
HIPAA Compliance Tracking for Therapy Practices: A Practical Guide (2026)

Therapy practices handle some of the most sensitive protected health information in healthcare. Mental health records, diagnoses, treatment notes, and session content carry a privacy weight that routine medical records often don't. A breach of mental health PHI doesn't just create regulatory exposure — it can cause direct harm to patients whose diagnoses, medications, or treatment histories were never meant to be disclosed to employers, family members, or the general public.

This is why HIPAA compliance for therapy practices isn't just a regulatory checkbox. It's a professional and ethical obligation that aligns directly with therapeutic relationships built on trust and confidentiality.

Yet many therapy practices — particularly independent therapists, small group practices, and behavioral health groups — operate with minimal HIPAA documentation. The compliance gap isn't usually intentional. It's the result of clinicians focused on clinical work, administrative staff stretched thin, and compliance systems that feel like they were designed for hospital systems rather than a five-therapist practice.

This guide covers what HIPAA compliance tracking looks like for therapy practices, the specific compliance risks the behavioral health setting creates, and how to build a defensible compliance program that doesn't require a full-time compliance staff.


Why Therapy Practices Face Unique HIPAA Risks

Psychotherapy Notes Have Heightened HIPAA Protections

HIPAA's Privacy Rule includes special protections for psychotherapy notes that go beyond standard PHI. Psychotherapy notes — defined as notes recorded by a mental health professional in the process of a counseling session that are kept separately from the rest of the patient's medical record — receive stronger protections:

  • Patients generally cannot access psychotherapy notes under HIPAA's access rights (the right to access doesn't extend to psychotherapy notes in most cases)
  • Using or disclosing psychotherapy notes requires specific written authorization beyond a standard treatment release, with limited exceptions
  • Insurance companies generally cannot require psychotherapy notes for payment authorization

What this means for compliance tracking: Your practice needs clear written policies distinguishing psychotherapy notes from general therapy records, and documentation showing how psychotherapy note access, storage, and disclosure are controlled differently from other records.

Multiple Communication Channels Create PHI Exposure

Therapy practices communicate with patients across channels that create HIPAA exposure: phone messages confirming appointments, secure messaging through patient portals, text appointment reminders, and email exchanges about scheduling, insurance, and treatment progress.

Each of these channels requires documented policies:

  • How does your answering machine message avoid disclosing PHI to someone who is not the patient?
  • What is your policy for communicating with patients via text or email?
  • What level of clinical information can be shared in messaging that might be seen by a household member?

The minimum necessary standard requires staff to limit PHI disclosure to what's needed. A voicemail confirming "your therapy appointment tomorrow at 3pm" may be appropriate; a voicemail saying "your appointment with Dr. Smith at the anxiety treatment center tomorrow at 3pm" may disclose PHI the patient didn't want disclosed to others in their household.

Telehealth Expands the Attack Surface

The shift to telehealth during and after the pandemic dramatically expanded the ePHI surface area for therapy practices. Video sessions conducted through HIPAA-compliant platforms are one thing; the surrounding infrastructure — appointment scheduling systems, billing, secure messaging, session recordings where enabled — creates additional compliance requirements.

HIPAA requires a Business Associate Agreement with any telehealth platform used for clinical services. The platform's own HIPAA compliance doesn't satisfy your obligation to have a BAA in place.

Mandated Reporting Creates Privacy Rule Complexity

Therapy practices navigate mandatory reporting obligations (child abuse, elder abuse, threats of harm) that require disclosures of PHI without patient authorization. HIPAA permits these disclosures but requires that the minimum necessary information be disclosed and that the disclosure be documented in the patient record.

Staff training for therapy practices must include the specific scenarios where PHI can be disclosed without authorization, how to document those disclosures, and when to involve clinical supervision in the decision.


What HIPAA Compliance Tracking Looks Like for Therapy Practices

Training Tracking

Therapy practices must train all workforce members on HIPAA policies and procedures at hire and annually thereafter. Workforce includes:

  • Licensed therapists (all license types: LCSW, LPC, LMFT, PhD, PsyD)
  • Unlicensed clinical staff (associates, interns, trainees)
  • Administrative staff (schedulers, billing staff, front desk)
  • Contracted billing services (if they are workforce, not Business Associates)

What to track:

  • Date training was completed
  • Training content covered (initial vs. refresher, Security Rule vs. Privacy Rule, telehealth-specific)
  • Staff name and role
  • Attestation or signature confirming completion

Compliance software like HIPAAGuard handles training assignment by role, tracking completions with timestamps, and generating documentation reports for audit preparation. Manual tracking via spreadsheet creates gaps — staff turnover, partial completions, and annual reminders that get missed.

Risk Assessment Tracking

The Security Risk Analysis isn't a one-time event. For therapy practices, it should be reviewed and updated when:

  • You add or change your EHR/practice management software
  • You implement telehealth or switch telehealth platforms
  • You add a new office location
  • Clinical staff begin accessing records remotely or on personal devices
  • A staff member leaves with access credentials to clinical systems

What to track:

  • Date the initial SRA was conducted
  • Risk assessment findings and risk levels assigned to each identified risk
  • Remediation actions taken (what was done to reduce each identified risk)
  • Review dates for subsequent annual reviews

Business Associate Agreement Tracking

Therapy practices typically work with more Business Associates than clinicians realize. A BAA inventory should track:

| Vendor Type | Examples | BAA Required? |
|-------------|----------|---------------|
| EHR / practice management | SimplePractice, TherapyNotes, TheraNest | Yes |
| Telehealth platform | Doxy.me, Zoom for Healthcare, VSee | Yes |
| Billing services | Insurance billing companies, clearinghouses | Yes |
| Cloud storage | Google Workspace (Business), Microsoft 365 | Yes (via BAA addendum) |
| IT support | Any company with access to clinical systems | Yes |
| Patient communication | Appointment reminder services, patient portals | Yes |
| Credit card processing | If integrated with patient records | Depends on data access |

Track BAA status for each vendor: which BAs have signed agreements, when each agreement was executed, and when it should be reviewed (typically when contracts renew or vendor services change significantly).

Incident and Breach Tracking

Every incident that might involve unauthorized access to or disclosure of PHI should be logged, even if the ultimate determination is that it's not a reportable breach. The documentation of your incident response — how you identified the event, what the four-factor risk assessment concluded, and what action you took — is what demonstrates compliance to OCR.

Incidents to log in a therapy practice:

  • Patient calls to report they received another patient's communication
  • Staff member sends clinical note to wrong patient
  • Voicemail left with PHI for an unintended recipient
  • Lost or stolen laptop or phone containing patient records
  • Staff accessing records of patients who are not their own clients
  • Vendor data breach notification where patient PHI may have been affected

Building a HIPAA Compliance Program for Your Therapy Practice

Step 1: Conduct Your Security Risk Analysis

Start with the SRA. Map all the places ePHI exists in your practice: EHR database, telehealth platform, email, cloud storage, billing system, session recordings where applicable. Assess threats and vulnerabilities to each. Document the findings.

This doesn't require a technical background. Compliance platforms guide you through the assessment with structured questionnaires. What matters is that the analysis is documented and proportionate to your actual environment.

Step 2: Adopt Written Policies for Therapy-Specific Scenarios

Your policies should address:

  • Psychotherapy notes: definition, storage, access controls, disclosure rules
  • Telehealth: HIPAA-compliant platform requirements, session privacy, recordings
  • Communication: phone/text/email policies, voicemail guidelines, minimum necessary standard
  • Mandatory reporting: when disclosure is permitted, how to document
  • Remote access: policies for staff accessing records from outside the office
  • Business Associate management: BAA requirement for all vendors

Step 3: Train Your Full Workforce

Therapy practices often train licensed clinicians while overlooking administrative staff, interns, and associates. The Privacy Rule violation risk is often highest at the front desk, not in the clinical session. Train everyone, document completion, and run annual refreshers.

Step 4: Implement Tracking Systems

Use compliance software to maintain:

  • Training completion log
  • Risk assessment and remediation records
  • BAA inventory
  • Incident/breach log

The tracking systems must be maintained over time, not just created once. Software that sends reminders, tracks due dates, and generates compliance reports makes maintenance sustainable for a small practice without compliance staff.
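The four logs in Step 4 are a data problem before they are a software purchase. As an added illustration (not HIPAAGuard's, any EHR vendor's, or this guide's own code), the Python below keeps a training log with the fields listed under Training Tracking and a BAA inventory with the fields from the BAA table, then reports who is overdue for the annual refresher and which required BAAs are unsigned or due for review. All staff names, vendor names and dates are constructed, and the 365-day BAA review cadence is an assumption of the example, not a rule stated on this page.

```python
# Added illustration of the Step 4 training log and BAA inventory checks; not HIPAAGuard or EHR code.
from datetime import date, timedelta
REFRESH_DAYS = 365  # training "at hire and annually thereafter"; reused as the BAA review cadence
TODAY = date(2026, 1, 10)  # constructed "as of" date for the sample run

# Constructed training log rows: (staff, role, completed, content, attested)
TRAINING_LOG = [
    ("A. Lopez", "LCSW", date(2025, 3, 1), "refresher", True),
    ("J. Kim", "front desk", date(2024, 1, 15), "initial", True),
    ("M. Chen", "intern", date(2025, 9, 2), "initial", False),  # completed, but no signed attestation
]
WORKFORCE = ["A. Lopez", "J. Kim", "R. Patel", "M. Chen"]  # full roster, interns included
# Constructed BAA inventory rows: (vendor, vendor type, BAA required, date BAA executed or None)
VENDORS = [
    ("EHR vendor", "EHR / practice management", True, date(2025, 6, 1)),
    ("Video platform", "Telehealth platform", True, None),
    ("IT contractor", "IT support", True, date(2024, 11, 1)),
    ("Card processor", "Credit card processing", False, None),
]

def training_gaps(log, workforce, today):
    """Return (staff, reason) for each roster member lacking current, attested training."""
    latest = {}  # staff -> most recent attested completion date
    for staff, _role, completed, _content, attested in log:
        if attested and completed > latest.get(staff, date.min):
            latest[staff] = completed
    gaps = []
    for staff in workforce:  # walk the roster, so a hire with no record is not silently skipped
        done = latest.get(staff)
        if done is None:
            gaps.append((staff, "no attested training on file"))
        elif (today - done).days > REFRESH_DAYS:
            gaps.append((staff, f"refresher overdue since {done + timedelta(days=REFRESH_DAYS)}"))
    return gaps

def baa_gaps(vendors, today):
    """Return (vendor, reason) for required BAAs that are unsigned or past their review date."""
    gaps = []
    for name, _vtype, required, executed in vendors:
        if not required:
            continue
        if executed is None:
            gaps.append((name, "BAA required but not executed"))
        elif (today - executed).days > REFRESH_DAYS:
            gaps.append((name, f"BAA executed {executed}, due for review"))
    return gaps

if __name__ == "__main__":
    for item, reason in training_gaps(TRAINING_LOG, WORKFORCE, TODAY) + baa_gaps(VENDORS, TODAY):
        print(f"{item}: {reason}")
```

Two design points carry over to any real tracker: iterate the full roster rather than the log, so an intern who was never trained shows up as a gap, and give no credit for a completion without a signed attestation, since the attestation is what an OCR reviewer will ask for.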


Compliance Software for Therapy Practices

HIPAAGuard

HIPAAGuard is designed for independent practices and small healthcare groups, making it well-suited for therapy practices of 1-20 clinicians. The platform handles the full compliance program: risk assessment, policy library, training tracking, BAA management, and incident logging.

For therapy practices specifically, HIPAAGuard includes:

  • Training modules that address behavioral health-specific scenarios
  • Policy templates that cover telehealth and psychotherapy notes
  • Role-based training assignment (licensed clinicians vs. administrative staff)
  • Flat-rate pricing that doesn't penalize practices for having large intern or trainee cohorts

Pricing: Free (1 provider) | $89/month flat rate

SimplePractice / TherapyNotes HIPAA Features

EHR platforms built for therapy (SimplePractice, TherapyNotes, TheraNest) include built-in HIPAA-compliant infrastructure for session notes, secure messaging, and telehealth. They are Business Associates, not compliance tools — they don't manage your risk analysis, training documentation, or BAA inventory. Use them as your EHR; use a separate compliance platform for program management.


Frequently Asked Questions

Does HIPAA apply to private-pay-only therapists?

If a therapist never submits electronic claims to insurance companies and never transmits PHI electronically in connection with standard HIPAA transactions, they may not technically qualify as a covered entity. However, many private-pay-only therapists still submit insurance through clients' out-of-network claims, use electronic scheduling systems, or communicate via email in ways that create ePHI. Additionally, many therapy licensing boards have their own confidentiality requirements that parallel HIPAA's standards. Most therapy practices are better served by implementing HIPAA-aligned practices regardless of technical covered entity status.

Can parents access their minor child's therapy records?

This is one of the most complex areas in therapy practice privacy law, and the answer depends on state law, the nature of the treatment, and the minor's age. HIPAA defers to state law on minor patient privacy in many situations. The bottom line for compliance: your practice needs written policies governing minor patient records and parent access, and those policies need to be consistent with your state's specific law.

What if a patient asks me to fax records to their new therapist?

A patient request for records disclosure is an authorization from the patient — you can disclose pursuant to the authorization. Use the minimum necessary information relevant to the referral. If faxing, use a HIPAA-compliant fax service (not a generic online fax service without a BAA) and include a standard HIPAA confidentiality notice.

How do we handle HIPAA compliance for therapy interns and trainees?

Interns and trainees are workforce members under HIPAA when they are under your practice's supervision and accessing patient records. They require the same HIPAA training as licensed staff. Their access to records should be limited to the cases under their supervision, with access controls that prevent access to unassigned cases. Track their training completions the same way you track licensed staff.

Our group practice has different clinicians who each handle their own compliance. Is that okay?

No. HIPAA compliance is a practice-level obligation, not an individual clinician obligation. The covered entity is the practice, not the individual therapist. The practice must have a unified compliance program that applies to all clinicians operating under its umbrella — even if each clinician operates with significant autonomy. Individual clinicians can be designated as Privacy Officer or Security Officer, but there must be a single documented compliance program for the practice entity.