Therapy HIPAA Hub
CRITICAL URGENCY — California

HIPAA Compliance for Solo Therapists in Los Angeles, California — 2026 Guide

California therapists face both HIPAA and the California Confidentiality of Medical Information Act simultaneously. This guide covers what solo therapists in Los Angeles must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in California, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.

Solo therapists in Los Angeles face dual enforcement from both the federal OCR Region 9 (San Francisco) and the California BBS, which operates independently and has increased audit activity since 2024. California's 5-day breach notification requirement is among the strictest in the nation — a solo therapist who discovers a breach on Monday must have patient notifications out by Friday.

$47,000

Average HIPAA fine in California

California has its own state-level enforcement separate from federal OCR.

Source: HHS Office for Civil Rights enforcement data, 2025

California Law Requirements for Solo Therapists

Los Angeles therapists face the most complex compliance environment of any solo practice in the country. In addition to HIPAA, they must comply with the California Confidentiality of Medical Information Act (CMIA), which imposes stricter breach notification deadlines — 5 business days to notify patients versus HIPAA's 60 days. CMIA also prohibits the sale of medical information in any form and gives patients stronger access rights than federal law. The California Board of Behavioral Sciences (BBS) additionally enforces its own record-keeping requirements: therapy records must be maintained for a minimum of 7 years for adults and until the client's 25th birthday for minors. Non-compliance with BBS standards can trigger license revocation proceedings independent of any OCR investigation. Average fines in California reach $47,000.

OCR Region 9 (San Francisco) covers California, and the California BBS conducts independent audits — a violation reported to OCR can simultaneously trigger a BBS investigation and license review.

Top HIPAA Violations for Solo Therapists in Los Angeles — and How to Fix Them

These are the violations OCR most frequently cites for solo therapists in California. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.

1

Missing updated NPP (required by Feb 2026)

HOW TO FIX IT

Download the 2026 model NPP from HHS.gov and add a California-specific section covering CMIA rights including the 5-day breach notification right. Post it on your website and have new clients sign it at intake.

2

No encrypted email for client contact

HOW TO FIX IT

Use SimplePractice's built-in HIPAA-compliant client messaging portal, or switch to Hushmail for Healthcare ($9.99/month) which includes BAA, secure messaging, and HIPAA-compliant web forms.

3

Psychotherapy notes not separately stored

HOW TO FIX IT

In your EHR, create a separate note type specifically for psychotherapy process notes. In SimplePractice, use a custom note template flagged as 'psychotherapy notes' and stored in a restricted folder. Document this procedure in your policies.

The #1 Tech Compliance Gap for Solo Therapists in Los Angeles

California adds CMIA on top of HIPAA — double liability for therapists

SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists — Recommended for Solo Therapist in Los Angeles

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

Solo Therapist HIPAA Compliance Checklist — Los Angeles

Work through this checklist to confirm your practice meets the baseline HIPAA requirements for solo therapists in California. Every item marked incomplete is a potential OCR audit finding.

Update your Notice of Privacy Practices for the 2026 HIPAA requirements AND add a California CMIA rights section with the 5-business-day breach notification right

Establish a breach notification procedure that meets the 5-business-day California CMIA deadline — stricter than HIPAA's 60 days

Store psychotherapy process notes in a physically or electronically separate location from progress notes and general medical records

Switch to a HIPAA-compliant email service: Hushmail for Healthcare or Google Workspace Business with BAA

Sign BAAs with every vendor handling PHI: EHR, email, telehealth, scheduling, and billing

Create a written data disposal policy — California CMIA requires documents containing PHI to be rendered permanently unreadable before disposal

Complete an annual Security Risk Assessment and retain documentation for at least 6 years

Review your professional liability insurance to confirm it covers both HIPAA and California CMIA violations

This checklist covers the most common compliance gaps for solo therapists in Los Angeles. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.

Frequently Asked Questions — Solo Therapists in Los Angeles

Does a solo therapist in Los Angeles need to comply with HIPAA?

California therapists face both HIPAA and the California Confidentiality of Medical Information Act simultaneously.

What is the average HIPAA fine for therapy practices in California?

The average HIPAA fine for therapy practices in California is $47,000. California has its own state-level enforcement separate from federal OCR.

What are the most common HIPAA violations for solo therapists?

Missing updated NPP (required by Feb 2026). No encrypted email for client contact. Psychotherapy notes not separately stored.

What is the February 2026 HIPAA deadline?

By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.

What is SimplePractice and does it solve HIPAA compliance?

SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.

What is the difference between HIPAA and California CMIA for therapists?

California CMIA adds several protections beyond HIPAA: a 5-business-day patient notification deadline for breaches versus HIPAA's 60 days, a prohibition on selling medical information in any form, stronger patient access rights, and civil penalties of $1,000 per violation payable directly to the patient. For LA therapists, HIPAA sets the federal floor and CMIA raises the bar higher in every significant area.

Do psychotherapy notes need to be stored differently than progress notes in California?

Yes — HIPAA itself requires psychotherapy process notes to be stored separately from the rest of the medical record, and California reinforces this requirement. In practice, this means creating a physically or digitally separate file that cannot be accessed by billing staff or others who access general records. Many therapists in California use SimplePractice's custom note templates to separate process notes from progress and SOAP notes.