HIPAA Compliance Checklist for Therapists: 2026 Complete Guide

Complete HIPAA compliance checklist for mental health providers. Covers Privacy Rule, Security Rule, BAAs, breach notification, and documentation.
Paul Cho
January 30, 2026

HIPAA (Health Insurance Portability and Accountability Act) is a federal law that requires all healthcare providers, including therapists and counselors, to protect the privacy and security of patient health information. According to the HHS Office for Civil Rights (2025), healthcare data breaches affected over 133 million individuals in 2023 alone, making HIPAA compliance more critical than ever for mental health practices.


The consequences of non-compliance are severe: fines ranging from $100 to $50,000 per violation (up to $1.5 million annually), criminal penalties including imprisonment, loss of licensure, and reputation damage that can destroy a practice.

This comprehensive guide breaks down everything therapists need to know about HIPAA in 2026, with actionable checklists you can implement immediately.

Understanding HIPAA Basics

HIPAA compliance for therapists centers on two core rules: the Privacy Rule (governing how protected health information can be used and disclosed) and the Security Rule (establishing safeguards for electronic protected health information). Every therapist who transmits health information electronically -- including those who bill insurance -- is a "covered entity" under HIPAA and must comply with both rules.

What Is HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) establishes national standards for protecting sensitive patient health information. For therapists, HIPAA primarily involves two rules:

• The Privacy Rule: Governs how protected health information (PHI) can be used and disclosed
• The Security Rule: Establishes safeguards for electronic PHI (ePHI)

The U.S. Department of Health and Human Services (HHS) enforces HIPAA through its Office for Civil Rights (OCR).

Who Must Comply?

Covered Entities include:

• Healthcare providers who transmit health information electronically (this includes most therapists who bill insurance)
• Health plans
• Healthcare clearinghouses

Business Associates are entities that perform services for covered entities involving PHI:

• Billing services
• EHR vendors
• Cloud storage providers
• Answering services
• IT consultants

If you're a licensed therapist who bills insurance electronically, you're a covered entity and must comply with HIPAA.

What Is Protected Health Information (PHI)?

PHI is any individually identifiable health information, including:

• Names
• Addresses (more specific than state)
• Dates (birth, admission, discharge, death)
• Phone numbers
• Email addresses
• Social Security numbers
• Medical record numbers
• Health plan beneficiary numbers
• Photographs
• Any unique identifying number or code

Mental health records are PHI. This includes session notes, treatment plans, diagnoses, billing records, and appointment schedules.

For substance abuse records, additional protections apply under 42 CFR Part 2.

The Privacy Rule: Complete Checklist

The HIPAA Privacy Rule establishes national standards for when and how protected health information (PHI) can be used, disclosed, and shared with third parties. For therapists, the Privacy Rule requires providing a Notice of Privacy Practices to every client, obtaining authorization before most disclosures, and maintaining documentation of all privacy-related activities for a minimum of six years.

The Privacy Rule establishes standards for how PHI can be used and disclosed.

Notice of Privacy Practices (NPP)

Requirements:

[ ] Create a written Notice of Privacy Practices
[ ] Include all required elements (see below)
[ ] Provide NPP to each new client at first service
[ ] Obtain written acknowledgment of receipt (or document good faith effort)
[ ] Post NPP prominently in your office
[ ] Post NPP on your website if you have one
[ ] Review and update NPP when practices change
[ ] Retain acknowledgment forms for 6 years

Required NPP Elements:

• How you use and disclose PHI
• Patient rights regarding their PHI
• Your duties to protect PHI
• How to file complaints
• Contact information for your privacy officer
• Effective date

Resources: The HHS model Notice of Privacy Practices provides templates.

Patient Rights Under the Privacy Rule

Right to Access: Patients can request copies of their records.

[ ] Respond to access requests within 30 days
[ ] May charge reasonable, cost-based fees for copies
[ ] Cannot deny access except in limited circumstances
[ ] Provide records in requested format if readily producible

Right to Amend: Patients can request corrections to their records.

[ ] Respond within 60 days
[ ] May deny amendment but must explain reason
[ ] If denied, patient can submit statement of disagreement

Right to Accounting of Disclosures: Patients can request a list of certain disclosures.

[ ] Track disclosures for treatment, payment, healthcare operations
[ ] Provide accounting upon request
[ ] Cover disclosures made in prior 6 years

Right to Request Restrictions: Patients can request limits on uses/disclosures.

[ ] You may decline most restriction requests
[ ] MUST honor requests to restrict disclosures to health plans for services paid out-of-pocket in full

Right to Request Confidential Communications: Patients can request communication via alternative means.

[ ] Honor reasonable requests
[ ] Example: sending correspondence to work instead of home

Minimum Necessary Standard

You should use or disclose only the minimum PHI necessary to accomplish the purpose.

[ ] Limit access to PHI based on job function
[ ] Use role-based access controls in your EHR
[ ] Train staff on minimum necessary principles
[ ] Review and limit disclosures to insurers

Exceptions (minimum necessary doesn't apply):

• Disclosures to the patient
• Disclosures authorized by the patient
• Disclosures for treatment purposes
• Disclosures required by law

Permitted Uses and Disclosures

PHI may be used/disclosed without authorization for:

[ ] Treatment
[ ] Payment
[ ] Healthcare operations
[ ] As required by law
[ ] Public health activities
[ ] Abuse/neglect reporting
[ ] Health oversight activities
[ ] Judicial proceedings (with appropriate process)
[ ] Law enforcement (limited circumstances)
[ ] Averting a serious threat to health or safety
[ ] Workers' compensation

All other disclosures require written patient authorization.

For mental health information, additional state laws may apply. See our California telehealth laws guide for state-specific requirements.

Authorization Requirements

When authorization is required, it must include:

[ ] Description of information to be disclosed
[ ] Identification of person/entity receiving information
[ ] Purpose of disclosure
[ ] Expiration date or event
[ ] Patient signature and date
[ ] Statement of right to revoke
[ ] Statement that disclosure may result in re-disclosure
[ ] Copy provided to patient

Authorizations are always required for:

• Psychotherapy notes
• Marketing communications
• Sale of PHI

Psychotherapy Notes: Special Protections

Psychotherapy notes receive extra HIPAA protection. These are notes maintained separately from the medical record that document:

• Contents of counseling sessions
• Therapist's analysis of conversation

Psychotherapy notes are NOT:

• Medication prescription/monitoring
• Session start/stop times
• Modalities/frequencies of treatment
• Results of clinical tests
• Summaries of diagnosis, treatment plan, symptoms, prognosis, progress

Authorization is required for most disclosures of psychotherapy notes, even for:

• Treatment by other providers
• Payment
• Healthcare operations

Exceptions (no authorization needed):

• Your own use for treatment
• Training programs with supervision
• Defense in legal proceedings
• Required by HHS for compliance investigations
• To avert serious threat
• Required by law (e.g., mandatory reporting)

For documentation best practices, see our SOAP notes guide and documentation requirements guide.

The Security Rule: Complete Checklist

The HIPAA Security Rule requires three categories of safeguards for electronic protected health information (ePHI): administrative safeguards (policies and procedures), physical safeguards (facility and device protections), and technical safeguards (encryption, access controls, and audit trails). The foundation of Security Rule compliance is conducting an annual risk analysis, which the HHS OCR identifies as the most common area of non-compliance among small healthcare providers.

The Security Rule applies specifically to electronic PHI (ePHI) and requires administrative, physical, and technical safeguards.

Risk Analysis and Management

The foundation of Security Rule compliance is conducting a risk analysis.

[ ] Conduct initial risk analysis
[ ] Identify all systems containing ePHI
[ ] Assess threats and vulnerabilities
[ ] Determine likelihood and impact of breaches
[ ] Document risk analysis findings
[ ] Implement security measures based on risk
[ ] Review and update annually (at minimum)
[ ] Document all risk management decisions

Resources: The HHS Security Risk Assessment Tool provides a free application for small practices.

Administrative Safeguards

Administrative safeguards are policies and procedures to manage security.

Security Management Process:

[ ] Implement policies to prevent, detect, contain, and correct security violations
[ ] Document sanctions for policy violations
[ ] Regularly review system activity (audit logs)

Workforce Security:

[ ] Implement procedures for workforce authorization
[ ] Supervise workforce access to ePHI
[ ] Terminate access upon employment termination

Information Access Management:

[ ] Implement role-based access controls
[ ] Establish access authorization policies
[ ] Document access modification procedures

Security Awareness and Training:

[ ] Provide security training to all workforce members
[ ] Include security reminders (periodic updates)
[ ] Train on password management
[ ] Train on recognizing malicious software
[ ] Train on login monitoring
[ ] Document all training

Security Incident Procedures:

[ ] Develop incident response procedures
[ ] Document and investigate all security incidents
[ ] Mitigate harm from known incidents

Contingency Plan:

[ ] Develop data backup plan
[ ] Develop disaster recovery plan
[ ] Develop emergency mode operation plan
[ ] Test and revise contingency plans periodically
[ ] Assess criticality of applications and data

Business Associate Management:

[ ] Identify all business associates
[ ] Execute Business Associate Agreements (BAAs)
[ ] Review BAAs periodically

Physical Safeguards

Physical safeguards protect physical access to ePHI.

Facility Access Controls:

[ ] Implement procedures to control facility access
[ ] Control physical access to workstations and servers
[ ] Document facility security plans

Workstation Use:

[ ] Specify proper workstation functions
[ ] Implement policies for workstation location/configuration
[ ] Position screens away from public view
[ ] Use privacy screens when appropriate

Workstation Security:

[ ] Implement physical safeguards for workstations
[ ] Secure laptops and portable devices
[ ] Use cable locks or secured areas

Device and Media Controls:

[ ] Develop policies for device disposal
[ ] Develop policies for media re-use
[ ] Maintain records of hardware movements
[ ] Create backups before moving equipment

Technical Safeguards

Technical safeguards use technology to protect ePHI.

Access Control:

[ ] Assign unique user identifications
[ ] Establish emergency access procedures
[ ] Implement automatic logoff
[ ] Implement encryption (addressable but strongly recommended)

Audit Controls:

[ ] Implement mechanisms to record and examine access
[ ] Review audit logs regularly
[ ] Retain audit logs per retention policy

Integrity Controls:

[ ] Implement mechanisms to protect ePHI from alteration/destruction
[ ] Authenticate ePHI when appropriate

Transmission Security:

[ ] Implement integrity controls for transmitted ePHI
[ ] Encrypt ePHI in transit (strongly recommended)
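The Security Rule items above ask for unique user IDs, role-based access, and regular review of audit logs, but they do not say what a review actually looks for. The following is an added example (not from the original article and not part of any EHR product) that runs a small, constructed EHR access log against a constructed role table and caseload assignment, and reports the entries a reviewer would want to see: access by an account that is no longer active, a role reading a record type it is not permitted to see, and a therapist opening clinical notes for a client outside their caseload. The user names, client IDs, record types and permissions are all assumptions for illustration.

```python
"""Review a constructed EHR access audit log against role-based access rules.

Added example for the HIPAA Security Rule audit-controls checklist. The
role table, caseload and log lines are constructed for illustration and do
not come from any real system.
"""
import csv
import io
from dataclasses import dataclass

# Constructed role permissions: which record types each role may access.
ROLE_PERMISSIONS = {
    "therapist": {"clinical_note", "treatment_plan", "schedule", "billing"},
    "billing": {"billing", "schedule"},
    "front_desk": {"schedule"},
}

# Constructed list of active accounts and their roles. An account missing
# from this table is treated as unknown or deactivated (e.g. a former employee).
ACTIVE_USERS = {"tcho": "therapist", "mlee": "billing", "rkim": "front_desk"}

# Constructed therapist-to-client assignments (the "minimum necessary" scope).
CASELOAD = {"tcho": {"C001", "C002"}}

# Constructed sample audit log in the CSV shape this example expects.
SAMPLE_LOG = """timestamp,user,client_id,record_type,action
2026-01-12T09:02:11,tcho,C001,clinical_note,view
2026-01-12T09:15:40,mlee,C001,billing,view
2026-01-12T09:20:05,rkim,C002,clinical_note,view
2026-01-12T22:47:30,tcho,C009,clinical_note,view
2026-01-13T08:01:00,jdoe,C001,schedule,view
2026-01-13T08:05:22,mlee,C002,schedule,edit
"""


@dataclass
class Finding:
    timestamp: str
    user: str
    client_id: str
    reason: str


def review_log(log_text: str) -> list[Finding]:
    """Return one Finding per log entry that violates the access rules."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, client_id, record_type = row["user"], row["client_id"], row["record_type"]
        role = ACTIVE_USERS.get(user)

        # Rule 1: every access must come from a known, active account.
        if role is None:
            findings.append(Finding(row["timestamp"], user, client_id,
                                    "access by unknown or deactivated account"))
            continue

        # Rule 2: the role must be permitted to touch this record type.
        if record_type not in ROLE_PERMISSIONS[role]:
            findings.append(Finding(row["timestamp"], user, client_id,
                                    f"role '{role}' is not permitted to access {record_type}"))
            continue

        # Rule 3: therapists only see clinical records for their own clients.
        clinical = {"clinical_note", "treatment_plan"}
        if role == "therapist" and record_type in clinical \
                and client_id not in CASELOAD.get(user, set()):
            findings.append(Finding(row["timestamp"], user, client_id,
                                    "clinical access outside assigned caseload"))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.timestamp}  {f.user:<6} {f.client_id}  {f.reason}")
```

On the constructed log this reports three entries: the front-desk account opening a clinical note, the therapist opening notes for a client not on their caseload, and an access by an account that is no longer active. Each finding is a starting point for the sanctions and incident procedures listed under the administrative safeguards, not a conclusion on its own; the review still has to confirm whether the access was authorized (for example, an emergency access procedure) before treating it as an incident.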

Encryption Recommendations

While encryption is "addressable" under HIPAA (meaning you can use alternative measures if encryption is not reasonable and appropriate), HHS strongly recommends encryption for:

[ ] Data at rest (stored data)
[ ] Data in transit (email, transmissions)
[ ] Mobile devices
[ ] Laptops
[ ] USB drives
[ ] Backup media

Properly encrypted data is not considered "unsecured PHI" and is exempt from breach notification requirements if lost or stolen.

Business Associate Agreements (BAAs)

A Business Associate Agreement (BAA) is a legally required contract between a therapist and any third-party vendor that creates, receives, maintains, or transmits protected health information on the therapist's behalf. Common business associates for therapy practices include EHR vendors, billing services, cloud storage providers, and telehealth platforms. According to HHS enforcement data (2024), failure to execute BAAs is one of the top five HIPAA violations resulting in penalties.

When Is a BAA Required?

You need a BAA with any entity that:

• Creates, receives, maintains, or transmits PHI on your behalf
• Performs functions or activities involving PHI

Common Business Associates for Therapists:

• EHR vendors
• Billing services
• Cloud storage providers (Google Drive, Dropbox, etc.)
• Email providers (if PHI is transmitted)
• Answering services
• Shredding companies
• IT support
• Accountants (if they access PHI)
• Collection agencies
• Clearinghouses

BAA Required Elements

[ ] Description of permitted uses/disclosures
[ ] Prohibition on unauthorized uses/disclosures
[ ] Appropriate safeguards requirement
[ ] Reporting of security incidents and breaches
[ ] Subcontractor assurances
[ ] Access to PHI upon request
[ ] Amendment procedures
[ ] Accounting of disclosures
[ ] Compliance with HHS investigations
[ ] Return or destruction of PHI upon termination
[ ] Individual liability for compliance

BAA Checklist

[ ] Inventory all vendors with access to PHI
[ ] Request BAAs from each vendor
[ ] Review BAA terms (don't just sign)
[ ] Negotiate unfavorable terms if possible
[ ] Execute and store BAAs securely
[ ] Track BAA expiration dates
[ ] Review BAAs when contracts renew
[ ] Document vendors who refuse to sign

Red flag: If a vendor won't sign a BAA, they may not be HIPAA-compliant. Consider alternative vendors.

Breach Notification Rule

A HIPAA breach is the unauthorized acquisition, access, use, or disclosure of protected health information that compromises patient privacy. When a breach occurs, covered entities must notify affected individuals within 60 days of discovery, and breaches affecting 500 or more individuals must also be reported immediately to HHS and local media. According to the HHS Breach Portal, small healthcare practices (including therapy offices) account for a growing share of reported breaches, primarily due to stolen devices and email-related incidents.

What Is a Breach?

A breach is acquisition, access, use, or disclosure of PHI in violation of the Privacy Rule that compromises the security or privacy of the PHI.

An impermissible use or disclosure is presumed to be a breach unless you can demonstrate a low probability that the PHI was compromised, based on four factors:

• The nature and extent of the PHI involved
• The unauthorized person who used or received the PHI
• Whether the PHI was actually acquired or viewed
• The extent to which the risk has been mitigated

Breach Notification Requirements

For breaches affecting fewer than 500 individuals:

[ ] Notify affected individuals within 60 days of discovery
[ ] Log and report to HHS annually

For breaches affecting 500+ individuals:

[ ] Notify affected individuals within 60 days
[ ] Notify HHS immediately
[ ] Notify prominent media outlets in the state

Individual Notification Content

Written notification must include:

[ ] Description of what happened
[ ] Types of information involved
[ ] Steps individuals should take
[ ] What you're doing to investigate and mitigate
[ ] Contact information for questions

Breach Response Checklist

If you discover a potential breach:

[ ] Contain the breach immediately
[ ] Document everything from the start
[ ] Conduct risk assessment (four-factor test)
[ ] Determine if notification is required
[ ] Notify individuals within 60 days if required
[ ] Notify HHS via the Breach Portal
[ ] Document all steps taken
[ ] Review and improve security measures
[ ] Consider credit monitoring for affected individuals

Documentation Requirements

HIPAA requires covered entities to retain all privacy and security documentation for a minimum of six years from the date of creation or last effective date. This includes policies, procedures, BAAs, training records, risk assessments, and breach logs. Ease Health's built-in audit logging and policy management tools help practices maintain the documentation trail HIPAA requires without manual record-keeping.

HIPAA requires extensive documentation, retained for six years.

Required Policies and Procedures

[ ] Privacy policies and procedures
[ ] Security policies and procedures
[ ] Notice of Privacy Practices
[ ] Business Associate Agreements
[ ] Risk analysis documentation
[ ] Sanctions policy
[ ] Training documentation
[ ] Incident response procedures
[ ] Contingency/disaster recovery plans

Required Records

[ ] NPP acknowledgments
[ ] Authorization forms
[ ] Access request logs
[ ] Amendment request logs
[ ] Disclosure accounting logs
[ ] Training records
[ ] Security incident logs
[ ] Risk assessments
[ ] BAA inventory

Retention Requirements

[ ] Retain HIPAA documentation for 6 years from creation or last effective date
[ ] Retain clinical records per state requirements (typically 7-10 years for adults)
[ ] Retain records for minors until several years after majority

For complete retention guidance, see our record retention guide.

Implementation Checklist: Getting Started

Phase 1: Assessment (Weeks 1-2)

[ ] Inventory all PHI (paper and electronic)
[ ] Identify all systems containing ePHI
[ ] List all workforce members with PHI access
[ ] Identify all business associates
[ ] Conduct initial risk analysis

Phase 2: Policy Development (Weeks 3-4)

[ ] Draft/update Notice of Privacy Practices
[ ] Develop written privacy policies
[ ] Develop written security policies
[ ] Create incident response procedures
[ ] Create sanctions policy
[ ] Develop contingency plans

Phase 3: Implementation (Weeks 5-8)

[ ] Execute BAAs with all vendors
[ ] Implement access controls in EHR
[ ] Configure encryption (at rest and in transit)
[ ] Set up automatic logoff
[ ] Implement audit logging
[ ] Secure physical workspace

Phase 4: Training and Communication (Weeks 9-10)

[ ] Train all workforce members
[ ] Distribute updated NPP
[ ] Collect NPP acknowledgments from patients
[ ] Post NPP in office and on website

Phase 5: Ongoing Maintenance

[ ] Review policies annually
[ ] Conduct annual risk analysis
[ ] Provide ongoing training
[ ] Monitor audit logs
[ ] Test contingency plans
[ ] Review and update BAAs
[ ] Track regulatory changes

Common HIPAA Violations for Therapists

The eight most common HIPAA violations among therapists are: missing Business Associate Agreements, unencrypted devices, improper disposal of PHI, unauthorized access by family or staff, texting PHI via standard SMS, sending PHI over unencrypted email, discussing clients in public spaces, and failing to conduct a risk analysis. According to the HHS Office for Civil Rights (2025), the majority of HIPAA enforcement actions against small providers involve preventable violations in these categories.

Lack of Business Associate Agreements

Problem: Using email, cloud storage, or other services without BAAs.

Solution: Inventory all vendors and obtain BAAs. If a vendor won't sign, find an alternative.

Unencrypted Devices

Problem: Laptops, phones, or USB drives containing PHI without encryption.

Solution: Enable full-disk encryption on all devices. Use only encrypted USB drives.

Improper Disposal

Problem: Throwing away papers with PHI or donating/selling computers without proper wiping.

Solution: Shred all paper documents. Use certified data destruction for electronics.

Unauthorized Access by Family or Staff

Problem: Allowing family members or untrained staff to access PHI.

Solution: All workforce members need training. Implement need-to-know access controls.

Texting PHI

Problem: Using standard SMS to communicate with clients about treatment.

Solution: Use HIPAA-compliant messaging platforms with BAAs.

Email Without Encryption

Problem: Sending PHI via unencrypted email.

Solution: Use email encryption or obtain client consent acknowledging risks.

Public Conversations

Problem: Discussing clients in public spaces or where others can overhear.

Solution: Never discuss PHI where unauthorized persons may hear.

Missing Risk Analysis

Problem: Never conducting a risk analysis.

Solution: Complete a risk analysis now. Use the free HHS Security Risk Assessment Tool.

HIPAA and Telehealth

Telehealth presents unique HIPAA challenges.

Platform Requirements

[ ] Use only HIPAA-compliant video platforms
[ ] Obtain BAA from platform vendor
[ ] Verify encryption (end-to-end preferred)
[ ] Configure platform security settings

HIPAA-compliant platforms typically include: Zoom for Healthcare, Doxy.me, SimplePractice Telehealth, TherapyNotes Telehealth, VSee.

Not compliant by default: FaceTime, Skype, and standard Zoom (a Zoom for Healthcare account is required).

Client-Side Security

You cannot control client environments, but you can:

[ ] Inform clients of privacy risks
[ ] Recommend a private location for sessions
[ ] Include telehealth in informed consent
[ ] Document the client's choice of location

See our California telehealth guide for state-specific telehealth requirements.

Enforcement and Penalties

Civil Penalties

Criminal Penalties

• Knowingly obtaining or disclosing PHI: Up to $50,000 and 1 year imprisonment
• Offenses under false pretenses: Up to $100,000 and 5 years imprisonment
• Intent to sell, transfer, or use PHI for commercial/personal gain: Up to $250,000 and 10 years imprisonment

State Attorneys General

State attorneys general can also bring HIPAA enforcement actions with fines up to $25,000 per violation category per year.

Frequently Asked Questions

Do I need HIPAA compliance if I don't take insurance?

If you transmit any health information electronically in connection with covered transactions (even just submitting superbills electronically on behalf of clients), you're likely a covered entity. Even if you're not technically covered, following HIPAA is best practice and may be required by state law or licensing boards.

Can I use regular Gmail for client communication?

Not for PHI without a BAA. Google offers a BAA for Google Workspace (paid plans), but you must configure it properly. Free Gmail accounts don't qualify.

What about phone calls about clients?

HIPAA doesn't prohibit phone calls, but you should take precautions: don't discuss PHI in public, verify caller identity, and be cautious about voicemails (which may be heard by others).

Do I need a designated Privacy Officer and Security Officer?

Yes, HIPAA requires you to designate individuals for both roles. The roles can be combined, so in a solo practice you can serve as both the Privacy Officer and the Security Officer.

How do I handle a records request from a lawyer?

Generally, you need a valid authorization from the client or a court order/subpoena. Consult with your own attorney and consider notifying the client. Substance abuse records have additional protections.

What if my EHR vendor has a breach?

Your BAA should require them to notify you. You still have notification obligations to your patients. This is why BAAs and vendor due diligence matter.

Is HIPAA compliance enough for state requirements?

HIPAA sets a federal floor, but state laws may be stricter. You must comply with both HIPAA and your state's requirements. When state law is more protective of privacy, state law prevails.

Ease Health's EHR platform is built with HIPAA compliance in mind, including encrypted data storage, audit logging, BAA coverage, and role-based access controls. Schedule a demo to see how we help practices maintain compliance.

Related Glossary Terms

• HIPAA: The full regulatory framework and penalty structure
• 42 CFR Part 2: Additional privacy rules for substance use records
• EHR: How EHR systems support HIPAA compliance
• Telehealth: HIPAA requirements specific to virtual care platforms
• Patient Portal: Secure patient access under HIPAA

Next steps

  • Review the key takeaways and adapt them to your practice workflow.
  • Use the details section as a checklist when you implement or troubleshoot.
  • Share this with your billing or admin team to align on process and terminology.