Step-by-Step HIPAA Compliance Checklist for Marriage and Family Therapists (MFTs)


Kevin Henry

HIPAA

February 07, 2026


HIPAA Compliance Overview

As a Marriage and Family Therapist, you handle sensitive client information every day. HIPAA sets national standards for protecting health information, especially Electronic Protected Health Information (ePHI), and requires a practical, ongoing compliance program tailored to your solo or group practice.

This HIPAA compliance checklist shows you what to build first, how to maintain day-to-day safeguards, and how to respond if something goes wrong. Treat compliance as a routine part of clinical operations—not a one-time project.

Checklist: build your compliance foundation

  • Confirm your covered entity status and the HIPAA transactions you use (claims, eligibility, remittance).
  • Appoint a Privacy Officer and Security Officer (one person may serve both roles in small practices).
  • Map how PHI/ePHI enters, moves through, and leaves your practice (intake, EHR, billing, telehealth, email, backups).
  • Adopt written policies and procedures for the Privacy Rule, Security Rule, and Breach Notification Rule.
  • Train your workforce at hire and annually; keep sign-in sheets or LMS records and confidentiality agreements.
  • Publish and distribute a Notice of Privacy Practices and obtain client acknowledgments at intake.
  • Maintain documentation, decisions, and logs for at least six years, and establish a sanctions policy for violations.

Privacy Rule Requirements

The Privacy Rule governs how you use and disclose PHI, communicates client rights, and defines the Minimum Necessary Standard. Your Notice of Privacy Practices explains these points in plain language and sets expectations from the first session.

Step-by-step privacy checklist

  • Draft or update your Notice of Privacy Practices; provide it at intake, obtain acknowledgment, and post it in your office and online if applicable.
  • Apply the Minimum Necessary Standard to routine disclosures; use role-based access and need-to-know workflows.
  • Use written authorizations for non–treatment, payment, or healthcare operations disclosures; track expirations and revocations.
  • Process client access requests within 30 days; offer electronic copies when requested and charge only reasonable, cost-based fees.
  • Evaluate amendment requests within 60 days and document approvals or denials with rationale.
  • Honor reasonable requests for confidential communications (e.g., alternate address or phone).
  • Maintain an accounting of disclosures when required and verify identity before any PHI release.
  • Document special situations relevant to MFTs (minors, family participation, couples therapy) with clear, consistent policies.

Security Rule Obligations

The Security Rule requires safeguards that are reasonable for your size and risk profile. Focus on preventing unauthorized access to ePHI, ensuring integrity, and keeping information available when needed.

Administrative safeguards

  • Perform a formal risk analysis and implement Risk Management Procedures to reduce identified risks to reasonable levels.
  • Designate a Security Official, maintain security policies, and train staff on secure handling of ePHI.
  • Establish an incident response plan and audit process for access and activity review.
  • Execute and manage Business Associate Agreements with all vendors that handle ePHI.

Physical safeguards

  • Control facility access; secure file rooms and therapy offices.
  • Harden workstations and mobile devices; use privacy screens and lock devices when unattended.
  • Manage devices and media: track, reuse, and dispose of hardware securely (e.g., shredding or certified wipe).

Technical safeguards

  • Implement unique user IDs, strong authentication (preferably MFA), and automatic logoff.
  • Encrypt ePHI in transit and at rest; enable device encryption and remote wipe on laptops and phones.
  • Maintain audit logs, monitoring, and integrity controls; keep systems patched and protected with anti-malware.
  • Use secure messaging/telehealth solutions and prohibit unencrypted texting of ePHI.

Breach Notification Procedures

The Breach Notification Rule requires action when unsecured PHI is impermissibly used or disclosed and the risk assessment does not show a low probability of compromise. Your response must be prompt, documented, and client-centered.

Response checklist

  • Contain the incident immediately, preserve logs, and escalate to your Privacy/Security Officer.
  • Complete the four-factor risk assessment: type of PHI, unauthorized recipient, whether PHI was actually viewed/acquired, and mitigation performed.
  • Determine if an exception applies (e.g., good-faith, unintentional access within scope) and document your rationale.
  • If a breach occurred, notify affected individuals without unreasonable delay and no later than 60 calendar days after discovery.
  • For breaches affecting 500+ individuals in a state/jurisdiction, also notify prominent media and the federal authority within 60 days.
  • For fewer than 500 individuals, log and submit to the federal authority no later than 60 days after the end of the calendar year.
  • Issue notices that describe what happened, what information was involved, steps clients should take, your remediation, and contact information.
  • Implement corrective actions: strengthen safeguards, retrain staff, and revise policies to prevent recurrence.

Business Associate Agreement Management

Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a Business Associate. Business Associate Agreements (BAAs) put your privacy and security expectations in writing and allocate breach responsibilities.

Vendor and BAA checklist

  • Inventory vendors handling PHI/ePHI (EHR, billing, cloud storage, email, telehealth, IT support, shredding, transcription).
  • Execute BAAs before sharing PHI; include safeguards, Minimum Necessary Standard, breach reporting timelines, and subcontractor flow-downs.
  • Assess vendor security (risk program, encryption, access controls); record your due diligence.
  • Track effective dates, renewals, and key contacts; centralize signed BAAs and keep them at least six years.
  • Offboard vendors with documented return or destruction of PHI and access termination.

Psychotherapy Notes Handling

Psychotherapy notes are the therapist’s personal notes analyzing a counseling session and are distinct from progress notes and the general record. HIPAA gives psychotherapy notes stronger protection than other PHI: most uses or disclosures require a specific client authorization.

Psychotherapy notes checklist

  • Keep psychotherapy notes separate from the clinical record—physically and within your EHR—so they are not automatically disclosed.
  • Obtain specific authorization to use or disclose psychotherapy notes, except for limited exceptions (e.g., your own training, defense in legal actions, or when required by law).
  • Do not share psychotherapy notes with insurers or family members without authorization; disclose only the Minimum Necessary information from the regular record.
  • Limit access to a small set of authorized staff; enable audit logging and encryption for storage and backups.
  • Clarify in your policies that clients generally do not have a right to access psychotherapy notes, while they may access the rest of their record.

Risk Assessment and Administrative Safeguards

Effective Risk Management Procedures make compliance sustainable. By repeating a cycle of assess, mitigate, monitor, and improve, you keep safeguards aligned with your evolving practice and technology.

Risk assessment workflow

  • Identify assets and data flows (EHR, email, telehealth, mobile devices, backup services, paper charts).
  • List threats and vulnerabilities (loss/theft, phishing, misdirected email, misconfiguration, natural disasters).
  • Rate likelihood and impact; assign risk levels and owners; document chosen controls and rationale.
  • Implement controls (technical, physical, administrative); test and validate effectiveness.
  • Review at least annually and upon major changes (new EHR, telehealth platform, office move).

Administrative safeguards checklist

  • Role-based access aligned to job duties; workforce clearance and termination procedures.
  • Policies for passwords, mobile/BYOD, remote access, and acceptable use; regular security awareness training.
  • Contingency planning: data backups, disaster recovery, and emergency-mode operations with periodic restore testing.
  • Ongoing monitoring: audit log review, periodic vulnerability scans or security checkups, and sanctions for violations.
  • Documentation discipline: keep policies, risk analyses, decisions, BAAs, training logs, and incident records current.

Conclusion

Build your HIPAA compliance checklist into everyday workflow: clarify privacy practices, harden security for ePHI, prepare for breach response, manage Business Associate Agreements, give psychotherapy notes extra protection, and keep risk management continuous. Small, consistent steps create a resilient and client-trusting MFT practice.

FAQs

What are the key HIPAA requirements for Marriage and Family Therapists?

You must protect PHI privacy, secure ePHI under the Security Rule, and follow the Breach Notification Rule. Provide a Notice of Privacy Practices, honor client rights, apply the Minimum Necessary Standard, conduct risk analyses, train staff, document your program, and manage Business Associate Agreements with all PHI-handling vendors.

How should MFTs handle psychotherapy notes under HIPAA?

Keep psychotherapy notes separate from the general record, restrict internal access, and obtain specific client authorization for most uses or disclosures. Do not share these notes with insurers or family without authorization, and secure them with encryption and audit controls; clients typically cannot access psychotherapy notes, though they can access their standard records.

When must MFTs notify patients about a breach?

Notify affected individuals without unreasonable delay and no later than 60 calendar days after discovering a breach. If 500 or more individuals in a state or jurisdiction are affected, also notify prominent media and the federal authority within 60 days; for fewer than 500, report to the authority annually while still notifying individuals promptly.

What safeguards must MFTs implement to protect ePHI?

Use layered safeguards: access controls and MFA, encryption in transit and at rest, automatic logoff, audit logging, device security and remote wipe, secure messaging/telehealth, regular patches and anti-malware, workforce training, incident response, contingency backups, and documented Risk Management Procedures aligned to your practice’s size and complexity.
