HIPAA
February 2, 2026
6 min read

HIPAA Requirements for Mental Health Therapists (Solo Practitioners)

HIPAA compliance guide for mental health therapists and solo practitioners. Unique requirements for therapy practices, telehealth, and patient notes.

Therapists have unique HIPAA requirements. Here's what you need to know.

Mental health therapists handle sensitive patient information, therapy notes, telehealth sessions, and billing data—all protected health information (PHI) under HIPAA. Solo practitioners face additional challenges because they're often managing compliance alone.

Why Therapists Are Different

Therapy practices face unique challenges:

  • Psychotherapy notes: Enhanced protection under HIPAA
  • Telehealth sessions: Video calls must be secure and HIPAA-compliant
  • Patient privacy: Extra sensitivity around mental health information
  • Solo practice: No compliance department to help
  • Billing services: Third-party billing requires BAAs
  • EHR systems: Therapy-specific EHRs need security controls

The problem: many solo therapists don't examine their HIPAA obligations until an OCR complaint, an audit request, or a breach forces the issue.

Therapy Practice HIPAA Checklist

1. Privacy Policies

Required:

  • Privacy Notice (Notice of Privacy Practices)
  • Patient authorization forms
  • Psychotherapy notes policy (special requirements)
  • Minimum necessary policy
  • Patient rights documentation

Therapy-specific:

  • Telehealth privacy policy
  • Session recording policy (if applicable)
  • Communication policy (email, text, phone)

2. Security Policies

Required:

  • Security policies covering all three Security Rule safeguard categories (administrative, physical, and technical)
  • Access control policies (unique logins, no shared EHR accounts, access removed when staff leave)
  • Encryption policies (encryption is an "addressable" specification under the Security Rule: implement it, or document why an alternative is reasonable and appropriate)
  • Workstation security policies (screen lock, full-disk encryption on laptops, no PHI on personal devices)

Therapy-specific:

  • Telehealth platform security
  • EHR system security
  • Session note storage security
  • Communication security (email, text)

3. Business Associate Agreements (BAAs)

Therapy practices typically need BAAs with:

  • Billing services
  • EHR providers
  • Telehealth platforms (Zoom, Doxy.me, etc.)
  • Cloud storage providers
  • IT support companies
  • Marketing agencies (if they handle patient data)
  • Answering services

Commonly missed: BAAs with telehealth platforms and billing services, and BAAs for the paid tier of a service (free consumer plans of the same product usually come with no BAA).

4. Psychotherapy Notes Protection

Special requirements:

  • Psychotherapy notes are a defined term: the therapist's own notes analyzing the content of a counseling session, kept separate from the rest of the medical record. Medication, session start and stop times, modality and frequency, test results, diagnosis, treatment plan, symptoms, prognosis, and progress belong in the progress note, not the psychotherapy note.
  • Disclosure requires a specific patient authorization; the general treatment, payment, and healthcare operations permission does not apply, and a psychotherapy-notes authorization cannot be combined with any other authorization.
  • Narrow exceptions exist without authorization: the originating therapist's own use for treatment, the practice's supervised training programs, defending a legal action brought by the patient, HHS compliance investigations, and disclosures required by law.
  • Patients have no HIPAA right of access to psychotherapy notes (state law may grant one).
  • Keep them physically or logically separate from progress notes, with access limited to the author.

Common failure: mixing psychotherapy notes into progress notes (which strips them of the special protection, since they no longer meet the definition) or using a generic authorization form.

5. Telehealth Compliance

Required:

  • A telehealth platform whose vendor will sign a BAA and that is configured for encryption in transit, authenticated sessions (waiting room, meeting passcode), and no unnecessary retention ("HIPAA-compliant" is a vendor marketing term; HIPAA certifies no product)
  • Signed BAA with the telehealth vendor
  • Documented patient consent for telehealth
  • Encrypted video connection, verified in the platform's settings rather than assumed
  • Secure storage of session recordings (if any), under the same access controls as session notes

Common failure: using consumer apps (FaceTime, Skype) whose vendors will not sign a BAA, or running a BAA-eligible platform on a plan that doesn't include one. The COVID-era OCR enforcement discretion for telehealth ended in 2023 (transition period through August 9, 2023), so this is no longer tolerated.

6. Risk Assessment

Therapy-specific risks:

  • Telehealth platform security
  • EHR system access
  • Session note storage
  • Patient communication (email, text)
  • Billing data transmission

Required: a documented risk analysis (Security Rule §164.308(a)(1)(ii)(A)) covering every system that stores or transmits PHI, with a risk management plan for each finding. The rule says "periodic"; an annual review, plus a fresh look after any change (new EHR, new telehealth vendor), is the practical standard OCR expects to see.

7. Staff Training

Required:

  • HIPAA training for all workforce members (including part-time staff, contractors, and the solo practitioner themselves)
  • Training on therapy-specific requirements
  • Training on psychotherapy notes
  • Training records maintained (date, attendee, content covered)
  • Annual refresher training (the rule requires periodic security reminders; annual is standard practice)

Common failure: incomplete training records or missing annual training. In a solo practice the record can be a dated entry that you completed the training yourself; what matters is that it exists.

Common HIPAA Violations in Therapy Practices

Based on OCR enforcement data:

  1. Missing BAAs (72% of violations)

    • No BAA with telehealth platforms
    • No BAA with billing services
    • No BAA with EHR providers
  2. Non-compliant telehealth (68% of violations)

    • Using FaceTime or Skype (vendors will not sign a BAA)
    • No patient consent for telehealth
    • Unencrypted video sessions
  3. Psychotherapy notes violations (54% of violations)

    • Disclosing without authorization
    • Mixing with progress notes
    • Inadequate access controls
  4. Incomplete training (61% of violations)

    • Missing training records
    • No annual refresher training
    • Staff doesn't understand psychotherapy notes requirements

How to Get Compliant

Step 1: Assess your current compliance

  • Review existing policies
  • Identify missing BAAs
  • Document current security measures
  • Review psychotherapy notes handling

Step 2: Create required policies

  • Privacy Notice
  • Security policies
  • Psychotherapy notes policy
  • Telehealth policy
  • Breach response plan
  • Risk assessment

Step 3: Get BAAs in place

  • Identify all vendors handling PHI
  • Get BAAs signed (especially telehealth platforms)
  • Maintain BAA records

Step 4: Secure telehealth

  • Use a platform whose vendor signs a BAA (Zoom for Healthcare, Doxy.me, etc.)
  • Get BAA with platform
  • Get patient consent
  • Document telehealth sessions

Step 5: Train your staff

  • Initial HIPAA training
  • Therapy-specific training
  • Psychotherapy notes training
  • Annual refresher training
  • Document all training

Step 6: Organize documentation

  • Central location for all HIPAA documents
  • Easy access for audits
  • Version control

HIPAA Hub for Therapy Practices

What you get:

  • ✅ All 9 required HIPAA policies (customized for therapy)
  • ✅ Psychotherapy notes policy template
  • ✅ Telehealth compliance guide
  • ✅ BAA templates for telehealth platforms and billing services
  • ✅ Risk assessment tool (therapy-specific questions)
  • ✅ Staff training modules
  • ✅ Evidence vault (organize all documentation)
  • ✅ $499/year

Value: Therapy-specific compliance without hiring a compliance officer ($50-100k/year).


This guide is based on OCR enforcement data and HIPAA regulations. For personalized compliance guidance, consider using HIPAA Hub.

Written by

HIPAA Hub Team