The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

HIPAA Compliance for Psychologists

In most cases, HIPAA compliance for psychologists consists of complying with all applicable HIPAA Administrative Simplification Regulations when a psychologist is a qualifying sole practitioner or in charge of a qualifying practice, or complying with an organization’s HIPAA policies and procedures when a psychologist is a member of a HIPAA covered organization’s workforce.

However, there are scenarios in which a psychologist may qualify as a hybrid entity, or when they may work as a sole practitioner in an affiliated entity but are not solely responsible for HIPAA compliance. It may also be possible that a psychologist does not qualify as a HIPAA covered entity, but still has to comply with applicable HIPAA regulations when working for a covered organization as a business associate.

In addition, psychologists may have to comply with other federal or state regulations that preempt HIPAA. These can relate to permissible disclosures of certain types of records (i.e., substance use disorder records) or obtaining affirmative consent before collecting, processing, or sharing sensitive personal information. Note: some state regulations apply across state borders to citizens of the state wherever they are.

When Does a Psychologist Qualify as a HIPAA Covered Entity?

A psychologist qualifies as a HIPAA covered entity when they are a sole practitioner or in charge of a practice that conducts HIPAA covered transactions electronically. HIPAA covered transactions are healthcare transactions (i.e., encounter information, claims, and billing) for which the Secretary of Health and Human Services (HHS) has adopted standards in Part 162 of the HIPAA Administrative Simplification Regulations.

As a HIPAA covered entity, HIPAA compliance for psychologists consists of developing policies and procedures to comply with all applicable standards of the HIPAA Privacy, Security, and Breach Notification Rules, training members of the workforce on the policies and procedures, and providing a security awareness training program designed to protect electronic PHI against uses or disclosures not permitted by the HIPAA Privacy Rule (§164.306(a)).

HIPAA covered psychologists must develop a HIPAA Notice of Privacy Practices consistent with the practice’s policies and procedures, and – if no other individual is assigned the role of HIPAA Privacy Officer – be a point of contact for patients wishing to exercise their HIPAA rights. Psychologists must also enter into Business Associate Agreements with business partners to whom PHI is disclosed or from whom PHI is received.

HIPAA Compliance for Psychologists who are Workforce Members

HIPAA compliance for psychologists who are workforce members of a HIPAA covered organization consists of complying with the policies and procedures developed by the organization to comply with HIPAA. In addition, workforce members must comply with the HIPAA Privacy and Breach Notification Rules – even if some privacy and breach notification standards have not been covered in HIPAA training.

The reason for this second compliance requirement is that HIPAA covered organizations are required to provide HIPAA training on the policies and procedures applicable to workforce members’ functions, but are also required to apply sanctions for any failure to comply with the HIPAA Privacy and Breach Notification Rules. This is to discourage “out of function” unauthorized access to – and disclosures of – PHI.

With regard to Security Rule HIPAA compliance for psychologists who are workforce members, the Security Rule’s sanctions standard only applies to non-compliance with security policies implemented by the HIPAA covered organization – the assumption being that the organization’s security awareness training program has been designed to protect electronic PHI against uses or disclosures not permitted by the HIPAA Privacy Rule.

HIPAA Training for Psychologists

HIPAA training for psychologists helps safeguard highly sensitive mental health information by teaching practical privacy, security, and breach response requirements that apply across clinical and administrative work. Effective training should focus on real psychology workflows such as applying the minimum necessary standard in care coordination, handling requests from family members and other third parties appropriately, managing patient record access requests and disclosure documentation, and preventing incidental disclosures in waiting rooms, phone communications, and electronic messaging. Security awareness is also critical because psychological records, assessments, and appointment information are frequently stored and transmitted through EHRs, telehealth platforms, portals, email, and mobile devices, creating exposure to phishing, misdirected messages, and inappropriate access. Annual HIPAA training is an industry best practice for psychology practices, and it supports consistent compliance by reinforcing safe habits, clear incident reporting steps, and defensible completion documentation.

HIPAA Certification for Psychologists

HIPAA certification for psychologists provides credible proof of completed HIPAA training and is strongest when delivered through a structured online program with knowledge checks and an immediately issued completion certificate. Alongside practice-level training, individual psychologists, including those in solo practice, benefit from completing HIPAA certification training to demonstrate competency, improve readiness for audits and onboarding requirements, and keep privacy and security obligations consistently applied as clinical tools and communication methods change.

Other Scenarios in Which HIPAA Can Apply to Psychologists

Other scenarios in which HIPAA can apply to psychologists include when a psychologist qualifies as a “hybrid entity”. This happens when a psychologist works in a practice that qualifies as a HIPAA covered organization and in another role covered by different privacy and security regulations. The most common example of a hybrid entity is a psychologist who provides services to a school covered by FERPA.

Psychologists may also be sole practitioners or in charge of a practice and not responsible for HIPAA compliance if they – or the practice – operate as a unit in a collaborative care program. In this scenario, all the units in the program can combine as an affiliated entity with the responsibility for HIPAA compliance assigned to a single HIPAA compliance officer or an external management organization (similar to a DSO in dentistry).

Conversely, a psychologist who does not qualify as a HIPAA covered entity (because they do not conduct HIPAA covered transactions electronically) would be required to comply with HIPAA if they provided a service to or on behalf of a HIPAA covered psychologist as a business associate. In this scenario, the business associate is required to comply with the Security and Breach Notification Rules and all applicable standards of the HIPAA Privacy Rule.

Understanding HIPAA Compliance for Psychologists

HIPAA compliance for psychologists is not the same as HIPAA compliance for other healthcare professionals. Uses and disclosures of PHI may be subject to more stringent consent and authorization requirements, while state privacy regulations and licensing requirements can preempt HIPAA in certain circumstances – some state privacy regulations applying to all residents of a state wherever they are.

Mental health professionals who require help understanding HIPAA compliance for psychologists are advised to speak with their organization’s HIPAA compliance officer or seek advice from a professional body (APA, AACP, ABPP, etc.). Members of the public wishing to understand more about HIPAA compliance for psychologists can also review HHS’ web page providing information about mental and behavioral health.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
