The New Therapist’s Guide to Setting Up a HIPAA-Compliant Practice in 2026

You just got licensed. You’ve got your supervision hours logged, your NPI number, your ideal client in mind – and now someone mentions HIPAA and your stomach drops.

You know it’s important. You know violations can result in fines. But nobody handed you a clear checklist during your training program, and the official HHS documentation reads like it was written specifically to be incomprehensible.

This guide is the one I wish I had. Plain English. Practical steps. No law degree required.

What HIPAA Actually Requires (The Short Version)

HIPAA – the Health Insurance Portability and Accountability Act – sets national standards for protecting “protected health information” (PHI). PHI is basically any information that could identify a client and relate to their health condition, treatment, or payment.

As a therapist in private practice, you are a covered entity. That means HIPAA applies to you directly.

The three main rules:

  • Privacy Rule – Controls who can access PHI and when you can share it
  • Security Rule – Governs electronic PHI (emails, EHR systems, texting with clients)
  • Breach Notification Rule – What you have to do if PHI is exposed

Most compliance anxiety among new therapists centers on the Security Rule – specifically, the question of “am I handling digital information the right way?” Let’s work through that.

Step 1: Use a HIPAA-Compliant EHR

This is the single most impactful decision you’ll make. Your Electronic Health Record (EHR) system stores notes, treatment plans, and sometimes billing info. If it isn’t HIPAA-compliant, nothing else you do matters much.

What makes an EHR HIPAA-compliant?

  • The vendor signs a Business Associate Agreement (BAA) with you – this is non-negotiable and legally required
  • Data is encrypted in transit and at rest
  • Access logs exist so you can see who accessed what, and when
  • The vendor has a documented security program

Popular HIPAA-compliant options for solo practitioners:

  • SimplePractice – Most popular, great UX, built-in billing and scheduling
  • TherapyNotes – Preferred by insurance-heavy practices, strong documentation tools
  • Therapy Brands (formerly TheraNest) – Flexible pricing for small practices
  • Jane App – Popular in Canada, expanding in the US

What you should NOT use: Google Docs, Dropbox (without a BAA), standard Gmail, Apple Notes, or any general-purpose cloud storage without first getting a signed BAA from the provider.

Note: Google does offer HIPAA-compliant Workspace accounts with a BAA – but this requires a paid Google Workspace account and a signed agreement, not your personal Gmail.

Step 2: Lock Down Your Email and Messaging

This is where most new therapists unknowingly create problems.

Standard email is not HIPAA-compliant. That means you shouldn’t send session notes, diagnoses, or billing info through regular Gmail or Outlook without additional protections.

Your options:

  • Use your EHR’s messaging system – Most HIPAA-compliant EHRs have a secure client portal. Use that for all clinical communication.
  • Get a HIPAA-compliant email provider – Options include Hushmail for Healthcare, Proton Mail for Business (with BAA), or Google Workspace (with signed BAA)
  • Get informed consent for unsecured channels – If a client insists on communicating via regular email or text, document that they’ve been informed of the risks and consent to that method

Texting: Standard SMS is not HIPAA-compliant. If you want to text clients (appointment reminders are fine for many practices), use a compliant platform like Spruce Health, Klara, or your EHR’s built-in reminder system.

Step 3: Secure Your Physical Space

HIPAA compliance isn’t purely digital. Your physical office matters too.

For in-office practice:

  • Lock paper files in a secured cabinet
  • Position your computer so clients in the waiting area can’t see the screen
  • Shred documents with PHI – don’t just recycle them
  • Use a white noise machine in the waiting room (this helps with both privacy and client comfort)

For telehealth/home office:

  • Conduct sessions in a private space – not a coffee shop, not a shared office with open walls
  • Use headphones
  • Use a HIPAA-compliant video platform (Zoom for Healthcare with BAA, Doxy.me, or your EHR’s telehealth feature)
  • Lock your computer when you step away

Step 4: Get Your Business Associate Agreements in Order

A Business Associate Agreement (BAA) is a contract between you and any vendor who handles PHI on your behalf. If someone has access to your clients’ protected information, you need a BAA with them.

Who typically needs a BAA:

  • Your EHR provider
  • Your email provider (if they handle clinical communication)
  • Your billing service
  • Your telehealth platform
  • Your bookkeeper (if they see client names + billing info)
  • Your virtual assistant (same)

Most HIPAA-compliant vendors make BAA signing easy – it’s usually a checkbox in your account settings or a document they send you. If a vendor refuses to sign a BAA, that’s a red flag and you shouldn’t use them for anything touching PHI.

Step 5: Write a Privacy Notice and Get Signed Consent

HIPAA requires you to provide clients with a Notice of Privacy Practices (NPP) – a plain-language document explaining how you use and protect their information.

Your NPP should cover:

  • What PHI you collect
  • How you use it (treatment, billing, etc.)
  • When you can disclose it without permission (mandatory reporting, emergencies, legal requirements)
  • Their rights regarding their own records
  • Your contact information for privacy questions

Most EHRs have template NPPs built into their intake document systems. Customize it to reflect your practice – and have clients sign it before or during the first session.

Step 6: Have a Breach Response Plan

Nobody wants to think about this, but you need to know what to do if something goes wrong.

A breach can be as simple as sending a progress note to the wrong email address, or as serious as your laptop being stolen.

The basic response protocol:

  1. Assess – What information was exposed? To whom? How many clients affected?
  2. Contain – Stop the breach from continuing (change passwords, notify the platform, retrieve the document if possible)
  3. Notify – Affected clients must be notified within 60 days. If 500+ clients are affected, you also notify HHS and local media (rare for solo practices).
  4. Document – Even if you determine it wasn’t a reportable breach, document your risk assessment

Your malpractice insurance may cover HIPAA breach response costs – check your policy.

Step 7: Train Yourself (and Any Staff)

HIPAA requires covered entities to train workforce members on privacy policies. For solo practitioners, this means you need to train yourself – and document that you did.

This doesn’t need to be a big production. A simple annual review of your own privacy policies, plus keeping up with any software changes to your EHR, is usually sufficient for a solo practice.

If you hire a biller, admin, or virtual assistant who touches PHI, they need formal training too.

The Compliance Stack for a Solo Private Practice (2026)

Here’s a minimal but solid setup:

  • EHR: SimplePractice or TherapyNotes (BAA included)
  • Email: Use the EHR portal for clinical communication; Hushmail or Google Workspace for general business
  • Video: Your EHR’s telehealth feature, or Doxy.me (free tier is HIPAA-compliant with BAA)
  • Texting: Spruce Health or EHR reminders only
  • Payments: Stripe (they sign BAAs), IvyPay, or through your EHR
  • Physical: Locking file cabinet, shredder, screen privacy filter if in shared space
  • Documents: Signed NPP in every client file, BAAs with every vendor

Common Mistakes New Therapists Make

  • Using personal Gmail for clinical communication – even just once, even just a quick question
  • Storing notes in Google Docs without a BAA – very common, easy to fix
  • Using standard Zoom instead of Zoom for Healthcare – different product, requires different account setup
  • Not getting BAAs signed before using a service – retroactively signing is better than nothing, but get in the habit of doing it first
  • Leaving client files visible on the screen during sessions – other clients in the waiting room or family members during telehealth can see more than you think

Final Thought: Compliance Is a Practice, Not a Checkbox

HIPAA compliance isn’t something you achieve once and forget. As your practice grows, your software stack changes, and you hire help, your compliance posture needs to evolve.

The good news: if you’re using a reputable EHR, conducting sessions in private, communicating through secure channels, and have your BAAs signed – you’re already ahead of most new therapists.

The goal isn’t perfection. It’s a good-faith, documented effort to protect your clients. That’s what HIPAA is actually looking for.


Looking for tools to run a more organized practice? Check out the Free Therapy Intake Bundle – templates, scripts, and resources built for new and early-career therapists.
