HIPAA for Therapists: A Small Practice Quick Guide to Compliance

This guide covers everything therapists need to know about secure communication, privacy rules, and when you can legally share client information. Stay compliant and confident in your practice!


You're wrapping up a busy day of sessions when a client texts to reschedule. You quickly reply, "Sure, how about Thursday at 2?" Then you pause and wonder: "Wait... was that HIPAA compliant?"

Or you've gotten an urgent email from a client's spouse expressing concerns about their partner's well-being. You want to respond, but you're not quite sure what you can safely say.

If you've ever felt that knot in your stomach about whether you're "doing HIPAA right," especially when it comes to situations like:

  • Using email to confirm appointments (Is Gmail okay?)
  • Texting clients about schedule changes (Should you?)
  • Talking to concerned family members (What can you say?)
  • Managing crises (When can you break confidentiality?)

This guide is here to help. We’ll cover everything you need to know about staying HIPAA-compliant while running a private practice confidently and effectively.

⚠️ Important:

While this guide, updated in March 2025, helps you understand the basics of HIPAA, you'll want to check with a legal expert or compliance professional when dealing with:

  • Your state's specific rules
  • Working with minors
  • Substance use disorder cases

Laws vary by location, and these situations need special handling. Your local professional organizations or state licensing board can often point you to the right resources for guidance.

Understanding HIPAA Basics

What Are the Fundamental HIPAA Rules for Therapists?

HIPAA establishes strict guidelines for protecting the privacy and security of client information. The three key rules you need to know are:

Privacy Rule

This rule governs how and when you can use and disclose protected health information (PHI), as well as individuals’ rights regarding their PHI. As a therapist, you may share PHI in the following circumstances:

  • With your client’s written authorization
  • With other healthcare providers involved in your client’s care
  • To prevent or reduce a serious and imminent threat of harm
  • When required by law
  • With Business Associates where you have a signed Business Associate Agreement (BAA), even if they are not directly involved in client care
  • To obtain payment for services, such as submitting claims to an insurance company
  • When the information has been anonymized and no longer contains identifiable details that could be traced back to an individual

Security Rule

This rule focuses specifically on protecting your clients' electronic health information (ePHI) — emails, digital records, and any health data you store or send electronically. Among other things, it requires you to:

  • Control access: Only those who are authorized should be able to see your clients' ePHI.
  • Track activity: Keep an eye on who's looking at what so you can spot any suspicious behavior.
  • Prevent changes: Make sure no one can tamper with or delete your clients' information without permission.
  • Secure transmission: Ensure sensitive information goes directly and securely to the intended recipient.

Breach Notification Rule

If a breach of PHI occurs, you are required to notify affected clients, the Department of Health and Human Services (HHS), and, in some cases, the media. The rule also requires:

  • Documenting what happened
  • Taking steps to fix the problem

🤓 Pro Tip: For more HIPAA Basics, read or bookmark HIPAA Questions and Answers: A Guide for Small Healthcare Practices

What Qualifies as PHI in Therapy?

PHI is any information that could identify your client and relates to their past, present, or future healthcare. This includes:

  • Names and contact details
  • Appointment schedules
  • Payment records
  • Treatment plans
  • Communications about therapy (e.g., emails and texts)

[Figure: What's considered PHI]

💡 Note: Your therapy session notes are considered psychotherapy notes and are treated differently. These are not part of the client’s medical record and receive additional protections under HIPAA.

Is Mental Health Information Treated Differently Under HIPAA?

Generally, mental health information follows the same rules as other health information, with the following exceptions:

Psychotherapy Notes

These are your personal notes documenting or analyzing what was said during counseling and/or therapy sessions, and they are kept separate from the rest of the client's medical record. They have extra protections and are rarely shared.

These are not psychotherapy notes:

  • Medication prescription and monitoring information
  • Counseling session start and stop times
  • The modalities and frequencies of treatment furnished
  • Results of clinical tests
  • Summaries of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date
  • Any information that is maintained in a client’s medical record

Substance Use Disorder (SUD) Records

Handling SUD records requires compliance with HIPAA and with additional federal regulations under 42 CFR Part 2, which impose stricter safeguards than HIPAA. Federal law gives SUD records this extra protection to encourage individuals to seek treatment without fear of stigma or legal consequences.

When You Can Share Information

If you need to disclose SUD records, you must obtain written consent from the client. Under 42 CFR § 2.31, the written consent must include:

  • The name of the client
  • What information can be shared
  • Who can receive the information
  • The purpose of the disclosure
  • The client’s right to revoke the consent in writing
  • An expiration date or expiration event related to the individual client or purpose of disclosure
  • The client’s signature or that of an authorized representative (electronic signatures are permitted)
  • The date on which the consent is signed

💡 Always keep in mind to:

  • Share only the minimum information necessary to fulfill the purpose of the disclosure.
  • Keep a detailed log of all disclosures (more on this below).
  • Honor your client's restrictions and respect any limitations the client places on sharing their information.

Healthcare providers can share SUD treatment information without client consent in certain situations:

  • Medical emergencies: When consent cannot be obtained and disclosure is necessary to save a life or prevent serious and imminent harm.
  • Reporting incidents of child abuse or neglect: As required by law.
  • Court orders: When explicitly authorizing the release of SUD information.

Handling Communication in a HIPAA-Compliant Practice

Ensuring HIPAA compliance in communication is essential for protecting client privacy and safeguarding your practice. Here's what you need to know about using email and text messages effectively and securely.

Email Communications

Free personal email services like Gmail don’t offer a Business Associate Agreement (BAA), which is essential for HIPAA compliance. Under HIPAA, any communication that reveals someone is your therapy client counts as PHI.

Instead, if you are emailing appointment reminders, client communications, client records, etc., you must use a HIPAA-compliant email service that is willing to sign a BAA.

Note that email disclaimers alone don't make regular email HIPAA-compliant. Think of it as putting a "Private" sticker on a postcard: it doesn't actually protect the information.

Text Messaging

Texting can be a convenient communication tool in healthcare practices, but standard SMS and in-app messaging are not inherently HIPAA compliant due to the lack of necessary safeguards. To use texting in compliance with HIPAA regulations, consider the following steps:

  1. Obtain Patient Consent: Secure written consent from clients who prefer non-secure communication, acknowledging the associated risks.
  2. Use HIPAA-Compliant Texting Services: Employ messaging platforms that provide safeguards such as encryption and access and audit controls, and that will sign a Business Associate Agreement (BAA).
  3. Limit Shared Information: Share only the minimum necessary PHI to accomplish the intended purpose.

Pairing secure email with texting also helps. For instance, send appointment reminders by text while sending detailed clinical information only through secure email. Together, these practices let you communicate efficiently with clients without compromising HIPAA compliance.

[Figure: Secure Communication Best Practices]

Documentation: Protecting Your Practice and Clients

Documentation is essential for maintaining HIPAA compliance. It protects your clients and practice, ensuring accountability and transparency in handling sensitive information.

Maintaining thorough documentation in your mental health practice serves multiple critical purposes beyond basic recordkeeping:

  • Compliance Evidence: Proper records demonstrate adherence to your practice’s policies and HIPAA regulations during audits or disputes.
  • Risk Management: Detailed documentation provides clarity in decision-making, especially during emergencies or when responding to requests for information.
  • Professional Integrity: Transparent recordkeeping fosters client trust and ensures your practice operates ethically and lawfully.

What to Document

To meet HIPAA requirements and protect your practice, it's essential to document key aspects of client care, security, and compliance. While this is not an exhaustive list, here are some critical areas to consider:

1) Client & PHI-Related Documentation

  • Client consent: Maintain signed consent forms for communication (email, text), treatment, and billing.
  • Authorization for PHI disclosure: Document your client’s written authorization allowing PHI to be shared beyond treatment, payment, or healthcare operations.
  • Disclosures of PHI: Track who received PHI, when, why, and what you disclosed.
  • Client requests and restrictions: Record requests for access, amendments, or restrictions on sharing their information.
  • Emergency disclosures: Document the justification and steps taken if you disclose PHI without consent in a crisis.

2) HIPAA Compliance & Security Documentation

  • Business Associate Agreements (BAAs): Keep signed agreements with third-party vendors handling PHI.
  • Risk assessments: Regularly evaluate security vulnerabilities and document corrective actions.
  • Access and audit logs: Track who accessed PHI and regularly review system activity for compliance.
  • Staff training: Maintain logs of HIPAA training for all employees.
  • Incident response and breach notification: Document security incidents, mitigation steps, and breach notifications.

3) Regulatory & Administrative Documentation

  • HIPAA policies and procedures: Keep documentation of your practice's compliance policies updated.
  • Complaint records and resolutions: Track HIPAA-related complaints and their resolutions.
  • Sanction and disciplinary actions: Document any actions taken for HIPAA policy violations.
  • Data backup and disaster recovery plans: Ensure PHI is protected in case of system failures and establish procedures that must be followed to restore access to the PHI.
  • Vendor IT security assessments: Document security evaluations of third-party vendors handling PHI.

Maintaining accurate documentation in these areas strengthens your compliance and reduces legal and security risks.

Documentation Best Practices

  • Be Thorough: Include all relevant details for each disclosure or decision, ensuring that records can withstand legal or regulatory scrutiny.
  • Use Standardized Templates: Streamline documentation with consistent forms for consent, disclosures, and crises.
  • Protect Records: Store all documentation securely and limit access to authorized personnel only.
  • Regular Reviews: Periodically audit your records and processes to ensure compliance and identify areas for improvement.

Navigating Sensitive Information

Managing sensitive information requires adhering to HIPAA compliance and ethical considerations, especially when working with minors, handling medical emergencies, or communicating with family members.

Working with Minors

Generally, HIPAA allows parents to access their child's health information as their "personal representative." However, there are three key exceptions where a parent is not their child's personal representative:

  • When the minor consents to therapy and parental consent isn't required by state law.
  • When someone other than the parent is authorized by law to consent to the provision of a particular health service to a minor and provides such consent.
  • When the parent agrees to a confidential relationship between you and the minor.

State Law Considerations

When state laws provide stricter privacy protections than HIPAA, those laws take precedence. Always verify local regulations before disclosing PHI.

  • If state law explicitly grants parents the right to access their child’s records, you must provide access.
  • If state law explicitly denies parental access to a child’s records, you must not provide access.
  • If state law does not address parental access, you can use your professional judgment to decide.

⚠️ Important: You may choose not to treat a parent as a personal representative if you reasonably believe that:

  • The child has been or may be subjected to domestic violence, abuse, or neglect by the parent
  • Treating the parent as the representative could endanger the child

Always document your reasoning carefully.

Medical Emergencies

HIPAA allows for flexibility in emergencies to ensure the safety of clients or others:

You can share information under HIPAA when:

  • There is a serious and imminent threat to the client's or another person's health or safety.
  • You are sharing with individuals who can prevent or lessen this harm, such as family members, law enforcement, or emergency responders.

Examples include disclosing suicidal intent to a family member or alerting authorities in the event of a crisis.

🤓 Pro Tip:

  • Share only the minimum necessary information to address the emergency.
  • Include disclosures related to emergencies in your documentation, detailing what was shared, why, and with whom.
  • HIPAA is not the only law that impacts what you can share in a medical emergency. Most states have laws and/or court decisions that address, and in many instances require, disclosure of patient information to prevent or lessen the risk of harm.

Communicating with Family Members

HIPAA sets clear guidelines for sharing information with family members, requiring client consent in most situations:

When you can share:

  • The client has provided explicit written permission.
  • The client is present and does not object to the disclosure.
  • The client is incapacitated, and you determine that sharing is in your client’s best interest.
  • A family member is directly involved in the client’s care or payment for healthcare, and the client has not objected.
  • In emergencies, when sharing is necessary to prevent serious and imminent harm.

When you cannot share:

  • The client explicitly prohibits sharing with specific individuals.
  • State or other federal laws prohibit disclosure.
  • There is no documented permission or a clear emergency situation.

| Scenario | Can PHI Be Disclosed? | Regulation |
|---|---|---|
| Client provides explicit written permission | ✅ Yes | 45 CFR § 164.510(b) |
| Client is present and does not object | ✅ Yes | 45 CFR § 164.510(b) |
| Client is incapacitated or in an emergency | ✅ Yes, if in the best interest of the client | 45 CFR § 164.510(b)(3) |
| A family member is involved in the client’s care and the client has not objected | ✅ Yes | 45 CFR § 164.510(b) |
| Client has explicitly prohibited sharing | ❌ No | 45 CFR § 164.502(a) |
| State law prohibits disclosure | ❌ No | 45 CFR § 164.502(g) |
| Mental health or substance use treatment records under 42 CFR Part 2 | ❌ No, unless written consent is provided | 42 CFR Part 2 |

Best Practices:

  • Obtain written authorization specifying what information can be shared and with whom.
  • Use secure communication methods to share information, such as HIPAA-compliant email or encrypted messaging platforms.
  • If unsure, consult a legal professional.

[Figure: Real-world scenario on navigating special circumstances]

Tools and Templates to Simplify Compliance

Now, let's get your paperwork organized! Use these forms and templates to keep your practice HIPAA-compliant:

Notice of Privacy Practices (NPP)

Your NPP tells clients:

  • How you'll use and disclose their information
  • Their privacy rights
  • Your obligations under HIPAA to protect their PHI
  • Who to contact with questions or to file a complaint

Client Consent Form

A client consent form documents that your client agrees to therapy and understands your practice's policies, including privacy rules and payment terms.

⚙️ Resource:

If you already are a Hushmail customer, add it to your forms with this link.

Communication Preference Form

This form declares how clients want to be contacted and documents any restrictions.

⚙️ Resource:

If you already are a Hushmail customer, add it to your forms with this link.

Emergency Contact Form

An emergency contact form lists who to contact if there's a crisis or urgent situation during therapy. It allows you to reach out to the client's trusted people and share necessary information when the client needs help.

⚙️ Resource:

If you already are a Hushmail customer, add it to your forms with this link.

💡 Curious about using online forms in your practice? Here's an explanation of online forms in the context of a small healthcare practice.

Key Takeaways for Your Practice

In summary, these are a few essential steps you can take to protect your clients’ privacy and support a compliant, ethical practice:

  • Ask clients before sharing their information.
  • Use secure, HIPAA-compliant tools for all client communications.
  • Document all disclosures, detailing when, why, and how client information is shared.
  • Store your personal session or psychotherapy notes separately from medical records.
  • When your state law provides stronger privacy protections than HIPAA, follow whichever is stricter.
  • Establish clear policies for handling emergencies, family communications, and client disclosures.
  • Regularly review your policies, procedures, forms, and documentation to ensure they are up-to-date and compliant.

Hushmail for Healthcare Takes Care of All Your Practice's Needs in One Place

Hushmail for Healthcare provides a complete, HIPAA-compliant solution for your practice's communication needs.

You get a secure email that's actually HIPAA-compliant, plus online forms all under the same BAA (Business Associate Agreement).

Yes, you read that right—one BAA covers both your email and online forms! You can safely communicate with clients, collect signatures, and manage intake paperwork online.

Create a Hushmail for Healthcare account in minutes and try it out. All healthcare plans come with a 14-day free trial.

Learn more about Hushmail for Healthcare