HIPAA Compliance for Solo Therapists in Chicago, Illinois — 2026 Guide
Illinois Mental Health and Developmental Disabilities Confidentiality Act adds state-level protection requirements. This guide covers what solo therapists in Chicago must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in Illinois, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.
Chicago solo therapists frequently use third-party scheduling tools (Calendly, Acuity, Square Appointments) that collect appointment details linking client names to therapy services — each of which constitutes PHI requiring a BAA. Illinois has one of the most protective mental health privacy laws in the country, meaning Chicago therapists face HIPAA enforcement from OCR Region 5 (Chicago) and potential MHDDCA enforcement by the Illinois Department of Financial and Professional Regulation simultaneously.
$39,000
Average HIPAA fine in Illinois
Illinois law is stricter than HIPAA for mental health records.
Source: HHS Office for Civil Rights enforcement data, 2025
Illinois Law Requirements for Solo Therapists
Illinois solo therapists operate under HIPAA and the Illinois Mental Health and Developmental Disabilities Confidentiality Act (MHDDCA), one of the strictest mental health privacy laws in the country. The MHDDCA grants near-absolute confidentiality to mental health records — they cannot be disclosed to courts, law enforcement, or other healthcare providers without the client's written consent in most circumstances. The MHDDCA also applies to third-party billing and coordination of care, creating compliance complexity that HIPAA alone does not address. Illinois law extends protection to records of anyone who receives mental health services, regardless of whether the provider accepts insurance or processes billing through HIPAA-covered channels.
OCR Region 5 in Chicago is one of the most accessible OCR offices in the country, and the Illinois Department of Financial and Professional Regulation enforces MHDDCA violations independently from federal HIPAA enforcement.
Top HIPAA Violations for Solo Therapists in Chicago — and How to Fix Them
These are the violations OCR most frequently cites for solo therapists in Illinois. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.
Client scheduling app without BAA
HOW TO FIX IT
Migrate scheduling to SimplePractice's built-in scheduling system (included in all plans), which is covered under SimplePractice's HIPAA BAA. Alternatively, use Acuity Scheduling's HIPAA plan ($45/month) or Jane App, both of which offer BAAs.
No device encryption policy
HOW TO FIX IT
On Mac: enable FileVault (System Settings > Privacy & Security > FileVault). On Windows: enable BitLocker (Settings > Update & Security > Device Encryption). Write a one-page device security policy documenting this and keep it on file.
Missing HIPAA Security Risk Assessment
HOW TO FIX IT
Use HHS's free Security Risk Assessment Tool at healthit.gov to walk through the SRA process step-by-step. The tool generates a downloadable report you can retain as documentation.
The #1 Tech Compliance Gap for Solo Therapists in Chicago
Popular scheduling tools like Calendly used without BAA
SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.
Trusted by 225,000+ Therapists — Recommended for Solo Therapist in Chicago
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
Solo Therapist HIPAA Compliance Checklist — Chicago
Work through this checklist to confirm your practice meets the baseline HIPAA requirements for solo therapists in Illinois. Every item marked incomplete is a potential OCR audit finding.
Replace any scheduling tool that does not offer a HIPAA BAA (standard Calendly, Square, Acuity free plans) with a HIPAA-compliant alternative: SimplePractice scheduling, Acuity's HIPAA add-on, or Jane App
Enable full-disk encryption on every device used for client work and create a written device security policy
Complete and document a written Security Risk Assessment using the HHS free tool at healthit.gov
Review Illinois MHDDCA requirements and ensure your consent and release authorization forms meet state-specific standards
Sign BAAs with all vendors: EHR, telehealth, email, scheduling, and billing clearinghouse
Implement a written access control policy specifying who can access client records and under what circumstances
Create written procedures for responding to Illinois MHDDCA record release requests — stricter than HIPAA
Post an updated 2026 Notice of Privacy Practices and have clients sign it at intake
This checklist covers the most common compliance gaps for solo therapists in Chicago. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.
Frequently Asked Questions — Solo Therapists in Chicago
Does a solo therapist in Chicago need to comply with HIPAA?
Illinois Mental Health and Developmental Disabilities Confidentiality Act adds state-level protection requirements.
What is the average HIPAA fine for therapy practices in Illinois?
The average HIPAA fine for therapy practices in Illinois is $39,000. Illinois law is stricter than HIPAA for mental health records.
What are the most common HIPAA violations for solo therapists?
Client scheduling app without BAA. No device encryption policy. Missing HIPAA Security Risk Assessment.
What is the February 2026 HIPAA deadline?
By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.
What is SimplePractice and does it solve HIPAA compliance?
SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.
Does Calendly need a HIPAA BAA for a therapy practice?
Yes — any scheduling tool that collects appointment information linking a client's identity to a mental health appointment contains PHI and requires a HIPAA BAA. Standard Calendly does not offer a BAA. HIPAA-compliant alternatives that offer BAAs include SimplePractice's scheduling feature, Acuity Scheduling's HIPAA plan, Jane App, and Kareo.
How does Illinois MHDDCA differ from HIPAA for Chicago therapists?
The Illinois MHDDCA is significantly more protective than HIPAA: it requires written consent for virtually every third-party disclosure including to courts and law enforcement, it applies to all mental health records regardless of whether the provider participates in insurance, and it cannot be waived by general HIPAA authorizations. For Chicago therapists, standard HIPAA release forms may not satisfy Illinois law — consult a healthcare attorney before creating release authorization forms.