HIPAA for Therapists: What It Actually Requires (and the Myths That Won’t Die)

A direct look at what HIPAA compliance really means for clinicians, common misconceptions, and the practical answers to the questions therapists actually ask.

Last updated: May 2026. This guide is for informational purposes only and does not constitute legal advice. Consult an attorney familiar with healthcare privacy law for advice specific to your practice.

TL;DR

HIPAA is significantly more flexible than therapists tend to believe. The law requires reasonable, documented safeguards — not a specific brand of fax machine, not a private WiFi network for every clinician, not a prohibition on emailing scheduling reminders. Many of the things therapists worry about are vendor marketing or community-passed misinformation, not HIPAA requirements. This post walks through what HIPAA actually says, the five most common misconceptions, and how to make practical compliance decisions for a small practice.

What HIPAA actually requires

HIPAA’s privacy and security rules are built around a few core principles. Once you understand them, most “is X HIPAA compliant?” questions answer themselves.

The Privacy Rule governs when and how you can use or disclose Protected Health Information (PHI). The default is that you can use PHI for treatment, payment, and healthcare operations without specific authorization. For anything else, you generally need written client authorization.

The Security Rule applies to electronic PHI (ePHI) and requires three categories of safeguards: administrative (policies, procedures, training, risk assessment), physical (locked offices, secured devices, controlled access), and technical (encryption, access controls, audit logs). The rule is deliberately flexible — it tells you what to protect against, not exactly how. A solo practitioner and a hospital system have very different setups, and both can be compliant.

The Breach Notification Rule requires you to notify affected clients (and in some cases, HHS and the media) if PHI is exposed without authorization.

The U.S. Department of Health and Human Services has detailed guidance for healthcare professionals on each of these. The single most important word in the entire framework is reasonable. HIPAA does not require perfection. It requires documented, reasonable safeguards proportional to the size and risk profile of your practice.

What HIPAA compliance actually looks like for a small therapy practice

For a solo therapist or small group practice, real HIPAA compliance is roughly this list:

  • Conduct and document a risk assessment. This is the non-negotiable foundation. Identify where you create, store, and transmit PHI; identify the threats to that PHI; and document the safeguards you’ve put in place. Update annually.
  • Have written policies and procedures. Cover client rights, breach response, employee training, business associate management, and termination procedures. These can be short — a 10-page document is fine for a solo practice. The point is that they exist in writing.
  • Use HIPAA-compliant tools with signed Business Associate Agreements (BAAs). Your EHR, billing system, email service, video platform, and any other vendor that touches PHI needs a BAA. No BAA, no use of the tool for PHI.
  • Train yourself and any staff annually. Document the training. A short online course or self-administered review is acceptable for solo practice.
  • Secure physical access to records and devices. Lock your office. Lock your file cabinets. Encrypt your laptop. Use strong passwords.
  • Encrypt PHI in transit and at rest. Use TLS for email transmission of PHI. Use full-disk encryption on devices. Use HTTPS for any web-based PHI transmission.
  • Provide a Notice of Privacy Practices to every client at the start of treatment and document that they received it.
  • Document everything. If you can’t prove you did it, HIPAA treats it as not done.

That’s most of it. Practices that do these things consistently are largely compliant. Practices that obsess over edge cases while skipping the foundational risk assessment are not.

The five most common misconceptions

Now to the part that prompted this post. These are claims I’ve seen circulating in clinician Facebook groups, Reddit threads, and even some published guidance. Each is wrong, and the wrongness has real costs: therapists making operational decisions based on misinformation, paying for unnecessary services, or worse, telling colleagues these myths are true and spreading the problem.

Myth 1: Fax is the most HIPAA-secure way to share records.

The reality: Traditional fax is not particularly secure. It has well-documented failure modes — misdialed numbers, unattended receiving machines, documents sitting on shared paper trays, no built-in audit log. The reason fax is so common in healthcare is historical inertia, not security superiority.

HIPAA-compliant email (encrypted, with a signed BAA from the email provider) is generally as secure as cloud fax services, and more secure than traditional analog fax. Properly configured email also provides better audit logs and recall options than fax does.

What HIPAA actually cares about: that PHI is encrypted in transit, that you can verify the recipient, that the transmission is documented, and that you’ve taken reasonable steps to prevent unauthorized access. Both encrypted email and properly configured cloud fax meet this standard. Standard email (Gmail without a BAA, etc.) does not.

If you’re sending PHI to another provider’s fax number because their office still uses fax, that’s fine. But you’re not required to use fax just because it’s traditional, and you’re not safer for using it. Use the most secure tool that works for the recipient.

Myth 2: You can’t email clients about scheduling or billing.

The reality: You can email clients about appointments and billing under HIPAA’s Privacy Rule. The complication is that standard unencrypted email isn’t secure — but HIPAA actually permits unsecured communication with clients if the client has been informed of the risk and prefers it.

Specifically, the HHS Office for Civil Rights has clarified that providers may communicate with patients via unencrypted email if the patient has been advised of the risks and confirms they want to receive communication that way. Document the conversation. Many practices include a clause in their intake paperwork addressing email and text communication preferences.

Even simpler: most modern EHRs (SimplePractice, TherapyNotes, etc.) have a secure client portal that handles all client communication within an encrypted, BAA-covered environment. If you use one of those, the question of “can I email about billing” mostly goes away.

What’s actually not allowed: emailing detailed clinical content or psychotherapy notes to a client via unsecured email without their informed agreement. The level of sensitivity matters. “Your appointment is Tuesday at 3” is different from “Here are my notes from our session on your trauma history.”

Myth 3: You can’t share WiFi with another therapist in the same building.

The reality: This is not a HIPAA requirement. Two therapists using the same WiFi network is fine, as long as the network is properly secured.

What HIPAA actually requires for wireless networks: WPA2 or WPA3 encryption (not the old WEP standard), a strong password that isn’t shared publicly, and that ePHI traveling over the network is itself encrypted (which is handled by HTTPS for web traffic and TLS for email — both standard in 2026). The HIPAA Security Rule discusses wireless networks under its technical safeguards but doesn’t dictate that each provider needs a separate network.

The more sophisticated setup is to have a separate guest network (for clients, visitors, family) isolated from your work network. That’s a security best practice for any small business, not unique to HIPAA. But two therapists sharing the work network in the same suite is not a violation.

Where the myth probably comes from: large hospital and clinic environments do typically use network segmentation, VLANs, and role-based access. That’s appropriate for large covered entities with hundreds of users and many systems. It’s not what HIPAA requires of two clinicians sharing an office.

Myth 4: HIPAA prohibits texting with clients.

The reality: Same framework as email. Texting with clients about appointments, scheduling, or general logistics is permitted if the client understands the risks and prefers that channel. Texting detailed clinical content is generally not appropriate regardless of HIPAA — it’s a clinical and risk management issue, not just a privacy one.

HIPAA-compliant texting platforms exist (Spruce, OhMD, Signal in some configurations, plus the secure messaging in most EHRs). They’re useful for practices that want to formalize text communication. But basic appointment reminders via standard SMS, with documented client consent, are not a HIPAA violation.

Myth 5: You can’t discuss a minor’s treatment with their parents without the minor’s consent.

The reality: This is one of the most complicated areas of HIPAA, and it’s where federal law, state law, and clinical ethics interact in ways that vary substantially. The general HIPAA rule: a parent is typically the personal representative of an unemancipated minor and can access the minor’s PHI. There are important exceptions — most notably for services where state law allows the minor to consent independently (often including reproductive health, substance abuse treatment, and mental health treatment for older minors).

Vermont, for example, allows minors 14 and older to consent to mental health treatment independently in many circumstances. In those cases, the parent’s right to access records can be limited. Other states have different age thresholds and different categories of independently consentable care.

The practical guidance: your state law usually governs more than HIPAA on this question. HIPAA explicitly defers to state law where state law is more protective or specifically addresses the minor’s access. Before assuming you can or can’t share information with parents, consult your state’s minor consent laws and your professional ethics code. The honest answer is that there’s no universal rule — there’s a specific rule that depends on the state, the age, and the type of treatment.

The questions therapists actually ask

Beyond the major myths, here are direct answers to specific situations that come up regularly.

“Can I use my personal phone for client calls?”

Yes, if you take reasonable precautions: a passcode on the phone, no PHI stored in standard text messages, no PHI shared via standard SMS without client consent. Many therapists use a second phone line app (Google Voice with a BAA isn’t HIPAA-compliant; Spruce, OpenPhone with proper configuration, and a few others are) to separate work and personal use.

“Can I use Google Workspace for my practice?”

Google offers a HIPAA-eligible Google Workspace plan with a BAA. Google Workspace Individual and free Gmail are not HIPAA-compliant for PHI — there’s no BAA. If you’re using Google for any PHI, you need to be on a paid Workspace plan with a signed BAA, and you need to use the products in ways compatible with HIPAA (which excludes some integrations and add-ons).

“Can I store records in Dropbox?”

Dropbox Business with a signed BAA is HIPAA-compliant. Personal Dropbox is not. Same pattern as Google Workspace: the paid business tier with a BAA is the only compliant option.

“Do I need to encrypt my laptop?”

Yes. Full-disk encryption (FileVault on Mac, BitLocker on Windows) is one of the easiest and most defensible HIPAA safeguards. If a device is encrypted and lost or stolen, the loss generally does not constitute a reportable breach under HIPAA’s safe harbor provision. If it’s not encrypted, the same loss is a breach.

“What about my session notes — does HIPAA apply differently?”

Yes. Psychotherapy notes (as HIPAA defines them — the therapist’s personal process notes, kept separately from the rest of the record) have special protection. They generally cannot be disclosed without specific authorization, even for treatment, payment, or operations. But progress notes — the standard documentation of session content, interventions, and clinical reasoning — are part of the regular medical record and follow standard HIPAA rules.

Many therapists conflate “session notes” with “psychotherapy notes.” They’re not the same. Psychotherapy notes are the protected category and require separate storage. Standard progress notes don’t.

“What about supervision and consultation?”

You can discuss cases in supervision and consultation under HIPAA’s treatment exception, as long as you share the minimum necessary information and the consultation is for the purpose of treatment, payment, or operations. Group consultations and peer supervision are also permitted under the same framework. Best practice: de-identify when possible, and document the consultation in the client’s record if it influenced clinical decisions.

What to actually do

If you’re a therapist trying to figure out whether you’re compliant, work through this sequence:

  1. Conduct a written risk assessment. If you haven’t done one, do one now. Templates are widely available. The HHS Office of the National Coordinator publishes a free security risk assessment tool that’s appropriate for small practices.
  2. Inventory your tools and verify BAAs. For every service that touches PHI — EHR, email, video, billing, storage — confirm you have a signed BAA on file. If you don’t, either obtain one or stop using the service for PHI.
  3. Encrypt your devices. Enable full-disk encryption on every computer that stores or accesses PHI.
  4. Write basic policies. A short document covering breach response, client rights, training, and BAA management. It does not need to be elaborate. It needs to exist.
  5. Document client communication preferences. Get written consent for email and text communication, with appropriate risk disclosure.
  6. Schedule annual training and assessment review. Build the reminder into your calendar now.
  7. When in doubt, document. If you make a judgment call about a specific situation, document your reasoning. HIPAA enforcement looks for good-faith effort and reasonable judgment, not perfection.
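As an added example (not code from the original post or from any vendor named in it), the script below turns steps 1 through 5 into something you can run: it takes an inventory of services, devices and client communication channels and reports the gaps the post describes (a PHI-touching service without a signed BAA, a PHI-holding device without full-disk encryption or a passcode, an unsecured channel used without documented client consent). The inventory at the bottom is constructed for illustration; the names and statuses are made up.

```python
"""Compliance gap check for a small practice's tool and device inventory.

Added example, not code from the original post. It encodes the post's own
rules as checks over a constructed inventory:
  * every service that touches PHI needs a signed BAA;
  * every device that stores or accesses PHI needs full-disk encryption
    and a passcode;
  * an unsecured client channel (standard email or SMS) needs documented
    client consent with a risk disclosure.
"""
from dataclasses import dataclass


@dataclass
class Service:
    name: str
    touches_phi: bool
    baa_signed: bool


@dataclass
class Device:
    name: str
    stores_phi: bool          # stores or accesses PHI
    full_disk_encryption: bool
    passcode: bool


@dataclass
class Channel:
    name: str
    encrypted: bool           # TLS plus a BAA-covered platform, or not
    consent_documented: bool  # written client preference with risk disclosure


def find_gaps(services, devices, channels):
    """Return a list of (item, finding) pairs; an empty list means no gaps under these rules."""
    gaps = []
    for s in services:
        if s.touches_phi and not s.baa_signed:
            gaps.append((s.name, "touches PHI but has no signed BAA: obtain one or stop using it for PHI"))
    for d in devices:
        if d.stores_phi and not d.full_disk_encryption:
            gaps.append((d.name, "holds PHI without full-disk encryption: loss or theft would be a reportable breach"))
        if d.stores_phi and not d.passcode:
            gaps.append((d.name, "holds PHI but has no passcode or screen lock"))
    for c in channels:
        if not c.encrypted and not c.consent_documented:
            gaps.append((c.name, "unsecured channel used without documented client consent"))
    return gaps


# Constructed sample inventory (hypothetical names and statuses, not a real practice).
SAMPLE_SERVICES = [
    Service("EHR with client portal", touches_phi=True, baa_signed=True),
    Service("free Gmail", touches_phi=True, baa_signed=False),
    Service("bookkeeping spreadsheet (no client data)", touches_phi=False, baa_signed=False),
]
SAMPLE_DEVICES = [
    Device("office laptop", stores_phi=True, full_disk_encryption=True, passcode=True),
    Device("old desktop", stores_phi=True, full_disk_encryption=False, passcode=True),
    Device("waiting-room tablet (no PHI)", stores_phi=False, full_disk_encryption=False, passcode=False),
]
SAMPLE_CHANNELS = [
    Channel("client portal messaging", encrypted=True, consent_documented=False),
    Channel("SMS appointment reminders", encrypted=False, consent_documented=True),
    Channel("standard email", encrypted=False, consent_documented=False),
]


def run_sample():
    """Evaluate the constructed inventory and return its gap list."""
    return find_gaps(SAMPLE_SERVICES, SAMPLE_DEVICES, SAMPLE_CHANNELS)


if __name__ == "__main__":
    for item, finding in run_sample():
        print(f"{item}: {finding}")
```

Run it and the three flagged items are the free Gmail account (no BAA), the unencrypted desktop, and standard email without documented consent; the SMS reminders pass because consent is on file, which is exactly the distinction Myth 2 and Myth 4 draw. Replace the sample lists with your own inventory and keep the output with your risk assessment as the written record the post asks for.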

None of this requires becoming a privacy law expert. It requires understanding the framework, applying reasonable judgment, and documenting what you do.

The bottom line

HIPAA is widely misunderstood in the therapy community. The misunderstanding has real costs: therapists buy services they don’t need, refuse to use perfectly reasonable communication tools, and pass on bad information to colleagues. The legal framework is more flexible than the rumor mill suggests, but it does require something many therapists skip — a written risk assessment, documented policies, and signed BAAs with every vendor.

If you’ve been operating on a vague sense that “you should probably worry about HIPAA” without having done the foundational work, the right move is not to add more anxiety. It’s to spend a focused afternoon doing the risk assessment, inventorying your tools, and writing the basic policies. That single afternoon will put you ahead of most solo and small-group practices.

And the next time someone in a Facebook group says you can’t share WiFi with another therapist — gently correct them, point them to the actual HHS guidance, and consider sharing this post.


For more on the compliance considerations that intersect with HIPAA — particularly around cash-pay practice and cross-state telehealth — see our guides on compliance for cash-pay therapists and telehealth across state lines.
