HIPAA Compliance Checklist for Therapists: Step-by-Step Guide to Staying Compliant and Protecting PHI

Conduct Risk Assessments and Manage Vulnerabilities

Core actions

• Map where Protected Health Information (PHI) is created, received, maintained, and transmitted across your practice, including EHRs, email, texting tools, billing platforms, backups, and portable media.
• Perform a formal Risk Assessment aligned to the HIPAA Security Rule: identify threats, evaluate likelihood and impact, and assign risk ratings to systems and processes.
• Prioritize vulnerabilities with a remediation plan that includes owners, deadlines, and measurable outcomes.
• Address vendor and telehealth risks by evaluating platforms before adoption and documenting security controls and data flows.
• Repeat the assessment at least annually and whenever you introduce new technology, change workflows, or experience an incident.

What to document

• A complete asset inventory (devices, applications, cloud services) holding PHI.
• Threat–vulnerability pairings with risk ratings, planned safeguards, and residual risk after mitigation.
• Evidence of implementation: screenshots, policies, tickets, training logs, and test results.

Common pitfalls to avoid

• Equating a checklist with a true analysis—ensure you evaluate likelihood/impact, not just presence/absence of controls.
• Ignoring paper records, voicemail, or backups during scoping.
• Failing to tie risks to concrete corrective actions and timelines.

Implement Security Measures for Electronic Records

Access control and identity management

• Assign unique user IDs, enable multi-factor authentication, and apply least-privilege, role-based access to PHI.
• Use automatic logoff and session timeouts; disable accounts immediately when roles change or staff depart.
• Implement strong password standards and a secure password manager.

Encryption and data integrity

• Apply Encryption Standards for PHI in transit (TLS 1.2+ or equivalent) and at rest (AES-256 or equivalent) on servers, laptops, and mobile devices.
• Enable device-level encryption on phones and laptops; restrict local downloads where feasible.
• Use integrity controls (hashing, checksums) to detect unauthorized alteration of electronic records.

Monitoring, logging, and alerts

• Turn on audit controls in EHR and billing systems; log access, creation, editing, exporting, and deletion of PHI.
• Review logs regularly for anomalous activity; set alerts for mass exports, off-hours access, or failed logins.

Endpoint, network, and data lifecycle

• Keep systems patched; run reputable anti-malware; restrict admin rights; use mobile device management for BYOD.
• Segment Wi‑Fi; isolate guest networks; use a firewall with secure configurations and VPN for remote access.
• Back up systems using the 3‑2‑1 rule (three copies, two media types, one offsite); test restoration regularly.
• Define retention and secure disposal for data you no longer need; minimize PHI collection where possible.

Telehealth and secure communications

• Select platforms that support encryption, access controls, and Business Associate Agreements.
• Use secure patient portals or encrypted messaging rather than standard email or SMS for PHI whenever feasible.

Establish Physical Security Protocols

Facility and workstation safeguards

• Control building and room access with keys, badges, or codes; maintain visitor logs and escort procedures.
• Position screens to prevent shoulder surfing; use privacy filters in shared spaces and auto-lock when idle.
• Adopt clean‑desk practices; keep paper PHI in locked cabinets when not in use.

Device and media protection

• Secure laptops and tablets with cable locks in offices and trunks when transporting; never leave devices unattended.
• Store and transport paper records in sealed, labeled containers with chain‑of‑custody documentation.
• Shred paper and destroy media (degauss or physically shred drives) per documented procedures.

Contingency and emergency readiness

• Document an emergency access plan for PHI during power loss, natural disasters, or system outages.
• Keep backup copies offsite or in geo‑redundant cloud storage to support continuity of care.

Execute Business Associate Agreements

Who qualifies as a Business Associate

• Any vendor that creates, receives, maintains, or transmits PHI on your behalf, such as EHR providers, billing services, telehealth platforms, cloud storage, transcriptionists, IT support, and secure messaging tools.
• Subcontractors of your vendors who handle PHI must also meet HIPAA obligations through downstream agreements.

What to include in Business Associate Agreements

• Permitted uses/disclosures; minimum necessary standards; required administrative, physical, and technical safeguards under the HIPAA Security Rule.
• Breach Notification Rule duties and timelines; incident cooperation; documentation and access for audits.
• Subcontractor flow‑down requirements; termination assistance; return or destruction of PHI at contract end.
• Reporting of security incidents; restrictions on marketing or sale of PHI; allocation of responsibilities for encryption and backups.

How to manage BAAs operationally

• Inventory all vendors; verify whether they interact with PHI; obtain signed agreements before sharing any PHI.
• Keep a centralized repository with effective dates and points of contact; review agreements annually or upon service changes.
• Validate vendor controls periodically (e.g., security summaries, penetration test attestations, or SOC reports when available).

Provide Notice of Privacy Practices

What your Notice must cover

• How you use/disclose PHI for treatment, payment, and operations; other uses requiring authorization.
• Client rights: access, amendments, restrictions, confidential communications, accounting of disclosures, and complaint avenues.
• Your duties to safeguard PHI, maintain Privacy Practices, and notify affected individuals of breaches.
• How to contact your privacy officer and the effective date of the Notice.

Delivery, acknowledgment, and retention

• Provide the Notice at the first service encounter and make it readily available in your office and through your practice’s standard distribution channels.
• Make a good‑faith effort to obtain written acknowledgment of receipt; document refusals.
• Retain current and prior versions for at least six years along with acknowledgment records.

Keep it current

• Review annually and update when practices change; redistribute and post the updated Notice with a new effective date.

Develop Breach Notification Procedures

Know what counts as a breach

• A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy unless an exception applies.
• Conduct a documented risk assessment considering the nature of PHI, unauthorized person, whether PHI was actually acquired/viewed, and mitigation steps.

Immediate response steps

• Contain the incident (disable accounts, retrieve misdirected messages, isolate affected systems) and preserve evidence.
• Notify your privacy/security officer and leadership; engage applicable vendors per your Business Associate Agreements.
• Document decisions and timelines from discovery through resolution.

Notification timelines and content

• Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
• For breaches involving 500 or more residents of a state or jurisdiction, notify the appropriate authorities and required public outlets; for fewer than 500, maintain a log and submit annually as required.
• Include what happened, the types of PHI involved, steps individuals should take, what you are doing to mitigate harm, and how to contact your practice.

Post‑incident improvements

• Offer mitigation (e.g., credential resets, identity monitoring if sensitive identifiers were exposed) based on risk.
• Address root causes through policy updates, added controls, and targeted staff training.

Train Staff on HIPAA Regulations

Training cadence and scope

• Provide training at onboarding, at least annually, and when policies, systems, or roles change.
• Tailor modules for therapists, administrative staff, billing teams, and telehealth personnel.

Core topics to cover

• Privacy Practices and client rights; minimum necessary standard; secure communication and documentation.
• Recognizing and reporting incidents; phishing awareness; secure telehealth etiquette; working remotely with PHI.
• Policies for personal devices, social media, photography, and release of information.

Measure, document, and reinforce

• Use short assessments to verify comprehension; require sign‑offs on policies and procedures.
• Maintain training records (dates, materials, attendees, results) for at least six years.
• Apply a sanction policy consistently for violations and celebrate good security behaviors to build a strong culture.

Conclusion

Consistent, documented execution of this HIPAA Compliance Checklist—Risk Assessment, strong technical and physical safeguards, solid Business Associate Agreements, clear Privacy Practices, tested breach procedures, and ongoing training—creates a defensible, client‑centric program that protects PHI and supports high‑quality care.

FAQs

What steps must therapists take to comply with HIPAA?

Start with a formal Risk Assessment to identify threats to PHI and prioritize fixes. Implement access controls, encryption, logging, secure backups, and physical protections. Maintain current policies (privacy, security, incident response), execute Business Associate Agreements before sharing PHI with vendors, provide a clear Notice of Privacy Practices, test breach procedures, and train staff at onboarding and annually with records of completion.

How should therapists handle Business Associate Agreements?

List all vendors that create, receive, maintain, or transmit PHI; confirm which are Business Associates; and obtain signed agreements before sharing any PHI. Ensure agreements specify permitted uses, HIPAA Security Rule safeguards, Breach Notification Rule duties and timelines, subcontractor flow‑down, termination/return or destruction of PHI, and incident cooperation. Review BAAs yearly and whenever services change.

What are the requirements for breach notification?

If unsecured PHI is compromised, assess risk promptly and, when notification is required, inform affected individuals without unreasonable delay and no later than 60 days from discovery. Provide details of the incident, the PHI involved, protective steps individuals should take, your mitigation actions, and contact information. Record all decisions, notify appropriate authorities for large incidents, and log smaller breaches for annual reporting as required.

How often should HIPAA training be conducted for staff?

Provide training at onboarding, at least annually, and whenever policies, systems, or roles change. Reinforce learning with brief refreshers, phishing simulations, and scenario‑based exercises. Keep detailed records—dates, materials, attendees, and results—for regulatory defensibility and quality improvement.