HIPAA Compliance for Therapists
HIPAA compliance isn’t optional — it’s the legal foundation of your practice. This guide covers everything you need to protect patient data and avoid costly violations.
What Is HIPAA & Why Does It Matter?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal law that establishes national standards for protecting sensitive patient health information. As a mental health provider, you are a Covered Entity under HIPAA if you (or a billing service or clearinghouse acting for you) transmit health information electronically in connection with a standard transaction, such as submitting claims or checking eligibility with an insurer.
HIPAA has three core rules you must comply with:
Privacy Rule
Sets standards for who can access Protected Health Information (PHI) and when.
Security Rule
Requires administrative, physical, and technical safeguards for electronic PHI (ePHI).
Breach Notification
Mandates notification of affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI, plus notification to HHS (annually for breaches affecting fewer than 500 people, within 60 days for larger ones).
“I’m a solo therapist, so HIPAA doesn’t apply to me.” This is incorrect. If you, or a billing service on your behalf, submit electronic claims or check eligibility electronically, you are a covered entity, and every system that then touches patient data (your EHR, email, digital records, phone) falls under the Privacy and Security Rules.
Required Safeguards
Administrative Safeguards
- Designate a Privacy and Security Officer — In solo practice, this is you. Document it formally.
- Conduct a Risk Assessment — At least annually, and whenever you add a system or vendor, identify and document the risks in how you store, transmit, and handle PHI, and record what you did about each one. A missing or inadequate risk analysis is among the most common findings in HHS enforcement actions.
- Develop Written Policies — Create policies for PHI access, breach response, device management, and employee training.
- Training — Train yourself and any staff on HIPAA policies annually. Document completion.
- Business Associate Agreements — Execute BAAs with every vendor who touches PHI.
Physical Safeguards
- Workstation Security — Lock screens when away, use privacy screens in public spaces.
- Device Management — Encrypt laptops, tablets, and phones. Enable remote wipe capability.
- Facility Access — Secure file cabinets, lock offices, restrict access to areas where PHI is stored.
Technical Safeguards
- Encryption — Encrypt all ePHI at rest and in transit (AES-256 or TLS 1.2+). Encryption also matters for breach response: if an encrypted laptop or phone is lost and the key was not compromised, the PHI on it is not “unsecured,” so the loss is generally not a reportable breach; an unencrypted device is.
- Access Controls — Give each user a unique login (never shared accounts) and enable two-factor authentication everywhere it is offered, especially on your EHR, email, and cloud storage.
- Audit Logs — Your EHR should maintain access logs showing who viewed, modified, or exported records. Logging alone is not enough: the Security Rule requires regular review of system activity, so schedule a periodic review and keep a note of what you checked.
- Automatic Logoff — Configure systems to auto-lock after inactivity.
- Data Backup — Maintain encrypted backups of all patient records with a recovery plan.
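The audit-log safeguard above is only useful if someone actually reads the logs. The following is an added illustrative example (not code from any EHR vendor or from this page's authors) of the kind of review a small practice can script against a log export. It assumes a simple CSV export with columns timestamp, user, action, client_id and a hand-maintained caseload mapping of which clinician treats which client; both the column layout and the sample log lines are constructed for the example, and real exports will differ. It flags three things worth a second look: access to a client record by a clinician with no treating relationship, access outside business hours, and bulk exports.

```python
"""Review an exported EHR access log for entries that merit follow-up.

Added illustrative example; not an EHR vendor's code. The CSV layout,
caseload mapping, thresholds and log lines are all constructed assumptions.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export. No real patient data.
SAMPLE_LOG = """timestamp,user,action,client_id
2024-03-04T09:15:00,dr.lee,view,C1001
2024-03-04T09:40:00,dr.lee,modify,C1001
2024-03-04T10:05:00,front.desk,view,C1002
2024-03-04T23:30:00,dr.lee,view,C1002
2024-03-05T08:00:00,dr.lee,export,C1001
2024-03-05T08:00:05,dr.lee,export,C1002
2024-03-05T08:00:09,dr.lee,export,C1003
2024-03-05T14:20:00,billing,view,C1003
"""

# Which clinician has a treating relationship with which client (constructed).
CASELOAD = {"dr.lee": {"C1001", "C1003"}, "dr.patel": {"C1002"}}
# Administrative roles that legitimately open any chart for scheduling or
# billing; the "minimum necessary" standard still applies to them.
ADMIN_ROLES = {"front.desk", "billing"}
BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumed practice hours
BULK_EXPORT_THRESHOLD = 3                     # exports per user per day


def parse_log(text):
    """Parse the CSV export and attach a datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def review_access_log(text, caseload=CASELOAD, admin_roles=ADMIN_ROLES):
    """Return a list of (finding_type, user, detail, when) tuples."""
    findings = []
    exports_per_user_day = Counter()
    for row in parse_log(text):
        user, client, ts = row["user"], row["client_id"], row["ts"]
        # 1. Clinician opened a chart of a client they do not treat.
        if user not in admin_roles and client not in caseload.get(user, set()):
            findings.append(("no_treating_relationship", user, client, row["timestamp"]))
        # 2. Activity outside the practice's normal hours.
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append(("after_hours", user, client, row["timestamp"]))
        # 3. Count exports so bulk pulls can be flagged below.
        if row["action"] == "export":
            exports_per_user_day[(user, ts.date())] += 1
    for (user, day), count in exports_per_user_day.items():
        if count >= BULK_EXPORT_THRESHOLD:
            findings.append(("bulk_export", user, f"{count} records", day.isoformat()))
    return findings


if __name__ == "__main__":
    for finding in review_access_log(SAMPLE_LOG):
        print(*finding, sep="\t")
```

None of these findings is a violation by itself; a late-night chart open may be a legitimate crisis call. The point is that each one gets a documented explanation, which is what the activity-review requirement is asking for.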
Business Associate Agreements (BAAs)
A BAA is a legally binding contract required between you and any third party that handles PHI on your behalf. Without a BAA, sharing PHI with that vendor is a HIPAA violation — even if the vendor is “HIPAA compliant.”
| Vendor Type | Examples | BAA Required? |
|---|---|---|
| EHR / Practice Management | SimplePractice, TherapyNotes, Jane App | ✓ Yes — always |
| Telehealth Platform | Zoom for Healthcare, Doxy.me | ✓ Yes — always |
| Billing Service / Clearinghouse | TherapyDial RCM, Availity, Office Ally | ✓ Yes — always |
| Cloud Storage | Google Workspace, Microsoft 365, Dropbox | ✓ Yes — if storing PHI |
| Email Service | Hushmail, Paubox, Google Workspace | ✓ Yes — if sending PHI |
| Phone / Fax | RingCentral, Spruce Health | ✓ Yes — if transmitting PHI |
| Answering Service | Various third-party services | ✓ Yes — if they hear/record PHI |
Most major EHR platforms (SimplePractice, TherapyNotes) include a BAA in their terms of service. General-purpose services usually offer one only on paid business tiers (Google Workspace, not free Gmail; Dropbox Business, not a personal account), and some require you to accept it in an admin setting before it takes effect. Always verify, then download and store a copy of each signed BAA in your compliance file.
Notice of Privacy Practices (NPP)
HIPAA requires you to provide every patient with a Notice of Privacy Practices at their first visit (or before treatment begins). The NPP must explain:
- How you use and disclose PHI
- Patient rights regarding their health information
- Your legal duties to protect PHI
- How to file a complaint with HHS or your practice
- Your contact information as the Privacy Officer
Ask each patient to sign an acknowledgment that they received the NPP and keep it on file. If a patient declines to sign, HIPAA requires only a good-faith effort: note the date you offered the NPP and that they declined.
Psychotherapy Notes: Special Protections
HIPAA provides extra protections for psychotherapy notes — your personal notes about sessions that are kept separate from the medical record. Key rules:
- Psychotherapy notes require a separate, specific patient authorization before disclosure (beyond the general consent for treatment), with limited exceptions such as your own use of them in treating the patient.
- Insurance companies cannot require psychotherapy notes as a condition of payment.
- These notes must be stored separately from the rest of the medical record.
- Progress notes, treatment plans, and diagnoses are not psychotherapy notes — they are part of the standard medical record.
Your HIPAA Compliance Checklist
📋 Complete Before Seeing Your First Patient
- Designate yourself as Privacy and Security Officer
- Complete an initial Security Risk Assessment
- Write HIPAA Privacy and Security policies
- Create a Notice of Privacy Practices (NPP)
- Create a patient intake consent + NPP acknowledgment form
- Execute BAAs with all vendors (EHR, telehealth, billing, email, storage)
- Encrypt all devices (laptop, phone, tablet) that access PHI
- Enable two-factor authentication on all systems
- Set up encrypted email or use your EHR’s secure messaging
- Configure automatic screen lock on all devices
- Set up encrypted backups for patient records
- Create a Breach Notification and Response Plan
- Document your HIPAA training (even self-training counts)
- Post your NPP on your website
Then, at minimum once per year: conduct a Security Risk Assessment, update policies, re-train staff, review BAAs, and test your breach response plan. Document everything, including the date and what you found.
Common Questions
Does HIPAA apply to a solo therapist?
Yes. Any healthcare provider who transmits health information electronically in connection with a standard transaction (for example, electronic claims, whether you send them yourself or through a billing service) is a HIPAA covered entity and must comply with all HIPAA rules.
What is a BAA, and which vendors need one?
A BAA is a legally binding contract between a covered entity (you) and a business associate (any vendor who handles PHI on your behalf). You need BAAs with your EHR provider, telehealth platform, billing service, cloud storage, email service, and any other vendor with access to patient data.
Can I email or text my clients?
Standard email (Gmail, Yahoo) and SMS are not HIPAA-compliant for sharing PHI. Use an encrypted email service or your EHR’s built-in secure messaging. If a client asks to communicate by unencrypted email or text, warn them of the risk and document their informed, written request.
What are the penalties for a violation?
Civil penalties range from $100 to $50,000 per violation (up to $1.5 million per year for identical violations), with the figures adjusted for inflation each year. Criminal penalties can include fines up to $250,000 and imprisonment. Common findings in enforcement actions against small practices include a missing or inadequate risk analysis, lost or stolen unencrypted devices, and late or absent breach notification.
Do I need a Privacy Officer and a Security Officer?
Yes. HIPAA requires every covered entity to designate a Privacy Officer and a Security Officer. In a solo practice, this is typically the therapist themselves. You must document this designation in your compliance policies.
Need Help Setting Up a Compliant Practice?
Our practice setup team will help you select HIPAA-compliant tools, create required documents, and build your compliance framework from day one.
Get Setup Assistance