ComplyCreate

HIPAA for Therapists: A Solo-Practice Compliance Guide

By ComplyCreate Editorial Team  ·  Published Apr 24, 2026  ·  Last reviewed Apr 24, 2026

Quick answer: If you bill electronically (including through any insurance), you are a HIPAA covered entity. You need a business associate agreement (BAA) with your EHR vendor, billing service, and any other PHI-handling vendor. You also need to provide patients with a Notice of Privacy Practices, updated to the HHS Feb 2026 model.

Are Therapists Covered Entities Under HIPAA?

A therapist — licensed clinical social worker (LCSW), licensed professional counselor (LPC), licensed marriage and family therapist (LMFT), psychologist, or psychiatrist — is a covered entity if they bill electronically for healthcare services. This includes submitting electronic claims to private insurers, Medicare, or Medicaid. Nearly every therapist who accepts insurance qualifies.

A cash-only therapist who never submits an electronic claim and accepts no insurance reimbursement is technically not a covered entity. This is increasingly rare. Even accepting a single insurance payment through an electronic system qualifies the provider.

Psychotherapy Notes: Special HIPAA Protections

Psychotherapy notes receive special protection under HIPAA that distinguishes them from general medical records. Under 45 CFR § 164.524(a)(1)(ii), patients do not have an automatic right of access to their psychotherapy notes. Additionally, most uses and disclosures of psychotherapy notes require patient authorization, including uses for treatment, payment, and operations that would be permitted without authorization for other PHI.

HIPAA defines psychotherapy notes specifically as notes recorded by a mental health professional documenting the contents of a conversation during a private counseling session — and maintained separately from the rest of the patient's record. Progress notes that record only medication prescription and monitoring, session start/stop times, frequency of treatment, and results of clinical tests are not psychotherapy notes and do not receive this enhanced protection.

Practical implication: Keep your therapy session notes in a separate section of your EHR or in a separate paper file. Never include session content in the portion of the record shared with insurers for billing.

BAAs for Therapists: Who Needs One

Solo therapists need BAAs with every vendor who handles PHI on their behalf:

Generate your therapist-specific BAA at BAAGenerator.com/baa-for-therapists.

NPP Requirements for Therapists

Every therapist who is a covered entity must provide clients with a Notice of Privacy Practices (NPP) at the first appointment. The NPP must: describe how you use and disclose PHI; explain the special status of psychotherapy notes; describe client rights (access, amendment, accounting of disclosures, restriction requests, complaint process); state your legal duties; and include an effective date. The NPP must be posted in your office waiting area and on your website if you maintain one.

HHS released an updated model NPP in February 2026 incorporating the Reproductive Health Privacy Rule. Therapists who work with patients receiving reproductive health care should ensure their NPP reflects the updated model. Generate a therapist NPP at NPPGenerator.com/npp-for-therapists.

42 CFR Part 2: What Therapists Need to Know

42 CFR Part 2 (the Confidentiality of Substance Use Disorder Patient Records regulations) applies to federally assisted programs that provide SUD treatment. If you work at or operate such a program, Part 2 imposes stricter confidentiality requirements than HIPAA — requiring specific patient consent for most disclosures.

The February 2026 Final Rule significantly aligned Part 2 with HIPAA, allowing Part 2 programs to use a single consent for treatment, payment, and operations disclosures — similar to HIPAA's general permissions. For therapists who see SUD patients at a general mental health practice (not a dedicated SUD program), Part 2 typically does not apply. Consult a healthcare attorney if you are unsure whether your practice qualifies as a "federally assisted program" for Part 2 purposes. See our Part 2 Final Rule update for details.

State Mental Health Confidentiality Laws

Many states have enacted mental health confidentiality laws that are more protective than HIPAA. California's Lanterman-Petris-Short Act, New York's Mental Hygiene Law, and similar state statutes often impose stricter consent requirements for certain disclosures — particularly to employers, family members, and law enforcement. Apply the more stringent of HIPAA and applicable state law. See our HIPAA vs. state privacy laws guide for state-specific information.

Frequently Asked Questions

Are therapists covered entities under HIPAA?

Yes, if they bill electronically. Any therapist who submits electronic claims to insurers, Medicare, or Medicaid is a covered entity subject to HIPAA's Privacy Rule, Security Rule, and Breach Notification Rule. A cash-only therapist who never submits an electronic claim is technically not a covered entity, though this is uncommon.

Are psychotherapy notes protected differently under HIPAA?

Yes. Psychotherapy notes as defined in 45 CFR § 164.524(a)(1)(ii) do not carry an automatic patient right of access and require authorization for most disclosures — including for treatment, payment, and operations purposes that otherwise permit sharing of regular PHI without authorization. Keep session content notes separate from billing and administrative records.

What BAAs do therapists need?

Solo therapists need BAAs with: EHR/practice management software, billing companies, telehealth platforms, cloud storage services, answering services, and IT support providers who access PHI. Each is a separate business associate relationship requiring a signed BAA before sharing PHI.

Do therapists need to provide patients with an NPP?

Yes. Covered entity therapists must provide an NPP at the first appointment, post it in the office, and make it available on any website offering patient services. The NPP must be updated to the HHS Feb 2026 model to incorporate reproductive health privacy provisions added by the April 2024 Reproductive Health Privacy Rule.

When does 42 CFR Part 2 apply to therapists?

42 CFR Part 2 applies to federally assisted SUD treatment programs. If you operate or work at such a program, Part 2 applies. The February 2026 Final Rule aligned Part 2 with HIPAA significantly, simplifying the consent framework for covered programs. General mental health practitioners who are not part of a dedicated SUD program typically do not have Part 2 obligations, though they should consult a healthcare attorney if they regularly treat SUD patients.
