HIPAA Guidelines for Marriage and Family Therapists (MFTs): Compliance Requirements and Best Practices



Kevin Henry

HIPAA

October 15, 2025


HIPAA Applicability to MFTs

HIPAA applies to you if you handle Protected Health Information (PHI) as a covered entity or business associate. Most solo and group MFT practices are covered entities because they transmit health information electronically for billing or insurance eligibility. If you provide services for another practice or platform that controls PHI, you may function as a business associate.

PHI includes any information that identifies a client and relates to their health, care, or payment. Electronic PHI (ePHI) is PHI created, stored, or transmitted electronically, and it triggers HIPAA’s Security Rule obligations in addition to the Privacy Rule.

Psychotherapy notes receive heightened protection when kept separate from the clinical record; they require client authorization for most uses and are generally excluded from access requests. Decide and document who the “client” is in couple or family work and how you will manage individual disclosures within the family system.

Your policies should reflect the minimum necessary standard, limiting uses and disclosures to what is reasonably needed for treatment, payment, and healthcare operations. When state law is more protective than HIPAA, you follow the stricter rule.

HIPAA Privacy Rule

The Privacy Rule governs how you use and disclose PHI, what permissions you need, and which client rights you must honor. Provide a clear Notice of Privacy Practices, obtain authorizations when required, and apply role-based access so staff only see what they need.

Permitted uses and disclosures include treatment coordination, billing, and practice operations. For other purposes—such as marketing or most releases to third parties—you need a valid, specific authorization. Use your professional judgment when a client is present to involve family members only with permission or when it is in the client’s best interest.

Client rights include: access to records, amendments, an accounting of certain disclosures, restrictions on sharing, and confidential communication preferences. Respond to access requests within HIPAA timelines, provide records in the requested format if readily producible, and charge only a reasonable, cost-based fee.

Breach Notification Requirements apply when unsecured PHI is compromised. You must notify affected individuals without unreasonable delay and no later than 60 days after discovery; notify HHS (immediately for breaches affecting 500+ individuals, or annually for fewer than 500); and notify prominent media for large breaches in a state or jurisdiction. Maintain documentation of your assessment and notifications.

HIPAA Security Rule

The Security Rule focuses on Electronic PHI Security. You must implement Administrative Safeguards, Physical Safeguards, and Technical Safeguards that are reasonable and appropriate for your practice size, technology, and risks.

  • Administrative Safeguards: documented risk analysis and risk management, policies and procedures, workforce training, sanctions, contingency planning, and vendor oversight.
  • Physical Safeguards: facility access controls, workstation positioning, secure device storage, and media disposal/shredding.
  • Technical Safeguards: unique user IDs, role-based access, multi-factor authentication, audit logs, integrity controls, and encryption in transit and at rest.

“Addressable” controls (such as encryption) still require action—implement them or document why an alternative provides equivalent protection. Backups, patching, endpoint protection, and secure configuration baselines reduce the likelihood and impact of incidents.

Document how you protect ePHI across laptops, phones, cloud apps, and EHRs. Use device encryption, automatic screen locks, remote wipe, and secure messaging rather than standard SMS or personal email.

Business Associate Agreements

You must have a Business Associate Agreement (BAA) with any vendor that creates, receives, maintains, or transmits PHI on your behalf—such as EHRs, billing services, teletherapy platforms, cloud storage, or transcription. A BAA allocates responsibilities and embeds security and reporting expectations.

At minimum, your BAA should specify: permitted uses and disclosures; required safeguards; prompt reporting of incidents and breaches; Breach Notification Requirements and timelines; subcontractor flow-down obligations; access, amendment, and accounting support; audit cooperation; and termination terms including return or destruction of PHI.

Prefer vendors that offer robust security controls, clear uptime and support commitments, and transparent incident response practices. Review BAAs periodically and after any service changes.


Telehealth Compliance

Choose a telehealth platform that supports encryption, access controls, and audit logging, and that will sign a BAA. Obtain client consent for telehealth, verify identity at the start of sessions, and confirm a safe location and emergency contact for each visit.

Reduce risk by using headphones, private spaces, and locked screens on both ends. Disable recording unless clinically necessary and authorized. For messaging, use secure portals; if clients insist on email or text, explain risks, document preferences, and apply safeguards such as secure links and two-factor verification.

Harden devices with updates, anti-malware, and mobile device management. Avoid public Wi‑Fi; if unavoidable, use a trusted VPN. Keep telehealth workflows aligned with your Technical Safeguards and incident response plan.

Risk Assessment Procedures

A current, documented risk analysis underpins your Security Rule compliance. Inventory all systems that store or transmit ePHI (EHR, email, backups, phones), map data flows, and identify where PHI is created, received, maintained, or transmitted.

  • Identify threats and vulnerabilities (e.g., stolen devices, weak passwords, phishing, misdirected email, third‑party failures).
  • Estimate likelihood and impact, assign risk levels, and prioritize remediation.
  • Select and implement controls (technical, physical, administrative) and define owners and due dates.
  • Document residual risk, monitor progress, and re-evaluate at least annually and whenever technology or operations change.

Maintain a risk register, incident log, and corrective action plans. Test backups and recovery, and conduct periodic technical and non-technical evaluations to verify that safeguards remain effective.
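The four-step procedure above (identify, estimate likelihood and impact, select controls with owners and due dates, track residual risk and re-evaluate) maps directly onto a small risk register. The following is an added example, not code from the article or from Accountable: it scores each ePHI risk as likelihood times impact, credits implemented controls to estimate residual risk, ranks remediation, and flags entries whose annual review or control deadline has lapsed. The 1-5 scales, the High/Medium/Low bands, the control-effectiveness model and the sample register entries are constructed assumptions for illustration.

```python
# Added example: a small ePHI risk register that scores likelihood x impact,
# applies controls to estimate residual risk, ranks remediation, and flags
# stale reviews and overdue controls. The 1-5 scales, the risk-level bands,
# the control-effectiveness model and the sample entries are constructed
# assumptions, not values from the article or from any regulator.
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Control:
    name: str
    owner: str
    due: date
    likelihood_cut: int = 0   # likelihood points the control removes (assumed)
    impact_cut: int = 0       # impact points the control removes (assumed)
    implemented: bool = False


@dataclass
class Risk:
    asset: str                # system that stores or transmits ePHI
    threat: str
    likelihood: int           # 1 (rare) .. 5 (almost certain)
    impact: int               # 1 (negligible) .. 5 (severe)
    last_reviewed: date
    controls: list = field(default_factory=list)

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")


def score(likelihood: int, impact: int) -> int:
    return likelihood * impact


def level(s: int) -> str:
    # Assumed banding of the 1..25 product into three action tiers.
    if s >= 15:
        return "High"
    if s >= 8:
        return "Medium"
    return "Low"


def inherent(r: Risk) -> int:
    """Risk before any controls are credited."""
    return score(r.likelihood, r.impact)


def residual(r: Risk, planned: bool = False) -> int:
    """Risk remaining after controls; planned=True also credits unimplemented ones."""
    l_cut = sum(c.likelihood_cut for c in r.controls if c.implemented or planned)
    i_cut = sum(c.impact_cut for c in r.controls if c.implemented or planned)
    return score(max(1, r.likelihood - l_cut), max(1, r.impact - i_cut))


def prioritize(register: list) -> list:
    """Highest current residual risk first; ties broken by inherent risk."""
    return sorted(register, key=lambda r: (residual(r), inherent(r)), reverse=True)


def stale_reviews(register: list, today: date, max_age=timedelta(days=365)) -> list:
    """Entries not re-evaluated within the (assumed) annual review window."""
    return [r for r in register if today - r.last_reviewed > max_age]


def overdue_controls(register: list, today: date) -> list:
    """(asset, control, owner) for unimplemented controls past their due date."""
    return [(r.asset, c.name, c.owner) for r in register
            for c in r.controls if not c.implemented and c.due < today]


# Constructed sample register for a small practice (not real assessment data).
TODAY = date(2025, 10, 15)
REGISTER = [
    Risk("Clinician laptop", "Theft or loss exposing local EHR cache", 3, 5,
         date(2025, 9, 1), [Control("Full-disk encryption + remote wipe", "Security officer",
                                    date(2025, 10, 1), impact_cut=4, implemented=True)]),
    Risk("Practice email", "Phishing leads to mailbox takeover", 4, 4,
         date(2025, 9, 1), [Control("MFA on all mailboxes", "Security officer",
                                    date(2025, 9, 30), likelihood_cut=2),
                            Control("Phishing awareness training", "Privacy officer",
                                    date(2025, 11, 30), likelihood_cut=1)]),
    Risk("EHR backups", "Backup job silently failing; no restore test", 2, 5,
         date(2024, 6, 1), [Control("Quarterly restore test", "Office manager",
                                    date(2025, 12, 31), impact_cut=3)]),
    Risk("Teletherapy platform", "Vendor-side incident; BAA in place", 2, 4,
         date(2025, 9, 1), []),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.asset:22} inherent={inherent(r):2} ({level(inherent(r))})"
              f" residual={residual(r):2} ({level(residual(r))})"
              f" planned={residual(r, planned=True):2}")
    print("stale reviews:", [r.asset for r in stale_reviews(REGISTER, TODAY)])
    print("overdue controls:", overdue_controls(REGISTER, TODAY))
```

Running it ranks the phishing risk first because none of its controls are implemented yet, while the encrypted laptop drops to Low even though its inherent score is High; the backup entry surfaces as a stale review and the mailbox MFA control as overdue. Keeping the register in code (or a spreadsheet with the same columns) gives you the dated documentation of residual risk, owners and re-evaluation that the Security Rule expects to see.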

Training and Education

Train your workforce before they access PHI and refresh at regular intervals. Cover the Privacy Rule, minimum necessary, Electronic PHI Security, recognizing and reporting incidents, social engineering risks, and safe telehealth practices. Keep attendance records and policy acknowledgments.

Embed Compliance Program Development into daily operations: designate privacy and security officers (roles may be combined in small practices); maintain written policies and procedures; use security reminders and audits; apply a sanctions policy; and provide clear channels for client complaints without retaliation.

In summary, build a right-sized compliance program: understand when HIPAA applies, honor client rights, implement layered safeguards, manage vendors with BAAs, secure telehealth, and use risk assessments and training to drive continuous improvement.

FAQs

What are the key HIPAA requirements for MFTs?

Core requirements include limiting PHI uses to treatment, payment, and operations; honoring client rights and the minimum necessary standard; providing a Notice of Privacy Practices; conducting a risk analysis; implementing Administrative, Physical, and Technical Safeguards; executing Business Associate Agreements; training your workforce; and following Breach Notification Requirements if unsecured PHI is compromised.

How should MFTs secure electronic communications?

Use secure portals or encrypted email for messaging and file exchange, enable multi-factor authentication, and restrict access with unique user IDs. Avoid standard SMS and personal email for ePHI; if a client insists, inform them of risks, obtain and document their preference, and apply safeguards such as secure links. Verify identities, double-check recipient addresses, and log disclosures as required.

What is required in a Business Associate Agreement?

A BAA must define permitted uses and disclosures of PHI; require safeguards aligned with the Security Rule; mandate incident and breach reporting with timelines; bind subcontractors to the same obligations; support access, amendment, and accounting; allow oversight or documentation of compliance; and specify termination terms, including return or destruction of PHI at contract end.

How do MFTs handle client access to records?

Verify identity, respond within HIPAA timelines, and provide records in the requested format if readily producible. Charge only reasonable, cost-based fees. Psychotherapy notes kept separate from the clinical record are excluded from the right of access and generally require authorization to disclose. Do not delay access because of unpaid bills, and document any denials or limitations as permitted by HIPAA.
