
A Therapist’s Guide to HIPAA Compliance

23 June 2022


In: Therapy Billing



  • The Health Insurance Portability and Accountability Act (HIPAA) was passed in 1996. Several updates have been issued since then.
  • All therapists must understand HIPAA guidelines, as penalties for breaches can be severe.
  • The same rules apply to therapists as to all other healthcare professionals. 
  • Mental health therapists should understand that the HIPAA Privacy Rule allows for the disclosure of protected health information (PHI) in situations where a patient represents a danger to themselves or others. 
  • There are six things you can do to protect your practice from HIPAA violations.

The Health Insurance Portability and Accountability Act (HIPAA) was passed more than 25 years ago, but the education process is continuous. Fourteen penalties were handed out in 2021, totaling more than $15 million in fines.  

The ever-changing regulations for privacy and security are complicated, and not knowing the rules is no excuse in the eyes of the Office for Civil Rights (OCR) of the U.S. Department of Health and Human Services (HHS).  

Here’s what you need to know about HIPAA in 2022, and your up-to-date compliance checklist.  


The HIPAA Timeline 

Here’s a recap of healthcare IT laws and updates that began on August 21, 1996, when HIPAA was signed into law.  

April 14, 2003: HIPAA Privacy Rule — Following the passage of HIPAA, HHS set out to write the privacy and security rules. The Privacy Rule, which reached its compliance date for most covered entities on April 14, 2003, set standards for how health plans, health care clearinghouses, and healthcare providers may use and disclose protected health information (PHI). 

April 21, 2005: HIPAA Security Rule — The Security Rule established three categories of safeguards for electronic protected health information (ePHI): administrative, physical, and technical.  

March 2006: Enforcement Rule — After widespread HIPAA negligence, the Enforcement Rule set out the procedures and penalty tiers under which OCR investigates complaints and fines covered entities for compliance violations.  

February 17, 2009: Health Information Technology for Economic and Clinical Health Act (HITECH) — HITECH created more robust laws and approved billions of investment dollars to facilitate the use of electronic health records (EHR).   

2009/2010: Meaningful Use Incentive Program — Stimulus money incentivized healthcare organizations to use EHR if they followed proper protocol for handling ePHI.  

September 23, 2009: Breach Notification Rule — This rule stipulated that any breach of unsecured PHI affecting 500 or more individuals must be reported to HHS (and to the affected individuals and, in most cases, the media) without unreasonable delay and no later than 60 calendar days after discovery. Breaches affecting fewer than 500 individuals are logged and reported to HHS annually.  

March 26, 2013: HIPAA Omnibus Final Rule — This rule filled in gaps of HIPAA and HITECH, for example, making business associates (and their subcontractors) directly liable for Security Rule compliance and replacing the old "harm threshold" with a presumption that any impermissible use or disclosure is a breach unless a documented risk assessment shows a low probability of compromise.  

January 5, 2021: HIPAA Safe Harbor Act — This update was designed to incentivize healthcare organizations to invest in robust cybersecurity. It requires HHS to take into account, when assessing penalties or enforcement actions after a breach, whether the organization had "recognized security practices" (such as the NIST Cybersecurity Framework) in place for at least the preceding 12 months. 

2022 Update: OCR is expected to issue a final rule in 2022 on proposed amendments to the HIPAA Privacy Rule. No other major changes are expected in 2022. 

HIPAA Rules for Therapists 

patient health record

HIPAA rules can be especially challenging for therapists to follow, particularly those who are in private practice with small tech budgets. However, the rules that therapists must comply with are the same as for all other healthcare providers. These rules include provisions that allow mental health therapists to legally disclose PHI in situations where a patient represents a danger to himself or herself or to another individual. 

How To Protect Yourself From HIPAA Violations

In general, all therapists should do these six things to ensure compliance with HIPAA regulations:

1) Password protect and encrypt all ePHI 

Electronic Protected Health Information (ePHI) is more than test results and medical records. It is any health, treatment, or payment information held in electronic form that can be tied to an individual, including his or her name, address, phone number, birthdate, Social Security number, photograph, and the other identifiers listed in the Privacy Rule. Keep ALL ePHI safe and confidential to avoid fines and penalties. 

You wouldn’t leave an open file on your desk where anyone could come by and read it. Likewise, you can’t leave electronic records susceptible to snooping. Keep your ePHI strictly on systems where passwords are required and files (or, better, the whole disk) are encrypted. Many operating systems have encryption technology built in, such as Encrypting File System (EFS) or BitLocker on a Windows machine and FileVault on a Mac. Encryption also matters after the fact: under HHS guidance, a lost or stolen laptop whose ePHI was encrypted to NIST standards is not a reportable breach of "unsecured" PHI, while the same laptop unencrypted is. 

If you’re using practice management software, make sure it’s secure. For example, ClinicSource has built-in TLS (SSL) encryption for data in transit, password protection, and robust security auditing so all patient data is locked down.  

2) Keep an offsite backup of electronic files 

The contingency plan standard in the administrative safeguards of the HIPAA Security Rule mandates that all ePHI be backed up so it can be restored in case of disaster, and storing that backup off-site is the accepted way to survive a fire, flood, or theft at the office. The Data Backup and Disaster Recovery Specifications are very clear: You must securely back up “retrievable exact copies of electronic protected health information,” which must be completely recoverable. Non-compliance penalties can cost up to $1.5 million per year for each violated provision. 

Services are available that offer remote data storage and backup. Any service you choose must encrypt data before it leaves your office, must sign a BAA with you (see item 3), and should be tested periodically by actually restoring a file: a backup you have never restored is not a recoverable backup.   

ClinicSource handles all encryption and backup functions automatically and securely with multiple data centers where ePHI is always safe and recoverable. 

3) Have a BAA in place with all vendors that handle your ePHI 

hipaa business associate agreement

A Business Associate Agreement (BAA) is a contract between a covered entity (such as your clinic) and a business associate (a vendor that creates, receives, maintains, or transmits PHI on your behalf), which obligates the vendor to safeguard protected health information in accordance with HIPAA guidelines. 

“I keep my patient records in the cloud on Google Drive. That’s okay, right?”  


Unless you have a signed BAA from Google, you are in violation. Google offers a BAA for paid Google Workspace accounts but not for free consumer Gmail/Drive accounts, so a personal Google account is never a compliant place for patient records. An up-to-date Business Associate Agreement must be in place with each external party that is hosting or has access to ePHI. 

If you don’t have a BAA in place, reach out to the vendor and ask them to sign one. If your vendor is unwilling to sign a BAA for whatever reason, find a new vendor! If you don’t have a standard BAA, you can find templates online, but your safest course is to deal with vendors who know how to protect you.  

Clients who sign up with ClinicSource are provided with an executed BAA as part of their service agreement. 

4) Don’t send ePHI via regular email 

Scenario: You need to get an authorization for treatment. As part of the process, you need to send a copy of the evaluation record to the referring physician for signature. Don’t email it unless the evaluation file has been encrypted and password protected. One way to do that is to convert the file to a PDF and then password-protect the PDF with a long password. Send the password by a separate channel (a phone call or text message), never in the same email as the attachment, since anyone who can read the email can otherwise open the file.  

With ClinicSource, any patient records, including evaluations, can be securely emailed directly from the software — no PDF conversion needed.

5) Maintain an audit trail 

Without warning, the OCR could issue a HIPAA compliance audit of your ePHI policies and protocols. You will receive a request for a massive amount of data with a few days’ notice. You need to be ready, or you could face enormous financial penalties. 

You could set up your own audit policies and manually track precisely which therapists and back office personnel access or modify records and when. That is risky, cumbersome, and far from foolproof. Producing the required written reports on short notice could be a time-consuming nightmare that turns your clinic upside down. 
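If you do keep your own access log, it should at least answer "who viewed or changed this record, and when" on demand and show that nobody has quietly edited the log itself. The following is an added example, not ClinicSource code and not a HIPAA-mandated format: a small hash-chained audit log in Python, with a report function and an integrity check. All user names, record IDs, and timestamps are constructed sample data.

```python
"""Tamper-evident ePHI access log with a "who viewed what, when" report.

Added example, not ClinicSource or HHS code. Users, record IDs and
timestamps are constructed sample data.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # previous-hash value for the first entry


def _entry_hash(prev_hash: str, entry: dict) -> str:
    # The hash covers the previous entry's hash plus a canonical JSON
    # serialisation of this entry, so editing, deleting or reordering
    # any entry changes every hash after it.
    payload = prev_hash + json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self):
        self.entries = []  # append-only list of dicts

    def append(self, user: str, action: str, record: str, ts: str = None) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "seq": len(self.entries),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "user": user,      # staff account that acted
            "action": action,  # "view", "modify" or "export"
            "record": record,  # patient record identifier, never the PHI itself
            "prev": prev,
        }
        body["hash"] = _entry_hash(prev, body)
        self.entries.append(body)
        return body

    def verify(self):
        """Recompute the chain. Returns (True, None) or (False, first bad index)."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["seq"] != i or e["prev"] != prev or _entry_hash(prev, body) != e["hash"]:
                return False, i
            prev = e["hash"]
        return True, None

    def access_report(self, record: str):
        """Every access to one patient record, oldest first: the question an
        OCR auditor or a patient's accounting-of-disclosures request asks."""
        return [(e["ts"], e["user"], e["action"])
                for e in self.entries if e["record"] == record]


def build_sample_log() -> AuditLog:
    # Constructed events for two patient records over one morning.
    log = AuditLog()
    log.append("dr.lee", "view", "PT-1042", "2022-06-23T09:02:11+00:00")
    log.append("dr.lee", "modify", "PT-1042", "2022-06-23T09:15:40+00:00")
    log.append("billing.ana", "view", "PT-0077", "2022-06-23T09:20:05+00:00")
    log.append("billing.ana", "export", "PT-1042", "2022-06-23T09:31:59+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    for row in log.access_report("PT-1042"):
        print(*row)
    print("chain intact:", log.verify())
    log.entries[1]["user"] = "someone.else"  # simulate after-the-fact editing
    print("after tampering:", log.verify())
```

Store the log on a system the clinical staff cannot write to, and keep a copy of the latest hash somewhere separate (for example, emailed to yourself nightly) so that a wholesale rewrite of the file can also be detected.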

Designed by therapists, ClinicSource was built from the ground up with complete audit tracking and reporting capabilities, so you always know who viewed what data and when. In the event of an audit, you will have access to robust reporting with just a click or two. 

6) Use ONC–Certified Practice Management Software 

The Office of the National Coordinator for Health Information Technology (ONC) Health IT Certification Program certifies health IT products against the standards, implementation specifications, and certification criteria adopted by the HHS Secretary.   

It launched in 2010 to provide oversight and health IT developer accountability. The purpose is to protect public health and safety while supporting providers and hospitals. 

If your clinic is ever audited, the Centers for Medicare & Medicaid Services (CMS) is going to ask what software you use and whether it is ONC certified. Furthermore, if you choose to pursue meaningful use incentives, you will need ONC-certified software to benefit from the EHR Incentive Programs.  

If you’re using an EHR/EMR, check to see if it’s ONC-certified. ClinicSource has been certified by an ONC-Authorized Certification Body (ONC-ACB) since 2014. Read more about our certification here.  

Be Sure With ClinicSource 

Avoid costly fines and criminal charges by protecting ePHI with an ONC–certified practice management system like ClinicSource. Encrypt and password-protect sensitive data, keep backups offsite, handle BAAs, send secure communications, and keep an audit trail. 

Schedule a free demo to learn more about how ClinicSource can help you stay HIPAA compliant, or call (888) 215-4527.  
