Therapy HIPAA Hub
HIGH URGENCY — Illinois

HIPAA Compliance for Solo Therapists in Chicago, Illinois — 2026 Guide

Illinois Mental Health and Developmental Disabilities Confidentiality Act adds state-level protection requirements. This guide covers what solo therapists in Chicago must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in Illinois, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.

Chicago solo therapists frequently use third-party scheduling tools (Calendly, Acuity, Square Appointments) that collect appointment details linking client names to therapy services — each of which constitutes PHI requiring a BAA. Illinois has one of the most protective mental health privacy laws in the country, meaning Chicago therapists face HIPAA enforcement from OCR Region 5 (Chicago) and potential MHDDCA enforcement by the Illinois Department of Financial and Professional Regulation simultaneously.

$39,000

Average HIPAA fine in Illinois

Illinois law is stricter than HIPAA for mental health records.

Source: HHS Office for Civil Rights enforcement data, 2025

Illinois Law Requirements for Solo Therapists

Illinois solo therapists operate under HIPAA and the Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA), one of the strictest mental health privacy laws in the country. The MHDDCA grants near-absolute confidentiality to mental health records — they cannot be disclosed to courts, law enforcement, or other healthcare providers without the client's written consent in most circumstances. The MHDDCA also applies to third-party billing and coordination of care, creating compliance complexity that HIPAA alone does not address. Illinois law extends protection to records of anyone who receives mental health services, regardless of whether the provider accepts insurance or processes billing through HIPAA-covered channels.

OCR Region 5 in Chicago is one of the most accessible OCR offices in the country, and the Illinois Department of Financial and Professional Regulation enforces MHDDCA violations independently from federal HIPAA enforcement.

Top HIPAA Violations for Solo Therapists in Chicago — and How to Fix Them

These are the violations OCR most frequently cites for solo therapists in Illinois. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.

1

Client scheduling app without BAA

HOW TO FIX IT

Migrate scheduling to SimplePractice's built-in scheduling system (included in all plans), which is covered under SimplePractice's HIPAA BAA. Alternatively, use Acuity Scheduling's HIPAA plan ($45/month) or Jane App, both of which offer BAAs.

2

No device encryption policy

HOW TO FIX IT

On Mac: enable FileVault (System Settings > Privacy & Security > FileVault). On Windows: enable BitLocker (Settings > Update & Security > Device Encryption). Write a one-page device security policy documenting this and keep it on file.

3

Missing HIPAA Security Risk Assessment

HOW TO FIX IT

Use HHS's free Security Risk Assessment Tool at healthit.gov to walk through the SRA process step-by-step. The tool generates a downloadable report you can retain as documentation.

The #1 Tech Compliance Gap for Solo Therapists in Chicago

Popular scheduling tools like Calendly used without BAA

SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists — Recommended for Solo Therapist in Chicago

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

Solo Therapist HIPAA Compliance Checklist — Chicago

Work through this checklist to confirm your practice meets the baseline HIPAA requirements for solo therapists in Illinois. Every item marked incomplete is a potential OCR audit finding.

Replace any scheduling tool that does not offer a HIPAA BAA (standard Calendly, Square, Acuity free plans) with a HIPAA-compliant alternative: SimplePractice scheduling, Acuity's HIPAA add-on, or Jane App

Enable full-disk encryption on every device used for client work and create a written device security policy

Complete and document a written Security Risk Assessment using the HHS free tool at healthit.gov

Review Illinois MHDDCA requirements and ensure your consent and release authorization forms meet state-specific standards

Sign BAAs with all vendors: EHR, telehealth, email, scheduling, and billing clearinghouse

Implement a written access control policy specifying who can access client records and under what circumstances

Create written procedures for responding to Illinois MHDDCA record release requests — stricter than HIPAA

Post an updated 2026 Notice of Privacy Practices and have clients sign it at intake

This checklist covers the most common compliance gaps for solo therapists in Chicago. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.

Frequently Asked Questions — Solo Therapists in Chicago

Does a solo therapist in Chicago need to comply with HIPAA?

Illinois Mental Health and Developmental Disabilities Confidentiality Act adds state-level protection requirements.

What is the average HIPAA fine for therapy practices in Illinois?

The average HIPAA fine for therapy practices in Illinois is $39,000. Illinois law is stricter than HIPAA for mental health records.

What are the most common HIPAA violations for solo therapists?

Client scheduling app without BAA. No device encryption policy. Missing HIPAA Security Risk Assessment.

What is the February 2026 HIPAA deadline?

By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.

What is SimplePractice and does it solve HIPAA compliance?

SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.

Does Calendly need a HIPAA BAA for a therapy practice?

Yes — any scheduling tool that collects appointment information linking a client's identity to a mental health appointment contains PHI and requires a HIPAA BAA. Standard Calendly does not offer a BAA. HIPAA-compliant alternatives that offer BAAs include SimplePractice's scheduling feature, Acuity Scheduling's HIPAA plan, Jane App, and Kareo.

How does Illinois MHDDCA differ from HIPAA for Chicago therapists?

The Illinois MHDDCA is significantly more protective than HIPAA: it requires written consent for virtually every third-party disclosure including to courts and law enforcement, it applies to all mental health records regardless of whether the provider participates in insurance, and it cannot be waived by general HIPAA authorizations. For Chicago therapists, standard HIPAA release forms may not satisfy Illinois law — consult a healthcare attorney before creating release authorization forms.