HIPAA for Therapists
When discussing HIPAA for therapists, it is important to be aware that a therapist can be a solo covered entity, a hybrid covered entity, part of an affiliated covered entity, part of an Organized Health Care Arrangement, a business associate to a covered entity, or an employee of any of the above. Even when none of these options apply, therapists may still need to comply with HIPAA-style privacy, security, and breach notification requirements mandated by state legislation.
When is a Therapist a Solo Covered Entity?
A therapist is a solo covered entity under HIPAA when they work independently of other healthcare providers and conduct transactions electronically for which the Department of Health and Human Services (HHS) has adopted standards. The standards can be found in Part 162 of the HIPAA Administrative Simplification Regulations and relate to processes such as eligibility checks for treatment, authorizations for treatment, and billing for treatment when payment is made by a health plan.
A therapist qualifies as a solo covered entity whether they conduct the transactions themselves or subcontract the processes to a third party. However, HHS does not consider certain transmissions to be electronic (e.g., PSTN telephone calls or paper-to-paper faxes) if the information being transmitted did not exist in electronic form before being transmitted. Therefore, if a therapist conducts “covered transactions” only by fax or telephone, they do not qualify as a covered entity under HIPAA.
What is a Hybrid Covered Entity?
HHS defines a hybrid covered entity as “a single legal entity that performs both covered and non-covered functions”. In the context of HIPAA for therapists, an example of this definition would be a therapist who bills some clients directly for treatment, and others via their health plan. In these circumstances, information relating to clients billed directly would have to be maintained separately from “Protected Health Information” subject to the HIPAA Privacy, Security, and Breach Notification Rules.
There is little benefit to maintaining information separately as a hybrid covered entity because state privacy and security laws will likely require similar safeguards to HIPAA. However, a therapist will qualify as a hybrid covered entity if they provide therapy services to a school as well as maintain a covered practice. This is because students’ medical records are considered to be part of their education records under the Family Educational Rights and Privacy Act and are not subject to HIPAA.
Affiliated Entities and Organized Health Care Arrangements
Affiliated covered entities are legally separate covered entities under common ownership or control that designate themselves as a single covered entity for the purposes of complying with HIPAA. This arrangement makes it easier to share Protected Health Information between healthcare providers, but it does mean that if one healthcare provider violates HIPAA, all the healthcare providers in the affiliated group could share the liability – and the penalties for violating HIPAA.
By comparison, an Organized Health Care Arrangement is a system in which covered entities under different ownership or control operate as one entity for the purpose of complying with HIPAA. This type of arrangement makes it easier to comply with HIPAA for therapists because some requirements – such as HIPAA Notices of Privacy Practices and facility access controls – can be shared. However, each covered entity within the group is individually liable for HIPAA violations.
HIPAA for Therapists Who Are Business Associates
Therapists who do not qualify as a solo, hybrid, or affiliated covered entity may still be subject to partial HIPAA compliance if they provide a service to or on behalf of a covered entity as a business associate. The most likely circumstance for this scenario is a therapist who operates a non-qualifying practice, accepts clients referred by a covered entity on a direct-payment basis, and receives Protected Health Information disclosed by the covered entity to assist with the client’s treatment.
The requirement to comply with HIPAA for therapists who are business associates is usually limited to HIPAA Security Rule compliance and HIPAA Breach Notification compliance. However, depending on the nature of the therapy being provided to the client, compliance with some HIPAA Privacy Rule and 42 CFR Part 2 standards may also be necessary. In such cases, which standards the therapist is required to comply with should be written into the Business Associate Agreement executed between the therapist and the covered entity.
HIPAA for Therapists Employed by a Covered Entity
Therapists employed by a covered entity are required to comply with HIPAA indirectly: their employer is responsible for developing HIPAA-compliant policies and procedures, and therapists are required to follow those policies and procedures. Covered employers are also responsible for training therapists on the policies and procedures, monitoring compliance, and imposing sanctions if therapists violate HIPAA or any other organizational policy for which training has been provided.
It is rarely the case, but conceivable, that a therapist would be employed by a business associate (i.e. the business offers therapy services but does not qualify as a covered entity). In this scenario, the therapist’s employer would be responsible for implementing HIPAA Security Rule safeguards and having procedures in place to notify a covered entity of a security incident. Any other compliance requirements would be subject to the content of a Business Associate Agreement.
HIPAA Training for Therapists
HIPAA training for therapists helps protect patient information by teaching practical privacy, security, and breach response requirements that apply to everyday therapy services. Strong training should focus on real therapy workflows such as confirming identity before sharing information, applying the minimum necessary standard when coordinating care, responding appropriately to requests from family members or other third parties, managing patient record requests, and preventing incidental disclosures in reception areas, phone calls, and digital communications. Security awareness training is also essential because therapy documentation is commonly handled through EHRs, telehealth platforms, patient portals, email, and mobile devices, which increases exposure to phishing, misdirected messages, and improper access. Annual HIPAA training is an industry best practice for therapy practices, and it supports consistent compliance by reinforcing safe habits, clear incident reporting steps, and defensible documentation of completion.
HIPAA Certification for Therapists
HIPAA certification for therapists provides documented proof of completed HIPAA training and is most valuable when it is issued by a reputable provider through a structured, self-paced program with knowledge checks and an immediately issued completion certificate. Alongside practice-level training, individual therapists, including those in solo practice, benefit from completing HIPAA certification training to demonstrate competency, strengthen professional credibility, and keep privacy and security requirements top of mind as workflows and technologies evolve.
HIPAA Status Should Not be the Only Consideration
If a therapist does not fall into any of the categories above, they are not required to comply with HIPAA. However, many states have passed legislation with privacy, security, and breach notification provisions that apply to individuals and organizations that do not qualify as covered entities. Most of these state laws impose HIPAA-style requirements, which is why covered entities and business associates are often exempted from them.
Therefore, unless you are employed by a covered entity with the responsibility for complying with HIPAA, you should protect the privacy of individually identifiable health information using measures similar to – if not more stringent than – those published in the HIPAA Privacy, Security, and Breach Notification Rules. For further information about these Rules, review our HIPAA compliance checklist, or seek advice from a HIPAA compliance professional.
