Three years ago, RCI registration was a checkbox question. It still is, in theory. But the practical implications for the tools you use have changed — partly because more therapists are now RCI-registered, partly because DPDP and MHCA enforcement is sharpening.
This post is a checklist for what your software stack should support if you’re RCI-registered or working under RCI-registered supervision. The Council itself doesn’t certify software. What I’m describing is what aligns with the Council’s professional-conduct framework, not a rubber stamp.
Two preliminaries:
- RCI (Rehabilitation Council of India) registers rehabilitation professionals including clinical psychologists, hearing & speech professionals, special educators, and a handful of allied roles.
- Counselling psychologists are partly RCI-recognised (the M.Phil/MA Clinical Psychology register is the most recognised cadre).
If you’re RCI-registered, this affects how you present yourself to clients, what records you must keep, and indirectly how you choose your tools. If you’re an unregistered counsellor or coach, much of this is still good practice but not a regulatory requirement.
The professional-conduct angle
The RCI’s professional-conduct framework asks members to:
- Maintain confidentiality of client information
- Keep accurate records
- Practise within their scope of training
- Avoid dual relationships
- Practise with informed consent
Three of these have software implications: confidentiality, records, and informed consent. The other two are about you, not your tools.
Confidentiality: the software requirements
If you’re RCI-registered and using software to store client information, the basics:
Encryption at rest. AES-256 is the modern standard. Your vendor should be able to state this in one sentence.
Encryption in transit. TLS 1.2 or higher. Effectively any modern tool supports this.
Access control. No shared logins. Each practitioner has their own account. Two-factor authentication enabled.
Audit trail. A record of who accessed what data when. Easier in larger tools, often absent in smaller ones.
Backup security. The same protections on backups as on the live system. This is where most practices fail without realising it — the backup is the soft underbelly.
You don’t need a specific certification (HIPAA, SOC 2, ISO 27001) for India today. You do need to be able to explain to a curious supervisor or board how you’d handle a confidentiality complaint. If the answer involves “I’m not really sure where the data is” or “everything is in my Gmail,” there’s work to do.
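The access-control and audit-trail items above, as an added example (not from this post or any vendor's product): a short Python review of an audit export that flags logins without a second factor, one account active on two devices at once (a possible shared login), and record access outside a practitioner's caseload. The CSV columns, account names and caseload map are constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample: hypothetical export columns, not any vendor's real format.
SAMPLE_AUDIT_CSV = """timestamp,account,device_id,second_factor,action,client_id
2024-03-04T09:00:00,dr.meera,laptop-A,yes,login,
2024-03-04T09:05:00,dr.meera,laptop-A,yes,view_note,C-101
2024-03-04T09:20:00,dr.meera,phone-Z,yes,login,
2024-03-04T09:25:00,dr.meera,phone-Z,yes,view_note,C-102
2024-03-04T09:40:00,dr.meera,laptop-A,yes,logout,
2024-03-04T10:00:00,intern.ravi,desktop-B,no,login,
2024-03-04T10:02:00,intern.ravi,desktop-B,no,export_client,C-101
2024-03-04T10:30:00,intern.ravi,desktop-B,no,logout,
"""
# Constructed caseload: which client records each account is expected to open.
CASELOAD = {"dr.meera": {"C-101", "C-102"}, "intern.ravi": {"C-103"}}

def load_events(text):
    """Parse the CSV export and return events in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda row: row["timestamp"])

def review(events, caseload):
    """Return (finding, account, detail) tuples worth a human follow-up."""
    findings = []
    open_devices = defaultdict(set)  # account -> devices with a live session
    for e in events:
        acct, dev, client = e["account"], e["device_id"], e["client_id"]
        if e["action"] == "login":
            if e["second_factor"] != "yes":
                findings.append(("login_without_2fa", acct, dev))
            if open_devices[acct] - {dev}:  # already signed in elsewhere
                findings.append(("concurrent_devices", acct, dev))
            open_devices[acct].add(dev)
        elif e["action"] == "logout":
            open_devices[acct].discard(dev)
        elif client and client not in caseload.get(acct, set()):
            findings.append(("outside_caseload", acct, client))
    return findings

if __name__ == "__main__":
    for finding in review(load_events(SAMPLE_AUDIT_CSV), CASELOAD):
        print(finding)
```

A concurrent-device hit is a prompt to ask, not proof of a shared login: the same practitioner on a laptop and a phone produces it too.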
Records: what and how long
The RCI doesn’t specify exact retention periods in the way some American boards do. The professional norm — and what supervisors will recommend — is:
- Active client records: kept current, accessible
- After case closure: 5 to 10 years, depending on practice
- Some practitioners keep records indefinitely (especially for cases involving minors, where retention may extend until the minor reaches a certain age plus a statutory period)
Software-wise this means:
- The tool must support archiving (so closed cases don’t clutter your active view but remain available)
- Search across archived records must work
- Export must work for the entire archive, not just active records
Most modern practice-management tools handle this. Some older or thinner ones archive into a write-only state where the records are technically present but practically unreachable. Test the archive flow during your trial.
Informed consent: build it into intake
The cleanest practice is to have a written consent process at intake that covers:
- The nature and limits of the service you offer
- Confidentiality and its exceptions (risk to self/others, court orders, etc.)
- How records are stored and who can access them
- Supervision arrangements (if applicable)
- Fees, cancellation policy, payment methods
- The client’s right to terminate at any time
Most practice-management tools let you build an intake form. Some include a templated consent paragraph; most don’t. You’ll write yours once and reuse it.
A specific RCI-aware addition: if you’re working under supervision and your supervisor reviews your notes, the consent must say so explicitly. “Your therapist may discuss your case in supervision” is a baseline; “your therapist’s supervisor may read these notes” is more honest and what your record actually supports.
Scope of practice and tool choice
The Council asks members to practise within their scope. Your software shouldn’t push you outside it.
Two real examples:
Diagnostic codes. Some practice-management tools default-prompt for a diagnostic code on every session note. If you’re not licensed to diagnose at that level (some counselling cadres aren’t), don’t enter codes you’re not authorised to assign. Better tools let you skip; worse tools demand a code as a required field. Watch for this in trials.
Prescription fields. A handful of tools include a prescription field aimed at psychiatrists. If you’re not a psychiatrist, this field is irrelevant to you. It should be hideable.
Assessment templates. Some tools include scoring for clinical assessments (PHQ-9, GAD-7, etc.). Useful if you’re trained to use them; risky if you’re not. Use what you’re trained to use; ignore the rest.
A specific RCI-friendly checklist
If you’re RCI-registered or working under RCI supervision, here’s what to confirm about your software setup:
- Encryption at rest and in transit, articulated by the vendor.
- Per-practitioner accounts with two-factor authentication.
- Audit log or equivalent of who-did-what.
- Backup with the same protections as live data.
- Archive function for closed cases, with search.
- Full export available — not just summary.
- Intake form supports informed-consent paragraphs.
- Supervision-aware access if you’re under supervision.
- Vendor has a Data Processing Agreement (or equivalent) available.
- Vendor will tell you within 72 hours of any security incident.
That’s the bar. Most well-built tools meet it. Some older ones don’t.
What MindMaster does and doesn’t have
In the interest of disclosure (we make it):
- Encryption at rest and in transit: yes.
- Per-practitioner accounts with 2FA: yes.
- Audit log: present in DB, full admin-UI surfacing on roadmap.
- Backup with equivalent protections: yes (encrypted daily snapshots).
- Archive with search: yes.
- Full export: yes (CSV + JSON, full client + session + note history).
- Intake form with consent paragraph: basic; you can paste your own.
- Supervision-aware access: limited (multi-practitioner workspaces, but no separate “supervisor view” yet).
- DPA: available on request.
- Incident notification: 48-hour standard.
You can audit us against the checklist directly. We’d rather you do that than take our word for it.
Where the regulations are heading
Three trends to watch:
DPDP enforcement. The Digital Personal Data Protection Act 2023 will increasingly bite. Practice-management tools that store data in India, with clear data-processing agreements, will become the default. Vendors that hand-wave on this will lose ground.
Cross-state telehealth licensing. Currently a counsellor in Kerala can see a client in Delhi without much regulatory friction. Expect more clarity here over the next 2-3 years.
AI-assisted note tools. A growing category. Council guidance is silent today but won’t be in two years. If you’re using AI for notes, document the consent and the workflow now so you’re not caught out when guidance lands.
A pragmatic close
Most RCI-registered practitioners run perfectly compliant practices using off-the-shelf tools. The checklist above isn’t a high bar; it’s a base. Reading the Council’s published professional-conduct material (available on the RCI website) once a year is also worth it. The framework has nuance the bullet points miss.
If you’d like to test a tool against the checklist, our trial is at mindmaster.modoware.com. Free for 30 days, no card. The audit-log surfacing is on our roadmap; the rest is in place.