Compliance · 7 min read

HIPAA for Online Therapists: What Actually Applies to Your Practice

HIPAA is widely invoked but often misunderstood by private practice therapists. Here's what actually applies, what's a common myth, and what you genuinely need to do.

HIPAA — the US Health Insurance Portability and Accountability Act — applies to covered entities and their business associates. Whether it applies to your practice depends on how you bill. Most solo private practice therapists who don't bill insurance electronically are technically not HIPAA "covered entities" in the strict legal sense — but this is more nuanced (and more relevant) than it sounds, and many professional bodies expect HIPAA-equivalent standards regardless.

Who HIPAA actually covers

HIPAA applies to three types of covered entities:

  1. Health plans (insurance companies)
  2. Healthcare clearinghouses
  3. Healthcare providers who transmit health information electronically for standard transactions (primarily insurance billing)

If you're a cash-only practice that never transmits health information for insurance billing, you may technically fall outside HIPAA's strict scope. However:

  • State laws often impose similar or stricter privacy requirements
  • Professional ethics codes (APA, NASW, etc.) expect HIPAA-equivalent practices
  • Any software vendor you use that handles PHI will require you to sign a BAA — which implicitly acknowledges HIPAA obligations
  • Clients reasonably expect HIPAA-level protection

In practice: treat HIPAA as applying to your practice regardless. It's the standard your clients expect and your professional body endorses.

What HIPAA actually requires

HIPAA has three main rules:

| Rule | What it covers |
|---|---|
| Privacy Rule | Patients' rights over their health information; when you can use or disclose PHI |
| Security Rule | Administrative, physical, and technical safeguards for electronic PHI |
| Breach Notification Rule | What to do if PHI is compromised |

For solo therapists, the practical requirements are:

  • A Notice of Privacy Practices given to patients at intake
  • A Business Associate Agreement (BAA) with any vendor who handles PHI (your EHR, video platform, scheduling software)
  • Minimum necessary access to PHI (don't share more than needed)
  • Reasonable security for electronic records (the Security Rule's safeguards: encryption, access controls, audit trails)

Business Associate Agreements: the practical checklist

Any software service that accesses, stores, or transmits your clients' protected health information is a Business Associate. They must sign a BAA before you use them. Common services requiring a BAA:

  • Video platforms (Zoom for Healthcare, Doxy.me — standard consumer Zoom does NOT provide a BAA)
  • EHR/documentation tools
  • Scheduling software that stores client data
  • Email services if used for clinical communication

HIPAA vs GDPR for international therapists

HIPAA covers US residents' health data. GDPR covers EU residents' personal data. If you serve both populations, you need to meet both standards — they overlap significantly but are not identical. See GDPR for Therapists: Storing Notes Abroad.

Frequently Asked Questions

Does HIPAA apply to private practice therapists?

Technically HIPAA applies to providers who transmit health information electronically for insurance billing. Cash-only therapists may be outside its strict scope, but state laws, ethics codes, and client expectations mean HIPAA-equivalent practices are expected regardless.

What is a Business Associate Agreement for therapists?

A BAA is a contract with any software vendor that accesses or stores your clients' protected health information, required under HIPAA. Video platforms, EHRs, scheduling tools, and documentation software that handle client data all require a BAA.
