Do Therapists Need to Be HIPAA Compliant? Requirements, Exceptions, and Next Steps


Kevin Henry

HIPAA

January 24, 2026


HIPAA Applicability to Therapists

HIPAA sets national rules for how health information is used, disclosed, and safeguarded. For therapists, whether HIPAA applies turns on the Covered Entity Definition and whether you create, receive, maintain, or transmit Electronic Protected Health Information (ePHI) for yourself or on behalf of someone else.

The HIPAA Privacy Rule governs how you use and share protected health information and the rights clients have over their records. The HIPAA Security Rule requires administrative, physical, and technical safeguards when ePHI is involved. If you meet the criteria of a covered entity or act as a business associate to one, these rules apply to you.

Most outpatient therapists who bill health plans electronically fall under HIPAA. Cash-only practices or those avoiding standard electronic transactions may not—details follow.

Covered Entity Status Criteria

Under the Covered Entity Definition, you are a covered entity if you are a health care provider who transmits health information electronically in connection with a HIPAA-covered transaction. These transactions are defined by the Administrative Transaction Standards.

Common triggers that make a therapist a covered entity

  • Submitting electronic claims or attachments to health plans (often via a billing service or clearinghouse).
  • Checking eligibility/benefits or claim status electronically with an insurer.
  • Receiving electronic remittance advice or prior authorization responses.

Situations that typically do not, by themselves, confer covered entity status

  • Operating a cash-only practice and never conducting HIPAA-standard electronic transactions.
  • Providing clients with paper receipts or superbills for self-submission to their plans.

If you handle PHI for a covered entity as a service provider (for example, contracted utilization reviews for a health plan), you may be a business associate and must sign a Business Associate Agreement and follow applicable HIPAA duties.

Psychotherapy Notes Privacy Controls

Psychotherapy notes are the therapist’s process notes that analyze the contents of a counseling session and are kept separate from the rest of the record. Under Psychotherapy Notes Regulations within the HIPAA Privacy Rule, they receive heightened protections compared with standard clinical documentation.

Except for narrow situations (such as the originator’s own use, training under supervision, or to defend against a client’s legal claim), you generally must obtain a specific, written client authorization before using or disclosing psychotherapy notes. Clients do not have a HIPAA right of access to psychotherapy notes, though you may share them at your discretion or if required by other law.

What is not considered psychotherapy notes

  • Medication information, session start/stop times, treatment modality/frequency, test results.
  • Summaries of diagnosis, treatment plan, symptoms, prognosis, and progress. These belong in the general record and are subject to access rights.

Best practice is to store psychotherapy notes separately, apply strict access controls, and avoid mixing them with routine progress notes.


Exceptions to HIPAA Compliance

HIPAA does not apply to every therapist in every context. Key exceptions include:

  • You are not a covered entity because you never conduct HIPAA-standard electronic transactions, and you are not a business associate to another covered entity.
  • Student counseling records at schools or universities governed by FERPA (education records) rather than HIPAA.
  • Employment records you maintain as an employer; these are not PHI under HIPAA.
  • Substance use disorder programs subject to 42 CFR Part 2; these impose distinct, often stricter consent rules that operate alongside or in place of HIPAA for those records.

Even when HIPAA does not apply, ethical standards and other laws still require rigorous confidentiality and security practices.

State and Local Regulatory Requirements

State Privacy Laws can be more protective than HIPAA and are not preempted when they provide greater privacy or access rights. You must comply with both HIPAA and applicable state or local rules.

Areas to review in your state

  • Record retention and client access timelines, including mental health–specific statutes.
  • Minor consent and confidentiality rules, including parental access nuances.
  • Mandatory reporting, duty-to-warn/duty-to-protect standards, and privilege laws.
  • Telehealth requirements, cross-state practice restrictions, and e-prescribing rules.
  • Breach notification obligations and any enhanced consumer privacy frameworks.

Confirm requirements with your licensing board and state codes before finalizing policies.

Implementing HIPAA Safeguards

Administrative safeguards (Security Rule)

  • Perform a documented risk analysis and implement a risk management plan.
  • Adopt written policies for the HIPAA Privacy Rule and Security Rule; designate a privacy/security lead.
  • Train your workforce on minimum necessary use, release-of-information, and incident response.
  • Execute Business Associate Agreements with EHRs, billing services, telehealth vendors, and cloud providers handling ePHI.

Technical safeguards (Security Rule)

  • Encrypt ePHI in transit and at rest; enforce strong authentication and unique user IDs.
  • Use role-based access, automatic logoff, and audit logs to monitor access.
  • Back up data, test restores, and maintain a disaster recovery and continuity plan.

Physical safeguards (Security Rule)

  • Secure facilities and workstations; use screen privacy measures and locked storage.
  • Control and inventory devices; wipe or destroy media before disposal or reuse.

Privacy Rule operations

  • Publish a clear Notice of Privacy Practices; manage authorizations and client rights requests.
  • Apply minimum necessary standards and verify identity before disclosures.
  • Separate psychotherapy notes from the general record and strictly restrict access.
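As an added example (not code from the article or from Accountable), the following Python module models the technical and Privacy Rule controls listed above in one place: role-based access to the general record, an automatic-logoff idle timeout, an audit entry for every access attempt, and psychotherapy notes kept as a separate record type that is released only to their originator or under a specific written client authorization. The roles, the 15-minute timeout, the user names and the sample records are assumptions constructed for illustration.

```python
"""Constructed example: a minimal access-control layer for a therapy practice's
records. Psychotherapy notes are a separate record kind; role-based access,
idle-session logoff and an audit log apply to every read attempt.
Roles, timeout, users and records are assumed for illustration."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

GENERAL = "general"                    # progress notes, diagnosis, treatment plan
PSYCHOTHERAPY = "psychotherapy_notes"  # originator's separately kept process notes

IDLE_TIMEOUT = timedelta(minutes=15)               # assumed automatic-logoff window
READ_GENERAL_ROLES = {"therapist", "supervisor"}   # assumed roles; billing excluded


@dataclass
class Session:
    user_id: str
    role: str
    last_activity: datetime


@dataclass
class Record:
    record_id: str
    client_id: str
    kind: str          # GENERAL or PSYCHOTHERAPY
    originator: str    # user_id of the therapist who wrote it
    body: str


@dataclass
class RecordStore:
    # (client_id, user_id) pairs for which a specific written client
    # authorization to disclose psychotherapy notes is on file
    authorizations: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)

    def _audit(self, session, record, allowed, reason, now):
        self.audit_log.append({
            "time": now.isoformat(), "user": session.user_id, "role": session.role,
            "record": record.record_id, "kind": record.kind,
            "allowed": allowed, "reason": reason,
        })

    def read(self, session: Session, record: Record, now: datetime) -> Optional[str]:
        """Return the record body if access is permitted, else None.
        Every attempt, allowed or denied, is written to the audit log."""
        # Automatic logoff: an idle session may not read anything.
        if now - session.last_activity > IDLE_TIMEOUT:
            self._audit(session, record, False, "session expired", now)
            return None
        session.last_activity = now

        if record.kind == PSYCHOTHERAPY:
            # Heightened protection: originator's own use, or a specific
            # written authorization from the client naming this recipient.
            if session.user_id == record.originator:
                allowed, reason = True, "originator use"
            elif (record.client_id, session.user_id) in self.authorizations:
                allowed, reason = True, "specific client authorization"
            else:
                allowed, reason = False, "no authorization for psychotherapy notes"
        elif session.role in READ_GENERAL_ROLES:
            allowed, reason = True, "role permits general record"
        else:
            allowed, reason = False, "minimum necessary: role may not read clinical record"

        self._audit(session, record, allowed, reason, now)
        return record.body if allowed else None

    def denied_attempts(self):
        """Audit-log review helper: every denied access attempt."""
        return [e for e in self.audit_log if not e["allowed"]]


def demo() -> RecordStore:
    """Constructed scenario; returns the store so its audit log can be reviewed."""
    t0 = datetime(2026, 1, 24, 9, 0, tzinfo=timezone.utc)
    store = RecordStore()
    notes = Record("r1", "client-42", PSYCHOTHERAPY, "dr_a", "process notes")
    progress = Record("r2", "client-42", GENERAL, "dr_a", "progress note")
    dr_a = Session("dr_a", "therapist", t0)
    dr_b = Session("dr_b", "therapist", t0)
    billing = Session("bill", "billing", t0)

    store.read(dr_a, notes, t0)                              # allowed: originator
    store.read(dr_b, notes, t0)                              # denied: no authorization
    store.authorizations.add(("client-42", "dr_b"))
    store.read(dr_b, notes, t0)                              # allowed: authorization on file
    store.read(billing, progress, t0)                        # denied: minimum necessary
    store.read(dr_b, progress, t0 + timedelta(minutes=20))   # denied: idle logoff
    return store


if __name__ == "__main__":
    for entry in demo().audit_log:
        print(entry)
```

The audit log records denials as well as successes, which is what makes periodic access-log review (step 10 of the checklist below) meaningful: a run of "no authorization for psychotherapy notes" entries for one user is the kind of pattern a review should surface.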

Incident response and breach notification

  • Establish procedures to investigate, document, and mitigate suspected breaches.
  • Notify affected individuals and authorities when required; retain all documentation.

Assessing Compliance Next Steps

  1. Decide if you meet the Covered Entity Definition by reviewing your use of Administrative Transaction Standards.
  2. Map data flows for PHI/ePHI across people, systems, and vendors.
  3. Sign Business Associate Agreements with any vendor that touches ePHI.
  4. Complete a risk analysis; prioritize fixes for high-risk gaps.
  5. Adopt concise, workable HIPAA policies and procedures; issue a Notice of Privacy Practices.
  6. Implement administrative, technical, and physical safeguards and document configurations.
  7. Train all staff on the HIPAA Privacy Rule, HIPAA Security Rule, and incident reporting.
  8. Harden psychotherapy notes controls: separate storage, limited access, and specific authorization workflows.
  9. Align with State Privacy Laws and licensing board rules (e.g., retention, minors, telehealth).
  10. Schedule annual reviews, test backups, audit access logs, and update policies as your practice evolves.

FAQs

What determines if a therapist is a covered entity under HIPAA?

You are a covered entity if, as a health care provider, you electronically transmit health information in connection with a HIPAA-covered transaction defined by the Administrative Transaction Standards (such as electronic claims, eligibility checks, or remittance). Using a clearinghouse or billing software to send or receive these transactions typically qualifies you; purely paper or cash-only arrangements generally do not.

Are psychotherapy notes protected differently under HIPAA?

Yes. Psychotherapy notes—your separate process notes about session content—receive special protection under the HIPAA Privacy Rule. They usually require a specific authorization for use or disclosure, are kept apart from the general record, and are excluded from a client’s HIPAA right of access. Routine progress notes and treatment summaries are not psychotherapy notes and remain part of the accessible record.

Can therapists be exempt from HIPAA compliance?

If you are not a covered entity (you do not conduct HIPAA-standard electronic transactions) and you are not a business associate to a covered entity, HIPAA may not directly apply to your practice. Still, you must follow ethical duties and comply with other laws—especially state confidentiality, security, and breach-notification requirements.

What state regulations affect therapist privacy requirements?

State Privacy Laws and professional practice acts often set rules on record retention, client access rights, minors’ confidentiality, mandated reporting, telehealth, and breach notification. When state law is more protective than HIPAA, you must follow the stricter state requirements in addition to HIPAA.
