions
  • Creates Mental Health Review Boards at the state level
  • Establishes the right to confidentiality (broadly)
  • Restricts disclosure of mental-health information

The third and fourth points are the ones that touch private practitioners hardest. The rest applies mostly to institutional contexts.

The right to confidentiality

The Act includes a right to confidentiality of mental-health information. In plain language, the people you see in your practice have the right to keep their treatment private. That right is theirs to release. You cannot release information without their consent, with a narrow set of exceptions.

The exceptions that matter to private practice:

  • Risk of harm to self or others (the standard duty-to-warn framing)
  • Court orders
  • Public-interest disclosures under specific provisions

You’ll notice “insurance audit” and “supervisor review” don’t appear in that list. Both can happen — but only with your client’s informed consent. Build the consent process into your intake.

What this means for your records

A few practical implications.

Your records belong to the client, not to you. The client has the right to access their basic records. Your tool should make export possible. (Question 1 of our 14-point buying checklist.)

Storage matters. Records that aren’t securely stored are records that can be disclosed without consent — which the Act doesn’t allow. Encryption at rest, access control, no shared accounts. The bar isn’t “very secure”; the bar is “your client can trust that this is private.”

Backups need the same treatment. A cloud backup of your therapy notes that lives in your personal Google Drive shared with your accountant fails the test.

Quotes and identifying details about third parties are higher-stakes than they look. When your note mentions the client’s spouse by name, your record now contains identifiable information about someone who never gave you consent. The Act doesn’t fully address third-party privacy, but your professional ethics probably should.

Advance directives

A specific feature of the 2017 Act. A person can write an advance directive specifying:

  • How they want to be cared for in the event of mental illness
  • Whom they nominate to take decisions on their behalf
  • Specific treatments they refuse

In private therapy, you’ll mostly encounter this in two ways: clients who arrive with one, and clients who want help writing one. The Act lays out a registration process for these directives through Mental Health Review Boards in each state. The mechanics are still uneven across states as of 2026 — some boards are operational, some less so. If your client wants to register one, check the current process in your state board.

Disclosure: when and how

If you need to disclose mental-health information (rare but real cases — court order, transfer of care, life-safety), the safe path is:

  1. Get informed consent in writing if at all possible.
  2. Disclose only the minimum needed.
  3. Log the disclosure in your records (date, recipient, what was shared, basis for disclosure).
  4. Keep the log as long as the original record.

Most practice-management tools don’t have a “disclosure log” feature explicitly. A notes section attached to the client record is fine. The discipline matters more than the place.

What changes if you supervise other clinicians

A new layer. If you supervise a junior counsellor and review their notes, the supervisee’s client information is in your hands. The client probably consented to therapy with the junior — did they consent to supervisor review? The right answer is to make supervisor review part of the informed-consent process at intake, so when it happens, no surprises.

Practice-management tools handle this poorly today. Most don’t distinguish “shared with my supervisor” from “fully mine.” If your practice involves supervision, ask your vendor specifically how they handle multi-clinician access. Watch for the answer “we don’t, you just create another account” — that’s not the same thing.

Audit trail in practice

The Act doesn’t mandate a specific audit trail format. Common sense and the principle of confidentiality do. For each piece of client data that leaves your system, you want a record of: when, to whom, what, and why. For each access of sensitive data, ideally a record of: who, when.

Solo practitioners can get away with informal logs — a notebook, a section in each client’s record. Group practices need this in software. If your tool has an audit log, learn how to read it. If it doesn’t, ask the vendor when it’s coming.

What still isn’t clear

Three areas where the law lags practice:

Cloud storage in another country. If your practice-management software stores data in Singapore or the US, is that compatible with the Act’s confidentiality provisions? In strict reading, the provisions apply to the information regardless of where it sits. In practice, no Indian regulator has stress-tested this. The DPDP Act 2023 will sharpen this question over the next few years.

Cross-border telehealth. If your client is in Bangalore and you’re in Mumbai, no problem. If your client is in Bangalore and you’re in London, layered ambiguities — your registration, jurisdiction, the data location. Not addressed cleanly by the MHCA.

AI-assisted transcription. A growing question. If you record sessions and feed them to a transcription service that processes the audio off-shore, you’re disclosing mental-health information to a third party. The legality depends on consent and the specific arrangement. Best practice in 2026 is: don’t do it without explicit client consent and a written data-processing agreement with the vendor.

A practical checklist

If you want a one-page version to act on this week:

  1. Verify your practice-management tool encrypts data at rest and in transit.
  2. Add a confidentiality and disclosure paragraph to your intake form (if it isn’t there).
  3. Document your consent process in the client’s record.
  4. Plan how you’d export everything if asked — actually run the export once.
  5. Keep a simple disclosure log for the rare case it’s needed.
  6. If you supervise others, get explicit consent at intake for that.
  7. Know which state your Mental Health Review Board operates in.

The Act is more about the spirit than the technicalities for private practitioners. Treat client information as theirs, document what you do, and the rest tends to follow.

This isn’t legal advice. The Act has subtleties I haven’t covered. For anything that touches a real case, consult a supervisor or lawyer.

A practice-management tool that takes confidentiality seriously makes a lot of this easier. Ours is at mindmaster.modoware.com — and the 14-point buying checklist helps you evaluate it (or any other) against the standard the Act implies.