HIPAA compliance is not optional for therapists — yet many solo practitioners and small group practices operate with significant compliance gaps, often without realizing it. The consequences range from corrective action plans to fines that can reach $50,000 per violation. This guide covers what HIPAA requires of therapy practices in 2026, what's changed recently, and how to build a compliance program that protects your patients and your practice.
HIPAA Basics: What Therapists Must Know
The Health Insurance Portability and Accountability Act has two main rules that affect therapy practices:
The Privacy Rule
The Privacy Rule governs how you use and disclose protected health information (PHI). Key requirements for therapists:
- Minimum necessary standard: Share only the minimum PHI required for a given purpose. Don't send an entire treatment record when a summary would suffice.
- Patient rights: Patients have the right to access their records, request amendments, receive an accounting of disclosures, and request restrictions on certain uses of their information.
- Notice of Privacy Practices: You must provide patients with a clear notice describing how their information may be used and their rights.
- Psychotherapy notes: These receive special protection under HIPAA. They cannot be disclosed without specific patient authorization, even for treatment, payment, or operations.
The Security Rule
The Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI):
- Administrative safeguards: Risk assessments, workforce training, incident response procedures, business associate agreements.
- Physical safeguards: Facility access controls, workstation security, device and media controls.
- Technical safeguards: Access controls (unique user IDs, automatic logoff), audit controls, integrity controls, transmission security (encryption).
What Changed in 2025–2026
The HHS Office for Civil Rights (OCR) has been actively updating HIPAA regulations to address modern technology use:
Telehealth Permanence
The COVID-era telehealth flexibilities have been formalized. Therapists conducting telehealth sessions must use platforms that provide end-to-end encryption and have signed Business Associate Agreements. The temporary allowances for consumer-grade video tools like FaceTime and standard Zoom have expired.
AI and Automated Processing
New guidance specifically addresses AI tools that process PHI. The key requirements: any AI system that accesses PHI must be covered by a BAA, must implement appropriate technical safeguards, and must provide patients with transparency about how their information is processed. On-device processing architectures that de-identify data before transmission receive favorable treatment under the new guidance because they minimize the PHI that third-party systems access.
Increased Enforcement
OCR has significantly increased enforcement actions against small practices. The "we're too small to be noticed" assumption is no longer safe. Recent settlements include solo practitioners fined $25,000–$100,000 for violations that could have been prevented with basic compliance measures.
The HIPAA Compliance Checklist for Therapists
1. Conduct a Risk Assessment
This is the single most common compliance gap in therapy practices. HIPAA requires a documented risk assessment identifying threats to the confidentiality, integrity, and availability of ePHI. This isn't a one-time task — it must be updated annually or whenever significant changes occur (new software, new location, new telehealth setup).
2. Implement Access Controls
Every system containing ePHI must have unique user logins, strong passwords, and automatic logoff. If your EHR login is shared among staff, or if your laptop doesn't auto-lock after inactivity, you have a compliance gap.
3. Encrypt Everything
Encryption is an "addressable" safeguard under HIPAA, meaning you must implement it unless you document why an alternative is equally protective (good luck with that argument). In practice, encrypt your laptop hard drive, use encrypted email for PHI, and ensure your practice management software encrypts data at rest and in transit.
4. Execute Business Associate Agreements
Any vendor that accesses, stores, or transmits PHI on your behalf is a business associate and requires a BAA. This includes your EHR vendor, billing service, cloud storage provider, telehealth platform, AI documentation tool, and even your IT support company. No BAA means no compliance.
5. Train Your Workforce
All staff — including administrative assistants, interns, and independent contractors — must receive HIPAA training. Document the training and retrain annually. For solo practitioners, self-training still needs to be documented.
6. Develop Policies and Procedures
You need written policies covering: PHI use and disclosure, breach notification, patient rights requests, device management, remote work security, and incident response. These don't need to be elaborate — clear, specific, and followed is better than lengthy and ignored.
7. Prepare for Breaches
Have an incident response plan before you need it. Know who to notify (patients, HHS, potentially media for breaches over 500 individuals), the timeline (60 days for HHS notification), and the steps for containment and remediation.
Technology and Compliance
Your choice of practice management software has an enormous impact on your compliance posture. A well-designed platform handles many compliance requirements automatically:
- Access controls: Built-in role-based permissions and automatic session timeouts.
- Encryption: Data encrypted at rest and in transit by default.
- Audit trails: Automatic logging of who accessed what records and when.
- BAA coverage: The vendor provides a signed BAA as part of the service agreement.
- Secure messaging: HIPAA-compliant communication with patients through a patient portal rather than email or text.
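To make the three technical safeguards above concrete (role-based access controls, automatic logoff, and an audit trail recording who accessed what and when), here is a small access-mediation layer written for this guide. It is an added illustration, not Mediyn's code and not any EHR vendor's implementation. The roles, field names, the 15-minute idle timeout, and the patient chart are all constructed for the example; it also applies the Privacy Rule points from earlier in the guide, limiting each role to the minimum necessary fields and restricting psychotherapy notes to the treating clinician on the chart.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Idle timeout for automatic logoff (hypothetical policy value for this example)
SESSION_TIMEOUT = timedelta(minutes=15)

# Minimum-necessary standard as an allow-list: each role sees only the fields
# it needs. Roles and field names are constructed for this example.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {
    "therapist": {"demographics", "treatment_summary", "psychotherapy_notes"},
    "billing": {"demographics", "billing_codes"},
    "front_desk": {"demographics"},
}


@dataclass
class Session:
    user_id: str            # unique login per person, never shared
    role: str
    last_activity: datetime


@dataclass(frozen=True)
class AuditEvent:
    timestamp: datetime
    user_id: str
    patient_id: str
    field: str
    outcome: str            # "allowed" or "denied:<reason>"


class PhiStore:
    """Mediates every read of ePHI and records each attempt in an audit trail."""

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.audit_log: List[AuditEvent] = []

    def _audit(self, ts: datetime, session: Session, patient_id: str,
               field: str, outcome: str) -> None:
        self.audit_log.append(AuditEvent(ts, session.user_id, patient_id, field, outcome))

    def read_field(self, session: Session, patient_id: str, field: str,
                   now: Optional[datetime] = None) -> str:
        now = now or datetime.now(timezone.utc)

        # Automatic logoff: an idle session is rejected and must re-authenticate.
        if now - session.last_activity > SESSION_TIMEOUT:
            self._audit(now, session, patient_id, field, "denied:session_expired")
            raise PermissionError("session expired; re-authenticate")
        session.last_activity = now

        # Role-based access: the field must be on the role's allow-list.
        if field not in ROLE_PERMISSIONS.get(session.role, set()):
            self._audit(now, session, patient_id, field, "denied:role")
            raise PermissionError(f"role {session.role!r} may not read {field!r}")

        record = self._records.get(patient_id)
        if record is None or field not in record:
            self._audit(now, session, patient_id, field, "denied:not_found")
            raise KeyError(f"{field!r} not on file for {patient_id!r}")

        # Psychotherapy notes get extra protection: only the treating clinician
        # recorded on the chart may read them, regardless of role.
        if field == "psychotherapy_notes" and record.get("treating_clinician") != session.user_id:
            self._audit(now, session, patient_id, field, "denied:not_treating_clinician")
            raise PermissionError("psychotherapy notes restricted to the treating clinician")

        self._audit(now, session, patient_id, field, "allowed")
        return record[field]

    def access_history(self, patient_id: str) -> List[AuditEvent]:
        """Accounting of access attempts for one patient: who, what, when, outcome."""
        return [e for e in self.audit_log if e.patient_id == patient_id]


def demo() -> Dict[str, object]:
    """Runs the scenarios with a constructed chart and returns the outcomes."""
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)
    store = PhiStore({
        "pt-001": {                       # constructed sample chart
            "treating_clinician": "dr.lee",
            "demographics": "Jane Doe, 1985",
            "treatment_summary": "6 sessions, anxiety, progressing",
            "psychotherapy_notes": "[session notes]",
            "billing_codes": "90834",
        }
    })
    lee = Session("dr.lee", "therapist", t0)
    park = Session("dr.park", "therapist", t0)
    billing = Session("acct", "billing", t0)
    results: Dict[str, object] = {}

    # Treating clinician reads the notes: allowed.
    results["lee_notes"] = store.read_field(lee, "pt-001", "psychotherapy_notes",
                                            now=t0 + timedelta(minutes=1))
    # Another therapist and a billing user try the same field: both denied.
    for key, sess in (("park_notes", park), ("billing_notes", billing)):
        try:
            store.read_field(sess, "pt-001", "psychotherapy_notes", now=t0 + timedelta(minutes=2))
            results[key] = "allowed"
        except PermissionError:
            results[key] = "denied"
    # dr.lee returns after 30 idle minutes: automatic logoff applies.
    try:
        store.read_field(lee, "pt-001", "demographics", now=t0 + timedelta(minutes=31))
        results["idle"] = "allowed"
    except PermissionError:
        results["idle"] = "denied"
    results["audit_entries"] = len(store.access_history("pt-001"))
    return results


if __name__ == "__main__":
    print(demo())
```

Every attempt, allowed or denied, lands in the audit trail, which is what lets you answer a patient's request for an accounting of disclosures and spot a shared or misused login. The timeout check runs before any permission logic so an abandoned workstation cannot be used to read a chart even by a user whose role would otherwise permit it.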
Conversely, stitching together consumer-grade tools — Google Docs for notes, Venmo for payments, regular text messages for reminders — creates a compliance nightmare.
Common Violations in Therapy Practices
Based on recent OCR enforcement actions and audits, the most common violations in therapy practices are:
- No risk assessment: The number one finding in audits.
- Unencrypted devices: A stolen, unencrypted laptop containing patient records is an automatic breach.
- Missing BAAs: Using cloud services or billing companies without executed BAAs.
- Improper disclosures: Discussing patient information in public areas, sending PHI via unencrypted email, or faxing to wrong numbers.
- Failure to provide records: Patients have a right to their records within 30 days. Delays or denials are violations.
Building a Sustainable Compliance Program
Compliance doesn't have to be overwhelming. The key is choosing tools that build compliance into your daily workflow rather than treating it as a separate administrative task. When your documentation is automated, your billing is integrated, and your patient communication flows through a secure portal, most compliance requirements are met without any extra effort on your part.
For group practices, a unified platform is even more critical — compliance gaps multiply with each additional clinician using their own tools and workflows.
Learn more about Mediyn's security and compliance architecture, including BAA coverage, on-device PHI processing, and automatic audit trails.