HIPAA compliance isn't optional for therapy practices. It's the law, it protects your clients, and it protects you — a single breach can cost tens of thousands of dollars in OCR penalties and expose you to civil liability. For solo therapists, the compliance burden can feel overwhelming, partly because the official HIPAA materials are written for hospital administrators, not a person running a one-person practice from a home office or small suite.
This guide cuts through that noise. It's written for solo therapy practices specifically — what HIPAA actually requires of you, which parts are automated by modern EHR systems, and which parts you have to handle yourself. The checklist at the end gives you a clear yes/no way to assess your current compliance posture.
In This Article
- What HIPAA Compliance Means for Solo Therapy Practices
- The 6 Areas of a Therapy Practice That HIPAA Covers
- Physical Security: Office, Devices, and Paper Records
- Digital Security: EHR, Email, Messaging, and Cloud Storage
- Administrative Safeguards: BAAs, Training, and Policies
- Full Compliance Checklist (Interactive)
- What PractiCalm Handles Automatically vs. What You Must Do
- Common HIPAA Violations for Therapists (and How to Avoid Them)
What HIPAA Compliance Means for Solo Therapy Practices
HIPAA — the Health Insurance Portability and Accountability Act — is a federal law that sets national standards for protecting sensitive health information. As a therapist, you're considered a "covered entity" the moment you store, process, or transmit any Protected Health Information (PHI). This includes client names, appointment dates, clinical notes, diagnosis codes, insurance information, and anything else that can be used to identify a client in connection with their mental health care.
The Privacy Rule covers how you use and disclose PHI. The Security Rule covers the technical and physical safeguards required to protect it. The Breach Notification Rule requires you to report unauthorized disclosures. The Enforcement Rule gives HHS the authority to investigate and impose penalties.
For solo therapists, the most actionable rule is the Security Rule, which breaks down into three categories: administrative safeguards (policies, training, risk assessments), physical safeguards (workstation security, device locks, paper record storage), and technical safeguards (encryption, access controls, audit trails).
Who enforces this? The HHS Office for Civil Rights (OCR) investigates HIPAA complaints and breaches. In 2025, OCR settled or imposed civil monetary penalties totaling over $40 million across healthcare providers — including small practices. The minimum penalty for a violation stemming from willful neglect is $10,000 per violation category, per year. Don't assume "I'm small" means "no one will notice."
The good news: HIPAA compliance for a solo practice is manageable. Most of the technical requirements are satisfied by using a HIPAA-compliant EHR, encrypted email, and proper device management. The administrative requirements — a risk assessment, policies, and training — take time but are one-time investments. This guide covers all of it.
The 6 Areas of a Therapy Practice That HIPAA Covers
HIPAA doesn't just cover your clinical notes. It covers every surface where PHI might exist in your practice. Here's a map of the six areas that matter for solo therapists:
Physical Office / Space
Where you conduct sessions and store records — includes office layout, visitor access, record storage.
Devices and Workstations
Laptops, phones, tablets used for clinical work — includes screens, hard drives, and removable media.
Digital Systems and EHR
Your electronic health record, billing software, and any cloud-based storage where PHI lives.
Communication Channels
Email, text messaging, client portal, and any digital communication involving client information.
Administrative and Policies
Risk assessments, security policies, training records, and business associate agreements.
Paper Records and Faxes
Any physical documents containing PHI — including superbills, session notes, and lab results.
Most solo therapists think "I have an EHR, so I'm compliant." That's only one of six areas. The next sections break down what you need to do in each one.
Physical Security: Office, Devices, and Paper Records
Physical security is often the most overlooked area of HIPAA compliance for solo practices — partly because it seems obvious once you think about it, yet it is easy to forget when you're focused on the clinical and business side of building your practice.
Office and Workspace
Whether you practice from a dedicated office, a shared suite, or a room in your home, the physical space where client information exists needs to be reasonably protected:
- Private workspace: If you work from home, set up your office in a space that's physically separate from common household areas. A dedicated room with a door that locks is the standard expectation. This protects against incidental disclosure — a family member seeing a client file, for instance.
- Sound privacy: The room should be sufficiently private that conversations inside can't be overheard by people outside. This applies especially if your office is in a shared building.
- Visitor and contractor access: If you have maintenance staff, cleaning personnel, or anyone else who might enter your workspace, they should not have unsupervised access to areas where client records (paper or electronic) are visible.
- Sign-in sheets and lobby areas: If you have a waiting area, client names should not be visible on a sign-in sheet in the open. Use a numbering system or just ask clients to announce themselves rather than write their name on a public list.
Devices and Workstations
Your laptop, phone, and any device that accesses client information must have basic protections:
- Automatic screen lock: Set devices to lock after no more than 5–10 minutes of inactivity. Configure this in your OS settings — it's free and required.
- Device passwords: Require a password, PIN, or biometric to unlock any device that accesses client records. No exceptions for "it's just my phone."
- Full-disk encryption: Both macOS (FileVault) and Windows (BitLocker) offer free built-in full-disk encryption. If a laptop is stolen, encryption is what protects the data from being accessed. Enable it.
- Remote wipe capability: Set up Find My (iPhone/iPad/Mac) or Find My Device (Android/Windows) so you can remotely wipe a lost or stolen device. This is especially important for phones, which are easily lost.
- No shared devices for clinical work: If you share a family computer, don't use it for accessing your EHR or writing session notes. Keep clinical work on a dedicated, encrypted device.
Paper Records
If you maintain any paper records — and many practices still do, at least partially — they need the same protection standards as digital records:
- Locked storage: Paper records should be stored in a locked cabinet or room. If you have a home office, a fireproof locking file cabinet is standard.
- Shredding policy: Any paper containing client information that you discard must be cross-cut shredded. A basic strip-cut shredder does not adequately protect against reconstruction. Standard for solo practices: get a cross-cut shredder and use it consistently.
- Record retention schedules: Most states require keeping clinical records for 5–7 years after the last contact (varies by state and record type — check your state licensing board). Keep records beyond the minimum as long as there's no compelling reason to destroy them. When you do dispose of them, shred first.
Digital Security: EHR, Email, Messaging, and Cloud Storage
Digital security is where solo therapists are most likely to have gaps. The technical requirements in the HIPAA Security Rule are specific, but they're achievable with the right software and habits.
HIPAA-Compliant EHR
The single biggest compliance decision you'll make is your EHR. Not all EHRs are HIPAA-compliant — the software must meet specific technical standards for access control, audit logging, transmission security, and contingency planning. If your current EHR doesn't explicitly state HIPAA compliance, it probably doesn't meet the requirements.
What HIPAA compliance means for an EHR:
- Access controls: Role-based logins so each user has exactly the access they need (no shared credentials)
- Audit logging: Every access, edit, and export of client records is logged and immutable
- Encryption in transit: All data transmitted between your device and the EHR server is encrypted (TLS 1.2+)
- Encryption at rest: Data stored on the EHR's servers is encrypted
- Business Associate Agreement (BAA): The EHR vendor signs a BAA agreeing to protect PHI to the same standard you're legally bound to
- Breach notification: The vendor notifies you if they experience a breach affecting your data
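To make "logged and immutable" concrete, here is an added example of a tamper-evident audit log of the kind an EHR keeps for every view, edit and export of a client record. This is illustration code written for this guide, not PractiCalm's or any vendor's implementation; the user and record identifiers are made up. Each entry's hash covers the hash of the entry before it, so changing or deleting a past access breaks every hash after it.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed example of a hash-chained, append-only audit log for EHR
# record access. Every entry's hash covers the previous entry's hash, so a
# modified or deleted entry invalidates the chain from that point on.
# Not PractiCalm's code; user and record identifiers are made up.

GENESIS = "0" * 64            # chain anchor used before the first entry
ACTIONS = ("view", "edit", "export")


def _entry_hash(prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible.
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []     # each item: {"entry": {...}, "hash": "<hex>"}

    def append(self, user_id, action, record_id, ts=None):
        if action not in ACTIONS:
            raise ValueError("unknown audit action: %r" % action)
        entry = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user_id,
            "action": action,
            "record": record_id,
        }
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        self.entries.append({"entry": entry, "hash": _entry_hash(prev, entry)})
        return self.entries[-1]["hash"]

    def verify(self):
        """Return (True, None) if intact, else (False, index of first bad entry).

        Catches edits, deletions and insertions anywhere in the log. Silently
        dropping the *last* entries is only detectable if the latest hash is
        also recorded somewhere the log writer cannot alter (for example,
        copied to a separate system each day)."""
        prev = GENESIS
        for i, item in enumerate(self.entries):
            if item["entry"]["seq"] != i or _entry_hash(prev, item["entry"]) != item["hash"]:
                return False, i
            prev = item["hash"]
        return True, None

    def accesses_by(self, user_id):
        """The audit-trail question a practice owner asks: what did this user touch?"""
        return [e["entry"] for e in self.entries if e["entry"]["user"] == user_id]


def demo():
    """Build a small log, then show that rewriting an export as a view is detected."""
    log = AuditLog()
    log.append("therapist-01", "view", "client-0042", ts="2026-01-05T14:02:00+00:00")
    log.append("therapist-01", "edit", "client-0042", ts="2026-01-05T14:10:00+00:00")
    log.append("billing-svc", "export", "client-0042", ts="2026-01-06T09:00:00+00:00")
    intact = log.verify()
    log.entries[2]["entry"]["action"] = "view"   # attempt to hide the export
    return intact, log.verify()


if __name__ == "__main__":
    print(demo())   # ((True, None), (False, 2))
```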
When evaluating an EHR, ask the vendor directly: "Do you sign Business Associate Agreements?" If the answer is no, that's a disqualifier. If the vendor doesn't know what a BAA is, that's a worse disqualifier.
See our full comparison of the best EHR systems for solo therapy practices in 2026, including which platforms meet HIPAA requirements and which don't.
Email and Text Messaging
This is where solo therapists most frequently run into compliance risk. Regular email and text messaging are not HIPAA-compliant unless specific conditions are met.
Regular email and text = not HIPAA compliant by default
Your standard Gmail, Outlook, and SMS texting are not HIPAA-compliant communication channels for PHI. Sending a client their appointment reminder with their name on it via unencrypted SMS is a HIPAA violation. This applies to any communication that contains identifiable client information.
Encrypted email: If you need to communicate with clients via email (appointment reminders, general information, document sharing), use a HIPAA-compliant email service or a client portal. HIPAA-compliant email services (like Paubox, Hushmail, or Virtru) encrypt messages in transit and at rest, and sign BAAs. If you're sending intake forms or clinical documents via email, this is required.
Client portal: The simplest solution for solo practices is to communicate through a secure client portal within your EHR — that way, all communications are inside the HIPAA-compliant environment and don't need separate encryption. PractiCalm includes secure messaging via its client portal as part of intake processing.
Text messaging: Standard SMS is not compliant. If you text clients, use a HIPAA-compliant messaging platform. Your EHR likely offers one. If you must use personal texting for scheduling, strip identifying information — use initials or a client number, never full names or appointment specifics.
Cloud Storage and File Sharing
If you're storing client records on personal Dropbox, Google Drive, or iCloud without a BAA in place, that's a violation. Standard consumer cloud services are not HIPAA-compliant because the vendors don't sign BAAs with individual users (they do with business accounts at higher tiers).
Use HIPAA-compliant storage: your EHR's document storage, or a business-tier cloud service (Google Workspace Business Plus, Microsoft 365 Business Premium) that signs BAAs. The cost difference between personal and business tiers is minimal; the compliance difference is enormous.
Video Telehealth Sessions
If you're conducting telehealth, the video platform must be HIPAA-compliant. In 2025, the HHS OCR confirmed that platforms used for telehealth must be covered by a BAA. The most common HIPAA-compliant telehealth platforms are SimplePractice (built-in), TherapyNotes, Doxy.me (HIPAA version), and Zoom for Healthcare. Standard Zoom, Google Meet, and FaceTime are not HIPAA-compliant for clinical use.
Administrative Safeguards: BAAs, Training, and Policies
Administrative safeguards are the "paperwork" layer of HIPAA compliance — but they're not just bureaucratic. They're what protects you when something goes wrong, and they demonstrate that you took compliance seriously if OCR investigates.
Risk Assessment
HIPAA requires a written Risk Analysis — an assessment of where PHI exists in your practice, what threats it faces, and how likely and severe those threats are. This is a one-time exercise that you update whenever your practice changes significantly (new software, new service lines, remote work arrangements).
The OCR provides a free Security Rule Risk Assessment tool on their website. It's designed for small practices and walks you through the process step by step. Completing it takes 2–4 hours for a solo practice. The output is a document you keep on file and update as needed.
A risk assessment is required, not optional. If OCR investigates a breach and you don't have one, that's a violation in itself — and the penalty tier is higher.
Business Associate Agreements (BAAs)
A BAA is a legal contract between you (a covered entity) and any third party that handles PHI on your behalf. Every vendor that touches client data must sign one. This includes your EHR vendor, email provider (if business-tier), billing service, clearinghouse, and any subcontractor who does work involving your client data.
BAAs are not negotiation exercises — they're standard forms. The vendor typically provides theirs. You review it, sign it, and keep a copy on file. If a vendor refuses to sign a BAA, don't use them for anything involving PHI.
Who needs a BAA:
- EHR software vendor
- HIPAA-compliant email provider
- Billing or claims clearinghouse
- Credit card processor (yes — they handle billing data)
- IT support if they have any access to systems containing PHI
- Virtual receptionist or answering service (if they see client names or appointment details)
If you don't know whether a vendor needs a BAA, ask them: "Do you sign Business Associate Agreements?" If yes, get it signed before using the service for anything client-related.
Security Policies and Procedures
You need written policies covering how you handle PHI in your practice. The policies don't need to be exhaustive — they need to be accurate and followed. Key policies for a solo practice:
- Access management: Who can access what, and how access is granted and revoked
- Device security: Password requirements, screen lock settings, encryption standards
- Transmission security: Which communication channels are approved for PHI
- Contingency planning: What happens if a device is lost or stolen (remote wipe procedures)
- Breach notification: What to do and who to call if a breach is discovered
- Disposal procedures: How paper records and electronic media are securely disposed of
Keep these policies in a physical or digital binder that's accessible but secure. You won't need to reference them daily, but you'll need them if you're audited.
HIPAA Training
You are required to train staff (including yourself) on HIPAA policies and procedures, and to document that training. For solo practices with no staff, this means completing training yourself and keeping a record of it. Free training resources are available through the HHS HIPAA Training page.
Training must cover:
- What HIPAA is and why it matters
- What PHI is and where it appears in your practice
- Your specific security policies and procedures
- How to identify and report potential breaches
Annual refresher training is the standard. Document the date, topic, and completion. If you hire any staff in the future, they're required to complete training before accessing any PHI.
Full Compliance Checklist
Use this checklist to assess your current compliance posture. Check each item that applies. At the end, you'll have a clear picture of where you stand.
How'd you score? Items 1–8 (physical security) are the basics. Items 9–16 (digital security) are where most solo practices have the most gaps. Items 17–25 (administrative) are the documentation layer — having these in place matters most if you're ever investigated. Items 26–28 are contingency planning and often overlooked by new practices.
What PractiCalm Handles Automatically vs. What You Must Do
PractiCalm is built around the principle that compliance infrastructure shouldn't be your job — it should be built into the platform. Here's what the system handles automatically and what remains your responsibility.
PractiCalm Handles These HIPAA Requirements Automatically
The platform is designed to eliminate the compliance overhead that typically falls on solo therapists. Here's what's built in:
- HIPAA-compliant EHR with BAA: Every PractiCalm account includes a signed Business Associate Agreement. The EHR meets all Security Rule technical requirements: encrypted storage, access controls, audit logging, and secure data transmission.
- Client portal with secure messaging: Client-facing communications happen inside the portal — no PHI via standard email or SMS. Intake forms, appointment confirmations, and clinical documents all route through the encrypted portal.
- Access logging: Every action on client records — viewing, editing, exporting — is logged with a timestamp and user ID. Audit trail available to you at any time.
- Role-based access: Only authorized individuals can access client data. Shared credentials aren't used — each session is individually authenticated.
- Automatic backups: Data is backed up on a rolling schedule with off-site redundancy. No action required from you.
- Encrypted data transmission: All data between your browser and PractiCalm's servers is encrypted via TLS 1.2+. No unencrypted connections.
- Insurance verification data handling: PHI involved in insurance verification is stored and processed within the same HIPAA-compliant environment — it doesn't route through third-party clearinghouse intermediaries without BAAs in place.
PractiCalm Handles
- EHR compliance and BAA
- Secure client portal messaging
- Encrypted data transmission
- Audit logging on all record access
- Role-based access controls
- Automatic data backups
- Insurance verification PHI handling
- Session note storage and security
You Still Own
- Physical office security and locks
- Device-level security (encryption, passwords, screen lock)
- Paper record storage and shredding
- Written Risk Assessment (use the HHS tool)
- Security policies (we provide templates)
- HIPAA training completion and documentation
- BAAs with other vendors (credit card processor, IT, etc.)
- Breach response if your device is compromised
The division of labor is deliberate: PractiCalm handles the digital infrastructure where most HIPAA violations occur, while you handle the physical and administrative requirements that require your direct attention in your specific practice environment. This is a better allocation of effort than trying to do everything yourself or outsourcing to a consultant.
Common HIPAA Violations for Therapists (and How to Avoid Them)
Most HIPAA violations for solo therapists aren't malicious — they're accidents. Someone sends an email to the wrong client, a laptop gets stolen from a coffee shop, a staff member accesses records they shouldn't. Knowing where the risks are helps you avoid them.
Emailing client information from a personal Gmail or Outlook account
Standard consumer email is not HIPAA-compliant. Sending intake documents, session notes, or any PHI via Gmail or Yahoo is a violation. Fix: Use your EHR's client portal for all PHI communications, or switch to a HIPAA-compliant email service (Hushmail, Paubox, Virtru). This is the most common violation we see among new solo practices.
Unencrypted laptop or phone stolen from a public place
A therapist leaves their laptop at a coffee shop, someone takes it, and it contains unencrypted session notes or intake forms. The breach notification requirement kicks in, clients must be notified, and OCR can investigate. Fix: Enable full-disk encryption (FileVault/BitLocker) and remote wipe on all devices. This takes 20 minutes to set up and is the single most important device security step.
Sending appointment reminders via unencrypted text message
Even a text that says "Reminder: session tomorrow with your therapist" includes a client's phone number and appointment date — that's PHI. Standard SMS is not encrypted end-to-end and is not HIPAA compliant. Fix: Use your EHR's secure messaging or a HIPAA-compliant text platform. If you must use SMS for scheduling, strip all identifying information (don't use client name, don't mention session time or type).
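The "strip all identifying information" rule from the Text messaging advice above and from this violation, as an added example of a pre-send gate (written for this guide, not PractiCalm's or any messaging platform's code): the client record, templates and patterns are constructed, and the check flags a client's name, phone number, date of birth, appointment date or time, and service words before anything reaches an SMS provider.

```python
import re

# Constructed example of the "strip identifying information" rule for plain
# SMS: a reminder may go out only if it carries none of the client's
# identifiers and none of the appointment specifics. Example code written
# for this guide; the client record and messages below are made up.

MONTHS = "jan|feb|mar|apr|may|jun|jul|aug|sep|oct|nov|dec"
DATE_RE = re.compile(r"\b\d{1,2}/\d{1,2}(?:/\d{2,4})?\b|\b(?:%s)[a-z]*\.? \d{1,2}\b" % MONTHS, re.I)
TIME_RE = re.compile(r"\b\d{1,2}(?::\d{2})?\s?(?:am|pm)\b|\b\d{1,2}:\d{2}\b", re.I)
DAY_RE = re.compile(r"\b(?:today|tonight|tomorrow|monday|tuesday|wednesday|"
                    r"thursday|friday|saturday|sunday)\b", re.I)
SERVICE_WORDS = ("session", "therapy", "therapist", "counseling", "counselor")

CLIENT = {                      # constructed record, not a real person
    "client_number": "C-0042",
    "name": "Jane Doe",
    "phone": "(555) 123-4567",
    "dob": "04/12/1990",
}


def phi_findings(message, client):
    """Return the reasons a message is unsafe for plain SMS (empty list = ok).

    The destination phone number is still visible to the carrier whatever the
    body says, which is why the guide prefers the client portal over SMS."""
    found = []
    text = message.lower()
    for part in client["name"].split():
        if re.search(r"\b%s\b" % re.escape(part.lower()), text):
            found.append("client name: " + part)
    phone_digits = re.sub(r"\D", "", client["phone"])
    if phone_digits and phone_digits in re.sub(r"\D", "", message):
        found.append("client phone number")
    if client["dob"] in message:
        found.append("date of birth")
    if DATE_RE.search(message) or DAY_RE.search(message):
        found.append("appointment date")
    if TIME_RE.search(message):
        found.append("appointment time")
    for word in SERVICE_WORDS:
        if word in text:
            found.append("service type: " + word)
    return found


def safe_reminder(client):
    """Reminder that identifies the client only by number and points to the portal."""
    return ("%s: you have an upcoming appointment. Details are in your "
            "secure client portal." % client["client_number"])


def send_sms(message, client):
    """Gate in front of the SMS provider: refuse anything that leaks PHI."""
    problems = phi_findings(message, client)
    if problems:
        return False, problems
    # A real implementation would hand the message to the SMS provider here.
    return True, []
```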
Sharing a client file folder via personal Dropbox or Google Drive
Storing intake forms, session notes, or superbills in a personal Dropbox or Google Drive folder — without a BAA in place — is a violation. These services don't sign BAAs with personal/free accounts. Fix: Use your EHR's document storage, or use business-tier cloud accounts (Google Workspace Business Plus, Microsoft 365 Business Premium) with signed BAAs.
Discussing a client case in a public space where others can hear
This is a Privacy Rule violation, not a Security Rule one — and it's easier to do accidentally than people realize. Discussing a client's treatment plan at a coffee shop, even in general terms, can constitute unauthorized disclosure of PHI. Fix: Clinical discussions happen in private spaces only — your office, a private room, or a HIPAA-compliant video platform. Never discuss clients in public locations, even if you don't use their name.
Sending a fax to the wrong number
Faxing is still common in healthcare, and misdialing a fax number is a surprisingly common source of breaches. The OCR has investigated cases where therapists faxed client records to an unintended recipient and didn't discover it for weeks. Fix: Double-check all fax numbers before sending. When possible, use secure electronic transmission instead. If you fax, keep a log of what you sent and to which number.
No BAA with credit card processor
When you process a credit card for a client session, you're transmitting billing information through the payment processor. If you don't have a BAA with that processor, you're handling PHI with a vendor who hasn't agreed to protect it to HIPAA standards. Fix: Most major payment processors (Stripe, Square) offer HIPAA-compliant business tiers. Switch to the HIPAA tier and get the BAA signed. This is a compliance gap that most solo therapists don't know exists.
Keeping client records on a personal (non-work) device without encryption
If you access your EHR from a personal phone or laptop that you also use for personal browsing, streaming, and apps — and that device isn't encrypted — you're in violation. Personal devices used for clinical work must meet the same security standards as dedicated work devices. Fix: Either use a dedicated work device for all clinical access, or ensure your personal device meets the same standards: disk encryption, screen lock, no PHI in unencrypted storage.
If you discover a breach — a stolen laptop, a misdirected fax, unauthorized access to records — you're required to document the breach and notify affected clients within 60 days of discovery. OCR must also be notified (for breaches affecting 500+ individuals, notify OCR immediately; for smaller breaches, report annually). Notifying clients doesn't mean you're automatically liable — the response matters. Having your documentation in order (what happened, when, what data was affected) is part of demonstrating that you handled it appropriately.
HIPAA compliance is a process, not a checkbox. The solo therapists who stay compliant are the ones who automate the technical infrastructure (EHR, email, messaging) so they only have to manage the physical and administrative elements themselves. That setup takes a few days of focused work upfront, then maintenance is minimal.
For the full practice setup guide — including tech stack decisions, licensing, and the first 90 days — read how to start a therapy practice in 2026. For a direct comparison of EHR platforms and their compliance features, see the best EHR systems for solo therapy practices.
Handle the Compliance Infrastructure Automatically
PractiCalm's EHR includes HIPAA compliance built in — BAA, encrypted storage, audit logging, and a secure client portal. Your job is the practice; our job is the infrastructure.