HIPAA Compliance Checklist for Therapy Practices

• Signed Business Associate Agreement (BAA) before production PHI
• Encryption in transit (TLS) for all connections
• Clinic tenant isolation — your data separated from other practices
• Role-based access control for clinicians, admins, and billers
• Audit logging for access to sensitive records
• Documented subprocessors (hosting, email, video, backups)
• Data export path if you leave the platform

PsycSuit provides a BAA overview and full Trust center for US practices.

Workforce

Individual staff logins — no shared passwords. Terminate access promptly when someone leaves. Train staff on phishing, device security, and minimum necessary access.

Devices

Screen locks, disk encryption on laptops, and no PHI in personal text messages or unauthorized apps.

Client communication

Use the practice portal or approved channels — not personal email for clinical content.

• Automatic session timeout on staff accounts
• Optional multi-factor authentication for staff
• Portal authentication separate from staff credentials
• Soft-delete and audit trail on clinical records (not silent hard deletes)
• Consent tracking for telehealth and sensitive workflows

• Storing real client data before the BAA is executed
• Letting interns use a supervisor’s login instead of their own account
• Downloading client lists to unencrypted personal spreadsheets
• Assuming HIPAA is “handled” entirely by the vendor
• Skipping a risk assessment because the practice is small

EU and UK clinics typically need a Data Processing Agreement (DPA) under GDPR rather than a HIPAA BAA. Asia-Pacific practices should align with local frameworks (APPs, PDPA, etc.). PsycSuit signs region-appropriate agreements at activation — your counsel confirms local rules.