
HIPAA + Baker Act + Florida §491 Compliance for Therapists — 2026 Guide

Florida therapists operate under HIPAA (federal), the Baker Act, and Florida Statutes §491 governing counselors and therapists. Florida also enforces one of the strictest breach notification timelines in the country — just 30 days. Here is your complete 2026 compliance guide.

Average fine in Florida: $48,000
Florida breach notification deadline: 30 days
Laws that apply: 3 (HIPAA + Baker Act + §491)

Florida-Specific Rules Therapists Must Know

Florida Statutes §491.0147 imposes confidentiality obligations on LMHCs, LCSWs, and MFTs that run parallel to HIPAA — violating either can trigger separate penalties.

The Baker Act (Florida Mental Health Act) creates mandatory disclosure duties when a client is at risk — these must be documented in your EHR with timestamps.

Florida's breach notification law (FIPA) requires notification within 30 days of discovering a breach affecting Florida residents — shorter than HIPAA's 60-day window.

Telehealth therapists based outside Florida serving Florida residents are subject to Florida law under Telehealth Bill SB 7028.

Florida's Agency for Health Care Administration (AHCA) conducts independent HIPAA audits separate from federal OCR — practices can be audited by both.

Group practices in Miami-Dade and Broward counties have been disproportionately targeted in 2024-2025 enforcement sweeps.

Top 5 HIPAA Violations in Florida Therapy Practices

#1 Missing or outdated BAA with EHR vendor
Typical fine: $15,000–$50,000
Many therapists switched platforms during COVID and never executed a new BAA with their current EHR provider.

#2 Baker Act disclosures not documented
Typical fine: $10,000–$30,000
Mandatory Baker Act disclosures must be logged in the health record with the legal basis cited. Undocumented disclosures count as unauthorized disclosures under HIPAA.

#3 Non-HIPAA telehealth platform
Typical fine: $10,000–$25,000
Standard Zoom, FaceTime, and Google Meet are not HIPAA-compliant. Florida OCR has actively pursued these violations since 2023.

#4 Breach notification delayed beyond 30 days
Typical fine: $25,000–$75,000
Florida's FIPA requirement of 30 days is stricter than HIPAA's 60 days. Practices that follow only the federal timeline are in violation of state law.

#5 Psychotherapy notes mixed with general record
Typical fine: $7,000–$20,000
Florida §491 reinforces that psychotherapy notes must be stored separately. Many EHR default configurations do not do this automatically.

Trusted by 225,000+ Therapists — Recommended for Florida Therapists

Get Your Practice 100% HIPAA Compliant in 2026

SimplePractice is the #1 HIPAA-compliant practice management platform built specifically for therapists. Includes secure messaging, telehealth, billing, and a signed BAA — everything you need to stay compliant and protect your clients.


FAQ — Florida Therapist HIPAA

Does the Baker Act override HIPAA confidentiality?

Not exactly — the Baker Act creates specific mandatory disclosure situations that are permitted under HIPAA's public interest and safety exceptions. However, all Baker Act-related disclosures must still be properly documented in your records with the legal basis. Undocumented disclosures are treated as unauthorized under HIPAA.

What is Florida Statutes §491 and how does it affect my therapy practice?

Florida §491 is the state law governing licensed mental health counselors (LMHCs), marriage and family therapists, and clinical social workers. It includes confidentiality requirements that overlap with HIPAA but also go further in some areas. You must comply with both simultaneously — the stricter rule always applies.

My practice was audited by AHCA — is that different from an OCR audit?

Yes. Florida's Agency for Health Care Administration (AHCA) enforces state health laws independently from the federal Office for Civil Rights (OCR). Being cleared in an AHCA audit does not protect you from OCR enforcement, and vice versa. Florida therapists can face dual-track enforcement.

I'm a telehealth therapist based in Georgia but I see Florida clients. Does Florida law apply?

Yes. Under Florida's SB 7028 and the NY SHIELD Act (for any NY clients), if your clients are physically located in Florida when receiving services, Florida law applies to that encounter regardless of where your practice is based.