Solutions
PricingThe Golden Thread
Company
Sign inSchedule a callTry for free
Sign inTry for free
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.
The Golden Thread
Business of Therapy
Therapist Life
Clinical Academy
Clinician Spotlight
The Golden Thread

HIPAA Compliance Requirements Checklist for Therapists

Business Best Practices
 • 
May 20, 2025

HIPAA Compliance Requirements Checklist for Therapists

Vivian Chung Easton, LMFT, CHC
Clinical Product Lead @ Blueprint
Share this article

In Brief

If you're a therapist, you’ve likely heard of HIPAA, the Health Insurance Portability and Accountability Act, but truly understanding what it requires (and how it applies to your daily work) can feel overwhelming. With the increasing use of telehealth platforms, digital note-taking, cloud storage, and even AI tools in therapy practices, safeguarding your clients' privacy isn’t just important—it’s essential.

We put together this guide and checklist to help demystify HIPAA, ease your worries, and walk you through the core concepts and compliance requirements step by step. We’ll break everything down into straightforward language and offer a practical checklist so you can feel confident and informed. 

Even if you already have some knowledge of HIPAA, the technical language and detailed rules can be intimidating. Don’t worry, you’re not alone, and it doesn’t have to be complicated. By the end of this article, you’ll have a clearer understanding of what HIPAA means for your practice and how to stay compliant without stress. Let’s start by looking at a few fundamental concepts every therapist should understand to protect client confidentiality and build a compliant practice.

Core Concepts Therapists Must Know About HIPAA

What is PHI (Protected Health Information)?
Protected Health Information, or PHI, includes any health-related information that can be linked to an individual. This could be anything from medical records and therapy notes to billing details or appointment dates—whether it’s spoken, written, or stored electronically. If the information identifies a client and relates to their health care, it’s considered PHI.

Covered Entities vs. Business Associates
Understanding your role under HIPAA is essential. Most therapists fall under the category of “covered entities,” which means they are directly responsible for complying with HIPAA regulations. On the other hand, services you might hire, like billing companies, transcription services, or cloud-based record systems, are typically “business associates.” They also have HIPAA responsibilities. One of your roles as a covered entity is to ensure you have a contract signed with any business associate you hire. These contracts are called business associate agreements (BAA) and they are required to maintain HIPAA  

The Minimum Necessary Rule
This rule is all about sharing information thoughtfully. Even when you have signed permission to share PHI with other professionals involved in a client’s care, HIPAA requires that you disclose only the minimum amount necessary to get the job done. For example, if you are speaking to a case manager who is asking about the client’s attendance to treatment, you would not share about the client’s diagnosis or treatment goals. It’s a principle of restraint that reinforces your client’s right to privacy, and it applies to both internal and external communications.

HIPAA Compliance in Daily Practice: What You Need to Secure

HIPAA compliance affects various aspects of your daily practice. Here are the key areas you need to focus on:

  • Client Records: Keep both paper and digital records containing PHI private and secure. Store physical records in locked cabinets and use encryption for electronic files.
  • Communication Tools: Ensure that email, phone, texting, and client portals used for communication meet HIPAA standards. Choose secure, encrypted platforms and obtain client consent for electronic communication.
  • Telehealth Platforms: As virtual care becomes more common, make sure your telehealth platform complies with HIPAA, using end-to-end encryption, strong authentication, and access controls. Regularly update software and perform security audits.
  • Billing and Insurance Interactions: Safeguard client PHI when submitting claims or dealing with insurance companies. Follow minimum necessary standards and use secure transmission methods.
  • Third-Party Vendors: Thoroughly evaluate billing services, EHRs, transcription tools, and other vendors that handle PHI. Ensure they comply with HIPAA and sign Business Associate Agreements (BAAs) outlining their responsibilities to protect client data.

Keep in mind, HIPAA compliance is a continuous process, not a one-time task. Regularly train any staff, update your policies, and stay informed about the latest HIPAA guidelines to maintain compliance and protect your clients' privacy.

Common Pitfalls and Gray Areas

While HIPAA provides clear guidelines, some areas can be tricky to handle. Here are some common pitfalls and gray areas that therapists should keep in mind:

  • Emailing with clients: Encrypted email services are necessary for HIPAA compliance when communicating with clients. However, even with encryption, avoid including PHI in subject lines and obtain client consent before using email for sensitive discussions. When in doubt, choose secure client portals or phone calls instead.
  • Group practices and shared access to records: In group practices, ensure that access to client records is granted only when necessary. Implement role-based access controls and regularly review permissions to maintain the minimum necessary standard. Establish clear policies for sharing client information within the practice.
  • Using AI or apps: As AI-powered tools and mental health apps gain popularity, carefully evaluate their HIPAA compliance before bringing them into your practice. Look for tools that encrypt data, have secure authentication, and sign BAAs. Be open with clients about the use of these technologies and obtain their written informed consent.
  • Personal devices and HIPAA risks: Using personal smartphones, tablets, or computers for work can introduce HIPAA risks. If personal devices must be used, implement strong security measures such as encryption, password protection, and remote wipe capabilities. 

Staying HIPAA compliant requires ongoing effort and adaptation as technology evolves. Regularly assess your practices and seek advice from HIPAA experts or legal counsel when needed to handle these gray areas effectively.

Documentation and Disclosure Best Practices

When addressing HIPAA compliance, proper documentation and disclosure practices are very important. Here's what you should keep in mind:

  • HIPAA-compliant release of information forms: Your release of information (ROI) forms need to include clear patient identification, a detailed description of the PHI being disclosed, the purpose of the disclosure, recipient information, and a statement about the right to revoke authorization. Use straightforward language and ensure the patient or their representative signs and dates the form. Typically, these forms are valid for one year from the date of signing unless permissions are revoked first.
  • Tracking authorizations and revocations: Set up a system to track client authorizations, expiration dates, and revocations. This could be a spreadsheet, database, or your EHR's built-in functionality. Record the date of authorization, the specific PHI authorized for release, the purpose, and the recipient. If a client revokes their authorization, update your records immediately.
  • Handling record requests: When clients or third parties request records, verify their identity and authority to access the PHI. If it's a third party, ensure you have a valid authorization from the client. Provide only the minimum necessary information to fulfill the request. Keep a record of all disclosures, including the date, the recipient, and the purpose.
  • Communicating with family members: Be cautious when discussing a client's PHI with family members. Generally, you need the client's authorization to disclose information. However, there are limited exceptions, such as when the client is present and gives verbal permission, or when sharing information is needed for safety purposes. Always use your professional judgment and document any disclosures.
  • Responding to subpoenas: Before releasing any information in response to a subpoena, consult with legal counsel, such as through your liability insurance provider, to ensure that the release complies with both legal and ethical standards, including patient confidentiality.

The key to HIPAA compliance lies in maintaining clear, thorough documentation and being careful with disclosures. Regularly review your policies and procedures to ensure they follow the latest HIPAA regulations and best practices.

The HIPAA Checklist for Therapists

To help you manage the complexities of HIPAA compliance, we've created an easy-to-follow checklist. This checklist covers five main areas: physical and digital security, documentation and disclosures, vendor and tool compliance, client communication and consent, and planning for breach prevention and response.

Physical and Digital Security

  • Secure physical records: Keep paper files containing PHI in locked cabinets or rooms with limited access.
  • Encrypt electronic PHI: Apply encryption to all electronic devices and systems that store or send PHI, including computers, laptops, smartphones, and tablets.
  • Implement access controls: Use unique user IDs, strong passwords, and role-based access to restrict PHI access to authorized individuals.

Documentation and Disclosures

  • Maintain updated policies: Develop and regularly review HIPAA policies and procedures, including those for PHI use, disclosure, and patient rights.
  • Obtain valid authorizations: Ensure you have valid, signed authorization forms before sharing PHI with third parties, unless an exception applies.
  • Track disclosures: Keep a record of all PHI disclosures, noting the date, recipient, and purpose of each disclosure.

Vendor and Tool Compliance

  • Evaluate third-party compliance: As much as possible, assess the HIPAA compliance of all vendors and tools that manage PHI on your behalf, such as EHRs, billing services, and telehealth platforms.
  • Execute BAAs: Sign business associate agreements (BAAs) with all vendors that access, process, or store PHI to ensure they meet HIPAA requirements.

Client Communication and Consent

  • Provide notice of privacy practices: Give clients a clear, written notice explaining how their PHI will be used, shared, and protected.
  • Obtain informed consent: Inform the client about your policies surrounding PHI and secure written client consent around the use and sharing of their PHI, including for treatment, payment, and healthcare operations.
  • Communicate securely: Use secure, encrypted methods for sharing PHI with clients, such as secure email or client portals.

Breach Prevention and Response Plan

  • Conduct risk assessments: Regularly assess risks to identify potential vulnerabilities and threats to PHI security.
  • Develop a breach response plan: Create a detailed plan outlining steps to take if a PHI breach occurs, including notification procedures and mitigation measures.
  • Train staff: Provide ongoing HIPAA training to all staff members to ensure they know their roles and responsibilities in protecting PHI and preventing breaches.

Remember, this checklist serves as a starting point. Adapt it to your practice needs and keep up with the latest HIPAA regulations and best practices to ensure compliance and safeguard your clients' privacy.

What To Do If There's a Breach or Violation

Even with the best efforts to maintain HIPAA compliance, breaches can still happen. Whether it's a lost device, an unauthorized disclosure, or an email sent to the wrong recipient, having a plan to respond quickly and effectively is important. Here's a step-by-step guide on what to do if you experience a HIPAA breach or violation:

  1. Contain the breach: Act immediately to stop the breach from continuing. This may involve shutting down affected systems, revoking access, or securing any compromised data.
  2. Assess the scope: Determine the extent of PHI involved in the breach and compare it to national reporting standards. This will help you decide if you need to report the breach to the Department of Health and Human Services (HHS).
  3. Notify affected individuals: If the breach involves unsecured PHI, notify affected individuals as soon as possible, and no later than 60 days after discovering the breach. The notice should include a description of what happened, the types of PHI involved, and steps individuals can take to protect themselves.
  4. Report to HHS: If the breach affects 500 or more individuals, report it to HHS within 60 days of discovery. For smaller breaches, you can submit an annual report.
  5. Investigate and mitigate: Conduct a thorough investigation to find out the cause of the breach and take steps to prevent similar incidents in the future. This may involve updating policies, providing additional training, or implementing new security measures.

Having a written Breach Response Policy is important for handling these situations effectively. Your policy should outline clear procedures for containing breaches, notifying affected parties, and reporting to HHS. Regularly review and update your policy to ensure it remains current and comprehensive.

Responding to a HIPAA breach can be stressful, but by following these steps and having a solid plan in place, you can reduce the impact on your clients and your practice.

Key Takeaways

While a HIPAA compliance checklist serves as a helpful tool for therapists, it's only the beginning of fostering a culture of compliance within your practice. Compliance should be an ongoing mindset, not just a one-time task. Here are some key strategies to cultivate a compliance culture:

  • Promote ethical, secure care: Make compliance a core value in your practice. Regularly communicate its importance to your team and lead by example.
  • Stay updated with changing rules: HIPAA regulations, especially those related to technology, can change over time. Commit to staying informed about updates and adjusting your policies accordingly.
  • Provide continuous training: Offer regular HIPAA training to your staff, ensuring they understand their roles in maintaining compliance. Make training engaging and relevant to their daily work.
  • Implement clear policies: Develop clear, accessible HIPAA policies that outline expectations and procedures for handling PHI. Update these policies regularly to reflect best practices.
  • Encourage open communication: Motivate your team to ask questions and report potential compliance issues without fear of retaliation. Create a safe, transparent environment for discussing HIPAA matters.
  • Use technology wisely: As you adopt new technologies like AI and telehealth tools, prioritize HIPAA compliance in your selection and implementation processes.

Remember, various resources are available to support your HIPAA compliance efforts. The Department of Health and Human Services (HHS) offers valuable guidance and updates. Professional organizations like the American Psychological Association (APA) provide HIPAA resources tailored to mental health professionals. Your professional liability insurance provider may also offer risk management resources and support.

Building a culture of compliance takes time and ongoing effort, but it's vital for protecting your clients' privacy and maintaining the integrity of your practice. By making HIPAA compliance a daily priority and staying committed to ethical, secure care, you can create a practice environment that inspires trust and supports your clients' well-being.

Conclusion

Share this article

Citations

About the Author

Vivian Chung Easton is the Clinical Product Lead at Blueprint, a leading therapist enablement technology platform. A licensed clinician (LMFT) with over a decade of experience in nonprofit community mental health and digital health, she is also certified in healthcare compliance (CHC). Vivian leverages prompt engineering to enhance the quality and precision of clinical notes, ensuring they meet the highest standards of accuracy, compliance, and usability. Her work bridges clinical excellence with operational integrity, driving innovation in mental and behavioral health services.

You might also like
Business Best Practices
 • 
May 2025
Therapist Strategies for Reducing No Shows
Business Best Practices
 • 
May 2025
Agitation ICD-10: Understanding Clinical Applications and Diagnostic Considerations for Mental Health Professionals
Business Best Practices
 • 
May 2025
Autism Spectrum Disorder ICD-10: A Comprehensive Guide for Mental Health Professionals
Business Best Practices
 • 
May 2025
ICD-10 Code F23: A Clinical Guide to Brief Psychotic Disorder and Acute Psychosis 
Subscribe to The Golden Thread

The business, art, and science of being a therapist.

Subscribe to The Golden Thread and get updates directly in your inbox.
By subscribing, you agree to receive marketing emails from Blueprint.
We’ll handle your info according to our privacy statement.

You’re subscribed!

Oops! Something went wrong while submitting the form.

Blueprint automates progress notes, drafts smart treatment plans, and surfaces actionable insights before, during and after every client session.

team@blueprint.ai

Certifications

HIPAA Compliant
PHIPA Compliant
Type 2 Compliant
256-Bit Encryption
PrivacyTerms
© 2025 Blueprint. All Rights Reserved.