
HIPAA Compliance for Solo Therapists: What You Actually Need to Do

HIPAA compliance feels like a black box. You know you need it. You know the penalties are scary. But when you try to figure out what you actually need to do as a solo therapist, you find 400-page compliance manuals written for hospital systems.

Here's the practical version: what solo therapists actually need to do, stripped of the legal jargon and the enterprise-scale requirements that don't apply to a one-person practice.

First: what HIPAA actually requires

HIPAA has three main rules that affect therapists:

The Privacy Rule governs how you use and disclose protected health information (PHI). In practice: don't share client information without authorization, give clients access to their records when requested, and have a Notice of Privacy Practices.

The Security Rule applies specifically to electronic PHI (ePHI). It requires administrative, physical, and technical safeguards to protect electronic client data. This is where most of the practical compliance work lives for solo therapists.

The Breach Notification Rule requires you to notify affected individuals and HHS if a breach of unsecured PHI occurs. You need a plan for this, even if you never have to use it.

The actual checklist for solo therapists

1. Risk assessment (required, not optional)

HIPAA requires every covered entity to conduct a risk assessment. For a solo therapist, this means documenting: what PHI you have, where it's stored, what threats exist, and what you're doing about them.

This doesn't need to be a 50-page document. A structured review of your practice operations covering where ePHI lives (EHR, email, phone, cloud storage, paper files), who has access, and what protections are in place is sufficient. Review it annually.

2. Business Associate Agreements (BAAs)

Any vendor that handles PHI on your behalf needs a signed BAA. This includes:

Your EHR (SimplePractice, TherapyNotes, etc. — they all provide BAAs).
Your email provider, if you send PHI via email (Google Workspace and Microsoft 365 both offer BAAs).
Your cloud storage, if you store files containing PHI (Google Drive with a BAA, or encrypted cloud storage).
Your billing service, if they handle client information.
Any clinical tool that processes client data.

If a vendor won't sign a BAA, they can't touch your PHI. Period.

3. Encryption

Encrypt ePHI at rest (stored data) and in transit (data being transmitted).

In transit: use HTTPS for all web-based tools (check for the lock icon). Use encrypted email for any communication containing PHI, or better yet, communicate through your EHR's secure messaging.

At rest: your EHR handles this for data stored in their system. For files on your own computer, enable full-disk encryption (FileVault on Mac, BitLocker on Windows). For cloud storage, ensure your provider encrypts stored data (Google Drive and OneDrive do this by default with a BAA in place).

4. Access controls

Use unique login credentials for every system that contains PHI. Use strong, unique passwords (a password manager makes this easy). Enable two-factor authentication (2FA) on every account that offers it — your EHR, email, cloud storage, and any clinical tools.

If you share a computer with anyone (including family members), use separate user accounts so no one can accidentally access your clinical systems.

5. Device security

Your phone and laptop probably contain PHI. Protect them:

Enable auto-lock (5 minutes or less on a computer, immediately on a phone).
Use a strong passcode or biometric authentication.
Enable remote wipe capability in case of loss or theft (Find My iPhone, Find My Device for Android, Find My for Mac).
Keep operating systems and software updated.

If you use a personal phone for any clinical purpose (even just receiving a client text), it needs these protections.

6. Minimum necessary standard

Only access, use, or disclose the minimum amount of PHI necessary for the purpose. In practice: don't pull up a client's full chart when you only need their phone number. Don't include clinical details in an email when a message saying "Your appointment is confirmed for Thursday" suffices.

This principle also applies to your staff, if you ever hire anyone — they should only have access to the PHI they need for their job function.
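The "minimum necessary" rule is easy to state and easy to break with a careless template, so here is an added example (not code from this post or from any product) of how a reminder can be built to enforce it. The template is only allowed to reference the appointment's weekday and time, and the rendered text is then screened against the client's chart values so that a clinical detail pasted into the template is refused rather than sent. The Client record, its field names, and the sample values are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Client is a hypothetical chart record constructed for this example;
// the field names are assumptions, not a real EHR schema.
type Client struct {
	ID        string
	Email     string // delivery address: the one field a reminder actually needs
	FullName  string
	Phone     string
	DOB       string
	Diagnosis string
	LastNote  string
}

// restrictedFields lists every chart value that has no business in a reminder.
func restrictedFields(c Client) map[string]string {
	return map[string]string{
		"FullName":  c.FullName,
		"Phone":     c.Phone,
		"DOB":       c.DOB,
		"Diagnosis": c.Diagnosis,
		"LastNote":  c.LastNote,
	}
}

// LeakedFields returns the names of restricted fields whose values appear in
// msg, compared case-insensitively. An empty result means the message is clean.
func LeakedFields(msg string, c Client) []string {
	lower := strings.ToLower(msg)
	var leaked []string
	for name, val := range restrictedFields(c) {
		if val != "" && strings.Contains(lower, strings.ToLower(val)) {
			leaked = append(leaked, name)
		}
	}
	sort.Strings(leaked) // map iteration order is random; keep output stable
	return leaked
}

// BuildReminder renders the message from a template that can only reference
// the appointment's weekday and time (an allow-list), then screens the result
// so free text pasted into the template cannot carry chart data out.
func BuildReminder(template string, c Client, appt time.Time) (string, error) {
	msg := strings.NewReplacer(
		"{weekday}", appt.Weekday().String(),
		"{time}", appt.Format("3:04 PM"),
	).Replace(template)
	if leaked := LeakedFields(msg, c); len(leaked) > 0 {
		return "", fmt.Errorf("reminder blocked: would disclose %v", leaked)
	}
	return msg, nil
}

func main() {
	c := Client{ // constructed sample record
		ID: "client-0042", Email: "jdoe@example.com", FullName: "Jane Doe",
		Phone: "555-0142", DOB: "1988-04-02",
		Diagnosis: "F41.1 generalized anxiety disorder",
		LastNote:  "reports improved sleep since session 11",
	}
	appt := time.Date(2024, time.May, 16, 14, 0, 0, 0, time.UTC)

	good := "Your appointment is confirmed for {weekday} at {time}."
	msg, err := BuildReminder(good, c, appt)
	fmt.Println(msg, err)

	// A careless template that pastes in a name and a clinical detail is refused.
	bad := "Hi Jane Doe, see you {weekday}. We'll follow up on F41.1 generalized anxiety disorder."
	_, err = BuildReminder(bad, c, appt)
	fmt.Println("blocked:", err)
}
```

The same screen can be run on any outgoing message, not just templated ones, which is the shape of control a platform applies when it promises that PHI is stripped from outgoing email.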

7. Notice of Privacy Practices

Provide every client with a Notice of Privacy Practices (NPP) that explains how you use and protect their information, their rights regarding their PHI, and how to file a complaint. Most EHRs include a template NPP. Customize it for your practice, have clients sign an acknowledgment, and keep the signed acknowledgment in their record.

8. Incident response plan

You need a written plan for what to do if a breach occurs. For a solo therapist, this can be a one-page document covering: how to identify a breach, how to contain it, how to assess what was compromised, how to notify affected individuals (within 60 days), and how to notify HHS if it affects 500+ individuals (unlikely for a solo practice, but the plan should exist).

9. Training

HIPAA requires workforce training on privacy and security practices. As a solo therapist, your "workforce" is you. Document that you've reviewed HIPAA requirements annually. If you have an admin assistant, they need training too.

10. Documentation

Document everything listed above. The risk assessment, BAAs, policies, training records, and incident response plan should all be written down and stored securely. If you're ever audited, documentation is what demonstrates compliance.

What you DON'T need

A compliance officer. That's an enterprise requirement. You're your own compliance officer.

Expensive compliance software. A structured document (even a Word doc or spreadsheet) covering your risk assessment and policies is sufficient for a solo practice.

A lawyer on retainer. A one-time legal review of your NPP and policies is smart. Ongoing legal counsel for HIPAA is unnecessary for a solo practice that's following the basics.

To stop using technology. HIPAA doesn't prohibit cloud storage, email, or mobile devices. It requires that you use them with appropriate safeguards, and the safeguards described above are those safeguards.

The tools matter

The single biggest thing you can do for HIPAA compliance is choose tools that are built for it. A purpose-built clinical platform with encryption at rest, signed BAAs, access controls, and audit logging handles most of the technical compliance requirements automatically.

Theracharts was built with HIPAA compliance as a foundation, not an afterthought. AES-256-GCM encryption at rest, BAAs signed with all infrastructure providers, mandatory 2FA for therapist accounts, full audit logging with 6-year retention, and PHI stripped from all outgoing emails. The compliance work is built into the platform so you can focus on clinical work.
