What must a psychologist's patient record contain?

The individual patient record covers, at minimum: patient identification data (name, surname, PESEL number, address), data of the service-providing entity, dates of contacts, description of the interview and clinical observations, results of administered psychological tests with interpretation, the diagnostic formulation (ICD-11 or ICD-10 code), the psychotherapy or psychological treatment plan, recommendations, and information on disclosure of records to third parties. Every entry must be dated and identified with the data of the person making the entry. The test sheets themselves are usually stored separately in a test archive, with respect for the confidentiality of test methods.

Patient record management for psychologists in Poland – legal requirements

Q: Can psychological records be kept electronically?

Yes. The Minister of Health Regulation of 6 April 2020 on medical records allows records to be kept in electronic form as equivalent to paper. The IT system must, however, meet specific requirements: it must ensure the integrity of entries (protection against modification after signing), authenticity (unambiguous identification of the author, most often via a qualified electronic signature or Trusted Profile), availability of data throughout the retention period, the possibility of printing, and export in a format readable by other systems. Special-category data under GDPR Article 9 and Article 32 must be encrypted in transit (TLS 1.3) and at rest.

Q: What are the penalties for breaching record-keeping obligations?

A breach may result in several types of liability. Administrative under GDPR — the President of the Personal Data Protection Office (UODO) may impose a fine of up to EUR 20 million or 4% of annual worldwide turnover (GDPR Article 83); in practice lower but still significant fines are imposed. Civil — damages liability towards the patient for infringement of personal rights or breach of professional duties. Criminal — for knowing disclosure of professional secrecy (Article 266 of the Penal Code: fine, restriction of liberty or imprisonment up to 2 years). Professional — disciplinary proceedings if the psychologist belongs to a professional chamber or association.

Patryk Malejka, MSc in Psychology (clinical specialisation) · 26 May 2026 · Sources: Patients' Rights Act, MoH Regulation 06.04.2020, GDPR

A clinical psychologist running an independent practice in Poland is responsible for patient records on three levels: national (statutes and Ministry of Health regulations), EU (GDPR) and ethical (professional secrecy). This guide organises the legal basis, the required content of records, retention periods, and the rules for disclosing patient data.

Legal basis for record-keeping

Patient records kept by a psychologist are governed by four legal acts simultaneously. The Act of 6 November 2008 on Patients' Rights and the Patients' Rights Ombudsman imposes the obligation to keep, store and disclose medical records (Chapter 7, Articles 23–30). The Regulation of the Minister of Health of 6 April 2020 on the types, scope and templates of medical records and the manner of their processing specifies the form — full electronic record-keeping is now permitted. Regulation (EU) 2016/679 (GDPR) imposes obligations concerning special-category data (Article 9(1) and 9(2)(h): provision of healthcare) and security measures (Article 32). The Act of 19 August 1994 on Mental Health Protection introduces special procedures for the mental health area.

The Act of 8 June 2001 on the Profession of Psychologist retains a special status: provisions on professional self-government have not fully entered into force, but the obligations of professional secrecy and documentation of one's own activity remain binding. Additionally, a psychologist who does not provide services within a medical entity but conducts a business as a sole trader is subject to general regulations — the Central Register of Business Activity (CEIDG), tax law and GDPR — as a data controller.

What must the individual patient record contain

The individual patient record covers at minimum more than a dozen elements. The most important are:

Patient identification data: name, surname, PESEL number (or date of birth where not available), residential address, and for a child — the data of the statutory guardian.
Data of the service-providing entity: name, address, identifier (REGON, NIP), and data of the psychologist providing the service (name, surname, professional licence number where applicable).
Dates of contacts: first consultation, follow-up visits, scheduled dates, termination dates.
Description of the interview and clinical observations: presenting complaints, symptom history, triggers, prior treatment, family and social context.
Psychological test results with interpretation: names of instruments used, raw scores, reference norms, clinical interpretation. Test sheets themselves are stored separately in a test archive with respect for the confidentiality of test methods.
Diagnostic formulation: ICD-11 code (or ICD-10 for older records), rationale for the chosen entity, any comorbid diagnoses.
Treatment plan: psychotherapeutic or psychological goals, planned session frequency, modality (e.g. CBT, psychodynamic, systemic), expected length of the process.
Recommendations and disclosures: entries on information passed to other specialists, institutions or in connection with legal procedures.

Each entry must be dated and signed (electronically — with a qualified signature or Trusted Profile), and bear unambiguous identification of the author. Retrospective entries without a clear marking are not allowed.

Retention periods

Article 29(1) of the Patients' Rights Act sets retention periods for medical records, counted from the end of the calendar year in which the last entry was made:

20 years — the general rule for individual patient records.
30 years — in the event of the patient's death resulting from bodily injury or poisoning.
22 years — for records concerning children up to the age of two.
10 years — for X-ray images stored outside the patient's record.
5 years — for referrals or doctor's orders that have been carried out.
2 years — for referrals that have not been carried out.

After the retention period expires, the record is destroyed in a manner that prevents identification of the patient (physical destruction with a protocol; in electronic form — secure deletion in line with industry standards). Before destruction, the entity informs the patient of the possibility of collection, which in practice is rarely realised individually due to cost.

Security of special-category data

Data on mental health status are special-category data within the meaning of GDPR Article 9(1). This requires strengthened security measures under GDPR Article 32:

Encryption in transit: TLS 1.3 for every data transmission (forms, e-mail attachments, export).
Encryption at rest: full disk encryption (BitLocker, FileVault) for local devices and encryption of backup copies.
Access control: strong passwords (minimum 12 characters, mixed), two-factor authentication (2FA), restriction of access to persons authorised in writing.
Event log: recording of operations on records (who, when, what operation) with a retention period equal to the record itself.
Backup procedures: a minimum of three copies in two different locations, regular verification of recoverability.
Breach notification procedure: a 72-hour deadline for notifying the President of UODO (GDPR Article 33), and a procedure for notifying the patient if the breach causes high risk (GDPR Article 34).

A psychologist running an independent practice as a data controller bears personal responsibility for implementing these measures, regardless of the scale of activity.

Frequently asked questions

What are the legal requirements for patient record management for psychologists in Poland?

A clinical psychologist running an independent practice in Poland is subject to several legal acts at once: the Act of 6 November 2008 on Patients' Rights and the Patients' Rights Ombudsman (obligation to keep, store and disclose records), the Regulation of the Minister of Health of 6 April 2020 on the types, scope and templates of medical records (form and manner of processing), Regulation (EU) 2016/679 (GDPR) — especially Article 9 (special-category data) and Article 32 (security measures), the Act of 19 August 1994 on Mental Health Protection (special procedures), and the Act of 8 June 2001 on the Profession of Psychologist (professional secrecy).

How long must a psychologist keep patient records?

Under Article 29(1) of the Patients' Rights Act, retention periods are: 20 years from the end of the calendar year in which the last entry was made (the general rule); 30 years in the event of the patient's death resulting from bodily injury or poisoning; 22 years for records concerning children up to the age of two; 10 years for X-ray images stored outside the record; 5 years for referrals carried out. After this period the record is destroyed in a manner that prevents identification of the patient.

Can the records be kept electronically?

Yes. The Minister of Health Regulation of 6 April 2020 allows records to be kept in electronic form as equivalent to paper. The system must meet the requirements of integrity of entries (protection against modification after signing), authenticity (unambiguous identification of the author — most often via a qualified electronic signature or Trusted Profile), availability of data throughout the retention period, the possibility of printing, and export in a format readable by other systems. Special-category data must be encrypted in transit (TLS 1.3) and at rest in accordance with GDPR Article 32.

To whom may a psychologist disclose patient records?

Under Article 26 of the Patients' Rights Act, records are disclosed to: the patient or their statutory representative, a person authorised in writing by the patient, entities providing health services where treatment is continued, courts (based on a court order), prosecutors, pension authorities (ZUS, KRUS), the Supreme Audit Office and other authorised supervisory bodies. After the death of the patient, records are disclosed to a person authorised during the patient's lifetime and to a close person, unless the patient objected during their lifetime. Every disclosure requires a record entry stating the legal basis and the recipient.

What are the penalties for breaching record-keeping obligations?

A breach may result in several types of liability. Administrative under GDPR — the President of UODO may impose a fine of up to EUR 20 million or 4% of annual worldwide turnover (GDPR Article 83); in practice lower but still significant fines are imposed. Civil — damages liability towards the patient for infringement of personal rights. Criminal — for knowing disclosure of professional secrecy (Article 266 of the Penal Code: fine, restriction of liberty or imprisonment up to 2 years). Professional — disciplinary proceedings if the psychologist belongs to a professional chamber or association.

Disclaimer. This text is for information only and does not constitute legal advice. The legal state is current as of May 2026. In case of doubt, consult a lawyer or a Data Protection Officer. ICD Diagnostica is an independent platform supporting ICD-11 clinical diagnosis — see the medical disclaimer.