
HIPAA Compliance Basics for Private Practice Therapists

What HIPAA requires of solo therapists: PHI definition, physical/admin/technical safeguards, BAA requirements, breach notification, and common violations.

2026-02-25 · 6 min read · By Superbilled Team

HIPAA applies to every private practice therapist — solo practitioners included. The requirements are more straightforward than most therapists fear, but the violations that happen most often are the easiest to prevent.

Are You a Covered Entity?

Yes. Any licensed mental health professional who transmits health information electronically (including billing, email, or EHR use) is a HIPAA Covered Entity. This applies to LCSWs, LPCs, LMFTs, psychologists, and psychiatrists in private practice regardless of practice size.

What Is Protected Health Information (PHI)?

PHI is any individually identifiable health information — including:

  • Client name, address, date of birth, phone number
  • Diagnosis codes and treatment records
  • Session notes and progress documentation
  • Payment and billing records
  • Any combination of identifiers that could identify a specific individual

Required Safeguards

HIPAA requires three categories of safeguards:

  • Physical safeguards — Locked file cabinets for paper records; locked office with restricted access; screen locks on workstations; shredding for paper PHI.
  • Administrative safeguards — Written privacy policies; staff training (even if "staff" is just you); a designated Privacy Officer role (you can designate yourself); a risk analysis document identifying PHI risks.
  • Technical safeguards — Encrypted email for any message containing PHI; encrypted EHR storage; strong unique passwords; two-factor authentication where available.

Business Associate Agreements (BAAs)

Any vendor who handles PHI on your behalf is a Business Associate and must sign a BAA before you share data with them. Required BAAs include:

  • Your EHR platform (SimplePractice, TherapyNotes, etc.)
  • Billing software or superbill generators (Superbilled provides a BAA at onboarding)
  • Cloud storage services used for clinical documents
  • HIPAA-compliant email providers (standard Gmail is not acceptable for PHI)
  • Virtual assistant services if they access client data

Using a vendor without a BAA is a HIPAA violation even if no breach occurs.

Common Violations to Avoid

  • Texting a client's diagnosis or session content on a standard SMS app
  • Emailing progress notes or superbills through an unencrypted email account
  • Leaving a computer screen with client records visible in a shared space
  • Discussing client information where others can hear (open waiting rooms, hallways)
  • Storing client records in a personal Dropbox or Google Drive without a BAA

What Constitutes a Breach

A breach occurs when PHI is accessed, used, or disclosed without authorization in a way not permitted by HIPAA. Examples: emailing a client's superbill to the wrong person, a stolen laptop with unencrypted client files, unauthorized access by a former employee.

Breach Notification Requirements

  • Notify affected individuals within 60 days of discovering the breach
  • Notify the U.S. Department of Health and Human Services (HHS) — small breaches (under 500 individuals) can be reported annually via the HHS breach portal
  • Breaches affecting 500+ individuals in a state require notification to prominent media outlets in that state

Digital Records Are Fine — With Encryption

HIPAA does not require paper records. Electronic records maintained in an encrypted, access-controlled EHR fully satisfy HIPAA requirements. The key is encryption at rest and in transit, and a signed BAA with the EHR vendor.