HIPAA Compliance Guides for Therapists
HIPAA is 400+ pages of federal regulation. These guides distill the rules that actually matter for private practice therapists into plain-language explanations — what you must do, why it matters, and exactly how to do it.
Each guide is written specifically for mental health practitioners — not hospital compliance teams or legal departments. If you see clients in a private practice setting, these are the HIPAA topics that affect you most directly.
Why HIPAA Compliance Matters for Private Practice Therapists
93%
of HIPAA violations are preventable
The vast majority of OCR fines result from compliance gaps that could have been closed with basic policies and the right software.
$43K
average HIPAA fine for therapy practices
The average enforcement action costs therapy practices $43,000 — not including legal fees, reputation damage, and client notification costs.
Feb 16
2026 HIPAA deadline
All covered entities must update their Notice of Privacy Practices by February 16, 2026 to reflect new patient rights under the revised HIPAA Privacy Rule.
The 2026 HIPAA deadline applies to every therapy practice.
By February 16, 2026, all covered entities must update their Notice of Privacy Practices to reflect revised patient rights under the HIPAA Privacy Rule. This is not optional and is not limited to large practices. Solo therapists, group practices, and telehealth providers are all required to comply. Failure to update is an automatic violation — independent of whether you have had any actual breach or complaint.
In-Depth HIPAA Guides
Business Associate Agreements (BAAs) for Therapists — Complete Guide
What a BAA is, who you need one with, what it must contain, and what to do if a vendor refuses to sign one.
HIPAA-Compliant Telehealth for Therapists — 2026 Complete Guide
Which telehealth platforms are actually HIPAA-compliant, what to look for, and how to run HIPAA-safe video sessions.
Psychotherapy Notes vs Progress Notes Under HIPAA — What Therapists Get Wrong
The critical HIPAA distinction between psychotherapy notes and progress notes — and why mixing them up puts your practice at legal risk.
Common HIPAA Questions from Therapists
Do I need HIPAA compliance if I don't bill insurance?
Yes. HIPAA applies to any 'covered entity' — which includes healthcare providers who transmit health information electronically in connection with covered transactions. If you use an EHR, electronic billing, or any electronic health records system, you are a covered entity regardless of whether you bill insurance directly. Cash-pay therapists who use an EHR are subject to HIPAA.
What is the single most important HIPAA document a therapist needs?
A signed Business Associate Agreement (BAA) with your EHR vendor. Without a BAA, using any software platform to store or transmit client information is a HIPAA violation — even if the platform is otherwise secure. Most therapists are unaware that they need to actively request and sign a BAA — it is not automatic.
How long do I need to keep therapy records under HIPAA?
HIPAA requires covered entities to retain certain administrative records (like BAAs and policies) for 6 years. However, clinical records retention is governed by state law, which is often longer — typically 7 to 10 years for adults and until the patient's 25th birthday for minors in many states. Always check your state's specific requirements, as state law supersedes HIPAA's minimum when it is stricter.
Is SimplePractice HIPAA-compliant?
Yes — SimplePractice is HIPAA-compliant when used on a paid plan that includes a signed Business Associate Agreement. The BAA is included with all paid SimplePractice plans (Starter, Essential, and Plus). Free trials also include a BAA. Using SimplePractice on a properly signed BAA plan is one of the most common ways therapists achieve baseline HIPAA compliance for records, billing, telehealth, and client communication.
What happens during a HIPAA audit?
An OCR audit typically begins with a document request: your Security Risk Assessment, Privacy and Security policies, BAA copies, workforce training documentation, and your Notice of Privacy Practices. Auditors may also interview staff about their understanding of HIPAA obligations. Most audits are desk audits conducted by email and document submission — not in-person inspections. The audit is resolved when you demonstrate compliance or pay a corrective action plan fine.
HIPAA Tools for Therapists
State-Specific HIPAA Guides
Several states impose mental health privacy requirements stricter than federal HIPAA. If you practice in one of these states, federal compliance alone is not sufficient.
The guides on this site are written for educational purposes and do not constitute legal advice. For specific compliance questions, consult a healthcare attorney licensed in your state. HIPAA regulations are updated periodically — all content is reviewed for accuracy against current HHS guidance.