
HIPAA Compliance for Therapy Practices

Therapists handle some of the most sensitive PHI that exists — session notes, diagnoses, treatment histories, and now telehealth recordings. The stakes of a HIPAA breach in mental health are uniquely high: your clients' careers, custody arrangements, and safety can depend on confidentiality you're legally required to protect. This guide covers what therapy HIPAA compliance actually requires and where practices consistently fall short.


Why Therapy Practices Have Heightened HIPAA Exposure

Mental health practices operate at the intersection of several HIPAA risk factors that other healthcare settings don't face simultaneously. The nature of the information — diagnoses, session content, medications, treatment histories — is more sensitive than most medical records. The rise of telehealth expanded the attack surface. And the solo or small-group practice structure means there's no compliance officer, no legal team, and often no one who's ever had a formal HIPAA education.

Therapy practices also handle a category of PHI with extra legal protections: psychotherapy notes. HIPAA treats these differently from general mental health records — they require specific patient authorization for disclosure beyond standard treatment, payment, and operations exceptions. Many therapists don't know this distinction, which means their psychotherapy notes may be incorrectly included in general record requests or disclosed in situations where they legally shouldn't be.

The telehealth surge created compliance debt that hasn't been resolved. During the COVID-19 public health emergency, HHS exercised enforcement discretion for consumer video platforms. That discretion ended. Practices still conducting sessions over consumer Zoom accounts, FaceTime, or Google Meet — without HIPAA-compliant platform BAAs — have been out of compliance for some time.

A gap assessment of a typical therapy practice finds 5–9 actionable deficiencies. Psychotherapy note handling, telehealth platform BAAs, and client intake form procedures are consistently among them.

HIPAA Requirements Specific to Therapy Practices

These are the compliance areas with direct application to mental health practices — and where therapy-specific audits most often find gaps:


Session Notes Security

Psychotherapy notes (process notes, session notes) have extra HIPAA protections beyond standard medical records. They must be kept separate from the general treatment record, require specific patient authorization for most disclosures, and cannot be included in a general records request without specific consent. Notes on paper must be stored securely with access controls; digital notes require encrypted storage, audit logging, and access restrictions to treating clinicians only.


Telehealth Platform Compliance

Telehealth therapy sessions must be conducted over HIPAA-compliant platforms with a signed Business Associate Agreement. Consumer tools — standard Zoom, FaceTime, Skype, Google Meet — are not compliant. The platform must encrypt sessions in transit, maintain access logs, and have contractual data protection obligations. HIPAA-compliant telehealth options include Zoom for Healthcare (with BAA), SimplePractice, Doxy.me, and TherapyNotes — but having the platform isn't enough; the BAA must be executed.


Client Intake Form Procedures

Intake forms collect sensitive mental health histories, diagnoses, medication lists, and personal background — all PHI. HIPAA requires a Notice of Privacy Practices (NPP) to be provided at intake, with patient acknowledgment documented. If intake forms are sent electronically, the transmission channel must be HIPAA-compliant (not standard email). Forms stored digitally require the same encrypted storage and access controls as session notes. Paper forms require secure storage with restricted access.


Insurance & Billing Data

Mental health billing involves PHI — diagnoses, treatment codes, session details transmitted to insurance companies. Your billing system or billing vendor is a Business Associate and requires a signed BAA. EDI claim submissions must use HIPAA-standard transaction formats. EOBs and remittance advice containing patient data must be handled and stored securely. Many therapy practices use billing services or clearinghouses without current BAAs — one of the most commonly cited violations in mental health practice audits.


Technical Safeguards for ePHI

Any system storing electronic PHI — EHR, telehealth platform, billing software, email — requires specific technical controls: unique user IDs, automatic session timeout, encryption at rest and in transit, audit logging, and access controls limiting who can view which records. Many solo practitioners use a single login across all devices, including personal phones and computers. BYOD (bring your own device) policies require device encryption and remote-wipe capability.


Breach Notification Obligations

Mental health breaches require the same notification as any healthcare breach — affected patients within 60 days, HHS annually (or immediately for 500+ records). But the harm calculus is different. A mental health record breach can expose a client's diagnosis to employers, family members, or courts in ways that create immediate, concrete harm. Therapists have an ethical obligation to clients that aligns with, but exceeds, the minimum HIPAA notification requirements. A documented incident response plan is required before a breach occurs.

Psychotherapy Notes vs. Mental Health Records — The Distinction That Matters

HIPAA distinguishes between psychotherapy notes (raw session notes a therapist keeps for personal use, separate from the medical record) and mental health records (diagnoses, treatment summaries, medication, progress notes in the general record). Psychotherapy notes have extra protections — they require specific written authorization for most disclosures, not just TPO authorization. If your session notes are integrated into your EHR or the general client record, they lose this extra protection. Many therapists are unaware of this distinction and handle both categories identically, which is often both an under-protection of session notes and an over-restriction of other records.
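To make the session-note and record-category rules above concrete, here is an added example (not code from this guide or any EHR vendor) of an access-policy check with audit logging that keeps psychotherapy notes restricted to treating clinicians and excludes them from a general records release unless the client gave specific consent. The record categories, workforce roles, purposes and field names are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed example: record categories follow the page's distinction between
# psychotherapy notes and the general mental health record.
PSYCHOTHERAPY_NOTE = "psychotherapy_note"
GENERAL_RECORD = "general_record"

@dataclass(frozen=True)
class Record:
    record_id: str
    client_id: str
    category: str
    treating_clinicians: frozenset  # unique user IDs of the client's treating clinicians

@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    role: str      # assumed workforce roles: "clinician" or "billing"
    purpose: str   # "treatment", "payment", "operations" or "release"
    specific_authorization: bool = False  # client's written authorization for THIS disclosure

audit_log: list = []  # every decision, allowed or denied, is recorded here

def authorize(record: Record, req: AccessRequest) -> bool:
    """Decide whether req may access record and write the decision to the audit log."""
    if req.specific_authorization:
        allowed = True  # specific written authorization covers either category
    elif record.category == PSYCHOTHERAPY_NOTE:
        # Psychotherapy notes: treating clinicians only; no TPO-based access for others
        allowed = req.purpose == "treatment" and req.user_id in record.treating_clinicians
    else:
        # General record: treatment by treating clinicians, payment/operations by billing staff
        allowed = (req.purpose == "treatment" and req.user_id in record.treating_clinicians) or (
            req.purpose in ("payment", "operations") and req.role == "billing")
    audit_log.append({
        "ts": datetime.now(timezone.utc).isoformat(), "user": req.user_id,
        "record": record.record_id, "category": record.category,
        "purpose": req.purpose, "allowed": allowed,
    })
    return allowed

def general_release(records: list, psychotherapy_consent: bool) -> list:
    """Assemble a general records release; psychotherapy notes are left out
    unless the client specifically consented to their inclusion."""
    return [r for r in records if r.category != PSYCHOTHERAPY_NOTE or psychotherapy_consent]
```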

The 3-Step Path to Therapy Practice Compliance

Therapy practices don't need a hospital-scale compliance program. They need structured documentation, compliant technology, and clear procedures — delivered by someone who understands the specific obligations of a mental health practice. Here's how we get you there:

Step 1. Gap Assessment — Map Your Specific Exposure

We review your complete compliance posture against therapy-specific HIPAA requirements: telehealth platform BAA status, psychotherapy note handling procedures, intake form workflows, billing vendor agreements, technical safeguards, workforce training records, and physical office controls. The output is a prioritized findings report specific to your practice — what's missing, what risk each gap creates, and what to address first. Most therapy practices receive 5–9 findings. No guessing, no generic checklists.

Step 2. Remediation — Documents, Procedures, and Controls

We produce the documentation your practice needs: a formal risk assessment, Notice of Privacy Practices (customized for mental health), BAA templates for telehealth platforms and billing vendors, psychotherapy note handling procedures, workforce training materials, and an incident response plan. Where technology gaps exist, we specify exactly what needs to change in your current systems. Most documentation is delivered within 72 hours of kickoff. We don't hand you a PDF and disappear.

Step 3. Ongoing Support — Compliance as You Grow

Therapy practices evolve: adding group therapy changes how records are handled; adding telehealth opens new BAA obligations; adding associate clinicians requires new access controls and training. We provide ongoing support to keep your compliance current — reviewing platform changes, updating BAAs when you add vendors, refreshing risk assessments annually, and ensuring your NPP stays current with regulatory changes. Direct senior consultant access throughout.

6 HIPAA Mistakes Therapy Practices Make That Create Real Liability

These are the violations most commonly found in mental health practice audits — and the gaps most likely to expose a therapy practice today.

1. Conducting telehealth on non-compliant platforms

Standard Zoom, FaceTime, Google Meet, and Skype are not HIPAA-compliant for therapy sessions. HHS enforcement discretion for consumer platforms during the COVID-19 PHE ended in 2023. Practices still using these platforms without a Business Associate Agreement from a HIPAA-eligible plan are now exposed. If your telehealth vendor doesn't offer a BAA — or you've never signed one — you need to address this before your next session.

2. Confusing psychotherapy notes with general mental health records

Many therapists maintain a single set of clinical notes without distinguishing between protected psychotherapy notes and the general treatment record. This matters because: (1) psychotherapy notes require specific written authorization for most disclosures, not just standard TPO exceptions; (2) they cannot be included in a general records release without specific consent; (3) integrating them into the EHR general record eliminates their extra legal protection. This distinction requires deliberate process design — most practices have never thought it through.

3. Sending intake forms via standard email

Emailing intake forms — which contain mental health histories, diagnoses, medications, and personal background — through standard Gmail or Outlook without message-level encryption is a HIPAA violation. The fact that a patient emailed you first does not create a compliant channel. Intake workflows must use encrypted, HIPAA-compliant intake software or a secure client portal with a BAA from the platform vendor. Many therapists use PDF forms over email without realizing it's non-compliant.

4. Missing BAA with the billing company or clearinghouse

Insurance billing involves transmitting diagnoses, session codes, and patient identifiers — all PHI. Your billing service or clearinghouse is a Business Associate. A missing or outdated BAA is one of the most commonly cited violations in mental health practice audits, and one of the easiest for OCR to identify. Many therapists started using a billing service without executing a BAA, or signed one early in the relationship that predates current regulatory requirements.

5. Using personal devices without encryption or MDM

Therapists in solo or small practices frequently conduct telehealth, take session notes, and access client records from personal iPhones, iPads, and laptops. HIPAA doesn't prohibit BYOD, but it requires that any device accessing ePHI has device encryption enabled, automatic screen lock configured, a documented device policy, and remote wipe capability. A lost or stolen personal phone with access to your EHR or client emails is a reportable breach without these controls in place.

6. No Notice of Privacy Practices — or an outdated one

HIPAA requires covered entities to provide patients with a Notice of Privacy Practices at the first service delivery and to post it prominently (including on any website describing services). The NPP must describe how PHI is used, patient rights, and your legal duties. Many therapy practices use an NPP downloaded from the internet years ago that hasn't been updated since, or lack one entirely for telehealth-only clients who never set foot in a physical office. An NPP that doesn't reflect your current operations provides no legal protection.

Audit-Ready in 72 Hours. Three Ways to Work Together.

Fixed pricing, direct senior consultant access, and a 72-hour promise from kickoff to initial deliverable. No account managers, no templated PDFs, no surprises.

Service I: Therapy Practice Gap Assessment

$59/mo or one-time project rate

A structured review of your therapy practice's full compliance posture — telehealth platform status, session note handling, intake procedures, billing BAAs, device controls, and training records. Prioritized findings report within 72 hours.

Service III: Vendor & Platform Audit

$99/mo or one-time project rate

Deep review of your telehealth platform, EHR, billing vendor, and other service agreements for compliance gaps and hidden costs. Includes recommendations for HIPAA-compliant alternatives where needed and BAA negotiation guidance.

72-hour delivery from kickoff — or we talk about why.

Get your therapy practice audit-ready in 72 hours.

A 30-minute discovery call costs nothing. We'll scope the engagement, identify your biggest gaps, and tell you exactly what HIPAA compliance looks like for a practice your size — before any money changes hands.



Therapy Practice HIPAA — Frequently Asked Questions

Does HIPAA apply to therapists and mental health counselors?

Yes. Licensed therapists, psychologists, LCSWs, LPCs, and other mental health providers are covered entities under HIPAA if they transmit PHI electronically — which virtually all practices do through insurance billing, EHR systems, and telehealth. This applies to solo practitioners as well as group practices. Size doesn't grant an exemption; it only affects penalty tiers if you're found non-compliant.

Are psychotherapy notes protected differently under HIPAA?

Yes. HIPAA gives extra protection to psychotherapy notes — session notes kept separately from the medical record for a therapist's own use. They require specific patient authorization for most disclosures (beyond standard TPO exceptions), cannot be included in a general records release without specific consent, and must be kept separate from the general treatment record to retain their extra protection. Therapists who don't distinguish between session notes and general mental health records often inadvertently lose this protection.

Is Zoom HIPAA compliant for therapy sessions?

Standard Zoom is not. Zoom for Healthcare — with a signed Business Associate Agreement — is HIPAA-compliant. The distinction is important: you need both the right Zoom plan and a signed BAA from Zoom. Consumer FaceTime, Google Meet, and Skype don't offer BAAs at all. HHS enforcement discretion that allowed consumer tools during the COVID-19 public health emergency has ended. Practices conducting therapy sessions on non-BAA platforms are now at risk.

What should be in a therapy practice's Notice of Privacy Practices?

A compliant NPP must describe: how you use and disclose PHI (including mental health-specific limitations); patient rights (access, amendment, accounting of disclosures, restrictions, confidential communications); your legal duties as a covered entity; and how patients can file a complaint. For therapy practices, the NPP should specifically address psychotherapy note protections and any state law requirements that provide additional privacy rights. It must be provided at first service delivery and posted prominently — including on any website describing your services.

What happens to a therapist's license if they violate HIPAA?

HIPAA violations can result in civil penalties from HHS OCR ($141–$2,134,831 per violation category), and are frequently accompanied by complaints to state licensing boards. Licensing boards can investigate independently and impose sanctions including license suspension or revocation — separate from and in addition to federal HIPAA penalties. In mental health, where client confidentiality is a core ethical obligation, a licensing board may view a HIPAA violation as an ethics violation regardless of whether HHS takes action.