According to data from the American Psychological Association Insurance Trust, licensing board complaints against psychologists now occur at four times the rate of malpractice suits. Inadequate record keeping, breaches of confidentiality, and practicing outside areas of competence rank among the most common infractions. For therapists building a practice from scratch, understanding HIPAA isn’t optional but a requirement for ethical care and professional standing. As research published in Current Opinion in Psychology puts it, “Without privacy and confidentiality, therapy may not be effective.”
Step 1: Confirm your compliance obligations
Before building systems, determine whether HIPAA applies to your practice. The regulations govern “covered entities,” healthcare providers who transmit information electronically in connection with specific transactions like insurance claims, eligibility verification, or payment processing.
If you plan to bill insurance or verify coverage electronically, you’re a covered entity. If you’re building a cash only practice with no electronic insurance transactions, HIPAA may not technically apply, although state licensing boards and professional ethics codes usually impose equivalent confidentiality standards.
The goal should be to build your systems as though HIPAA applies regardless. The infrastructure protects your clients and your license, whether federal enforcement reaches you or not.
Step 2: Establish your documentation system before seeing clients
Documentation serves purposes beyond regulatory compliance. It demonstrates your clinical reasoning, facilitates communication with other providers, and protects you if your decisions ever face scrutiny.
The APA Insurance Trust identifies documentation as one of three foundational risk management elements. Their guidance emphasizes what they call the “ninth-grade algebra teacher” rule, where you get credit for showing your work, not just reaching the correct answer. Records should reflect your thinking process, the options you considered, the information you weighed, and the rationale behind your decisions.
Below are some practical recommendations for new practices:
- Structure records to include identifying information: Presenting problems, diagnosis, treatment goals, and session notes that connect interventions to those goals
- Document consent: The APA Ethics Code requires it. A signed informed consent form satisfies this, but document verbal discussions in your notes if forms aren’t used.
- Write with the expectation that clients will read their records: This encourages precision and professionalism.
- Indicate information sources: “Client reports husband drinks excessively” differs from “husband is alcoholic,” which is a conclusion that would need to be verified through its own separate assessment.
- Increase documentation quality as risk increases: High-risk cases demand more detailed reasoning, including what you chose to do and why.
Step 3: Design informed consent as an ongoing process
Informed consent isn’t a form that clients sign and forget. The APA Insurance Trust frames it as “an ongoing interactive process” that promotes client participation in treatment decisions while reducing misunderstandings that breed complaints.
At minimum, your informed process should cover the nature of therapy, confidentiality and its limits, fees and billing practices, cancellation policies, and how to reach you in emergencies. State licensing boards and HIPAA’s Privacy Rule may impose additional requirements; verify what applies in your jurisdiction.
Beyond the minimum, tailor the process to your practice context. If you treat families navigating custody disputes, emphasize policies on court involvement and information release. If you conduct evaluations with career consequences, clarify your role and reporting obligations. If you work with high-risk populations, address safety planning and emergency protocols.
The APA Insurance Trust warns against a common mistake of being “overly nice and lenient about enforcing basic rules” early in treatment to build rapport, then struggling to enforce boundaries when problems emerge. Set expectations clearly from the start. Clients who understand the parameters of treatment are less likely to feel betrayed when you hold those boundaries.
Step 4: Select technology with compliance built in
The platforms you choose for telehealth, communication, scheduling, and record-keeping should support confidentiality. The main requirement is that any vendor that processes, stores, or transmits protected health information (PHI) on your behalf must sign a business associate agreement. This contract obligates them to implement HIPAA required safeguards and accept liability for protecting client data.
As John Torous, M.D., chair of the APA Committee on Mental Health IT, explained, “Often you can use the same product (such as Zoom) without a BAA, but make it HIPAA compliant, a psychiatrist needs to use the version of Zoom that requires the signature of a BAA.” The same platform can be compliant or non-compliant depending on the tier you purchase and the agreements you execute.
Before committing to any system, verify:
- Does the vendor offer a BAA? If not, the platform isn’t appropriate for client-related use, regardless of other features
- Is the data encrypted in transit and at rest? Standard email and text messaging usually fail that test
- What access controls exist? Unique user identification, automatic logoff, and audit trails matter
- Where is data stored? Cloud storage adds convenience but requires the same BAA and security considerations
Standard consumer platforms create risk. The research published in Current Opinion in Psychology found that with email, “Providers maintain less control over the third-party systems that send and maintain email, which affects their ability to ensure confidentiality.”
Compliant alternatives exist for every function. Invest the time to identify them before you need them.
Step 5: Build consultation into your practice from day one
Consultation is the third pillar of the APA Insurance Trust’s risk management framework, alongside documentation and informed consent. It serves the purpose of ensuring clinical competence and providing emotional support through difficult cases.
The guidance states, “Never treat life-endangering patients alone. Always consult with others.” This applies broadly to high-risk situations: clients with suicidal ideation, potential harm to others, complex trauma, or treatment-resistant presentations all warrant outside input.
This can be achieved through:
- Peer consultation groups – regular meetings with colleagues who review cases, offer feedback, and provide accountability
- Individual consultants – practitioners with specialized expertise you can contact for case-specific guidance
- Prescriber relationships – psychiatrists or prescribing psychologists who can evaluate medication needs and coordinate care
The Insurance Trust warns against seeking “self-validation from close friends or those who have reasons not to be critical.” The purpose isn’t confirmation that you’re doing fine; it’s candid feedback that improves care and catches blind spots.
When seeking consultation, clarify your specific question. Experienced practitioners “clarify the ‘ask’ or the nature of their request” rather than issuing a general cry for help. Are you uncertain about diagnosis? Questioning your treatment approach? Navigating a boundary issue? Managing countertransference? The more precisely you frame the dilemma, the more useful the response.
Document consultations in your records. Note who you consulted, when, what you discussed, and what recommendations emerged. This demonstrates thoughtful clinical reasoning if your decisions ever face review.
Data cited by the APA Insurance Trust found that “psychologists who did not belong to a state psychological association had three times the frequency of being disciplined by licensing boards than did those who belonged to state associations.” Connection protects both clients and practitioners.
Step 6: Train everyone who touches client information
HIPAA requires workforce training, but “workforce” may be just you in a solo practice. That doesn’t eliminate the obligation to understand the regulations you’re implementing.
At the least, familiarize yourself with the Privacy Rule (governing all PHI regardless of format), the Security Rule (governing electronic PHI specifically), and your state’s confidentiality laws, which may impose stricter requirements than federal standards. Research on patient confidentiality notes that “many states have their own restrictive rules on the privacy of PHI, which may be far more stringent than HIPAA, particularly when the information concerns patients with infectious diseases like HIV, mental health problems, certain genetic disorders, and substance abuse.”
If you employ administrative staff, bring on contractors, or share office space with colleagues, training extends to anyone who might encounter client information. Front desk staff who schedule appointments, billing services that process claims, and cleaning crews with access to your office all present potential exposure points. The research on patient confidentiality further notes that HIPAA policies "apply to any interns and volunteers who work under supervision at a health clinic or hospital, third-party contractors, or business associates."
Document your training efforts. If your compliance ever faces scrutiny, demonstrating that you understood your obligations and educated your workforce supports your position.
Step 7: Prepare for the possibility that something goes wrong
Even careful practitioners face complaints. The APA Insurance Trust data shows that approximately one percent of psychologists encounter a licensing board complaint or malpractice action annually.
Preparation means several things. First, secure professional liability insurance before seeing clients. Coverage provides legal defense resources and creates access to risk management consultation when difficult situations arise.
Second, establish breach notification procedures. Under HITECH Act amendments to HIPAA, covered entities must notify affected individuals within 60 days of discovering a breach of unsecured PHI. Breaches affecting more than 500 individuals require media notification and reporting to the Department of Health and Human Services. Smaller breaches must be logged and reported annually.
Third, know what to do if accused of misconduct. The APA Insurance Trust's guidance states, "Contact your professional liability insurance company immediately." Do not attempt to resolve matters directly with the complainant. Do not alter or destroy records. Conversations with your attorney are privileged; conversations with others are not.
The emotional toll of complaints deserves acknowledgment. Even practitioners eventually cleared of wrongdoing experience "prolonged stress, social embarrassment, self-doubt, anxiety, and depression," according to the Insurance Trust. Building consultation relationships and a professional community before a crisis hits provides support when you need it most.
FAQs
What does the minimum necessary standard mean?
When using or disclosing PHI, covered entities must limit the information shared to only what is necessary to accomplish the intended purpose. This applies to disclosures between providers, to insurers, and to other permitted recipients, with narrow exceptions for treatment purposes and client-authorized releases.
What is the difference between the Privacy Rule and the Security Rule?
The Privacy Rule governs all PHI regardless of format (electronic, paper, or oral), establishing when and how health information can be used or disclosed. The Security Rule specifically addresses electronic PHI, requiring administrative, physical, and technical safeguards like encryption, access controls, and audit logs.
What's the difference between consultation and supervision?
In consultation, you retain independent decision-making authority; the consultant offers input, but clinical responsibility remains yours. In supervision, the supervisor directs the treatment provided by someone (typically an unlicensed trainee) who lacks legal authority to practice independently. Supervisors bear liability for supervisees’ actions in ways consultants do not.