HIPAA Compliance Checklist: 2025 Updates

Stay HIPAA-compliant with our 2025 checklist. Understand the updates that matter for your therapy practice without legal jargon. Get compliant.

TheraFocus Team
Healthcare Compliance Experts
January 10, 2025

If you run a therapy practice, HIPAA compliance probably feels like a constant weight on your shoulders. You know it matters. You know the penalties for getting it wrong can be devastating. But between client sessions, administrative tasks, and trying to grow your practice, staying current with regulations can feel overwhelming.

Here is the good news: HIPAA compliance does not have to be complicated. This comprehensive 2025 checklist breaks down everything you need to know into actionable steps. Whether you are a solo practitioner working from a home office or managing a multi-location group practice, this guide will help you protect your clients, your reputation, and your livelihood.

  • $1.5M+: average data breach cost
  • 725: healthcare breaches in 2024
  • 60 days: breach notification deadline
  • 6 years: required record retention

What HIPAA Actually Means for Your Therapy Practice

The Health Insurance Portability and Accountability Act protects sensitive patient health information from being disclosed without consent. For therapists, this covers everything from session notes and treatment plans to billing records, appointment schedules, and even casual conversations about clients.

HIPAA consists of several rules, but three matter most for therapy practices: the Privacy Rule (who can access patient information), the Security Rule (how to protect electronic health information), and the Breach Notification Rule (what to do when something goes wrong). Understanding these rules is the foundation of compliance.

What Changed in 2025: Key Updates You Need to Know

The Department of Health and Human Services continues to strengthen HIPAA requirements. The 2025 updates reflect the reality that most therapy practices now rely heavily on technology, from telehealth platforms to cloud-based EHR systems.

2025 HIPAA Updates at a Glance

  1. Stricter requirements for telehealth platform security and encryption
  2. Enhanced patient rights for accessing and transferring their records
  3. Increased scrutiny of Business Associate Agreements with technology vendors
  4. New requirements for mobile device management and remote work security
  5. Expanded definitions of what constitutes a reportable breach

These changes reflect a simple truth: as therapy practices become more digital, the attack surface for potential breaches expands. The good news is that practices using modern, purpose-built practice management software often find compliance easier than those cobbling together generic tools.

Administrative Safeguards Checklist

Administrative safeguards are the policies, procedures, and actions you take to manage your workforce and protect patient information. Think of these as the "people and process" side of compliance.

  • Designate a Privacy Officer responsible for HIPAA compliance
  • Designate a Security Officer (can be the same person in small practices)
  • Complete a comprehensive risk assessment annually
  • Document all policies and procedures in writing
  • Train all workforce members on HIPAA requirements
  • Implement sanctions for policy violations
  • Review and update policies at least annually
  • Maintain documentation for a minimum of six years

Risk Assessment: The Foundation of Compliance

A risk assessment is not just a checkbox exercise. It is an honest evaluation of where your practice might be vulnerable. Walk through your entire operation: How do clients schedule appointments? Where are their records stored? Who has access to what? How do you communicate with clients between sessions?

Document every potential risk, rate its likelihood and impact, and create a plan to address each one. This document becomes your roadmap for the year and your evidence of good faith compliance efforts if anything goes wrong.

Physical Safeguards Checklist

Physical safeguards protect the actual devices and locations where patient information lives. Even in an increasingly digital world, physical security matters.

Office-Based Practices

  • Lock file cabinets containing patient records
  • Position computer screens away from public view
  • Use privacy screens on monitors
  • Secure server rooms or equipment closets
  • Control visitor access to clinical areas
  • Shred documents before disposal

Home Office and Remote Work

  • Dedicate a private workspace for client sessions
  • Use headphones during telehealth sessions
  • Lock devices when stepping away
  • Secure any printed documents
  • Ensure family members cannot overhear sessions
  • Use encrypted storage for portable devices

Technical Safeguards Checklist

Technical safeguards are the technology measures that protect electronic protected health information (ePHI). This is where many practices struggle, but modern practice management software can handle most of these requirements automatically.

  • Implement unique user identification for all system users
  • Enable automatic logoff after periods of inactivity
  • Encrypt all ePHI at rest and in transit
  • Require multi-factor authentication (MFA) for all logins
  • Maintain audit logs of all system access
  • Implement role-based access controls
  • Establish backup and disaster recovery procedures
  • Keep all software updated with security patches
  • Use secure, HIPAA-compliant telehealth platforms

Common Technical Mistakes to Avoid

  • Using personal email (Gmail, Yahoo) for client communication
  • Storing patient information in unsecured cloud services like Dropbox
  • Conducting telehealth sessions over standard Zoom or FaceTime
  • Sharing login credentials between staff members
  • Failing to encrypt laptops and mobile devices

Business Associate Agreements: Your Vendor Safety Net

Every vendor that handles patient information on your behalf must sign a Business Associate Agreement (BAA). This legal contract ensures they are also bound by HIPAA requirements and shares liability if they cause a breach.

Review your vendor list carefully. Your EHR provider, billing service, telehealth platform, cloud storage provider, IT support company, and even your shredding service all need BAAs. If a vendor refuses to sign a BAA, that is a major red flag, and you should find an alternative.

Vendors That Need BAAs

  • Electronic Health Record (EHR) providers
  • Practice management software
  • Telehealth platforms
  • Medical billing services
  • Cloud storage providers
  • IT support and managed services
  • Secure messaging platforms
  • Document shredding services

Red Flags in Vendor Selection

  • Refuses to sign a BAA
  • Cannot explain their security measures
  • No SOC 2 or HITRUST certification
  • Data stored outside the United States
  • No clear breach notification procedures
  • Uses consumer-grade (non-HIPAA) products
  • Poor reviews from other healthcare providers
  • No dedicated security or compliance team

Breach Response: Have a Plan Before You Need One

Nobody wants to think about data breaches, but having a response plan ready is essential. When a breach happens, you will be stressed and under time pressure. A documented plan ensures you take the right steps in the right order.

Breach Response Steps

  1. Identify and contain the breach immediately - stop ongoing unauthorized access
  2. Document everything from the moment of discovery with timestamps
  3. Conduct a risk assessment to determine the breach severity and scope
  4. Notify affected individuals within 60 days of discovery
  5. Report to HHS if 500 or more individuals are affected
  6. Notify local media if 500 or more individuals in a single state are affected
  7. Implement corrective actions to prevent similar incidents

Staff Training Requirements

Every workforce member who handles patient information needs HIPAA training. This includes therapists, administrative staff, billing personnel, and even contractors who might access your systems. Training should happen during onboarding and at least annually thereafter.

Document all training sessions, including the date, topics covered, and attendees. Keep these records for at least six years. When regulations change or you update your policies, provide additional training to ensure everyone stays current.

Essential Training Topics

  • What constitutes PHI and ePHI
  • Minimum necessary standard
  • Patient rights under HIPAA
  • Proper disposal of PHI
  • Password security and MFA
  • Recognizing phishing attempts
  • Incident reporting procedures
  • Social engineering awareness

Frequently Asked Questions

Do I need a BAA with my landlord?

Generally no, unless your landlord has access to your patient records or systems. If they only provide physical space and do not handle any PHI, a BAA is not required.

Can I use regular Zoom for telehealth?

No. Standard Zoom accounts are not HIPAA-compliant. You need Zoom for Healthcare or another platform that offers a BAA and appropriate security controls.

How long do I need to keep patient records?

HIPAA requires keeping documentation for six years. However, state laws often require longer retention periods for clinical records, sometimes 7-10 years or longer for minors. Follow whichever requirement is stricter.

Is texting clients a HIPAA violation?

Standard SMS texting is not secure and should be avoided for PHI. If you need to text clients, use a HIPAA-compliant secure messaging platform that encrypts messages and offers a BAA.

What counts as a reportable breach?

Any unauthorized access, use, or disclosure of PHI is potentially reportable unless you can demonstrate a low probability that the PHI was compromised. When in doubt, document the incident and conduct a risk assessment.

Do I need cyber liability insurance?

While not required by HIPAA, cyber liability insurance is strongly recommended. A single breach can cost hundreds of thousands of dollars in notifications, legal fees, and penalties. Insurance provides critical financial protection.

Key Takeaways

  • Conduct a comprehensive risk assessment annually and after any significant changes to your practice
  • Train all workforce members during onboarding and provide annual refresher training
  • Ensure every vendor that handles PHI has signed a Business Associate Agreement
  • Implement technical safeguards including encryption, MFA, and audit logging
  • Document all policies, training, and incidents - keep records for at least six years
  • Have a breach response plan ready before you need it
  • Choose practice management software with built-in HIPAA compliance features

HIPAA compliance is not a one-time achievement. It is an ongoing commitment to protecting your clients and your practice. By following this checklist and making compliance part of your daily operations, you build a foundation of trust that strengthens every therapeutic relationship.

TheraFocus: Built for HIPAA Compliance

Stop worrying about compliance gaps. TheraFocus includes encryption, audit logging, role-based access controls, secure messaging, and signed BAAs as standard features. Focus on your clients while we handle the technical requirements.


The TheraFocus team is dedicated to empowering therapy practices with cutting-edge technology, expert guidance, and actionable insights on practice management, compliance, and clinical excellence.
