If you are a mental health provider just starting your solo practice, you likely have questions and concerns about Health Insurance Portability and Accountability Act (HIPAA) compliance. In essence, the main purpose of the HIPAA rules is to ensure that your clients’ protected health information stays private and secure. At the same time, HIPAA sets out when therapists may share client information with third parties, such as health insurance companies, and what safeguards must be in place when they do.
HIPAA privacy rules and HIPAA compliance can be confusing for mental health providers who are just getting started, and understanding the fine details can be overwhelming. This guide will help break down this information for you in simple terms, so that you can set up a HIPAA-compliant practice and focus on what matters most — providing excellent and compassionate mental health care for your clients.
Key takeaways
- HIPAA rules and regulations ensure that your therapy client’s personal health information is kept confidential and secure.
- Any solo provider who transmits health information electronically in connection with a standard transaction (such as submitting an insurance claim) must follow HIPAA rules.
- Maintaining a HIPAA-compliant solo practice involves using HIPAA-compliant methods for client communication, medical documentation, and communication with third parties.
Why does HIPAA matter for solo mental health providers?
HIPAA laws were put in place to protect patients’ personal information and confidentiality. These policies are especially important in mental health, where clients often feel vulnerable opening up and sharing deeply personal information. Knowing that they have a therapist who is HIPAA-compliant and who values client privacy helps establish a trusting relationship between client and therapist.
But there’s more to it than that. HIPAA privacy rules ensure that you can share important information with other entities — such as health insurance companies, healthcare providers, psychiatrists, and others — in a manner that complies with privacy standards.
Finally, there are consequences to not being HIPAA-compliant. Mental health providers who meet the criteria below are legally obligated to follow HIPAA, and failing to do so may result in civil money penalties, corrective action plans, criminal prosecution in cases of knowing misuse of PHI, and possible disciplinary action by your licensing board.
Did you know?
The HHS Office for Civil Rights has settled or imposed civil penalties in 152 cases totaling over $144 million in HIPAA enforcement actions to date — including a $100,000 penalty against a mental health center in 2024 for failing to provide timely access to patient records. HIPAA fines can range from $141 to over $71,000 per violation depending on the severity and whether it was corrected.
Who does HIPAA apply to in a private practice?
You might want to know: Do HIPAA policies apply to me when I work in private practice or as a solo mental health provider?
The answer is that yes, in most cases, these policies apply to you, even if you are in a solo practice and aren’t attached to a hospital or clinic. In a nutshell, any healthcare provider who transmits health information in electronic form in connection with a transaction for which HHS has adopted a standard is a covered entity and must follow HIPAA. These transactions include:
- Insurance claims
- Health insurance benefit eligibility inquiries
- Referral certification and authorization requests
Therapists who only accept private pay and never engage in these electronic transactions (and don’t have a billing service do so for them) are not covered entities under HIPAA. However, as the American Psychological Association (APA) points out, once you engage in even one such transaction your practice becomes subject to HIPAA rules and regulations. This is why the APA recommends all licensed therapists become compliant. Even outside HIPAA, state confidentiality laws and your profession’s ethics code still require you to protect client information.
What is protected health information (PHI)?
HIPAA’s main purpose is to protect patients from unauthorized use or disclosure of their protected health information, or PHI. As such, the HIPAA privacy practices you implement in your practice center on protecting client PHI.
What exactly is PHI? It is individually identifiable health information that you create or receive as a provider, in any form (spoken, paper, or electronic), relating to a person’s:
- Past, present, or future physical or mental health condition
- Past, present, or future delivery of health care
- Past, present, or future payment for health care
Information in these categories is PHI when it is tied to identifiers such as name, date of birth, address, phone number, email address, or Social Security number, or when it could otherwise reasonably be used to identify the person. An appointment date or a billing record attached to a name is PHI, not just the clinical content.
What core HIPAA rules do solo providers have to follow?
In order to follow HIPAA rules and ensure protection of PHI for your clients, you should familiarize yourself with a few core rules that you must follow to be compliant.
There are three main HIPAA rules you should be aware of: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Privacy Rule basics for mental health providers
The Privacy Rule sets the standards for when you may use and disclose a client’s protected health information, or PHI, and gives clients rights over that information. While you are obligated to keep PHI secure, you also must give clients access to their records when they ask: they have the right to inspect and receive a copy of their record, generally within 30 days of the request, and to direct you to send a copy to someone else, such as a family member or another provider.
Security Rule basics for electronic PHI
The Security Rule protects electronic PHI (ePHI): any PHI you create, receive, store, or transmit electronically. It requires administrative, physical, and technical safeguards for that data, and it requires you to conduct and document a risk analysis of where ePHI lives in your practice and what could go wrong with it.
Breach Notification Rule overview
The Breach Notification Rule outlines what to do if a client’s PHI is breached. You must notify the affected individuals without unreasonable delay and no later than 60 calendar days after discovering the breach. Breaches affecting 500 or more people must also be reported to the Department of Health and Human Services Office for Civil Rights within that same 60-day window; smaller breaches are logged and reported to HHS within 60 days after the end of the calendar year in which they were discovered.
It’s important that all solo mental health providers follow these HIPAA compliance rules, and also that they stay up-to-date on HIPAA rule changes.
HIPAA and mental health-specific considerations
While HIPAA policies apply to mental health professionals in the same way that they apply to other healthcare professionals, there are some stipulations that are specific to mental health providers.
Psychotherapy notes versus the general medical record
HIPAA treats psychotherapy notes differently from the rest of the medical record.
Psychotherapy notes are defined as:
- Notes recorded, in any medium, by a mental health professional
- Notes that document or analyze the contents of a conversation during a private, group, joint, or family counseling session
- Notes kept separate from the rest of the client’s medical record
Content that belongs in the general record is excluded from the definition even if you write it during a session: medication prescriptions and monitoring, session start and stop times, the modality and frequency of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, or progress to date. If you keep your process notes mixed into the chart, they lose the extra protection.
How are psychotherapy notes treated differently than other medical records in terms of privacy protection? The main difference is that you can’t share psychotherapy notes without your client signing an authorization that specifically covers these notes, even when the request comes from an insurer or another provider.
The rest of the medical record, on the other hand, may be used and disclosed for treatment, payment, and health care operations without a signed authorization, which is why insurers can obtain diagnosis and billing information but not your psychotherapy notes.
Communication with family members and third parties
Privacy policies can be tricky when it comes to sharing medical information with individuals other than your client. But it all comes down to consent.
For example, often a client’s family member will be involved in their care. Sometimes a close friend or significant other will play a role. In what circumstances can you share your client’s medical information with them?
You can share this information if your client has the capacity to make healthcare decisions, and:
- Your client has provided verbal or written permission to share.
- A family member is accompanying your client to appointments, is helping support them, or is helping manage payment or insurance company benefits, and your client has given you permission to interact with them.
- There is an emergency, and sharing the information is necessary to prevent or lessen a serious and imminent threat to your client or to others. In a mental health practice this might include suicidal ideation or other self-harm, and you may share only with people who are reasonably able to prevent the harm.
In some cases, a client is incapacitated or has become incapacitated, either because of a psychiatric condition, a cognitive condition, or a physical health condition. In this case, you may be able to share client information with family members if you determine that this is in your client’s best interest.
At other times, the family member may have signed a healthcare proxy that designated them a personal representative to your client, and that allows them access to your client’s information.
Importantly, although clients have a right to access their records and to direct you to share them with others, that right does not extend to your psychotherapy notes, so you are not required to share those with them.
Special rules for minors and parents
What if you are seeing a minor for therapy? Can their parents or guardians access their child’s health records? In most cases they can, because HIPAA generally treats a parent as the minor’s personal representative. The exceptions depend on state law: when the minor can lawfully consent to the treatment on their own, when a court has authorized someone other than the parent to make decisions, or when the parent has agreed to a confidential relationship between you and the minor, the parent is not the personal representative for that care. You may also decline to treat a parent as the personal representative if you reasonably believe the child has been or may be endangered by them.
Even when a parent has access, it covers the general record: diagnosis, treatment plan, and symptoms. Psychotherapy notes are excluded from the right of access, so a parent cannot demand them either. Separately, if a minor discloses an intent to harm themselves or others, HIPAA permits you to disclose what is necessary to prevent or lessen a serious and imminent threat, including to the parents.
How do I set up a HIPAA-compliant solo practice?
Setting up a HIPAA-compliant solo practice as a therapist first involves understanding HIPAA rules and regulations and how they apply to you. After this, you can take some first steps to ensure that you are in line with HIPAA requirements.
Designating yourself as the HIPAA privacy and security officer
Every covered entity must designate a privacy official (under the Privacy Rule) and a security official (under the Security Rule). As a solo provider, you will hold both roles yourself; record that designation in your written policies.
The responsibilities of the privacy and security officer include:
- Implementing and maintaining written HIPAA policies and procedures to protect client PHI
- Conducting and documenting a risk analysis of your ePHI, and acting on the risks it finds
- Keeping that documentation for at least six years, as the rules require
Minimum solo practice requirements
In addition to creating basic HIPAA policies and procedures that you will follow in your practice, you will need to ensure that you have a few basic documents on hand as soon as you begin seeing clients. These include:
- A HIPAA-compliant Notice of Privacy Practices, given to clients at the first visit
- A HIPAA-compliant authorization form for releasing information to third parties (with a separate authorization for psychotherapy notes)
- Business associate agreements (BAAs) with every vendor that creates, receives, stores, or transmits PHI on your behalf, such as your EHR, telehealth, billing, email, and cloud storage providers
You should expect to review and update these documents annually, or sooner when HIPAA rules change or your practice changes.
Protecting client information in day-to-day practice
In your therapy practice, you will be using several different electronic forms and documents for intake, scheduling, and communicating with clients. You will also have various electronic forms you’ll use for charting, storage, record retention, and billing.
All of this electronic technology must be used in a way that complies with HIPAA. How do you know if a product is suitable?
There is no official HIPAA certification for software. “HIPAA-compliant” is a vendor’s claim; what matters is that the vendor will sign a BAA with you and that the product supports the safeguards you need. Key features to look for:
- Encryption to protect health information, both at rest and in transit
- Strong password requirements
- Two-factor authentication for anyone accessing the software
- Automatic log-off after a period of inactivity
- Automatic backups of all data
- Secure, access-controlled storage with audit logs showing who accessed which record and when
Technology and HIPAA for solo providers
These days, so much of what therapists do happens via electronic technology. These electronic technologies can be extremely useful. But they have their pitfalls when it comes to security and HIPAA compliance. That’s why it’s crucial that you pick technologies that meet HIPAA standards.
Choosing a HIPAA-capable electronic health record system
As a provider, you’ll need to record important health information for your clients. Electronic health record (EHR) systems are a comprehensive digital version of a medical chart, and include demographic information, appointments, diagnoses, treatment options, and test results.
To support HIPAA compliance, an EHR should offer encryption, require strong passwords and two-factor authentication, log off automatically, and keep audit logs, and the vendor must sign a BAA with you.
Telehealth HIPAA compliance
Many therapists work from home and use telehealth for therapy sessions. As such, it’s essential to be aware of HIPAA-compliant telehealth requirements. Use a platform whose vendor signs a BAA (consumer video apps whose vendors won’t sign one are not acceptable for sessions) and that provides encrypted audiovisual sessions, secure access controls, and two-factor authentication. Verify the client’s identity before admitting them to a session, hold sessions where you can’t be overheard, and restrict recording or sharing of sessions unless the client has authorized it.
For providers seeing clients through Grow Therapy, the platform’s telehealth tools are designed to be HIPAA-aligned, including encrypted audiovisual sessions and secure access controls.
Messaging technologies
There are times you may need to message your clients, and most therapists use appointment reminder services. Any messaging between you and clients, or between you and third parties, should be encrypted and protected by identity verification and other access controls. Automated messages such as appointment reminders should carry only the minimum necessary (date, time, and your practice name) and never diagnoses, session content, or other private information, because reminders often land on a shared phone or an unencrypted inbox.
Grow Therapy’s messaging tool meets these requirements by default, covering appointment reminders, document transfers, and client check-ins within a single HIPAA-aligned platform.
Using cloud storage, backups, and encryption
Cloud storage of data and routine backups of data are important. But all of this data should be encrypted, both while it is stored and while it is in transit, and the cloud or backup provider must sign a BAA. Access to client data should be limited to those who need it, and you should have clear, written policies about who can access it. Encrypting the backup yourself before it leaves your device, with a key the storage provider never holds, is the strongest form of this: a breach at the provider then exposes only ciphertext, and under HHS guidance the loss of properly encrypted data is not a reportable breach.
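The following is an added example, not code from the original article or from Grow Therapy, of encrypting a backup file on your own device before it is uploaded to cloud storage, so that the provider only ever sees ciphertext. It assumes the `cryptography` package is installed (`pip install cryptography`); the sample record and file name are constructed for illustration and are not real client data. The key is generated once and must be stored separately from the backups (for example in a password manager), never in the same cloud account.

```python
"""Client-side encryption of a practice backup before it leaves the device.

Added example (not part of the original article). Assumes the `cryptography`
package is installed. The sample record, label and key handling below are
constructed for illustration only.
"""
import secrets

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

NONCE_LEN = 12  # 96-bit nonce, the standard size for AES-GCM


def generate_key() -> bytes:
    """256-bit random key. Keep it outside the cloud account that holds the
    backups (e.g. in a password manager), never next to the ciphertext."""
    return AESGCM.generate_key(bit_length=256)


def encrypt_backup(plaintext: bytes, key: bytes, label: bytes) -> bytes:
    """Encrypt one backup file with AES-256-GCM.

    `label` is authenticated but not encrypted (for example the backup file
    name plus date). Binding it into the tag means a backup that is renamed
    or swapped for a different one fails to decrypt instead of silently
    restoring the wrong data."""
    nonce = secrets.token_bytes(NONCE_LEN)  # fresh per file; nonce reuse with one key breaks GCM
    ciphertext = AESGCM(key).encrypt(nonce, plaintext, label)
    return nonce + ciphertext               # nonce is not secret; GCM appends the 16-byte tag


def decrypt_backup(blob: bytes, key: bytes, label: bytes) -> bytes:
    """Reverse of encrypt_backup. Raises InvalidTag if anything was altered."""
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return AESGCM(key).decrypt(nonce, ciphertext, label)


def is_tampered(blob: bytes, key: bytes, label: bytes) -> bool:
    """True if the blob fails authentication (bit flip, truncation, wrong label)."""
    try:
        decrypt_backup(blob, key, label)
        return False
    except InvalidTag:
        return True


# Constructed sample export standing in for a real backup; not real client data.
SAMPLE_BACKUP = b'{"client_id": "C-0001", "progress_note": "Session 4: reviewed coping plan."}'
SAMPLE_LABEL = b"practice-backup-2024-03-10.json"


def demo() -> bool:
    """Round trip plus the two failure modes a practitioner should expect to be caught."""
    key = generate_key()
    blob = encrypt_backup(SAMPLE_BACKUP, key, SAMPLE_LABEL)
    assert decrypt_backup(blob, key, SAMPLE_LABEL) == SAMPLE_BACKUP
    flipped = blob[:-1] + bytes([blob[-1] ^ 0x01])   # flip one bit of the GCM tag
    assert is_tampered(flipped, key, SAMPLE_LABEL)
    assert is_tampered(blob, key, b"other-backup.json")  # wrong label is rejected too
    return True


if __name__ == "__main__":
    print("backup round trip and tamper checks passed:", demo())
```

In practice you would write the returned blob to the cloud-synced folder and keep the key only on your own devices; restoring means downloading the blob and calling `decrypt_backup` with the same label. Losing the key means losing the backups, so the key itself needs its own (offline) backup.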
Device security for laptops, tablets, and phones
Laptops, tablets, and phones are frequently used by therapists in their work. This is allowed, but lost or stolen unencrypted devices are one of the most common causes of reportable breaches, so you must take measures to protect your clients’ PHI on them. This may include:
- Turning on full-disk encryption (FileVault on macOS, BitLocker on Windows, and the built-in encryption on current iPhones and Android phones)
- Keeping PHI out of consumer apps whose vendors have not signed a BAA
- Avoiding open or unsecured Wi-Fi for PHI, or using a VPN when you must
- Offering separate “Guest” Wi-Fi access for clients and other visitors
- Using automatic screen locks and log-offs
- Using antivirus software and installing operating system updates promptly
- Enabling remote locate-and-wipe so a lost device can be erased
Responding to HIPAA incidents and breaches
A HIPAA breach occurs when protected health information is shared, accessed, or used without authorization or permission. In a solo mental health practice, a breach might occur when:
- A client’s PHI is discussed and overheard by others
- Paper or electronic records are left unsecured, or an unencrypted device holding PHI is lost or stolen
- Email, messaging, or texting happens without proper encryption
- PHI is sent to the wrong recipient, or isn’t properly controlled or tracked
Immediate steps to take after a suspected breach
After a suspected breach, you should:
- Stop the breach and secure all technology involved (for example, remotely wipe a lost device or revoke a compromised password)
- Document what happened, when you discovered it, and what PHI was involved
- Secure evidence
- Notify law enforcement if a cyberattack may have been involved
- Assess whether the PHI was actually compromised, considering what information was involved, who received it, whether they actually viewed it, and how far the risk has been mitigated; unless that assessment shows a low probability of compromise, the incident is a reportable breach
You must then notify every affected individual without unreasonable delay and no later than 60 calendar days after discovery. If the breach happened at a business associate, the associate must notify you (within 60 days of discovering it), and you remain responsible for notifying your clients unless you have delegated that in the BAA.
The Breach Notification Rule also requires reporting to the Department of Health and Human Services Office for Civil Rights: within 60 days of discovery if 500 or more individuals are affected, and otherwise in an annual log submitted within 60 days after the end of the calendar year in which the breach was discovered. If more than 500 residents of one state or jurisdiction are affected, you must also notify prominent media outlets serving that area.
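As an added example (not from the original article), the notification timing rules above can be written down as a small decision procedure. It is useful mainly because the thresholds are easy to misremember: HHS reporting is triggered at 500 or more people, media notice at more than 500 residents of one state, and breaches under 500 are due to HHS 60 days after the calendar year ends, not 60 days after discovery. The dates and counts used are constructed for illustration.

```python
"""Breach notification deadlines under the HIPAA Breach Notification Rule.

Added example, not part of the original article. It encodes the timing rules
the article describes (45 CFR 164.404 through 164.408); the dates and counts
used below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Every HIPAA breach notice shares the same outer limit: "without unreasonable
# delay and in no case later than 60 calendar days".
WINDOW = timedelta(days=60)


@dataclass
class BreachFacts:
    discovery_date: date        # first day the breach was known, or would have been with reasonable diligence
    individuals_affected: int   # total people whose PHI was involved
    max_in_one_state: int       # largest number of those people living in a single state or jurisdiction
    encrypted_per_hhs_guidance: bool = False  # e.g. a lost laptop with full-disk encryption and no exposed key


@dataclass
class NotificationPlan:
    individuals_by: date
    hhs_by: date
    hhs_timing: str             # "contemporaneous" (500 or more people) or "annual log" (fewer than 500)
    media_by: Optional[date]    # only when more than 500 residents of one state are affected


def plan_notifications(facts: BreachFacts) -> Optional[NotificationPlan]:
    """Return the notice deadlines, or None when the encryption safe harbor applies."""
    if facts.encrypted_per_hhs_guidance:
        # Properly encrypted PHI is "secured"; its loss is not a reportable breach.
        return None

    individuals_by = facts.discovery_date + WINDOW

    if facts.individuals_affected >= 500:
        # HHS must be told at the same time as the individuals.
        hhs_by, hhs_timing = individuals_by, "contemporaneous"
    else:
        # Smaller breaches go into an annual log, due 60 days after the calendar year ends.
        year_end = date(facts.discovery_date.year, 12, 31)
        hhs_by, hhs_timing = year_end + WINDOW, "annual log"

    # Different threshold from HHS: media notice is "more than 500", not "500 or more".
    media_by = individuals_by if facts.max_in_one_state > 500 else None

    return NotificationPlan(individuals_by, hhs_by, hhs_timing, media_by)


def plan_for(discovery: str, affected: int, max_in_one_state: int,
             encrypted: bool = False) -> Optional[NotificationPlan]:
    """Convenience wrapper taking an ISO date string (YYYY-MM-DD)."""
    return plan_notifications(
        BreachFacts(date.fromisoformat(discovery), affected, max_in_one_state, encrypted))


if __name__ == "__main__":
    # Constructed scenario: a lost, unencrypted phone holding 120 clients' appointment data.
    print(plan_for("2024-03-10", 120, 120))
```

The calendar-year rule is the one that catches people: a small breach discovered in March is not due to HHS in May, but by March 1 of the following year, while the affected clients still have to be told within 60 days of discovery.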
Preventing and learning from incidents
Breach incidents serve as reminders of the importance of implementing security measures to protect clients’ personal health information. You can use a breach as an opportunity to perform an audit on all software and systems you have in place, and to take extra steps to implement stronger security features.
HIPAA training and ongoing compliance
As a solo provider, it’s important to do some self-training on the ins and outs of HIPAA compliance. It’s also crucial that you stay up to date on policies over time, as they change.
There are many resources available to you as you begin acquainting yourself with HIPAA compliance standards as a solo mental health provider.
Here are some to get you started:
- Training material from the U.S. Department of Health and Human Services
- HIPAA compliance resources from the American Psychological Association
- Training webinars from the American Psychological Association
Common HIPAA pitfalls for solo mental health providers
HIPAA compliance isn’t just about making sure that the technology you use complies with HIPAA standards. There are also other aspects of your life as a therapist to consider, and how HIPAA compliance comes into play.
Social media and online reviews
Social media and online interactions can be tricky when it comes to HIPAA compliance. On the one hand, you are allowed to have an online presence. But this should not in any way violate your client’s privacy or disclose any of their personal health information.
Here’s what to keep in mind:
- You should not disclose any PHI about your patients online or on social media.
- You should not share their stories anonymously, unless you have consent from them.
- You should not reveal any patient diagnoses or treatment online.
- You should not tag clients in online posts.
- You should not share information about a client with a colleague over personal text, consumer messaging apps, or personal email, even anonymously; use a secured platform and keep the details non-identifying.
- You can respond to online reviews, but never confirm that the reviewer is or was a client, and respond only if you are certain you will not disclose PHI. A generic reply that you take feedback seriously and cannot discuss individual care is usually the safe choice.
Using personal devices and email accounts
Under HIPAA, you are allowed to use your personal laptop, phone, or tablet for handling your clients’ PHI, but the device must meet the security standards your risk analysis calls for. These may include full-disk encryption, user authentication, automatic log-off, use of a secured Wi-Fi network, and anti-malware protection.
Emailing and messaging clients can be part of your practice. But you shouldn’t use your personal email account to do this. Use a HIPAA-compliant patient portal or a messaging app or service whose vendor has signed a BAA with you.
Can I use regular email or text to communicate with therapy clients?
Standard email and SMS text messaging are generally not considered HIPAA-aligned because they lack the encryption and access controls required to protect PHI.
You can communicate with clients via unencrypted email or text only if the client, after being warned of the risks, still asks for it, and you have documented that informed choice in writing. Even then, keep any PHI, such as diagnoses, session details, or identifying information, out of those messages.
The safest approach is to use a HIPAA-aligned patient portal or encrypted messaging platform for all client communications. If you’re using Grow Therapy, the built-in messaging tool is designed to be HIPAA-aligned and covers appointment scheduling, document transfers, and client check-ins within a single secure platform.
Informal consultations and peer discussions
You don’t need to hide that you’re a therapist in public and it may come up in conversation from time to time. You may even be asked for off-the-cuff mental health advice. While you can give general advice about how to deal with mental health challenges, you should not give any informal advice that could be construed as a mental health consultation.
Additionally, it’s normal and encouraged that you consult with other therapists about difficult cases. If you do this, it’s vital that you take confidentiality seriously. Never identify your clients, including by their name, workplace, or where they live. Keep things very general, sharing information about their age, gender, and clinical symptoms only.
If you are meeting with peers in person, make sure your conversations won’t be overheard by others. If you are discussing cases online, only use HIPAA-compliant, secured messaging platforms.
How Grow Therapy can help
Grow Therapy takes HIPAA compliance seriously, and all of our software is HIPAA-aligned. This includes Grow Therapy’s messaging tool, which is what therapists use for appointment scheduling, progress updates, insights, document transfers, questionnaires, worksheets, and check-ins. Therapists also have access to Grow Therapy’s HIPAA-aligned telehealth platform and EHR system.
Working with Grow Therapy means easy access to HIPAA-aligned software and systems, so that you can focus primarily on client care and your growth as a therapist.