HIPAA Compliance for Therapists
Built for solo therapists, group counseling practices, psychiatrists, and family therapy clinics. Handles psychotherapy notes, telehealth, and the special protections under 45 CFR § 164.508(a)(2).
What OCR Audits in Mental Health & Therapy Practices
Why mental health & therapy practices face unique HIPAA risk
Psychotherapy notes get special protection
Psychotherapy notes (sometimes called process notes) require separate authorization for most uses or disclosures under 45 CFR § 164.508(a)(2) — even by other staff at the same practice. They must be stored separately from the rest of the chart.
Telehealth introduces new vendors
Every telehealth platform you use is a Business Associate (45 CFR § 164.502(e)). Most therapists onboarded telehealth tools without signing BAAs — HHS has been increasingly enforcing this post-COVID.
Solo therapists are still covered entities
Practices think they're too small to be audited. OCR enforcement data shows the opposite — 55% of fines hit practices smaller than 50 employees. Solo therapists are not below the line.
Patient-record subpoenas need careful handling
Therapy records are frequently subpoenaed in family-court and custody cases. 45 CFR § 164.512(e) sets specific requirements for responding — practices that hand over records without proper authorization or court order risk fines.
Built For You
What TrackHIPAA does for therapists
Psychotherapy Notes Policy
Written policy implementing the separate-authorization requirement of 45 CFR § 164.508(a)(2), with workforce sanctions for unauthorized access.
Telehealth BAA template
Ready-to-send BAA covering telehealth platforms, video session storage, and the appointment-scheduling tools therapists actually use.
Subpoena response workflow
Step-by-step procedure for responding to subpoenas, court orders, and discovery requests under 45 CFR § 164.512(e), with a documentation template.
Custody / family-law disclosures
Specific procedures for handling sensitive disclosures in family court matters, including minor patients and the personal-representative rules.
SRA for solo telehealth practice
Risk assessment wizard tailored for solo therapists: home-office setup, personal devices, video platforms, EHR vendor relationships.
Policies Included
Documents customized for therapists
Each policy is generated from your practice profile (state, size, systems used) and signed off by you as Privacy Officer.
- Notice of Privacy Practices (with psychotherapy notes language)
- Psychotherapy Notes Policy
- Patient Right of Access (with psychotherapy notes exception)
- Authorization for Disclosure to Family/Court
- Telehealth Business Associate Agreement
- Workforce Sanction Policy
- Breach Response Procedure
Plus 25+ additional policies covering every HIPAA requirement — full list on the pricing page.
Frequently Asked