Therapy HIPAA Hub
HIGH URGENCY — California

HIPAA Compliance for Solo Therapists in San Francisco, California — 2026 Guide

Bay Area solo therapists frequently use tech tools that require careful BAA management. This guide covers what solo therapists in San Francisco must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in California, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.

Bay Area solo therapists face an unusually sophisticated client base — many clients work in tech or healthcare and understand their HIPAA rights in detail. San Francisco therapists also frequently use consumer technology tools (Zoom, FaceTime, iMessage) that are not HIPAA-compliant, creating systematic compliance gaps. OCR Region 9's San Francisco office is one of the most active in the country.

$47,000

Average HIPAA fine in California

High concentration of tech-savvy clients who know their HIPAA rights.

Source: HHS Office for Civil Rights enforcement data, 2025

California Law Requirements for Solo Therapists

San Francisco therapists operate at the intersection of HIPAA, California CMIA, and a uniquely tech-informed client population. California CMIA requires breach notifications within 5 business days — far stricter than HIPAA's 60-day window — and gives patients stronger rights to access and restrict their records. OCR Region 9 is headquartered in San Francisco, making it one of the most accessible filing locations for clients who believe their rights have been violated. Bay Area clients frequently work in healthcare technology or cybersecurity and are statistically more likely to recognize HIPAA violations and report them. The California BBS enforces separate record-keeping standards, and the CCPA may additionally apply to therapy practices using digital platforms that collect behavioral data from visitors.

OCR Region 9 is headquartered in San Francisco and processes complaints filed by Bay Area clients directly — shorter processing distance often means faster investigation timelines for San Francisco practices.

Top HIPAA Violations for Solo Therapists in San Francisco — and How to Fix Them

These are the violations OCR most frequently cites for solo therapists in California. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.

1

Telehealth platform without BAA

HOW TO FIX IT

Sign up for SimplePractice's Essential plan ($69/month) which includes HIPAA-compliant telehealth with BAA, or use Doxy.me's paid plan which includes a signed BAA. Document the transition date and start date of the new compliant platform in your records.

2

Using personal iPhone for client calls

HOW TO FIX IT

For client communication, use SimplePractice's built-in messaging or call through a HIPAA-compliant VoIP service. Personal iPhone calls where you discuss PHI require that your carrier has signed a BAA — most personal phone plans do not qualify.

3

No workforce training documentation

HOW TO FIX IT

Create a simple annual training log: list the date, training materials reviewed, and sign it. Store it digitally for 6 years. The HHS website provides free training videos and PDFs at hhs.gov/hipaa.

The #1 Tech Compliance Gap for Solo Therapists in San Francisco

Video therapy platforms not covered under BAA

SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.

☀️ Summer 2026 Offer

Trusted by 225,000+ Therapists — Recommended for Solo Therapist in San Francisco

50% Off Your First 4 Months of SimplePractice

SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.

✓ 7-day free trial✓ 50% off first 4 months✓ Free credentialing available (up to 2 payers)✓ BAA included
Claim 50% Off SimplePractice →

Limited-time summer offer · No credit card required for trial

Need HIPAA-compliant email only? See Hushmail for Healthcare →

Solo Therapist HIPAA Compliance Checklist — San Francisco

Work through this checklist to confirm your practice meets the baseline HIPAA requirements for solo therapists in California. Every item marked incomplete is a potential OCR audit finding.

Replace any non-HIPAA telehealth platform (Zoom standard, FaceTime, Skype) with a BAA-covered option: SimplePractice telehealth, Doxy.me paid plan, or Zoom for Healthcare

Stop using personal iPhone calls for clinical communication — use SimplePractice's client portal or a HIPAA-compliant phone system

Document your own HIPAA training annually, even as a solo practitioner — create a signed, dated training log

Post an updated NPP on your website and have new clients sign it at intake — California law requires this

Switch personal Gmail to Google Workspace Business and request the HIPAA BAA through your admin console

Enable auto-wipe on your iPhone after 10 failed passcode attempts and set a strong alphanumeric passcode

Create a written policy for client records access requests — California patients have stronger access rights than federal HIPAA

Review all third-party apps connected to your Apple account that may have access to calendar data containing PHI

This checklist covers the most common compliance gaps for solo therapists in San Francisco. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.

Frequently Asked Questions — Solo Therapists in San Francisco

Does a solo therapist in San Francisco need to comply with HIPAA?

Bay Area solo therapists frequently use tech tools that require careful BAA management.

What is the average HIPAA fine for therapy practices in California?

The average HIPAA fine for therapy practices in California is $47,000. High concentration of tech-savvy clients who know their HIPAA rights.

What are the most common HIPAA violations for solo therapists?

Telehealth platform without BAA. Using personal iPhone for client calls. No workforce training documentation.

What is the February 2026 HIPAA deadline?

By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.

What is SimplePractice and does it solve HIPAA compliance?

SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.

Is FaceTime HIPAA-compliant for therapy sessions?

No. Standard FaceTime is not HIPAA-compliant. Apple does not sign Business Associate Agreements for FaceTime usage. If you conduct therapy sessions via standard FaceTime without a BAA, every session is a potential HIPAA violation. HIPAA-compliant alternatives include SimplePractice's built-in telehealth, Doxy.me with a paid plan, and Zoom for Healthcare which requires a Business or Enterprise Zoom account with a separately executed BAA.

Does California CCPA apply to solo therapy practices?

The California Consumer Privacy Act applies to businesses with annual gross revenue over $25 million or those that buy or sell personal data on more than 100,000 consumers annually. Most solo therapy practices fall below these thresholds. However, if you use marketing platforms, analytics tools, or third-party scheduling software that collects client data, review their CCPA compliance separately — you may have obligations as a data controller even below the CCPA thresholds.