HIPAA Compliance for Licensed Counselors in Nashville, Tennessee — 2026 Guide
Tennessee's growing counseling market means many new LPCs setting up practices without compliance guidance. This guide covers what licensed counselors in Nashville must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in Tennessee, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.
Nashville's rapidly expanding counseling market includes a large proportion of new LPCs establishing solo practices for the first time. Many launch using free or low-cost web tools for client intake without realizing these tools require BAAs. Tennessee's new HIPAA attestation requirement for license renewal creates a formal enforcement pathway — compliance gaps will be documented in the licensing process.
$35,000
Average HIPAA fine in Tennessee
TN counseling board now requires HIPAA attestation for license renewal.
Source: HHS Office for Civil Rights enforcement data, 2025
Tennessee Law Requirements for Licensed Counselors
Nashville Licensed Professional Counselors operate under HIPAA and Tennessee Code Annotated §63-22 (the LPC licensing act), which imposes confidentiality requirements on all client communications. The Tennessee Board of Professional Counselors has added a HIPAA compliance attestation requirement to license renewal as of 2024 — meaning counselors who cannot document basic compliance elements risk license renewal denial. Tennessee's growing behavioral health market has drawn OCR Region 4 (Atlanta) attention to Nashville practices, particularly for intake-related violations involving unencrypted web forms. Tennessee law also requires records to be maintained for a minimum of 10 years after the last treatment date, exceeding HIPAA's 6-year standard for administrative records.
OCR Region 4 (Atlanta) covers Tennessee, and the Tennessee Board of Professional Counselors now requires HIPAA attestation at license renewal — creating a second formal enforcement pathway for Nashville LPC compliance.
Top HIPAA Violations for Licensed Counselors in Nashville — and How to Fix Them
These are the violations OCR most frequently cites for licensed counselors in Tennessee. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.
Client intake via unencrypted web form
HOW TO FIX IT
Switch client intake to SimplePractice's built-in client portal, which collects intake forms through a HIPAA-compliant encrypted platform covered under SimplePractice's BAA. Alternatively, use IntakeQ ($29.90/month), which is purpose-built for HIPAA-compliant intake forms and includes a BAA.
No workforce sanction policy in place
HOW TO FIX IT
Create a one-page workforce sanctions policy even as a solo practice: specify that accessing PHI outside your designated purpose results in specific consequences. Store it in your compliance files. This is required by HIPAA even for one-person covered entities.
BAA not updated after vendor changes
HOW TO FIX IT
Create a vendor management log: list every service you use, their BAA status, and the date you last reviewed it. When you change or add vendors, immediately assess BAA requirements. Keep current BAAs on file for each vendor.
The #1 Tech Compliance Gap for Licensed Counselors in Nashville
Online intake forms collected without HIPAA-compliant tool
SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.
Trusted by 225,000+ Therapists — Recommended for Licensed Counselor in Nashville
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
Licensed Counselor HIPAA Compliance Checklist — Nashville
Work through this checklist to confirm your practice meets the baseline HIPAA requirements for licensed counselors in Tennessee. Every item marked incomplete is a potential OCR audit finding.
Replace any standard web form tool (Google Forms, Typeform, JotForm standard) with a HIPAA-compliant intake form solution: SimplePractice's client portal, IntakeQ, or JotForm HIPAA plan
Create a written workforce sanctions policy — even if you have no employees, having a written policy protects you if you add staff or contractors later
Audit your vendor list and update BAAs whenever you change vendors — BAAs do not transfer between providers
Complete your Tennessee LPC renewal HIPAA attestation with accurate documentation of your compliance practices
Sign BAAs with all current vendors: EHR, email, telehealth, intake form tool, scheduling, and payment processing
Complete and document a written Security Risk Assessment
Create a written record retention policy: Tennessee law requires records for at least 10 years after the last treatment date
Post and update your Notice of Privacy Practices for the 2026 deadline
This checklist covers the most common compliance gaps for licensed counselors in Nashville. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.
Frequently Asked Questions — Licensed Counselors in Nashville
Does a licensed counselor in Nashville need to comply with HIPAA?
Tennessee's growing counseling market means many new LPCs setting up practices without compliance guidance.
What is the average HIPAA fine for therapy practices in Tennessee?
The average HIPAA fine for therapy practices in Tennessee is $35,000. TN counseling board now requires HIPAA attestation for license renewal.
What are the most common HIPAA violations for licensed counselors?
Client intake via unencrypted web form. No workforce sanction policy in place. BAA not updated after vendor changes.
What is the February 2026 HIPAA deadline?
By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.
What is SimplePractice and does it solve HIPAA compliance?
SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.
Can I use Google Forms for client intake in my Nashville counseling practice?
No — standard Google Forms is not HIPAA-compliant. Google will not sign a HIPAA BAA for free Google products. If you collect client intake information via standard Google Forms, each submission is a potential HIPAA violation. HIPAA-compliant alternatives include SimplePractice's client portal (integrated with your EHR), IntakeQ (standalone intake form platform), or JotForm's HIPAA plan. Switching is typically a 1–2 hour setup process.
What does Tennessee's new HIPAA attestation for LPC license renewal require?
The Tennessee Board of Professional Counselors requires LPCs to attest at license renewal that they are in compliance with HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. While the Board does not typically audit compliance documentation during renewal, attestation creates a formal legal record — making a false attestation a potential basis for license revocation. To complete the attestation confidently, ensure you have: a signed BAA with your EHR and major vendors, a completed Security Risk Assessment, an updated Notice of Privacy Practices, and documentation of annual HIPAA training.