HIPAA Compliance for Therapists

What Is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) is a US federal law that establishes standards for protecting sensitive patient health information. As a therapist, HIPAA applies to you if you transmit any health information electronically.

Key HIPAA Rules for Therapists

The Privacy Rule

Governs how Protected Health Information (PHI) can be used and disclosed. Key requirements:

• Clients must receive a Notice of Privacy Practices
• Obtain written authorisation before sharing PHI (with limited exceptions)
• Provide clients access to their records upon request
• Maintain a minimum necessary standard — only access PHI needed for the task

The Security Rule

Requires safeguards for electronic PHI (ePHI):

• Administrative: Risk assessments, workforce training, incident response plans
• Physical: Secure workstations, device controls, facility access
• Technical: Encryption, access controls, audit logs, automatic logoff

The Breach Notification Rule

If a breach of unsecured PHI occurs, you must:

• Notify affected individuals within 60 days
• Report to the Department of Health and Human Services (HHS)
• For breaches affecting 500+ individuals, notify the media

Practical Steps for Compliance

• Use HIPAA-compliant practice management software
• Encrypt all electronic communications containing PHI
• Sign Business Associate Agreements (BAAs) with all vendors who handle PHI
• Conduct annual risk assessments
• Train all staff on HIPAA requirements
• Maintain audit logs of who accesses client records
• Have a documented breach response plan