
    How to Navigate HIPAA Compliance as a Therapist

    HIPAA (the Health Insurance Portability and Accountability Act) is a core part of ethical practice, client trust, and professional protection. Navigating compliance can feel overwhelming, but there are plenty of resources that can help.

    This article offers a clear, practical, therapist‑centred guide to navigating HIPAA compliance, with real‑world examples and actionable steps you can implement immediately.


    What Is HIPAA?

    HIPAA is a U.S. federal law designed to protect Protected Health Information (PHI) – any information that can identify a client and relates to their mental or physical health, treatment, or payment.

    For therapists, HIPAA matters because:

    • You handle deeply sensitive personal information
    • Breaches can harm clients emotionally, professionally, and financially
    • Non‑compliance can lead to fines, audits, lawsuits, and licensing issues
    • Ethical codes (APA, ACA, NASW) closely align with HIPAA principles

    It’s important to note that HIPAA compliance isn’t about perfection. It’s about reasonable, documented safeguards.


    Who Must Comply with HIPAA?

    You’re required to comply with HIPAA if you are a covered entity, which includes:

    • Licensed therapists, counsellors, psychologists, and social workers
    • Private practices that transmit health information electronically (e.g., billing insurance)

    You are also responsible for HIPAA compliance if you work with business associates, such as:

    • EHR platforms
    • Billing services
    • Virtual assistant services
    • Cloud storage providers

    If they access PHI, you must have a Business Associate Agreement (BAA) in place.


    The Three Core HIPAA Rules

    1. The Privacy Rule

    The Privacy Rule governs when and how PHI can be used or disclosed.

    As a therapist, this means:

    • You may only access PHI for legitimate clinical or operational purposes
    • You must obtain written authorization for disclosures outside treatment, payment, or healthcare operations
    • Clients have the right to access their records, request corrections, and receive an accounting of disclosures

    For example, you cannot confirm someone is your client to a third party (even a spouse) without explicit permission.


    2. The Security Rule

    The Security Rule applies specifically to electronic PHI (ePHI) and requires safeguards in three areas:

    Administrative Safeguards

    • Written HIPAA policies and procedures
    • Risk assessments
    • Staff training (even if you are a solo practitioner)

    Physical Safeguards

    • Locked offices or filing cabinets
    • Screen privacy in shared spaces
    • Secure disposal of paper records

    Technical Safeguards

    • Strong passwords and two‑factor authentication
    • Encrypted devices and platforms
    • Automatic screen locks

    As mentioned, HIPAA does not require “perfect security”; it requires reasonable and appropriate security for the size and type of your practice.


    3. The Breach Notification Rule

    If PHI is accessed, disclosed, or lost improperly, you may be required to:

    • Notify affected clients
    • Notify the Department of Health and Human Services (HHS)
    • In some cases, notify the media

    Examples of breaches include:

    • Lost or stolen laptops that were not encrypted
    • Emails sent to the wrong recipient
    • Hacked accounts or compromised passwords

    Prompt documentation and response are critical.


    3 Common HIPAA Pitfalls for Therapists

    1. Using Non‑Compliant Technology

    Common mistakes include:

    • Using standard Gmail or Yahoo for client communication
    • Storing notes in non‑encrypted cloud services
    • Using video platforms without BAAs

    What to do instead:

    • Use HIPAA‑compliant email or secure client portals
    • Choose EHRs designed for mental health
    • Confirm telehealth platforms provide a BAA

    2. Casual Communication Errors

    Examples:

    • Leaving detailed voicemail messages
    • Texting sensitive information
    • Discussing cases in public spaces

    Best practice:

    • Obtain written consent for voicemail or text communication
    • Keep messages minimal and non‑specific
    • Assume you’re always in a semi‑public environment

    3. Poor Documentation

    HIPAA expects documentation of:

    • Policies and procedures
    • Risk assessments
    • Training
    • Breach responses

    If it’s not documented, it effectively didn’t happen.


    HIPAA‑Compliant Record Keeping

    An important distinction in record keeping is the one between progress notes and psychotherapy notes.

    Progress notes form part of the official medical record and typically include information such as diagnoses, treatment plans, session dates, and clinical summaries. These records are generally accessible to clients upon request.

    Psychotherapy notes, by contrast, are the therapist’s private reflections and process notes, kept separately from the medical record and afforded much stronger protections under HIPAA.

    Best practice is to store psychotherapy notes in a secure, separate location with highly restricted access, ensuring they’re not co-mingled with standard clinical documentation.

    Therapists should also clearly understand the limited circumstances under which psychotherapy notes can be disclosed, as they usually require explicit client authorization except in very narrow, legally defined situations.

    HIPAA does not define specific retention periods for records. For retention and disposal, therapists must therefore follow:

    • State laws
    • Licensing board requirements

    General best practices:

    • Retain records for the legally required minimum period
    • Shred paper records
    • Use secure digital deletion methods

    Teletherapy and HIPAA Compliance

    Teletherapy introduces additional risks but is fully compatible with HIPAA when handled correctly.

    Key requirements:

    • HIPAA‑compliant video platforms
    • Secure internet connections
    • Private environments on both ends
    • Informed consent specific to telehealth

    Also consider:

    • Client location and licensure laws
    • Emergency protocols for remote sessions

    Business Associate Agreements (BAAs)

    You need a BAA with any vendor that:

    • Stores PHI
    • Transmits PHI
    • Accesses PHI

    Common examples:

    • EHR providers
    • Cloud backup services
    • Billing platforms
    • Practice management tools

    Even if the platform claims to be “secure”, no BAA means no compliance.


    Creating a Simple HIPAA Compliance System

    For therapists who want clarity without overwhelm:

    1. List all places PHI is stored or transmitted
    2. Confirm encryption and access controls
    3. Obtain BAAs where required
    4. Write basic HIPAA policies (templates are acceptable)
    5. Conduct a simple annual risk assessment
    6. Train yourself and any staff annually
    7. Document everything

    HIPAA compliance is an ongoing process, not a one‑time setup.


    Summary

    Navigating HIPAA compliance requires intentional systems, ethical awareness, and consistent follow‑through. When therapists understand HIPAA as a framework for protecting human vulnerability (not just avoiding penalties) it becomes far less intimidating and far more meaningful. With clear safeguards in place, you protect your clients, your practice, and yourself – allowing you to focus on what truly matters: healing work.



    About Rebecca

    Rebecca Marks is the founder of The Wellness Society, a social enterprise that has supported thousands on their journey to mental wellbeing.

    Her tools have been shared by the NHS and featured by Mind, the UK’s leading mental health charity. She comes from a career in mental health charity management, facilitating peer support programs and co-producing initiatives with service users.
