Therapy HIPAA Hub
CRITICAL URGENCY — California

HIPAA Compliance for Marriage & Family Therapists in San Diego, California — 2026 Guide

California MFTs must navigate HIPAA, CMIA, and complex family privacy rules simultaneously. This guide covers what marriage & family therapists in San Diego must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in California, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.

San Diego MFTs are located in a high-military-population area, which means many practices serve active-duty military families with children — a demographic with especially complex record authorization chains. California's strict CMIA breach notification requirement of 5 business days is particularly challenging for MFTs who manage complex multi-family records.

$47,000

Average HIPAA fine in California

California BBS has increased audits of MFT practices in 2025.

Source: HHS Office for Civil Rights enforcement data, 2025

California Law Requirements for Marriage & Family Therapists

San Diego MFTs operate under the most complex family privacy framework in the country: HIPAA, California CMIA, California Family Code provisions governing child records in custody disputes, and the California BBS's MFT-specific practice standards. CMIA adds breach notification obligations and patient access rights beyond HIPAA. For MFTs seeing children in custody disputes, California Family Code §3025 governs which parent can authorize record disclosure — and courts have interpreted this inconsistently, making a written policy and legal consultation essential. The California BBS has significantly increased audit frequency for MFT practices since 2025, with couples record separation and child consent authorization as the primary audit targets.

The California BBS conducts MFT-specific audits in San Diego and has increased audit frequency in 2025, with couples record separation and child consent authorization as the primary audit targets.

Top HIPAA Violations for Marriage & Family Therapists in San Diego — and How to Fix Them

These are the violations OCR most frequently cites for marriage & family therapists in California. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.

1

Joint vs individual records not properly separated

HOW TO FIX IT

Create individual SimplePractice profiles for each partner and each child in family therapy. Use the platform's case feature to link them administratively for billing purposes while maintaining completely separate clinical records for each individual.

2

Child records access by divorced parents

HOW TO FIX IT

Create a standard custody dispute records policy: when a parent requests records in a custody context, confirm legal custody status via legal documentation before releasing records. Never release a child's records based on a verbal representation of custody rights.

3

No clear policy for subpoenas of couples notes

HOW TO FIX IT

Draft a subpoena response policy with a California healthcare attorney. When you receive a subpoena for couples therapy notes, consult your attorney before responding. California law does not require automatic compliance — you have the right to assert privilege.

The #1 Tech Compliance Gap for Marriage & Family Therapists in San Diego

Managing individual privacy within family systems

SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists — Recommended for Marriage & Family Therapist in San Diego

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

Marriage & Family Therapist HIPAA Compliance Checklist — San Diego

Work through this checklist to confirm your practice meets the baseline HIPAA requirements for marriage & family therapists in California. Every item marked incomplete is a potential OCR audit finding.

Create separate EHR records for each individual in couples or family therapy — link them administratively but maintain separate PHI files

Create a written policy for child record access in custody disputes, referencing California Family Code §3025 and consulting a California healthcare attorney

Develop a subpoena response policy specifically for couples notes — consult an attorney before releasing any couples session content in response to a subpoena

Obtain a conjoint treatment agreement signed by all adult participants at intake

Update your Notice of Privacy Practices to address California CMIA rights and MFT-specific confidentiality

Establish a 5-day California breach notification procedure and assign a designated responder

Sign BAAs with all vendors handling PHI in your practice

Review your child client intake process — in California, both parents with legal custody must consent to treatment for a minor under most circumstances

This checklist covers the most common compliance gaps for marriage & family therapists in San Diego. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.

Frequently Asked Questions — Marriage & Family Therapists in San Diego

Does a marriage & family therapist in San Diego need to comply with HIPAA?

California MFTs must navigate HIPAA, CMIA, and complex family privacy rules simultaneously.

What is the average HIPAA fine for therapy practices in California?

The average HIPAA fine for therapy practices in California is $47,000. California BBS has increased audits of MFT practices in 2025.

What are the most common HIPAA violations for marriage & family therapists?

Joint vs individual records not properly separated. Child records access by divorced parents. No clear policy for subpoenas of couples notes.

What is the February 2026 HIPAA deadline?

By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.

What is SimplePractice and does it solve HIPAA compliance?

SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.

In a California custody dispute, who can authorize access to a child's therapy records?

Under California Family Code §3025, both parents with legal custody have the right to access their child's medical records unless a court order specifies otherwise. However, California courts have interpreted this inconsistently for mental health records — and California Evidence Code §1012 gives the patient a psychotherapist-patient privilege that may restrict access. Before releasing any child's mental health records in a custody dispute, consult a California family law or healthcare attorney.

What should a San Diego MFT do when served with a subpoena for couples therapy notes?

Do not release records automatically. California mental health records are protected by the psychotherapist-patient privilege under Evidence Code §1012. When you receive a subpoena, notify the affected clients immediately so they can assert their privilege through their attorneys. Consult your own healthcare attorney before responding. A subpoena is a demand for records — not a court order — and you generally have the right to object.