HIPAA violations can cost therapists anywhere from $100 to $50,000 per incident—and that's before considering the reputational damage, licensing board complaints, and loss of client trust. Yet many therapists operate with only a vague understanding of what HIPAA actually requires.
This guide cuts through the complexity. You'll learn exactly what HIPAA requires of mental health practitioners, how to implement compliant systems, and how to avoid the mistakes that trigger investigations.
What Is HIPAA?
The Health Insurance Portability and Accountability Act (HIPAA) is federal legislation that establishes standards for protecting sensitive patient health information. For therapists, HIPAA governs how you:
- Store client records
- Communicate with clients
- Share information with other providers
- Handle billing and insurance claims
- Use technology in your practice
The Three HIPAA Rules
1. Privacy Rule
Establishes standards for who can access protected health information (PHI) and under what circumstances.
2. Security Rule
Requires administrative, physical, and technical safeguards to protect electronic PHI (ePHI).
3. Breach Notification Rule
Mandates procedures for responding to and reporting data breaches.
Who Must Comply with HIPAA?
Covered Entities
You're a covered entity if you:
- Transmit any health information electronically in connection with certain transactions (billing, claims, eligibility inquiries)
- Bill insurance for your services
Most therapists who accept insurance are covered entities.
Business Associates
Anyone who handles PHI on your behalf:
- EHR/practice management software vendors
- Billing services
- Telehealth platforms
- Cloud storage providers
- Answering services
- Shredding companies
You must have a Business Associate Agreement (BAA) with each of these.
Business Associate Agreements: Complete Guide →
Cash-Pay Practices
If you're entirely private pay and never transmit health information electronically for HIPAA-covered transactions, you may not be a covered entity under HIPAA. However:
- Many states have privacy laws that mirror HIPAA
- Licensing boards require confidentiality protections
- Best practice is to follow HIPAA standards regardless
Protected Health Information (PHI)
PHI is any information that can identify a patient and relates to their health, treatment, or payment.
Examples of PHI
| Category | Examples |
|---|---|
| Identifiers | Name, address, phone, email, SSN, DOB |
| Clinical | Diagnoses, treatment notes, assessments |
| Billing | Insurance claims, CPT codes, payment records |
| Scheduling | Appointment times, calendar entries |
| Communication | Emails, texts, voicemails about treatment |
The 18 HIPAA Identifiers
HIPAA's Safe Harbor de-identification standard lists 18 identifiers; health information that still contains any of them is considered identifiable, and therefore "protected":
- Names
- Geographic data (smaller than state)
- Dates (except year) related to individual
- Phone numbers
- Fax numbers
- Email addresses
- Social Security numbers
- Medical record numbers
- Health plan beneficiary numbers
- Account numbers
- Certificate/license numbers
- Vehicle identifiers
- Device identifiers
- URLs
- IP addresses
- Biometric identifiers
- Full-face photos
- Any other unique identifier
If health information includes any of these, it's PHI.
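The list above is the basis of the Safe Harbor test: a record is de-identified only when none of these identifiers remain. The following is an added example, not code from the original guide, that scans a constructed clinical note for the identifier categories that have a recognizable shape (SSN, phone, email, date, IP address, URL, ZIP code) and redacts them. The `MRN` pattern is an assumed local record-number format, and the sample notes and every identifier in them are constructed. Names and other free-text identifiers cannot be found reliably by pattern matching, so a record that passes this scan still needs human review before it is treated as de-identified.

```python
import re
from collections import defaultdict

# Regex patterns for the Safe Harbor identifier categories that have a recognizable shape.
# Names, geographic text, and free-form identifiers have no reliable pattern, so a record
# that passes this scan still needs human review before it is treated as de-identified.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "phone": re.compile(r"(?<!\d)\(?\d{3}\)?[-. ]\d{3}[-. ]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "date": re.compile(r"\b(?:\d{1,2}/\d{1,2}/\d{2,4}|\d{4}-\d{2}-\d{2})\b"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
    "zip_code": re.compile(r"\b\d{5}(?:-\d{4})?\b"),            # geographic data smaller than a state
    "mrn": re.compile(r"\bMRN[:#\s]*\d{5,}\b", re.IGNORECASE),  # assumed local record-number format
}

# Constructed sample notes; every identifier below is fictitious.
SAMPLE_NOTE = (
    "Client Jane Doe (MRN 1048823) seen 03/14/2024 for follow-up. Reports improved sleep. "
    "Reachable at (555) 555-0142 or jane.doe@example.com. ZIP 90210; joined the telehealth "
    "session from IP 203.0.113.7."
)
DEIDENTIFIED_NOTE = "Adult client seen for follow-up in 2024. Reports improved sleep."


def find_identifiers(text):
    """Return {category: [matched strings]} for every Safe Harbor category detected in text."""
    found = defaultdict(list)
    for category, pattern in IDENTIFIER_PATTERNS.items():
        for match in pattern.finditer(text):
            found[category].append(match.group(0))
    return dict(found)


def contains_phi(text):
    """Under Safe Harbor a single remaining identifier keeps the record identifiable."""
    return bool(find_identifiers(text))


def redact(text):
    """Replace each detected identifier with a category tag such as [EMAIL]."""
    for category, pattern in IDENTIFIER_PATTERNS.items():
        text = pattern.sub(f"[{category.upper()}]", text)
    return text


if __name__ == "__main__":
    for category, hits in sorted(find_identifiers(SAMPLE_NOTE).items()):
        print(f"{category:12s} {hits}")
    print(redact(SAMPLE_NOTE))
```

Run as-is it lists the six identifier categories found in the sample note and prints the redacted text; the name "Jane Doe" survives the scan, which is exactly why the regex pass is a first filter rather than a de-identification method on its own.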
The Privacy Rule: What You Can and Can't Share
Permitted Disclosures (No Authorization Required)
You may share PHI without client authorization for:
Treatment
- Consulting with the client's psychiatrist
- Referring to another provider
- Coordinating care with other treating clinicians
Payment
- Submitting insurance claims
- Providing information for coverage determinations
- Collecting payment from clients
Healthcare Operations
- Quality improvement activities
- Training staff
- Compliance activities
Required Disclosures
You must share PHI when:
- The client requests access to their records
- HHS investigates your HIPAA compliance
Authorization Required
For most other disclosures, you need written client authorization:
- Sharing with family members (with exceptions)
- Providing information for legal proceedings
- Marketing purposes
- Research (with exceptions)
Psychotherapy Notes: Extra Protection
HIPAA gives special protection to "psychotherapy notes"—personal notes kept separate from the medical record that document your impressions, analysis, and conversation details.
Psychotherapy notes can never be disclosed without authorization, even for treatment, payment, or operations—with limited exceptions (imminent harm, legal requirements).
The Security Rule: Protecting Electronic PHI
The Security Rule requires three categories of safeguards:
Administrative Safeguards
| Requirement | What It Means |
|---|---|
| Risk assessment | Identify vulnerabilities in your systems |
| Security policies | Written policies for PHI handling |
| Workforce training | Train staff on HIPAA requirements |
| Access management | Control who can access what |
| Incident procedures | Plan for responding to breaches |
Physical Safeguards
| Requirement | What It Means |
|---|---|
| Facility access | Secure your office space |
| Workstation security | Protect computers from unauthorized access |
| Device controls | Policies for laptops, phones, portable media |
Technical Safeguards
| Requirement | What It Means |
|---|---|
| Access controls | Unique user IDs, automatic logoff |
| Audit controls | Track who accesses PHI |
| Integrity controls | Protect PHI from improper alteration |
| Transmission security | Encrypt PHI in transit |
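The four technical safeguards are easier to reason about when they are seen together in one access path. The following is an added example, not code from the original guide or from any EHR product, of a small in-memory record store that enforces unique user IDs, automatic logoff after an idle period, role-based access to record fields, an audit log of every attempt (allowed or denied), and an integrity check that refuses to serve a record altered outside the write path. The 15-minute idle limit, the two roles, the field names and the client record are all assumed values constructed for the demonstration. Transmission security (TLS between client and server) is outside what an in-process example can show.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed policy value for this example; the practice's written policy sets the real figure.
IDLE_TIMEOUT = timedelta(minutes=15)

# Least-privilege map of role -> record fields that role may read or write (assumed roles/fields).
ROLE_FIELDS = {
    "therapist": {"name", "diagnosis", "session_note"},
    "billing": {"name", "diagnosis", "cpt_code"},
}

def record_digest(record):
    """Integrity control: SHA-256 over the canonical JSON form of one client record."""
    return hashlib.sha256(json.dumps(record, sort_keys=True).encode()).hexdigest()

@dataclass
class Session:
    user_id: str            # unique user ID per person; no shared logins
    role: str
    last_activity: datetime

@dataclass
class AuditEvent:
    timestamp: datetime
    user_id: str
    action: str
    client_id: str
    outcome: str            # "allowed" or "denied:<reason>"

class PHIStore:
    """In-memory stand-in for an EHR record store that enforces the four technical safeguards."""

    def __init__(self, records):
        self._records = records
        self._digests = {cid: record_digest(rec) for cid, rec in records.items()}
        self.audit_log = []  # audit control: every attempt is recorded, allowed or denied

    def login(self, user_id, role, now):
        return Session(user_id=user_id, role=role, last_activity=now)

    def _audit(self, now, session, action, client_id, outcome):
        self.audit_log.append(AuditEvent(now, session.user_id, action, client_id, outcome))

    def _authorize(self, session, action, client_id, fields, now):
        # Automatic logoff: an idle session is rejected before any PHI is touched.
        if now - session.last_activity > IDLE_TIMEOUT:
            self._audit(now, session, action, client_id, "denied:session_expired")
            raise PermissionError("session expired; log in again")
        session.last_activity = now
        # Access control: the role must be permitted every field named in the request.
        permitted = ROLE_FIELDS.get(session.role, set())
        if not set(fields) <= permitted:
            self._audit(now, session, action, client_id, "denied:field_not_permitted")
            raise PermissionError(f"role {session.role!r} may not {action} {sorted(set(fields) - permitted)}")

    def read(self, session, client_id, fields, now):
        self._authorize(session, "read", client_id, fields, now)
        record = self._records[client_id]
        # Integrity control: refuse to serve a record that was altered outside write().
        if record_digest(record) != self._digests[client_id]:
            self._audit(now, session, "read", client_id, "denied:integrity_failure")
            raise RuntimeError(f"record {client_id} failed its integrity check")
        self._audit(now, session, "read", client_id, "allowed")
        return {f: record[f] for f in fields}

    def write(self, session, client_id, updates, now):
        # Every legitimate change passes through here so the integrity baseline stays current.
        self._authorize(session, "write", client_id, list(updates), now)
        record = self._records.setdefault(client_id, {})
        record.update(updates)
        self._digests[client_id] = record_digest(record)
        self._audit(now, session, "write", client_id, "allowed")

def demo():
    """Constructed scenario; returns the audit outcomes in order so they can be checked."""
    t0 = datetime(2024, 3, 14, 9, 0)
    store = PHIStore({"c-001": {"name": "Client A", "diagnosis": "F41.1",
                                "session_note": "constructed note", "cpt_code": "90834"}})
    therapist = store.login("dr.lee", "therapist", t0)
    biller = store.login("pat.billing", "billing", t0)

    def attempt(fn, *args):
        try:
            fn(*args)
        except (PermissionError, RuntimeError):
            pass  # the denial is already in the audit log

    attempt(store.read, therapist, "c-001", ["name", "session_note"], t0 + timedelta(minutes=5))
    attempt(store.read, biller, "c-001", ["session_note"], t0 + timedelta(minutes=5))
    attempt(store.read, therapist, "c-001", ["name"], t0 + timedelta(minutes=40))
    attempt(store.write, biller, "c-001", {"cpt_code": "90837"}, t0 + timedelta(minutes=8))
    attempt(store.read, biller, "c-001", ["cpt_code"], t0 + timedelta(minutes=9))
    store._records["c-001"]["diagnosis"] = "F99"  # simulated tampering that bypassed write()
    attempt(store.read, biller, "c-001", ["diagnosis"], t0 + timedelta(minutes=10))
    return [event.outcome for event in store.audit_log]
```

Calling `demo()` walks through six attempts: the therapist's first read is allowed, the billing user's request for a session note is denied by the role map, the therapist's read 35 minutes later is denied as an expired session, the billing user's write and subsequent read are allowed because the write refreshed the integrity baseline, and the final read is denied because the diagnosis field was changed behind the store's back. Denials are logged with a reason before the exception is raised, which is what makes the audit log useful for the "track who accesses PHI" requirement.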
HIPAA Compliance Checklist for Therapists
Documentation and Policies
- Written HIPAA policies and procedures
- Notice of Privacy Practices (provided to all clients)
- Documentation of risk assessments
- Business Associate Agreements with all vendors
- Breach notification procedures
- Record retention policy (typically 7+ years for adults)
Technology
- HIPAA-compliant EHR system
- HIPAA-compliant email (or policy not to send PHI via email)
- HIPAA-compliant telehealth platform
- HIPAA-compliant texting (or policy prohibiting PHI via text)
- Encrypted devices (laptops, phones)
- Secure passwords and multi-factor authentication
- Automatic screen locks
Training
- Initial HIPAA training for yourself
- Annual refresher training
- Training for any staff (even part-time)
- Documentation of all training
Physical Security
- Secure file storage (locked cabinets)
- Private office space for sessions
- Secure disposal of paper records (shredding)
- Screen positioned away from windows/doors
HIPAA Training Requirements: What Therapists Need →
HIPAA and Your Practice Technology
EHR/Practice Management Software
Your EHR must be HIPAA-compliant and you must have a BAA with the vendor.
Questions to ask:
- Do you provide a Business Associate Agreement?
- Where is data stored? (Must be secure, typically US-based)
- Is data encrypted at rest and in transit?
- What happens to data if I cancel service?
Email
Standard email (Gmail, Yahoo, Outlook personal) is not HIPAA-compliant for sending PHI.
Options:
- Use HIPAA-compliant email service (Hushmail, Paubox)
- Don't send PHI via email (appointment reminders only, no clinical content)
- Client portal messaging within your EHR
HIPAA Compliant Email and Texting →
Telehealth Platforms
Video platforms must be HIPAA-compliant with a signed BAA.
Compliant: Doxy.me, SimplePractice Telehealth, Zoom for Healthcare, VSee
Not compliant: Regular Zoom, FaceTime, Skype consumer, Google Meet
HIPAA for Telehealth: Complete Requirements →
Texting
Standard SMS texting is not HIPAA-compliant.
Options:
- Don't text PHI (limit to "See you tomorrow at 3")
- Use HIPAA-compliant texting platform
- Use secure client portal messaging
HIPAA Compliant Email and Texting →
HIPAA and Billing
When you submit claims to insurance, you're transmitting PHI. This is a covered transaction that triggers HIPAA requirements.
What's Protected
- Client name and identifiers
- Diagnosis codes (ICD-10)
- Procedure codes (CPT)
- Dates of service
- Claim information
Billing Compliance Requirements
- Electronic claims must be transmitted securely
- Billing records must be retained per HIPAA requirements
- Clearinghouses and billing services need BAAs
- Documentation supporting claims must be secure
ICD-10 Codes for Mental Health →
Business Associate Agreements
A BAA is a contract between you (covered entity) and any vendor who handles PHI on your behalf.
Who Needs a BAA
- EHR vendor
- Telehealth platform
- Practice management software
- Billing service
- Cloud storage (if storing PHI)
- Answering service
- IT support with PHI access
- Shredding company
What a BAA Must Include
- How the BA will safeguard PHI
- Limits on PHI use and disclosure
- Breach notification requirements
- Return or destruction of PHI at contract end
- Right to terminate for violations
No BAA = HIPAA Violation
Using a service that handles PHI without a BAA is itself a HIPAA violation—even if no breach occurs.
Business Associate Agreements: Complete Guide →
Documentation Requirements
HIPAA influences how you document clinical work:
Minimum Necessary Standard
When using or disclosing PHI, limit it to the minimum necessary to accomplish the purpose. Your documentation should include what's clinically relevant—not extraneous detail.
Access and Amendment Rights
Clients have the right to:
- Access their records (you must provide within 30 days)
- Request amendments to their records
- Receive accounting of disclosures
Retention Requirements
HIPAA requires retention of certain documentation for 6 years. Many states require longer (7-10 years for adults, longer for minors). Follow the more stringent requirement.
HIPAA Compliant Documentation for Therapists →
Breach Response
A breach is unauthorized access, use, or disclosure of PHI.
What to Do If a Breach Occurs
- Contain the breach immediately
- Assess what information was affected and how many individuals
- Document everything about the incident
- Notify affected individuals (within 60 days)
- Notify HHS (timing depends on breach size)
- Notify media (if 500+ individuals in a state affected)
Breach Risk Assessment
Not every security incident is a breach requiring notification. Consider:
- Nature and extent of PHI involved
- Who accessed or received the PHI
- Whether PHI was actually viewed
- Extent to which risk has been mitigated
HIPAA Breach Response: Step-by-Step Guide →
HIPAA Violation Examples and Consequences →
Penalties for Non-Compliance
Civil Penalties
| Violation Category | Penalty Range |
|---|---|
| Unknowing | $100 - $50,000 per violation |
| Reasonable cause | $1,000 - $50,000 per violation |
| Willful neglect (corrected) | $10,000 - $50,000 per violation |
| Willful neglect (not corrected) | $50,000+ per violation |
Annual cap: $1.5 million per violation category.
Criminal Penalties
Intentional violations can result in:
- Fines up to $250,000
- Imprisonment up to 10 years
The maximum penalties apply to violations committed with intent to sell PHI or to cause harm.
Beyond Federal Penalties
- State attorney general actions
- Licensing board complaints
- Malpractice liability
- Reputational damage
- Loss of insurance panel participation
Common HIPAA Mistakes Therapists Make
- No BAA with telehealth platform — Using Zoom without healthcare plan
- Texting clinical information — "How's your anxiety today?"
- Email without encryption — Sending session notes via Gmail
- Leaving screens visible — PHI visible to others in shared spaces
- No risk assessment — Required but often skipped
- Inadequate training documentation — Training yourself isn't enough—document it
- Discussing clients in public — Elevator conversations, coffee shops
- Social media mistakes — Even vague posts about "a client today"
- Lost/stolen devices — Unencrypted laptop with client data
- Improper disposal — Throwing records in regular trash
HIPAA Violation Examples and Consequences →
Frequently Asked Questions
- Am I covered by HIPAA if I only do private pay?
- If you never transmit health information electronically for HIPAA-covered transactions (like insurance billing), you may not be a covered entity. However, state laws and licensing board requirements still mandate confidentiality protections. Most experts recommend following HIPAA standards regardless.
- Can I use regular Zoom for telehealth?
- No. Standard Zoom doesn't offer a BAA. You need Zoom for Healthcare (paid plan with BAA) or another HIPAA-compliant platform.
- What if a client texts me clinical information?
- You can't control what clients send. The issue is whether you respond with PHI and whether you've educated clients about secure communication. Document your policy and client acknowledgment.
- Do I need to encrypt my laptop?
- If your laptop contains or accesses PHI, encryption is strongly recommended. Under the Security Rule it is an "addressable" implementation specification, which means you must either implement it or document why it is not reasonable and put an equivalent alternative in place. In practice, most experts consider full-disk encryption essential.
- How long must I keep records?
- HIPAA requires 6 years for certain documentation. State laws often require longer (7-10 years for adults, until age of majority plus several years for minors). Follow the longest applicable requirement.
HIPAA compliance isn't optional—it's foundational to ethical, legal practice. Start with the basics: secure your technology, get your BAAs in place, train yourself, and document your efforts. The goal isn't perfection; it's reasonable, documented safeguards that protect your clients and your practice.