Compliance
HIPAA Compliance for Therapy Practice Software
What HIPAA requires from your practice management software — BAA, encryption, audit logs, access controls, HITECH breach notification, and six things to check before choosing a platform.
Updated June 27, 2026 · 8 min read
HIPAA compliance is not optional for US-based outpatient mental health practices. If you store, transmit, or process protected health information (PHI) — which includes almost everything from appointment notes to invoices — you are a Covered Entity under HIPAA. Your practice management software is therefore a Business Associate, and you need a signed Business Associate Agreement (BAA) before you put a single client record into it.
This guide explains exactly what HIPAA requires from your software, what a BAA covers, and what to check before choosing a platform.
What HIPAA requires from your practice management software
The HIPAA Security Rule requires administrative, physical, and technical safeguards for electronic PHI (ePHI). For software, the technical safeguards that matter most are:
- Access controls — only authorised users can see PHI. Role-based access (clinician, admin, front desk) limits exposure.
- Audit controls — the software must record who accessed what PHI and when. Logs must be retained.
- Integrity controls — ePHI must not be altered or destroyed without detection.
- Transmission security — all ePHI transmitted over networks must be encrypted (TLS 1.2+ minimum).
- Encryption at rest — databases and file storage holding ePHI should be encrypted (AES-256 is standard).
The Privacy Rule adds requirements around minimum necessary access — staff should only see the PHI they need to do their job, not every record in the system.
What is a BAA and why it matters
A Business Associate Agreement is a contract between your practice (the Covered Entity) and any vendor that handles your PHI (the Business Associate). Without a BAA in place, you are in violation of HIPAA even if the vendor's security is technically sound.
A BAA must specify:
- What PHI the Business Associate will handle and for what purpose
- That the Business Associate will not use PHI for any purpose not permitted by HIPAA
- Breach notification obligations (within 60 days of discovery under HITECH)
- The process for returning or destroying PHI if the relationship ends
- That sub-contractors who touch PHI are also bound by equivalent terms
A BAA signed at the time of activation — not available on request after the fact — means you are covered from day one. PsycSuit signs the BAA automatically when your clinic activates. No forms to chase, no back-and-forth with a compliance team.
HITECH and breach notification
The Health Information Technology for Economic and Clinical Health (HITECH) Act extended HIPAA's breach notification requirements. If a breach of unsecured PHI occurs:
- Affected individuals must be notified within 60 days of discovery
- The US Department of Health and Human Services (HHS) must be notified
- If more than 500 individuals in a state are affected, prominent media notice is required
Your Business Associate must notify you of a breach promptly so you can fulfil your obligations within the 60-day window.
Six things to check in any practice software
- Is a BAA available — and when is it signed? Available on request is not good enough. It should be signed as part of onboarding.
- Is data encrypted in transit and at rest? Ask specifically for TLS version and encryption standard for stored data.
- Is there a full audit log? You need to be able to demonstrate who accessed what PHI, when. This is essential for breach investigations.
- Is access role-based? Front desk staff should not be able to open clinical notes. Clinicians should not see other clinicians' billing unless authorised.
- Where is data hosted? For US practices, US-based infrastructure is simplest. Cross-border data transfers add compliance complexity.
- What is the breach notification SLA? Your vendor should tell you within 24 hours of confirmed breach so you have time to act within the 60-day window.
HIPAA and telehealth
Video sessions transmit PHI in real time. Your video platform must be covered by your BAA — generic consumer video tools (FaceTime, Zoom free tier, Google Meet) are not HIPAA-compliant for clinical use without a BAA in place. An integrated telehealth tool covered under your practice management BAA is the simplest approach.
HIPAA and the client portal
Client portals exchange PHI — intake forms, appointment details, progress notes shared with clients, secure messages. The portal must be authenticated (clients log in, not open links), and all data transmission must be encrypted. A portal that sends PHI via plain email falls outside HIPAA-compliant workflows.
Common HIPAA mistakes in small practices
- Using personal email to send session summaries or invoices to clients
- Storing client lists in unencrypted spreadsheets on a shared drive
- Not having a BAA with every vendor that touches PHI (including cloud storage, e-fax, and scheduling tools)
- Sharing login credentials between staff members
- Not training new staff on HIPAA before they access the system
Software alone cannot make your practice HIPAA compliant — policies, training, and physical safeguards are also required. But choosing a platform that handles the technical safeguards correctly removes the largest attack surface.
FAQ
- Does therapy practice software need to be HIPAA compliant?
- Yes — any US software that stores, transmits, or processes protected health information (PHI) must meet HIPAA Security Rule requirements and sign a BAA with your practice.
- What is a Business Associate Agreement (BAA)?
- A BAA is a contract between your practice and a vendor that handles your PHI. It is required by HIPAA before any client data enters the system.
- When should a BAA be signed?
- At activation — not on request after months of live client data. A BAA signed retroactively does not cover the period before it was in place.
Try PsycSuit in your practice
Scheduling, clinical notes, PHQ-9 & GAD-7, billing, client portal, and telehealth in one Practice OS. 1-month free trial starts when you activate your clinic — no card required to sign up.