HIPAA Compliance for Therapists: The Complete 2026 Checklist

Galenie Team · 46 min read

A comprehensive HIPAA compliance checklist for therapists covering the Privacy Rule, Security Rule, BAAs, telehealth, AI tools, and common violations to avoid.

HIPAA compliance is not optional, and it is not simple. The Health Insurance Portability and Accountability Act governs how every therapist in the United States handles protected health information (PHI), and the consequences of non-compliance range from financial penalties to criminal prosecution. In 2024 alone, the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services settled or imposed penalties in 22 enforcement actions totaling over $7.5 million, with several cases involving small healthcare practices – including solo mental health providers.

Yet most therapists receive minimal HIPAA training during their graduate programs. A 2023 survey by the American Psychological Association found that only 34% of early-career psychologists rated their HIPAA training as “adequate” for independent practice. Licensing boards in every state require compliance but rarely provide operational guidance on how to achieve it. The result is a profession where most practitioners know HIPAA matters but are uncertain about what they are actually required to do.

This guide provides a complete, actionable HIPAA compliance checklist for therapists in private practice. It covers the Privacy Rule, Security Rule, Breach Notification Rule, Business Associate Agreements, telehealth-specific requirements, AI tool considerations, and the most common violations OCR investigates. Whether you are starting a new private practice or auditing an established one, this checklist will identify gaps before a regulator does.

What Is HIPAA and Why It Matters for Therapists Specifically

HIPAA was enacted in 1996, but the regulations that therapists deal with daily – the Privacy Rule, Security Rule, and Breach Notification Rule – were implemented between 2003 and 2013. The law applies to “covered entities,” which include health care providers who transmit any health information electronically in connection with a HIPAA-covered transaction. If you submit electronic claims, use an EHR, send electronic referrals, or transmit PHI in any digital format, you are a covered entity.

Many solo therapists assume HIPAA only applies to hospitals and large practices. This is incorrect. A solo therapist in private practice who submits a single electronic insurance claim is a HIPAA-covered entity, subject to the same rules as a hospital system. The size of the practice does not determine whether HIPAA applies – only whether the practice transmits health information electronically.

Why Therapists Face Unique HIPAA Challenges

Mental health records are among the most sensitive categories of health information. HIPAA recognises this by affording psychotherapy notes additional protection beyond standard medical records. But beyond this statutory distinction, several features of therapy practice create HIPAA risks that other healthcare settings do not face:

The intimate nature of therapy content. Therapy records often contain disclosures about abuse, substance use, sexual behaviour, suicidal ideation, and family conflict. A breach of therapy records can cause social, legal, and emotional harm that exceeds what a leaked lab report would cause.

Solo and small practice settings. Most therapists work alone or in small groups without dedicated IT or compliance staff. There is no privacy officer on payroll, no HIPAA compliance committee, and no legal department to draft policies. The therapist is the entire compliance infrastructure.

The therapist-client communication pattern. Therapists communicate with clients via email, text, phone, client portals, and video – often using personal devices and consumer-grade software. Each communication channel is a potential PHI exposure point.

Third-party tool proliferation. Modern therapy practice management involves EHRs, scheduling platforms, telehealth video tools, billing software, AI documentation assistants, cloud storage, and email marketing platforms. Every one of these tools that touches PHI requires a Business Associate Agreement and its own compliance evaluation.

Dual-relationship complexities. Therapists encounter clients in community settings, receive referrals from colleagues who ask for clinical updates, and sometimes treat family members. Each of these scenarios creates disclosure risks that require careful HIPAA analysis.

The HIPAA Privacy Rule: What Therapists Need to Know

The Privacy Rule (45 CFR Part 160 and Subparts A and E of Part 164) establishes national standards for protecting individually identifiable health information. For therapists, the Privacy Rule governs what PHI you can use and disclose, when you need client authorisation, and what rights clients have over their health information.

What Counts as PHI in a Therapy Context

Protected health information is any individually identifiable health information that is transmitted or maintained in any form – electronic, paper, or oral. In a therapy practice, PHI includes:

  • Client names, addresses, dates of birth, Social Security numbers, and contact information
  • Session dates, appointment schedules, and attendance records
  • Diagnoses, treatment plans, and progress notes
  • SOAP notes, DAP notes, and any clinical documentation
  • Billing records, insurance information, and superbills
  • Audio or video recordings of sessions
  • Transcripts generated from session recordings
  • Correspondence with the client (emails, texts, voicemails)
  • Information exchanged with other providers during referrals or coordination of care

A common misconception is that “de-identified” information is not PHI. Under HIPAA, de-identification requires removing 18 specific identifiers (including dates, zip codes, and ages over 89) or having a qualified statistician certify that the risk of re-identification is very small. Simply removing a client’s name from a case study does not make it de-identified under HIPAA.

The Minimum Necessary Standard

The Privacy Rule requires that when you use or disclose PHI, you limit it to the minimum amount necessary to accomplish the purpose. This standard applies to:

  • Disclosures to insurance companies (send only the information needed for the claim)
  • Disclosures to other providers for treatment coordination (share relevant clinical information, not the entire file)
  • Internal use (staff should only access PHI relevant to their role)
  • Responses to subpoenas and court orders (provide only what the order specifically requires)

The minimum necessary standard does not apply to disclosures for treatment purposes between providers, disclosures to the individual client, disclosures authorised by the client, or disclosures required by law.

Client Rights Under the Privacy Rule

Your clients have specific rights under HIPAA that you must honour:

Right to access. Clients have the right to inspect and obtain copies of their PHI, with limited exceptions. You must provide the records within 30 days of a written request (one 30-day extension is permitted). You may charge a reasonable, cost-based fee for copies. You may not deny access because the client has an outstanding balance.

Right to amend. Clients can request amendments to their records. You may deny the request if you determine the record is accurate, but you must provide a written denial explaining the reason and the client’s right to submit a statement of disagreement.

Right to an accounting of disclosures. Clients can request a list of disclosures you have made of their PHI in the past six years, excluding disclosures for treatment, payment, healthcare operations, or those authorised by the client.

Right to request restrictions. Clients can request restrictions on how their PHI is used or disclosed. You are not required to agree to most restrictions, but you must agree to a request to restrict disclosure to a health plan if the client pays out of pocket in full.

Right to confidential communications. Clients can request that you communicate with them through alternative means or at alternative locations (for example, calling a specific number rather than their home phone).

Right to a Notice of Privacy Practices. You must provide a written NPP at the first service delivery that explains how you use and disclose PHI, the client’s rights, and your legal duties.

Psychotherapy Notes: The Special HIPAA Protection

HIPAA provides an additional layer of protection for psychotherapy notes that many therapists misunderstand. Under 45 CFR 164.501, psychotherapy notes are defined as notes recorded by a healthcare provider who is a mental health professional documenting or analysing the contents of a counselling session, and that are separated from the rest of the medical record.

The critical word is “separated.” Psychotherapy notes must be kept apart from the client’s general medical record (including billing records, treatment plans, diagnoses, and session summaries) to receive the special HIPAA protection.

What qualifies as psychotherapy notes:
- The therapist’s personal observations, impressions, and hypotheses about the client
- Notes documenting the content of conversations during therapy sessions
- The therapist’s analysis of the therapeutic process

What does NOT qualify as psychotherapy notes (even if generated during a session):
- Medication prescription and monitoring
- Session start and stop times
- Modalities and frequencies of treatment
- Results of clinical tests
- Diagnosis, functional status, treatment plan, symptoms, prognosis
- Progress summaries

When psychotherapy notes are properly separated, a signed authorisation from the client is required before they can be disclosed – even to insurance companies, even for treatment coordination, and even pursuant to most subpoenas. This protection is stronger than the protection afforded to the rest of the medical record.

The practical implication: If you store your personal session observations in the same record as your treatment summaries and billing information, those observations lose the special HIPAA psychotherapy notes protection. Keep them separate – physically or electronically – in a designated psychotherapy notes section that is not part of the standard medical record.

The HIPAA Security Rule: Technical, Physical, and Administrative Safeguards

The Security Rule (45 CFR Part 160 and Subparts A and C of Part 164) applies specifically to electronic protected health information (ePHI). While the Privacy Rule covers PHI in any form, the Security Rule focuses on the systems, networks, and devices where ePHI lives. For therapists in 2026, nearly all PHI is ePHI – stored in EHRs, transmitted via email, processed by AI tools, and backed up in the cloud.

The Security Rule requires three categories of safeguards: administrative, physical, and technical.

Administrative Safeguards

Administrative safeguards are the policies, procedures, and workforce management activities that protect ePHI. For a solo or small therapy practice, these include:

Security Management Process. You must implement policies and procedures to prevent, detect, contain, and correct security violations. This starts with a risk assessment (more on this below) and includes written security policies, workforce sanctions for violations, and regular review of system activity.

Assigned Security Responsibility. Someone in your practice must be designated as the security officer responsible for HIPAA security. In a solo practice, this is you. Document the assignment.

Workforce Training. Every person who accesses ePHI in your practice – including administrative assistants, billing staff, and contractors – must receive HIPAA security training. Training must occur at onboarding and be refreshed periodically. Document all training with dates and content covered.

Contingency Plan. You must have a documented plan for responding to emergencies that could damage systems containing ePHI. This includes a data backup plan, a disaster recovery plan, and an emergency mode operations plan. For a solo practice, this can be straightforward: where are your backups, how do you access them if your primary system fails, and what do you do in the interim?

Risk Assessment. This is the single most important administrative safeguard and the one most commonly missing from small therapy practices. A risk assessment identifies threats to ePHI in your practice, evaluates the likelihood and impact of each threat, and documents how you mitigate each risk. OCR’s enforcement data shows that failure to conduct a risk assessment is the most frequently cited HIPAA violation – appearing in over 70% of enforcement actions.

Physical Safeguards

Physical safeguards protect the physical systems and buildings where ePHI is stored or accessed:

Facility Access Controls. Limit physical access to your office and to devices containing ePHI. This includes locking your office when unattended, securing server rooms or equipment closets, and controlling who has keys or access codes.

Workstation Use and Security. Define how workstations that access ePHI should be used and physically protected. Your computer screen should not be visible to clients in the waiting room. Devices should lock automatically after a period of inactivity. Workstations should not be left logged in and unattended.

Device and Media Controls. Establish policies for disposing of, reusing, or moving electronic media that contain ePHI. Before disposing of a computer, hard drive, USB drive, or phone, ePHI must be securely erased. Simply deleting files is insufficient – a secure wipe or physical destruction is required.

Technical Safeguards

Technical safeguards are the technology and policies that protect ePHI and control access to it:

Access Controls. Each user must have a unique identifier (username). Implement automatic logoff after a defined period of inactivity. Encryption and decryption mechanisms must be in place for ePHI at rest.

Audit Controls. Implement hardware, software, or procedural mechanisms that record and examine activity in systems containing ePHI. Your EHR should log who accessed what record and when. If you use practice management software, verify it maintains audit logs.

Integrity Controls. Implement policies and procedures to ensure that ePHI is not improperly altered or destroyed. This includes error-checking mechanisms and backup verification.

Transmission Security. Implement technical security measures to guard against unauthorised access to ePHI transmitted over electronic networks. In practical terms: use encryption for email containing PHI, ensure your telehealth platform uses end-to-end encryption, and never transmit PHI over unsecured Wi-Fi.

The Breach Notification Rule

The Breach Notification Rule (45 CFR 164.400-414) requires covered entities to notify affected individuals, the Secretary of HHS, and in some cases the media, following a breach of unsecured PHI. Understanding this rule is essential because breaches happen to practices of all sizes, and the notification obligations have strict deadlines.

What Constitutes a Breach

A breach is the acquisition, access, use, or disclosure of PHI in a manner not permitted by the Privacy Rule that compromises the security or privacy of the PHI. HIPAA presumes that any impermissible use or disclosure of PHI is a breach unless you can demonstrate a low probability that the PHI has been compromised, based on a four-factor risk assessment:

  1. The nature and extent of the PHI involved (types of identifiers and likelihood of re-identification)
  2. The unauthorised person who used or received the PHI
  3. Whether the PHI was actually acquired or viewed
  4. The extent to which the risk to the PHI has been mitigated

Common Breach Scenarios in Therapy Practices

  • Sending a clinical document to the wrong email address
  • A laptop containing unencrypted client records is stolen from your car
  • A staff member accesses client records they have no treatment reason to view
  • A hacker gains access to your EHR through a phishing attack
  • Leaving a voicemail with clinical details at the wrong number
  • A ransomware attack encrypts your client database
  • Improperly disposing of paper records containing PHI (throwing them in the regular trash)

Notification Requirements

Individual notification. You must notify each affected individual without unreasonable delay and no later than 60 days after discovering the breach. Notification must be in writing, sent by first-class mail (or email if the individual has agreed to electronic notice), and must describe the breach, the types of PHI involved, steps the individual should take, what you are doing to investigate and mitigate, and your contact information.

HHS notification. If the breach affects 500 or more individuals, you must notify the Secretary of HHS within 60 days. If the breach affects fewer than 500 individuals, you must log the breach and submit all logged breaches annually to HHS within 60 days after the end of the calendar year.

Media notification. If the breach affects 500 or more residents of a single state or jurisdiction, you must notify prominent media outlets serving that state or jurisdiction within 60 days.

The Importance of Encryption as a Safe Harbour

HIPAA’s breach notification requirements apply only to “unsecured” PHI. PHI that has been rendered unusable, unreadable, or indecipherable to unauthorised persons is considered “secured.” The primary method for securing ePHI is encryption consistent with NIST standards. If an encrypted laptop is stolen and the encryption key was not stored with the device, you likely do not have a reportable breach – the PHI was secured.

This is why encryption is not just a technical safeguard but a risk management strategy. Encrypting all devices and transmissions containing ePHI is one of the most effective steps a therapist can take to reduce breach notification exposure.
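The notification deadlines above and the encryption safe harbour can be expressed as a small decision procedure. The following is an added example, not code from the article or from Galenie; the `Incident` class, its field names and the sample incidents are constructed for illustration, and whether a real incident qualifies for the safe harbour or a "low probability of compromise" finding is a judgement the code does not make for you.

```python
"""Breach-notification obligations under the HIPAA Breach Notification Rule.

Added example (not part of the original article). It encodes the rule as the
article states it: individual and HHS notice within 60 days of discovery for
breaches of 500+ individuals, an annual log submission due 60 days after the
end of the calendar year for smaller breaches, media notice when 500+
residents of a single state or jurisdiction are affected, and no obligation
at all when the ePHI was "secured" (NIST-consistent encryption with the key
not exposed) or when a documented four-factor assessment shows a low
probability of compromise.
"""
from dataclasses import dataclass
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)   # "no later than 60 days"
LARGE_BREACH = 500                   # threshold for HHS and media notice


@dataclass
class Incident:
    """Constructed record of one breach; field names are this example's own."""
    discovered: date
    affected_by_state: dict[str, int]           # state/jurisdiction -> residents affected
    encrypted_nist: bool = False                # ePHI encrypted consistent with NIST guidance
    key_compromised: bool = False               # key stored with the device or otherwise exposed
    low_probability_of_compromise: bool = False  # documented four-factor risk assessment result

    @property
    def affected(self) -> int:
        return sum(self.affected_by_state.values())


def is_secured(inc: Incident) -> bool:
    """Safe harbour: encrypted ePHI whose key was not exposed is not 'unsecured' PHI."""
    return inc.encrypted_nist and not inc.key_compromised


def obligations(inc: Incident) -> list[tuple[str, date]]:
    """Return (obligation, deadline) pairs; an empty list means no notice is required.

    The incident must still be documented (the breach log, the risk assessment)
    even when this returns an empty list.
    """
    if is_secured(inc):
        return []   # PHI was secured: no reportable breach
    if inc.low_probability_of_compromise:
        return []   # presumption of breach rebutted; keep the assessment on file

    due = inc.discovered + NOTICE_WINDOW
    out = [("individual notice", due)]

    if inc.affected >= LARGE_BREACH:
        out.append(("HHS notice", due))
    else:
        # Sub-500 breaches go in the log and are submitted within 60 days of year end.
        year_end = date(inc.discovered.year, 12, 31)
        out.append(("HHS annual log submission", year_end + NOTICE_WINDOW))

    if any(n >= LARGE_BREACH for n in inc.affected_by_state.values()):
        out.append(("media notice", due))
    return out


if __name__ == "__main__":
    # Constructed incidents mirroring scenarios from the article.
    stolen_encrypted_laptop = Incident(date(2026, 3, 2), {"CA": 120}, encrypted_nist=True)
    misdirected_email = Incident(date(2025, 11, 10), {"CA": 1})
    ransomware = Incident(date(2026, 3, 2), {"CA": 450, "NV": 250})
    for name, inc in [("stolen encrypted laptop", stolen_encrypted_laptop),
                      ("misdirected email", misdirected_email),
                      ("ransomware", ransomware)]:
        print(name, "->", obligations(inc) or "no notification required")
```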

HIPAA and 42 CFR Part 2: Substance Abuse Records

If you treat clients with substance use disorders (SUD), you must comply with 42 CFR Part 2 in addition to HIPAA. Part 2 provides stricter protections for SUD treatment records than HIPAA does for general health information, and the two regulatory frameworks interact in ways that many therapists find confusing.

Key Differences Between HIPAA and 42 CFR Part 2

Consent for disclosure. HIPAA permits disclosure of PHI for treatment, payment, and healthcare operations without specific patient authorisation. Part 2 requires specific written consent before any disclosure of SUD records – even for treatment coordination with other providers.

Content of consent. A Part 2-compliant consent form must include the name of the patient, the name of the program making the disclosure, the name of the recipient, the purpose of the disclosure, how much and what kind of information will be disclosed, the patient’s right to revoke consent, the expiration date of the consent, and the patient’s signature and date.

Re-disclosure prohibition. Part 2 requires that any recipient of SUD information be notified that they cannot further disclose the information without the patient’s consent. This is stricter than HIPAA, which allows certain re-disclosures.

The CARES Act Alignment

The Coronavirus Aid, Relief, and Economic Security (CARES) Act of 2020 included provisions to better align 42 CFR Part 2 with HIPAA. A final rule published by SAMHSA in February 2024 implemented key changes:

  • Part 2 programs may now use and disclose SUD records for treatment, payment, and healthcare operations once a single initial consent is obtained, bringing Part 2 closer to HIPAA’s framework
  • Patients can now exercise their HIPAA right to an accounting of disclosures for SUD records
  • Antidiscrimination protections were strengthened, prohibiting the use of SUD records in civil, criminal, administrative, or legislative proceedings against the patient

These changes simplify compliance for therapists who treat SUD alongside other conditions, but the initial consent requirement remains – you still need specific written consent before any disclosure of SUD treatment information.

The Complete HIPAA Compliance Checklist for Therapists

This is the core operational reference. Use it as an annual compliance audit or as a setup guide when launching a new practice. Each item maps to a specific HIPAA requirement.

Administrative Requirements

  • Designate a Privacy Officer and Security Officer. In a solo practice, you fill both roles. Document the designation in writing with the effective date.
  • Conduct a risk assessment. Identify all locations where ePHI is created, stored, transmitted, or received. Evaluate threats to each location. Document findings and remediation plans. OCR provides a free Security Risk Assessment (SRA) Tool at healthit.gov.
  • Develop and document HIPAA policies and procedures. Minimum required policies: privacy practices, access control, breach notification, sanctions, workforce training, device management, data backup, emergency operations, and business associate management.
  • Create a Notice of Privacy Practices (NPP). The NPP must describe how you use and disclose PHI, client rights (access, amendment, accounting of disclosures, restriction requests, confidential communications, complaint process), your legal duties, and effective date of the notice. Post the NPP prominently in your office and on your website.
  • Obtain NPP acknowledgement from every client. Clients must sign that they received the NPP. If the client refuses to sign, document the refusal and the date you attempted to obtain the acknowledgement.
  • Train all workforce members. Document HIPAA training for every person who accesses PHI, including administrative staff, billing personnel, and contractors with PHI access. Training must cover privacy policies, security procedures, breach identification, and individual responsibilities. Refresh training annually and document completion dates.
  • Establish a sanctions policy. Document the consequences for workforce members who violate HIPAA policies, from verbal warning to termination, depending on severity and intent.
  • Maintain documentation for six years. HIPAA requires that policies, procedures, training records, risk assessments, BAAs, and other compliance documents be retained for a minimum of six years from the date of creation or the date last in effect, whichever is later.
  • Review and update policies annually. HIPAA compliance is not a one-time event. Conduct annual reviews of all policies, procedures, risk assessments, and BAAs. Document review dates and any changes made.
  • Establish a complaint process. Clients must be able to file complaints about your privacy practices without fear of retaliation. Document the complaint process in your NPP and designate who receives and investigates complaints.

Physical Safeguard Requirements

  • Secure your physical office. Lock doors to areas where PHI is stored or accessed. Control who has keys or access codes. Escort visitors in areas where PHI is visible.
  • Protect workstations. Position computer screens so they are not visible to clients or visitors. Enable automatic screen lock after a maximum of 5 minutes of inactivity. Never leave devices logged in and unattended.
  • Secure paper records. Store paper files containing PHI in locked cabinets. Implement a check-out/check-in system if files are removed from storage. Shred paper records containing PHI before disposal – do not put them in recycling or regular trash.
  • Secure portable devices. Laptops, tablets, phones, and USB drives that contain or access ePHI must be encrypted. Enable remote wipe capability for all mobile devices.
  • Implement a media disposal policy. Before disposing of any electronic media (hard drives, USB drives, CDs, phones), ensure ePHI is securely wiped using NIST-recommended methods or the media is physically destroyed.

Technical Safeguard Requirements

  • Assign unique user IDs. Every person who accesses systems containing ePHI must have a unique login. Do not share accounts or passwords.
  • Implement strong password requirements. Require passwords of at least 12 characters with a mix of uppercase, lowercase, numbers, and symbols. Require multi-factor authentication (MFA) for all systems containing ePHI. MFA is now considered a baseline requirement by OCR, not an optional enhancement.
  • Enable encryption. Encrypt all ePHI at rest (on devices and servers) and in transit (during email, file transfer, and telehealth sessions). Use AES-256 for data at rest and TLS 1.2 or higher for data in transit.
  • Configure access controls. Implement role-based access so that each workforce member can only access the ePHI necessary for their job function. Review access permissions when roles change or staff depart.
  • Enable audit logging. Ensure all systems containing ePHI log access events: who accessed what record, when, and what action was taken (view, edit, download, print). Review audit logs regularly and investigate anomalies.
  • Implement automatic logoff. Systems containing ePHI must automatically terminate sessions after a defined period of inactivity. A maximum of 15 minutes is a common standard.
  • Install and maintain security software. Antivirus, anti-malware, and firewall protections must be active and current on all devices that access ePHI. Enable automatic updates for operating systems and applications.
  • Establish a data backup and recovery plan. Back up ePHI regularly to a secure, encrypted location. Test restoration procedures at least annually. Document backup frequency, storage location, and retention period.
  • Segment psychotherapy notes electronically. If you maintain psychotherapy notes as defined under HIPAA, store them in a separate electronic system or a segregated section of your EHR that requires separate access authorisation.

Business Associate Requirements

  • Identify all business associates. Any person or entity that creates, receives, maintains, or transmits PHI on your behalf is a business associate. Common examples: EHR vendor, billing service, cloud storage provider, telehealth platform, email provider (if used for PHI), answering service, IT support, shredding company, and any AI tool that processes clinical content.
  • Execute BAAs with all business associates. A BAA must be in place before the business associate accesses PHI. The BAA must specify the permitted and required uses and disclosures of PHI, require the business associate to implement appropriate safeguards, require reporting of breaches, and ensure the business associate’s subcontractors agree to the same restrictions.
  • Maintain a current BAA inventory. Keep a list of all active BAAs with execution dates, expiration dates, and contact information. Review annually and update when vendors change.
  • Verify business associate compliance. A BAA does not guarantee the vendor is actually compliant. Ask vendors for their most recent SOC 2 report, penetration test results, or third-party HIPAA compliance certification. If a vendor refuses to provide evidence of their security posture, consider it a red flag.

Breach Notification Requirements

  • Develop a breach notification policy. Document the process for identifying, investigating, and reporting breaches. Include timelines, responsible parties, notification templates, and a chain of command.
  • Maintain a breach log. Track all breaches, including those affecting fewer than 500 individuals. Log the date of discovery, date of the breach, nature of the PHI involved, number of individuals affected, and remediation steps taken.
  • Know your notification deadlines. Individual notification: within 60 days of discovery. HHS notification for breaches affecting 500+: within 60 days. HHS notification for breaches affecting fewer than 500: annually, within 60 days of the end of the calendar year. Media notification for breaches affecting 500+ in a single jurisdiction: within 60 days.
  • Prepare notification templates in advance. Draft template letters for breach notification so you are not composing them under crisis pressure. Include all required elements: description of the breach, types of PHI, steps individuals should take, your remediation actions, and contact information.

Client Rights Requirements

  • Honour access requests within 30 days. Provide copies of PHI in the format the client requests, if readily producible. You may charge a reasonable, cost-based fee. Do not deny access because of unpaid bills.
  • Process amendment requests. Respond in writing within 60 days. If denied, explain the reason and inform the client of their right to submit a statement of disagreement.
  • Maintain an accounting of disclosures. Track all disclosures of PHI except those for treatment, payment, healthcare operations, disclosures authorised by the client, and other specific exceptions. Be prepared to provide the accounting within 60 days of a request.
  • Honour restriction requests. If a client pays out of pocket in full and requests that you not disclose their PHI to their health plan, you must agree to that restriction.

Business Associate Agreements: What They Are and When You Need Them

A Business Associate Agreement is a contract between a HIPAA-covered entity (you) and a business associate (any vendor or contractor that handles PHI on your behalf). The BAA is not a formality – it is a legal requirement, and its absence is itself a HIPAA violation regardless of whether a breach occurs.

When You Need a BAA

You need a BAA with any entity that:

  • Stores, processes, or transmits ePHI on your behalf (EHR vendors, cloud storage providers, backup services)
  • Provides claims processing, billing, or payment services involving PHI
  • Performs utilisation review, quality assurance, or practice management functions involving PHI
  • Provides legal, actuarial, accounting, consulting, data aggregation, management, administration, or financial services involving PHI
  • Provides IT support with access to systems containing ePHI
  • Provides answering services, appointment scheduling services, or transcription services involving PHI
  • Provides AI-powered tools that process clinical content (see AI section below)

When You Do NOT Need a BAA

You do not need a BAA with:

  • Other treating providers to whom you disclose PHI for treatment purposes (they are covered entities in their own right)
  • A client’s family members or personal representatives (they are not business associates)
  • Health plan payers for payment purposes (they are covered entities)
  • Cleaning staff, unless they have access to PHI (a cleaning crew that empties trash bins near unlocked file cabinets is a grey area – secure the cabinets)

What a BAA Must Contain

A valid BAA must include:

  1. A description of the permitted and required uses of PHI by the business associate
  2. A provision that the business associate will not use or disclose PHI other than as permitted by the agreement or as required by law
  3. A requirement that the business associate use appropriate safeguards to prevent impermissible use or disclosure
  4. A requirement to report any breach or security incident to you
  5. A requirement that the business associate ensure its subcontractors agree to the same restrictions and conditions
  6. A provision that the business associate will make PHI available to you to satisfy client access requests
  7. A provision that the business associate will make PHI available for amendment
  8. A provision that the business associate will make information available for an accounting of disclosures
  9. A provision that the business associate will make its practices, books, and records available to HHS for compliance determination
  10. At termination, a requirement to return or destroy all PHI received from or created on behalf of the covered entity

Common BAA Mistakes

Assuming a vendor’s “HIPAA compliant” marketing claim replaces a BAA. It does not. A vendor can claim compliance all day long, but without a signed BAA, you are in violation.

Using a generic BAA template without customisation. While HHS provides sample BAA language, your BAA should be specific to the services each vendor provides and the types of PHI they access.

Failing to update BAAs when services change. If a vendor adds new features that involve PHI (for example, your scheduling tool adds a clinical notes feature), your BAA needs to be updated to cover the new PHI use.

Not maintaining BAAs for terminated relationships. You must retain BAA documentation for six years, even after the relationship ends. The BAA should specify whether the business associate will return or destroy PHI upon termination.

HIPAA and Telehealth: Special Considerations

The rapid adoption of telehealth therapy has created a set of HIPAA compliance challenges that did not exist before 2020. The COVID-era enforcement discretion that OCR exercised regarding telehealth platforms ended in late 2023, and all telehealth services are now subject to full HIPAA enforcement.

Platform Selection

The most critical telehealth compliance decision is platform selection. Consumer video tools – including standard Zoom, FaceTime, Google Meet (free tier), WhatsApp, and Facebook Messenger – are not HIPAA compliant because they do not sign BAAs, may not provide adequate encryption, and lack the audit logging required by the Security Rule.

HIPAA-compliant telehealth requires:

  • A platform vendor that will execute a BAA
  • Encryption of ePHI at rest and in transit (AES-256 at rest, TLS 1.2 or later in transit)
  • Individual user authentication with MFA
  • Automatic session timeouts
  • Audit logging of access events
  • Waiting room functionality to prevent unauthorised session access

Beyond your standard informed consent form, telehealth sessions require additional consent disclosures:

  • The specific risks of telehealth (technology failure, reduced ability to assess nonverbal cues, potential for unauthorised access to the transmission)
  • Who may be present in the room on either end of the session
  • Whether sessions will be recorded, and if so, how recordings will be stored and disposed of
  • The emergency protocol if the client experiences a crisis during a telehealth session (including the client’s physical location and local emergency contacts)
  • The technology failure protocol (how the session will be continued if the video connection drops)

Home Office Compliance

If you conduct telehealth sessions from a home office, the same HIPAA physical safeguards apply as in a clinical setting:

  • The space must be private, with a door that closes and where conversations cannot be overheard by household members
  • Your screen must not be visible to others
  • Work devices must be separate from family devices, or you must implement a HIPAA-compliant mobile device management policy
  • Your home Wi-Fi network must be secured with WPA3 (or at minimum WPA2) encryption and a strong password
  • Other members of the household should not have access to your work devices

Cross-State Telehealth Compliance

If you provide telehealth services to clients in other states, you must comply with the HIPAA requirements as well as the privacy laws of the client’s state. Some states have privacy protections that exceed HIPAA (see the state-specific considerations section below). You must also hold a valid license in the client’s state unless an interstate compact exemption applies.

HIPAA and AI Tools in Therapy Practice

The emergence of AI-powered tools for therapy practice management – including ambient session documentation, clinical note generation, and scheduling automation – has introduced a new category of HIPAA compliance risk that many therapists are not adequately addressing.

AI Tools as Business Associates

Any AI tool that processes, stores, or transmits PHI is a business associate and requires a BAA. This includes:

  • AI documentation tools that generate clinical notes from session recordings or dictation
  • AI transcription services that convert session audio to text
  • AI-powered scheduling assistants that access client information
  • AI chatbots or intake tools that collect health information from clients
  • AI analytics tools that process clinical data for outcomes tracking

The AI vendor must sign a BAA, and the BAA must specifically address how PHI is used in AI model training. A critical question to ask any AI vendor: Is client data used to train or fine-tune your AI models? If the answer is yes, this is a HIPAA concern because it constitutes a use of PHI beyond the direct purpose of providing services to the client.

Specific AI Compliance Requirements

Consent for AI processing. While HIPAA does not specifically require separate consent for AI processing (as opposed to general electronic processing of PHI), best clinical practice and ethics codes increasingly call for explicit client consent before AI tools process their session data. Clients should understand what AI tools are being used, what data they process, and how the output is used in their care.

Data residency and storage. Know where the AI vendor stores and processes your clients’ data. If data is processed outside the United States, additional compliance considerations may apply. Some state privacy laws and professional ethics standards require that client data remain within U.S. borders.

AI output in the medical record. When AI generates clinical documentation, the therapist is responsible for reviewing and verifying the accuracy of the output before it becomes part of the medical record. An AI-generated note that contains inaccuracies – misattributed statements, fabricated clinical observations, or incorrect diagnoses – is your liability, not the AI vendor’s.

Model transparency. Under emerging best practices, therapists should be able to explain to clients, in general terms, how AI tools process their data. “A computer generates the first draft of my session notes from the recording” is a sufficient explanation. “I do not know what happens to your data” is not.

Platforms like Galenie are built from the ground up with HIPAA compliance as a foundational requirement, including signed BAAs, end-to-end encryption, and AI features that keep PHI within a controlled, auditable environment – so therapists can benefit from AI-assisted documentation without compromising compliance.

Common HIPAA Violations by Therapists and How to Avoid Them

OCR’s enforcement actions and complaint data reveal patterns of HIPAA violations that recur across mental health practices. Understanding these patterns is the most practical way to avoid them.

1. Failure to Conduct a Risk Assessment

How it happens: The therapist assumes that having an EHR and shredding paper records constitutes HIPAA compliance. No formal risk assessment has ever been conducted.

Why it matters: A risk assessment is the foundational requirement of the Security Rule. Without it, you cannot identify what threats exist to your ePHI or whether your safeguards are adequate. OCR has consistently cited this as the most common HIPAA deficiency.

How to avoid it: Conduct a thorough risk assessment at practice launch and update it annually. Use OCR’s free SRA Tool or hire a HIPAA consultant for a professional assessment. Document everything.

2. Impermissible Disclosures to Family Members

How it happens: A parent calls asking about their adult child’s therapy. A spouse emails asking when their partner’s next appointment is. The therapist provides the information without verifying authorisation.

Why it matters: Adults are entitled to the full protection of their PHI, regardless of family relationships. Even confirming that someone is your client is a disclosure of PHI.

How to avoid it: Establish a policy that no information – including the existence of a therapeutic relationship – is disclosed to anyone without a signed authorisation from the client, a valid legal order, or a mandatory reporting obligation. Verify the identity of anyone requesting information and the scope of any authorisation on file.

3. Unsecured Electronic Communications

How it happens: The therapist sends session notes via unencrypted email, texts appointment reminders that include clinical details, or uses a messaging app without a BAA to communicate with clients about their treatment.

Why it matters: Each transmission of PHI via an unsecured channel is a potential violation of the Security Rule’s transmission security requirement and, if the message reaches an unintended recipient, a breach.

How to avoid it: Use a secure client portal for all clinical communications. If you must use email, use an encrypted email service with a signed BAA. Limit text messages to logistics (appointment times) and never include clinical content. Never use consumer messaging apps (iMessage, WhatsApp, Facebook Messenger) for clinical communications.

4. Lost or Stolen Unencrypted Devices

How it happens: A laptop containing client records is stolen from a car. A phone with access to the EHR is lost at a conference. A USB drive with backup data is misplaced.

Why it matters: An unencrypted lost or stolen device is a reportable breach, potentially affecting every client whose information is on the device. This is one of the most common breach categories reported to OCR.

How to avoid it: Encrypt all devices that contain or access ePHI. Enable remote wipe capability. Do not store ePHI on USB drives. Enable full-disk encryption on laptops (BitLocker for Windows, FileVault for Mac). Use strong device passwords and biometric authentication.

5. Lack of Business Associate Agreements

How it happens: The therapist signs up for a cloud storage service, a scheduling tool, or an AI note-taking app without executing a BAA. The vendor’s website says “HIPAA compliant,” and the therapist assumes that is sufficient.

Why it matters: Using a vendor to process PHI without a BAA is itself a HIPAA violation, separate from any breach that may occur. OCR does not accept “I thought they were compliant” as a defence.

How to avoid it: Before using any tool or service that will touch PHI, confirm the vendor will sign a BAA. Maintain a current inventory of all BAAs. Review the inventory when adding or changing tools. When choosing practice management software, make BAA availability a non-negotiable selection criterion.

6. Improper Disposal of PHI

How it happens: Paper records are thrown in regular office trash. Old computers are donated without wiping the hard drive. A hard drive is “deleted” (files removed from the desktop) rather than securely erased.

Why it matters: PHI in the trash is accessible to anyone. Data on a disposed device can be recovered with commercially available tools. OCR has imposed penalties on providers for dumpster-accessible records.

How to avoid it: Cross-cut shred all paper records. Securely wipe or physically destroy electronic media before disposal. Work with a certified data destruction vendor for large-scale disposal. Document all destruction activities.

7. Sharing PHI in Non-Secure Locations

How it happens: Discussing a case in detail on a phone call in a public coffee shop. Reviewing client records on a laptop in an airport lounge. Having a clinical consultation in an open hallway.

Why it matters: Oral disclosures of PHI in public spaces violate the Privacy Rule. Visual exposure of PHI on a screen in a public area violates the Security Rule’s workstation use standards.

How to avoid it: Conduct clinical discussions only in private settings. Use privacy screens on laptops when working in shared spaces. Never access client records on public Wi-Fi without a VPN. Be aware of your surroundings before opening files containing PHI.

8. Social Media Disclosures

How it happens: A therapist posts about a “challenging case” with enough detail that the client could be identified. A therapist responds to a Google review by referencing the therapeutic relationship. A therapist “likes” a client’s social media post, implicitly confirming the therapeutic relationship.

Why it matters: Any information that could identify a person as your client is PHI. Responding to an online review – even to defend yourself – is a disclosure. Social media interactions with clients create both HIPAA and boundary issues.

How to avoid it: Never reference specific clients on social media, even with details changed. Never respond to client reviews with any information that acknowledges the therapeutic relationship. Establish a social media policy as part of your informed consent process. If you use social media for ethical marketing, keep marketing content and clinical information completely separate.

HIPAA Enforcement: Penalties and What Happens When You Get Audited

Understanding the enforcement landscape helps therapists calibrate their compliance efforts to the actual regulatory risk.

The Penalty Structure

HIPAA penalties are tiered based on the level of culpability:

| Tier | Level of Culpability | Penalty per Violation | Annual Cap |
|---|---|---|---|
| 1 | Did not know and could not reasonably have known | $137 – $68,928 | $2,067,813 |
| 2 | Reasonable cause (not willful neglect) | $1,379 – $68,928 | $2,067,813 |
| 3 | Willful neglect, corrected within 30 days | $13,785 – $68,928 | $2,067,813 |
| 4 | Willful neglect, not corrected | $68,928 – $2,067,813 | $2,067,813 |

Note: Penalty amounts are adjusted annually for inflation. The figures above reflect 2024-2025 adjustments.

Criminal penalties also exist for knowing violations. The DOJ can pursue criminal charges resulting in fines up to $250,000 and imprisonment of up to 10 years for violations committed with the intent to sell, transfer, or use PHI for commercial advantage, personal gain, or malicious harm.

How OCR Investigations Are Triggered

Most OCR investigations originate from one of three sources:

Complaints. Any person can file a HIPAA complaint with OCR. A disgruntled client, a former employee, or a competitor can initiate an investigation with a simple online form. OCR investigates all complaints that meet jurisdictional requirements.

Breach reports. When you report a breach to OCR (as required by the Breach Notification Rule), OCR may investigate the circumstances of the breach. Breaches affecting 500+ individuals are virtually certain to trigger an investigation.

Compliance reviews. OCR conducts periodic compliance audits. While these have historically been less common than complaint-driven investigations, OCR signalled in 2024 that it would increase proactive audits of small healthcare providers, including mental health practices.

What Happens During an OCR Investigation

  1. Notification. OCR sends a letter or email notifying you of the investigation and requesting specific documentation.
  2. Data request. OCR will request copies of your HIPAA policies, risk assessment, BAAs, training records, breach logs, and any other relevant documentation. You typically have 30 days to respond.
  3. Review. OCR reviews your documentation and may request additional information or interviews.
  4. Determination. OCR determines whether a violation occurred. Possible outcomes include:
     • No violation found
     • Technical assistance (education without penalty, typically for first-time, low-severity violations)
     • Resolution agreement with a corrective action plan and financial settlement
     • Civil monetary penalty (for uncooperative entities or repeat violations)
  5. Corrective action. If a violation is found, you will likely be required to implement a corrective action plan with specific remediation requirements and ongoing monitoring for one to three years.

Practical Perspective on Enforcement

OCR receives over 30,000 complaints per year and has limited enforcement resources. Most investigations of small practices result in technical assistance or voluntary corrective action rather than financial penalties. The practices that face significant penalties are typically those that demonstrate willful neglect, refuse to cooperate with OCR, or have caused substantial harm through repeated or systemic failures.

This does not mean compliance is optional – it means that good-faith efforts to comply substantially reduce your risk. Conducting a risk assessment, documenting your policies, training your staff, executing BAAs, and encrypting your devices will position your practice favourably in the unlikely event of an OCR investigation.

Recent HIPAA Updates and Changes for 2026

HIPAA regulations continue to evolve. Therapists should be aware of the following recent and anticipated changes:

The HIPAA Security Rule Update (NPRM)

In late 2024, HHS published a Notice of Proposed Rulemaking (NPRM) to update the HIPAA Security Rule for the first time since 2013. The proposed changes reflect the dramatic shift in cybersecurity threats since the rule was last updated. Key proposed changes include:

Elimination of the “addressable” vs. “required” distinction. Under the current Security Rule, some implementation specifications are “required” and others are “addressable” (meaning you can implement an alternative measure if the specification is unreasonable or inappropriate). The proposed rule would make all specifications required, with limited exceptions documented through a formal assessment process.

Mandatory encryption. The proposed rule would require encryption of all ePHI at rest and in transit, removing the current “addressable” status. This is already best practice, but the change would make it a hard legal requirement.

Technology asset inventory. Covered entities would be required to maintain an inventory and network map of all technology assets that create, receive, maintain, or transmit ePHI, updated at least annually.

Patch management requirements. The proposed rule would require critical patches to be applied within 15 days and high-priority patches within 30 days.

Multi-factor authentication. MFA for all systems accessing ePHI would be required, not just recommended.

Annual compliance audits. Covered entities would need to conduct annual internal compliance audits, and business associates would be required to verify their compliance to covered entities annually.

While these changes are not yet final as of early 2026, therapists should treat the proposed requirements as a preview of the compliance standard and begin working toward them now. The final rule is expected to be published in 2026 and will include an implementation period for covered entities.

The HIPAA Privacy Rule Proposed Updates

HHS also proposed updates to the Privacy Rule aimed at strengthening reproductive health privacy protections. Under the proposed changes, covered entities and business associates would be prohibited from using or disclosing PHI for the purpose of investigating or imposing liability on individuals seeking, obtaining, providing, or facilitating lawful reproductive healthcare. While this is not specific to mental health, therapists who treat clients dealing with reproductive health issues should be aware of these protections.

Increased OCR Enforcement Focus Areas for 2026

Based on OCR’s enforcement actions and public statements, the following areas are receiving heightened scrutiny:

  • Risk analysis compliance – OCR continues to flag absent or inadequate risk assessments as the top deficiency
  • Right of access – OCR’s Right of Access Initiative, launched in 2019, has resulted in over 45 enforcement actions against providers who failed to provide timely access to records. Mental health providers have been specifically targeted
  • Online tracking technologies – OCR issued guidance in 2022 (updated in 2024) warning that tracking technologies on provider websites (such as Meta Pixel, Google Analytics, and session replay tools) may transmit PHI to third parties without authorisation. If your practice website uses these technologies, evaluate whether they transmit identifiable health information
  • Cybersecurity incidents – With ransomware attacks against healthcare providers increasing by over 100% between 2022 and 2024, OCR is investigating breaches resulting from inadequate cybersecurity controls with greater intensity
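As an added example (not code from the article or from Galenie), the following Python script inspects a page's HTML for the tracker families named in OCR's guidance so you can inventory what your practice website loads before deciding whether any of it transmits identifiable health information. The tracker host list, the inline-call patterns and the sample booking page are constructed assumptions; extend the list for your own site.

```python
"""Inventory third-party tracking technologies on a practice website page.

Added example for the OCR tracking-technology guidance above. The tracker host
list, inline patterns and sample page are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed starting list (assumption): host suffix -> tracker family.
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "facebook.com": "Meta Pixel",
    "googletagmanager.com": "Google Tag Manager / gtag",
    "google-analytics.com": "Google Analytics",
    "hotjar.com": "Session replay (Hotjar)",
    "fullstory.com": "Session replay (FullStory)",
}

# Inline JavaScript calls that initialise the same trackers (assumed patterns).
INLINE_PATTERNS = {
    re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"): "Meta Pixel (inline fbq init)",
    re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"): "Google Analytics (inline gtag config)",
}


def classify_host(host):
    """Return the tracker family for a host, or None if it is not a known tracker."""
    host = host.lower()
    for suffix, family in TRACKER_HOSTS.items():
        if host == suffix or host.endswith("." + suffix):
            return family
    return None


class TrackerScanner(HTMLParser):
    """Collects script/img/iframe sources and inline script bodies from one page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []            # (family, evidence) tuples in document order
        self.other_third_party = set()  # external hosts not in TRACKER_HOSTS
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
        src = attrs.get("src")
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            family = classify_host(host)
            if family:
                self.findings.append((family, f"<{tag} src={src}>"))
            elif host and host != self.first_party_host:
                self.other_third_party.add(host)  # unknown third party: review manually

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # Script bodies arrive here; look for tracker bootstrap calls.
        if self._in_script:
            for pattern, family in INLINE_PATTERNS.items():
                if pattern.search(data):
                    self.findings.append((family, "inline script"))


def scan_page(html, first_party_host):
    """Return {'trackers': [...], 'other_third_party_hosts': [...]} for one page."""
    scanner = TrackerScanner(first_party_host)
    scanner.feed(html)
    seen, trackers = set(), []
    for finding in scanner.findings:
        if finding not in seen:
            seen.add(finding)
            trackers.append(finding)
    return {"trackers": trackers,
            "other_third_party_hosts": sorted(scanner.other_third_party)}


# Constructed sample: a booking page that loads gtag, Meta Pixel and a CDN script.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'G-EXAMPLE');
</script>
<script>
  fbq('init', '0000000000');
  fbq('track', 'PageView');
</script>
<script src="https://cdn.example-practice.test/app.js"></script>
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=0000000000"/></noscript>
<h1>Book an appointment: anxiety and depression counselling</h1>
</body></html>"""

if __name__ == "__main__":
    report = scan_page(SAMPLE_PAGE, "www.example-practice.test")
    for family, evidence in report["trackers"]:
        print(f"{family}: {evidence}")
    print("Other third-party hosts to review:", report["other_third_party_hosts"])
```

Run it against the saved HTML of each public page and of any page a client reaches after logging in or booking, since a URL or page title on those pages can itself identify someone as a client.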

State-Specific Considerations

HIPAA sets the federal floor for health information privacy, but state laws can and often do provide stronger protections. Where state law is more protective than HIPAA, the state law prevails. Therapists must comply with both frameworks simultaneously.

States with Notably Stricter Privacy Protections

California. The California Consumer Privacy Act (CCPA) / California Privacy Rights Act (CPRA) provides broader privacy rights than HIPAA in some contexts. The Confidentiality of Medical Information Act (CMIA) imposes additional consent requirements for disclosure of medical information and provides a private right of action (individuals can sue providers directly for violations, unlike HIPAA). California also requires specific consent for disclosure of mental health records and HIV/AIDS-related information.

New York. New York Mental Hygiene Law Section 33.13 provides stricter confidentiality protections for mental health records than HIPAA, requiring client consent for most disclosures even when HIPAA would permit them without consent. New York also restricts re-disclosure of mental health information more stringently than HIPAA.

Texas. Texas Health and Safety Code Chapter 611 provides specific confidentiality protections for mental health records that exceed HIPAA in several areas, including requiring patient consent for disclosures that HIPAA would permit under the treatment, payment, or healthcare operations exception.

Connecticut. Connecticut’s data privacy act and mental health record protections provide additional layers beyond HIPAA, including specific requirements for mental health record disclosure and patient access.

Massachusetts. Massachusetts regulations (201 CMR 17.00) impose specific data security requirements that apply to any entity holding personal information of Massachusetts residents, including encryption requirements for portable devices and transmitted records.

Practical Guidance

Given the complexity of state-by-state compliance, therapists should:

  1. Identify the states where their clients reside (especially relevant for telehealth practices)
  2. Research the mental health privacy laws in each of those states
  3. When HIPAA and state law conflict, apply whichever standard provides greater protection to the client
  4. Consult with a healthcare attorney licensed in your state(s) of practice for specific guidance
  5. Document which state laws you have reviewed and how your policies account for them

Building a Culture of Compliance

HIPAA compliance is not a checklist you complete once and file away. It is an ongoing operational discipline that must be embedded in your daily workflow.

Annual Compliance Calendar

| Month | Activity |
|---|---|
| January | Review and update all HIPAA policies and procedures |
| February | Conduct annual risk assessment (or update previous assessment) |
| March | Review and renew all Business Associate Agreements |
| April | Conduct annual HIPAA training for all workforce members |
| May | Review physical safeguards (office security, device inventory) |
| June | Test data backup and recovery procedures |
| July | Review technical safeguards (access controls, encryption, audit logs) |
| August | Review and update Notice of Privacy Practices if needed |
| September | Review breach notification policies and update contact lists |
| October | Conduct internal compliance audit |
| November | Review telehealth-specific compliance (platforms, consent, documentation) |
| December | Compile annual breach log report; submit to HHS if applicable |

Integrating Compliance into Daily Practice

The most effective compliance strategy is making HIPAA adherence part of your standard workflow rather than an overlay you think about separately:

  • Use HIPAA-compliant practice management software that builds compliance into its architecture – platforms like Galenie handle encryption, audit logging, access controls, and BAA requirements as default features, so compliance is not an additional task
  • Include HIPAA-related items in your client intake process so that NPP acknowledgement and consent are captured systematically
  • Use encrypted communication channels as your default, not as an exception
  • Build documentation habits that naturally separate psychotherapy notes from treatment records
  • Conduct five-minute security checks at the end of each day: Is your office locked? Are screens off? Are devices secured? Are paper records filed?

When to Hire a HIPAA Consultant

Consider engaging a HIPAA consultant or healthcare attorney if:

  • You are launching a new practice and want to build compliance correctly from the start
  • You are implementing new technology (AI tools, telehealth platforms, new EHR) that changes how you handle PHI
  • You have experienced a breach and need guidance on notification and remediation
  • You receive a complaint or investigation notice from OCR
  • You are expanding into telehealth across state lines and need to navigate multi-state compliance
  • Your practice is growing and you are hiring staff who will access PHI
  • You have not conducted a formal risk assessment in over two years

Key Takeaways

HIPAA compliance for therapists is a structured, manageable process when approached systematically. The essential actions are:

  1. Conduct a risk assessment – this is the single most important step and the most commonly missing one
  2. Document everything – policies, training, BAAs, breach logs, risk assessments. If it is not documented, it did not happen from a compliance perspective
  3. Execute BAAs with every vendor that touches PHI – EHR, scheduling, telehealth, email, cloud storage, AI tools, shredding services
  4. Encrypt all ePHI at rest and in transit – this is your most effective protection against breach notification obligations
  5. Separate psychotherapy notes from the general medical record to preserve their additional HIPAA protection
  6. Train your workforce and document the training annually
  7. Know the rules for your state(s) – HIPAA is the floor, not the ceiling
  8. Stay current – the HIPAA Security Rule update is coming, and OCR’s enforcement priorities evolve each year
  9. Build compliance into your daily workflow rather than treating it as a periodic exercise

HIPAA compliance is ultimately about protecting your clients’ most sensitive information. The same therapeutic values that drive your clinical work – trust, safety, respect for autonomy, and professional integrity – are the values that HIPAA compliance operationalises. A well-run practice is a compliant practice, and a compliant practice is one that clients can trust completely.


This article is for educational purposes and does not constitute legal advice. HIPAA regulations are complex and subject to change. Consult a qualified healthcare attorney for guidance specific to your practice, state, and circumstances.
