HIPAA Guidelines for Counselors: A Practical Compliance Checklist for Therapists
HIPAA Overview for Counselors
HIPAA sets national standards for how you handle Protected Health Information (PHI) in any format—paper, verbal, or electronic. If you’re a counselor who transmits health information electronically for standard transactions, you are a covered entity and must comply.
Three core rules drive your obligations: the Privacy Rule (who may access and share PHI), the Security Rule (how you safeguard electronic PHI), and the Breach Notification Rule (what to do if unsecured PHI is compromised). Business associates—such as EHR vendors, telehealth platforms, and billing services—must also protect PHI via written agreements.
Psychotherapy notes receive special treatment. When kept separate from the rest of the designated record set, they generally require an Authorization for Disclosure before release and are excluded from most access requests. Progress notes and treatment summaries in the Electronic Health Record are PHI and follow standard rules.
For small practices, compliance hinges on documented policies, risk analysis, and consistent training. Telehealth and mobile workflows expand your risk surface, making access control, encryption, and vendor management central to day‑to‑day compliance.
Implementing Privacy Rule Requirements
Use and disclosure are permitted without patient authorization for treatment, payment, and health care operations. Apply the minimum necessary standard to non-treatment disclosures by limiting information to what is needed to achieve the purpose.
When a use falls outside those purposes—such as most marketing, sharing with third parties not involved in care, or releasing psychotherapy notes—obtain a HIPAA‑compliant Authorization for Disclosure. Authorizations must be specific, time‑limited, and revocable in writing.
Meet Privacy Notice Requirements by providing a clear Notice of Privacy Practices at the first service or before telehealth begins, posting it prominently, and giving copies on request. Document good‑faith acknowledgment of receipt and update the notice when your practices change.
Maintain written policies for requests to restrict disclosures, confidential communications (for example, contacting a patient at a private number), and handling subpoenas or public‑health reporting. Execute and maintain Business Associate Agreements with all vendors that create, receive, maintain, or transmit PHI on your behalf.
Applying Security Rule Safeguards
Start with Administrative Safeguards: conduct a risk analysis, implement risk management plans, assign a security official, train your workforce, and enforce sanctions for violations. Maintain incident response and contingency plans, including data backup and disaster recovery procedures.
Apply Physical Safeguards by controlling facility and room access, securing workstations, and governing device and media handling. Use clean‑desk practices, locked storage for paper, and documented procedures for disposal and reuse of devices that store ePHI.
Strengthen Technical Safeguards with unique user IDs, role‑based access, automatic logoff, and audit logging. Prioritize Electronic Health Record Security with strong passwords, multi‑factor authentication, patching, and encryption of ePHI at rest and in transit. Protect email and messaging with secure portals or encrypted channels when exchanging PHI.
The Security Rule classifies encryption as an “addressable” specification, but treat it as essential. Limit remote access, configure mobile‑device management, and disable local downloads when feasible. Review access logs routinely and investigate anomalies promptly.
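As an added illustration of the routine audit-log review and EHR audit-trail use described here (this is example code, not from the original page or from Accountable), the following Python routine flags access events a reviewer would investigate: record types outside a role's minimum-necessary set, clinician access to patients outside an assumed caseload, access outside an assumed business-hours window, and exports of PHI. The log format, caseload, role-to-record mapping, and hours are constructed assumptions rather than any real EHR's format or policy.

```python
import re
from datetime import datetime

# Constructed sample of EHR audit-trail lines (not from any real system).
# Assumed format: timestamp | user | role | patient_id | record_type | action
SAMPLE_LOG = """\
2024-03-04T09:12:05 | jdoe | clinician | P1001 | progress_note | view
2024-03-04T09:40:11 | jdoe | clinician | P1001 | psychotherapy_note | view
2024-03-04T10:02:47 | bsmith | billing | P1001 | psychotherapy_note | view
2024-03-04T10:15:00 | bsmith | billing | P1002 | claim | view
2024-03-04T23:48:19 | jdoe | clinician | P2044 | progress_note | view
2024-03-05T08:30:22 | jdoe | clinician | P1001 | progress_note | export
"""

# Assumed policy inputs: each clinician's caseload and an access window.
CASELOAD = {"jdoe": {"P1001", "P1003"}}
BUSINESS_HOURS = (7, 20)  # access outside 07:00-19:59 is flagged for review
# Minimum necessary: record types each role legitimately needs (assumed).
ROLE_RECORD_TYPES = {
    "clinician": {"progress_note", "psychotherapy_note", "claim"},
    "billing": {"claim"},
}
LINE_RE = re.compile(r"^(\S+) \| (\S+) \| (\S+) \| (\S+) \| (\S+) \| (\S+)$")

def parse_line(line):
    # Returns None for lines that do not match the assumed format.
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, user, role, patient, rtype, action = m.groups()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "type": rtype, "action": action}

def review_access_log(text):
    """Return (line_number, reason) findings that warrant investigation."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        e = parse_line(line)
        if e is None:
            continue
        # Unknown roles get an empty set, so every access by them is flagged.
        if e["type"] not in ROLE_RECORD_TYPES.get(e["role"], set()):
            findings.append((n, f"{e['role']} accessed {e['type']} (minimum necessary)"))
        if e["role"] == "clinician" and e["patient"] not in CASELOAD.get(e["user"], set()):
            findings.append((n, f"{e['user']} accessed patient outside caseload"))
        if not (BUSINESS_HOURS[0] <= e["ts"].hour < BUSINESS_HOURS[1]):
            findings.append((n, "access outside business hours"))
        if e["action"] == "export":
            findings.append((n, "export of PHI (check release log/authorization)"))
    return findings
```

Each finding is a review prompt, not a verdict; the investigation and its outcome should be documented alongside the log review schedule.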
Ready to simplify HIPAA compliance?
Join thousands of organizations that trust Accountable to manage their compliance needs.
Developing a Compliance Checklist
- Designate a privacy and a security officer; document roles and decision authority.
- Complete and document a HIPAA risk analysis; update after major changes and at least annually.
- Adopt written policies for the Privacy Rule, Security Rule, and Breach Notification Rule.
- Issue the Notice of Privacy Practices and track acknowledgments.
- Standardize your Authorization for Disclosure and release‑of‑information workflow.
- Execute and inventory Business Associate Agreements for all vendors.
- Configure EHR access controls, audit logs, and encryption; review logs on a set schedule.
- Implement device, email, telehealth, and texting safeguards; prohibit unsecured storage.
- Train all staff at hire and annually; document attendance and competency.
- Test backups and disaster recovery; keep offline or immutable backups of critical data.
- Prepare a breach response playbook with contacts, templates, and evidence‑preservation steps.
- Maintain compliance documentation for at least six years and calendar periodic reviews.
Maintaining Accurate Record Keeping
Separate clinical records from compliance documentation. HIPAA requires you to retain policies, notices, authorizations, training records, and related documentation for at least six years from creation or last effective date. State law typically governs how long you keep clinical records, which may be longer.
Track disclosures that require accounting, and keep a release log tied to each Authorization for Disclosure. Record requests for confidential communications and restrictions, including whether you granted or denied them and your rationale.
Implement a clear Patient Record Amendment process. Acknowledge requests promptly, act within 60 days (with one 30‑day extension if needed), and either append the amendment or provide a written denial that explains the basis and how the patient may submit a statement of disagreement.
Leverage EHR audit trails to demonstrate integrity and access history. Use version control for policies and forms, and document secure destruction of paper and media when retention periods end.
Managing Breach Notification Procedures
A breach is an impermissible use or disclosure of unsecured PHI that compromises its security or privacy. Perform a documented risk assessment considering the nature of the PHI, who received it, whether it was actually viewed, and the extent of mitigation. Properly encrypted data generally falls outside the definition of “unsecured.”
Contain the incident, preserve evidence, and notify leadership immediately. If a business associate is involved, require prompt reporting per your agreement and coordinate investigation and response.
Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery. Use first‑class mail (or email if the patient has agreed), and include what happened, what information was involved, steps the individual can take, what you are doing to mitigate harm, and how to contact you.
Report breaches affecting 500 or more individuals to HHS and relevant media without unreasonable delay (no later than 60 days). For fewer than 500, log the event and submit the annual report to HHS within the required timeframe. Keep full documentation of your analysis, notifications, and remediation.
Upholding Patient Rights
Patients have the right to access, inspect, and obtain a copy of their PHI in the form and format requested if readily producible, including an electronic copy when records are electronic. Fulfill requests within 30 days, with one documented 30‑day extension if necessary, and charge only a reasonable, cost‑based fee.
Honor Patient Record Amendment requests within 60 days as described above. If you accept an amendment, append it to the designated record set and notify relevant parties. If you deny it, explain why and let the patient submit a statement of disagreement, which you must include with future disclosures.
Support additional rights: request restrictions on disclosures, receive confidential communications, obtain an accounting of certain disclosures for the prior six years, and receive your Notice of Privacy Practices. Psychotherapy notes are excluded from access and usually require an Authorization for Disclosure to release.
In practice, strong policies, routine training, and disciplined logging across the Privacy Rule, Security Rule, and Breach Notification Rule create reliable, everyday compliance for counseling workflows.
FAQs
What are the main HIPAA requirements for counselors?
You must follow the Privacy Rule, Security Rule, and Breach Notification Rule. That means limiting uses to treatment, payment, and operations unless you have a valid Authorization for Disclosure; providing a compliant Notice of Privacy Practices; executing Business Associate Agreements; conducting risk analysis and applying administrative, physical, and technical safeguards; training staff; maintaining required documentation for six years; and following breach assessment and notification procedures.
How should counselors handle patient consent under HIPAA?
HIPAA does not require patient consent for treatment, payment, and health care operations. For most other disclosures, you need a written Authorization for Disclosure that is specific, time‑limited, and revocable. Psychotherapy notes typically require authorization even when other PHI would not. Always document the request, your minimum‑necessary review, and the final disclosure.
What steps must be taken after a breach of unsecured PHI?
Immediately contain and investigate, perform the four‑factor risk assessment, and document your findings. Notify affected individuals without unreasonable delay and no later than 60 days, include all required content, and offer mitigation guidance. Report to HHS and, for incidents affecting 500 or more individuals, notify relevant media. Preserve evidence, implement corrective actions, retrain staff as needed, and maintain a breach log and full records of the event.