HIPAA Checklist for Psychologists: A Step-by-Step Compliance Guide
Develop Privacy Policies and Procedures
You work with Protected Health Information (PHI) every day. Robust, written policies translate HIPAA’s Privacy Rule Compliance into clear rules your team can follow, reduce risk, and set expectations for patients about how their information is used and protected.
Core elements to include
- Notice of Privacy Practices (NPP): explain permitted uses/disclosures, patient rights, and how to file a complaint; provide at intake and post prominently.
- Minimum necessary standard: define role-based access so staff see only what they need to perform their duties.
- Permitted uses: treatment, payment, and health care operations (TPO) without authorization; all other uses need a valid, revocable authorization.
- Psychotherapy notes: handle separately with heightened restrictions and limited access.
- Patient rights: access, amendments, restrictions, confidential communications, and an accounting of disclosures.
- Safeguards and sanctions: set expectations for privacy practices and consequences for violations.
- Complaint handling: document how patients can raise concerns and how you will respond.
- Designated roles: assign a Privacy Officer responsible for oversight and updates.
Action steps
- Map PHI flows across intake, scheduling, therapy, billing, telehealth, and records release.
- Draft and adopt policies covering authorizations, release of records, marketing, fundraising, and disclosures required by law.
- Standardize forms and scripts for verifying identity and responding to requests for access or amendments.
- Create a version-controlled policy manual; review at least annually and whenever workflows or laws change.
- Retain all privacy policies and related records for at least six years from their last effective date.
Conduct Security Risk Analysis
A Security Risk Analysis (SRA) is the foundation of the HIPAA Security Rule. It identifies where electronic PHI (ePHI) resides, the threats and vulnerabilities it faces, and the Administrative Safeguards, Technical Safeguards, and physical controls needed to reduce risk to a reasonable and appropriate level.
How to perform an effective SRA
- Define scope: include EHRs, email, telehealth tools, cloud storage, billing systems, mobile devices, backups, and any third-party integrations.
- Inventory assets and data flows: document where ePHI is created, received, maintained, or transmitted and who can access it.
- Identify threats and vulnerabilities: phishing, lost/stolen devices, weak passwords, misconfigurations, insider misuse, and vendor failures.
- Assess likelihood and impact: score risks, then prioritize by overall risk level.
- Select and document controls: choose safeguards that reasonably mitigate priority risks.
- Create a risk management plan: specify owners, milestones, budgets, and acceptance criteria.
- Test and validate: perform vulnerability scanning, patching, and tabletop exercises for incidents and downtime scenarios.
- Review and update: repeat at least annually and after significant changes (new EHR, relocation, major vendor change).
Evidence to retain
- SRA methodology, worksheets, and results.
- Risk management plan and proof of completion for each task.
- System inventories, network diagrams, and data-flow maps.
- Security metrics (patch status, failed logins, audit logs) and meeting notes.
Implement Physical and Technical Safeguards
Translate your SRA into concrete protections. Blend physical measures with robust Technical Safeguards to prevent, detect, and contain threats without disrupting clinical care.
Physical safeguards
- Facility access controls: lock offices, maintain visitor logs, and restrict server/network closets.
- Workstation security: position screens away from public view and use privacy filters in shared areas.
- Device and media controls: asset-tag laptops and phones, enable remote wipe, and securely dispose of paper and drives.
- Environmental protections: use surge protection and maintain climate controls for equipment rooms.
Technical safeguards
- Access control: unique user IDs, strong passwords, and multi-factor authentication wherever available.
- Role-based permissions: least-privilege access aligned to job duties; review access when roles change.
- Automatic logoff and session timeouts on EHRs, telehealth, and email.
- Encryption: protect ePHI in transit (TLS) and at rest (device and database encryption).
- Audit controls: enable logging on EHRs and critical systems; review alerts for anomalous access.
- Integrity and transmission security: use secure messaging; prohibit consumer texting apps for PHI.
- Endpoint protection and patching: anti-malware, mobile device management (MDM), and timely updates.
- Backups and recovery: tested, offsite backups and documented restoration procedures.
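One way to turn the audit-control and role-based-permission items above into a routine log review, as an added example that is not from the checklist or from any EHR product; the log format, role map and clinic hours are all assumptions:

```python
"""Audit-log review for anomalous ePHI access (added example, not from
the checklist or any EHR). Assumes a constructed CSV access log and a
role map that encodes minimum necessary: psychotherapy notes only for
clinicians, billing records only for billing, scheduling for front desk."""
import csv
from collections import Counter
from io import StringIO

ALLOWED = {  # role-based permissions (assumed; adapt to your policy)
    "clinician": {"schedule", "clinical_note", "psychotherapy_note"},
    "billing": {"schedule", "billing"},
    "front_desk": {"schedule"},
}
FAILED_LOGIN_THRESHOLD = 3
CLINIC_HOURS = range(7, 20)  # assumed 07:00-19:59 local time

# Constructed sample log: time,user,role,record,patient,result
SAMPLE_LOG = """\
2024-03-04T09:02:11,dr.lee,clinician,psychotherapy_note,P-1001,ok
2024-03-04T09:05:40,j.front,front_desk,schedule,P-1001,ok
2024-03-04T09:07:02,j.front,front_desk,psychotherapy_note,P-1001,ok
2024-03-04T02:14:09,m.bill,billing,billing,P-1002,ok
2024-03-04T09:10:00,m.bill,billing,login,,fail
2024-03-04T09:10:20,m.bill,billing,login,,fail
2024-03-04T09:10:45,m.bill,billing,login,,fail
2024-03-04T09:11:02,m.bill,billing,billing,P-1003,ok
"""


def review(log_text: str) -> list:
    """Return alerts for access outside the user's role, access outside
    clinic hours, and users with repeated failed logins."""
    alerts, failures = [], Counter()
    fields = ["time", "user", "role", "record", "patient", "result"]
    for r in csv.DictReader(StringIO(log_text), fieldnames=fields):
        if r["record"] == "login":  # authentication events, not record views
            if r["result"] == "fail":
                failures[r["user"]] += 1
            continue
        if r["record"] not in ALLOWED.get(r["role"], set()):
            alerts.append(f"role-violation {r['user']} {r['record']} {r['patient']}")
        if int(r["time"][11:13]) not in CLINIC_HOURS:
            alerts.append(f"after-hours {r['user']} {r['record']} {r['patient']}")
    for user, n in failures.items():
        if n >= FAILED_LOGIN_THRESHOLD:
            alerts.append(f"failed-logins {user} {n}")
    return alerts
```

Each alert is a candidate for the Security Officer's periodic audit-log review; the flagged front-desk view of a psychotherapy note is the kind of minimum-necessary violation the role review should catch.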
Execute Business Associate Agreements
A Business Associate Agreement (BAA) is required when a vendor creates, receives, maintains, or transmits PHI on your behalf. Common business associates include EHR vendors, clearinghouses, billing services, telehealth platforms, cloud storage providers, transcriptionists, IT support, and shredding companies.
What your BAA should cover
- Permitted and required uses/disclosures of PHI and the minimum necessary standard.
- Safeguards the vendor must implement, including Administrative Safeguards and Technical Safeguards.
- Breach Notification Rule obligations, reporting timeframes, and incident cooperation.
- Subcontractor flow-down: require subcontractors to sign equivalent agreements.
- Termination, return, or destruction of PHI and ongoing protections where destruction is infeasible.
- Right to audit or receive assurances, plus indemnification as appropriate.
Practical workflow
- Identify vendors that touch PHI; do not share PHI until a BAA is executed.
- Perform due diligence (security questionnaires, certifications, references) before contracting.
- Maintain a centralized BAA inventory with effective dates, versions, and contacts.
- Review BAAs when services, regulations, or your risk posture change.
Provide Workforce HIPAA Training
Everyone under your direct control—employees, trainees, volunteers, and certain contractors—must understand how to protect PHI. Training operationalizes Privacy Rule Compliance, Security Risk Analysis outcomes, and breach response.
Who, when, and how often
- Before accessing PHI and at regular intervals thereafter (e.g., annually or when roles change).
- Whenever policies, technologies, or laws change in ways that affect job duties.
- Document attendance, materials, dates, and comprehension checks.
Training essentials
- Privacy Rule basics: uses/disclosures, minimum necessary, and patient rights.
- Security Rule practices: passwords, MFA, device security, and reporting suspicious activity.
- Breach Notification Rule: recognizing and reporting incidents immediately.
- Real-world scenarios: front desk verification, telehealth etiquette, and records requests.
- Sanctions and accountability for noncompliance.
Reinforcement
- Short refreshers, simulated phishing, and tabletop drills for incident response and downtime.
- Job-specific micro-trainings for clinicians, billing, and administrative staff.
Establish Breach Notification Procedures
Even strong programs face incidents. Clear procedures aligned to the Breach Notification Rule help you determine if an event is a reportable breach and ensure timely, accurate notifications.
Triage and assess
- Define “security incident” vs. “breach of unsecured PHI.” Consider the four risk assessment factors: nature/extent of PHI, the unauthorized person, whether PHI was actually acquired/viewed, and mitigation performed.
- Remember exceptions: good-faith, unintentional access by authorized personnel; inadvertent internal disclosures; or incidents where the recipient could not reasonably retain the data.
- Leverage encryption: if PHI was properly encrypted and keys were not compromised, the event may not be a reportable breach.
Notifications and timelines
- Notify affected individuals without unreasonable delay and no later than 60 days after discovery.
- For breaches involving 500 or more residents of a state or jurisdiction, notify prominent media and report to HHS within 60 days.
- For fewer than 500 individuals, log and report to HHS within 60 days after the end of the calendar year.
- Content of notices: what happened, what information was involved, steps individuals should take, what you are doing, and contact information.
- Use first-class mail or email (if agreed); provide substitute notice if contact information is insufficient.
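The timelines in the list above, encoded as a small deadline calculator; this is an added example, not part of the checklist, and it assumes the count of affected individuals is within a single state or jurisdiction:

```python
"""Breach notification deadline helper (added example, not from the
checklist). It encodes the timelines above: individual notice no later
than 60 days after discovery; 500 or more affected individuals also
trigger media notice and an HHS report within those 60 days; fewer than
500 means an HHS report within 60 days after the calendar year ends.
The four-factor risk assessment stays a human judgement; only the
encryption safe harbor is modelled, with two flags."""
from datetime import date, timedelta

NOTICE_WINDOW = timedelta(days=60)
LARGE_BREACH = 500


def is_unsecured(encrypted: bool, keys_compromised: bool) -> bool:
    """PHI properly encrypted with uncompromised keys is not 'unsecured
    PHI', so its loss is not a presumed breach under this rule."""
    return (not encrypted) or keys_compromised


def deadlines(discovered_iso: str, affected: int,
              encrypted: bool = False, keys_compromised: bool = False) -> dict:
    """Latest notification dates (ISO strings) for each audience.
    `affected` is treated as the count within one state or jurisdiction,
    a simplification: the media trigger is assessed per jurisdiction."""
    if not is_unsecured(encrypted, keys_compromised):
        return {}  # safe harbor: no notification duty under this rule
    discovered = date.fromisoformat(discovered_iso)
    within_60 = (discovered + NOTICE_WINDOW).isoformat()
    out = {"individuals": within_60}
    if affected >= LARGE_BREACH:
        out["media"] = within_60
        out["hhs"] = within_60
    else:
        year_end = date(discovered.year, 12, 31)
        out["hhs"] = (year_end + NOTICE_WINDOW).isoformat()
    return out


if __name__ == "__main__":
    # Constructed scenarios: an unencrypted laptop reported missing on 1 March 2024.
    print(deadlines("2024-03-01", affected=1200))   # media + HHS by 2024-04-30
    print(deadlines("2024-03-01", affected=40))     # HHS by 2025-03-01
    print(deadlines("2024-03-01", affected=40, encrypted=True))  # {}
```

The dates are outer limits; "without unreasonable delay" still governs, and the risk assessment and any applicable exception must be documented before deciding no notice is due.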
After-action
- Contain the incident, reset credentials, and remediate root causes.
- Update policies, training, and Technical Safeguards based on lessons learned.
- Document your assessment, decisions, and notifications for audit readiness.
Document Compliance Activities
Good documentation proves you did the right things at the right times. Maintain organized, current records to demonstrate compliance and guide continuous improvement.
Maintain these records
- Privacy and security policies, the NPP, and all prior versions.
- Security Risk Analysis reports, risk management plans, and completion evidence.
- Access control records, audit log reviews, and system configurations.
- Training plans, rosters, quizzes, and sanctions imposed when applicable.
- Business Associate Agreements and vendor due-diligence artifacts.
- Incident and breach logs, assessments, notices, and remediation steps.
- Retention: keep required documentation for at least six years from creation or last effective date.
Governance and review
- Designate a Privacy Officer and a Security Officer; define responsibilities and authority.
- Hold periodic compliance meetings; track action items and deadlines.
- Conduct internal audits and spot checks; correct findings promptly.
- Use metrics (e.g., time-to-fulfill access requests, patch cadence, incident response times) to drive improvement.
Conclusion
This HIPAA checklist helps you build a practical, defensible program: write clear privacy policies, perform a rigorous Security Risk Analysis, implement layered safeguards, bind vendors with a strong Business Associate Agreement, train your workforce, prepare for breaches, and document everything. Applied consistently, these steps protect your patients and your practice.
FAQs
What are the key HIPAA privacy requirements for psychologists?
You must provide a clear Notice of Privacy Practices, limit PHI access to the minimum necessary, obtain authorizations for non-TPO uses, protect psychotherapy notes with added restrictions, honor patient rights (access, amendments, restrictions, confidential communications, accounting of disclosures), maintain safeguards and sanctions, and keep policies current and documented.
How should psychologists conduct a HIPAA security risk analysis?
Inventory where ePHI lives and flows, identify threats and vulnerabilities, rate likelihood and impact, select reasonable controls, and document a risk management plan with owners and timelines. Validate with testing (e.g., vulnerability scans), update at least annually or after major changes, and retain all artifacts for audit readiness.
What constitutes a breach under HIPAA rules?
A breach is an impermissible use or disclosure of unsecured PHI that compromises privacy or security, unless a documented risk assessment shows a low probability of compromise or an exception applies. If PHI was properly encrypted and keys were not compromised, the event may not be a reportable breach.
When is a business associate agreement required?
You need a Business Associate Agreement before a vendor creates, receives, maintains, or transmits PHI for your practice—such as EHR providers, billing services, telehealth platforms, cloud storage, IT support, or shredding vendors. The BAA must define permitted uses, safeguards, breach reporting duties, subcontractor obligations, and termination terms.
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.