HIPAA
February 15, 2026 · 6 min read

The HIPAA Compliance Checklist Every Private Practice Therapist Needs in 2026

The exact HIPAA checklist OCR uses to audit solo therapists. 12 requirements, what each means, and how to document them.


If OCR showed up at your practice tomorrow and asked for your HIPAA compliance documentation, you would have 10 days to respond. Most private practice therapists would spend those 10 days in a panic, searching through Google Drive folders, email threads, and paper files for documents they are not sure they ever created. This checklist exists so that never happens to you. It covers every requirement OCR actually checks when auditing a solo or small group therapy practice, with specific guidance on what counts as documentation and what does not.

Why Solo Therapists Get Audited More Than You Think

The assumption most therapists make is that OCR goes after hospitals and large health systems, not a two-person counseling practice in suburban Ohio. The data says otherwise. OCR's enforcement database, known as the Wall of Shame, includes hundreds of enforcement actions against practices with fewer than 10 employees. In 2024, OCR opened 847 investigations. Many were triggered not by a massive data breach but by a single patient complaint or a routine desk audit.

Small practices are targeted for a specific reason: they are statistically less likely to have their documentation in order. That makes them easier cases. A small practice with no written Risk Assessment, no documented staff training, and no signed Business Associate Agreements is not just non-compliant. It is an easy settlement for OCR.

The minimum fine for a HIPAA violation where the covered entity did not know (and could not have known) about the violation is $100 per violation, up to $25,000 per year for identical violations. For violations due to willful neglect that are not corrected, the minimum jumps to $50,000 per violation, up to $1.9 million per year. When OCR determines that a practice had no compliance infrastructure at all, they tend to classify violations as willful neglect. That is when a $50,000 fine becomes real.

The 12-Item HIPAA Checklist for Private Practice

1. Written Privacy Policy

The HIPAA Privacy Rule requires every covered entity to have written privacy policies and procedures. For a therapy practice, this means a document that explains how you use and disclose Protected Health Information (PHI), what rights patients have over their information, and how they can exercise those rights.

A Privacy Policy must cover: permitted uses and disclosures without authorization, uses and disclosures that require patient authorization, the minimum necessary standard (you only access or share the minimum PHI needed to do your job), and patient rights including the right to access their records, request amendments, and receive an accounting of disclosures.

What counts as documentation: a written policy document with an effective date, version number, and your name as the responsible party. A verbal policy does not satisfy this requirement.

2. Written Security Policy

The Security Policy addresses how you protect electronic PHI (ePHI). This includes your EHR system, any email containing patient information, telehealth platforms, and any device storing session notes.

The policy must cover administrative safeguards (who has access to what and why), physical safeguards (who can access your office, how devices are secured), and technical safeguards (encryption, unique login credentials, automatic logoff).

Many therapists assume their EHR handles this. It does not. Your EHR is responsible for securing the data within its platform. You are responsible for documenting your organization's security practices around how you use that platform and every other system touching PHI.

3. Documented Security Risk Assessment

This is the single most important document in your HIPAA compliance program. The Security Rule requires every covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.

The Risk Assessment is not a one-time checkbox. It must be reviewed and updated periodically, and whenever there is a change to your environment (new software, new staff, new office location).

What OCR specifically looks for: a written Risk Assessment document with the date it was conducted, who conducted it, what systems were evaluated, what risks were identified, and what mitigation steps were taken. A Risk Assessment that exists only in someone's memory is not a Risk Assessment.

The most common reason OCR fines small practices is a missing or inadequate Risk Assessment. In multiple enforcement actions, OCR has explicitly stated that no Risk Assessment had been conducted despite the practice being in operation for years.

4. Risk Management Plan

Finding risks is only the first step. The Security Rule also requires a risk management plan that addresses identified vulnerabilities. This means documenting what you found in your Risk Assessment and what you are doing about it, with timelines and responsible parties.

5. Breach Notification Policy

If a breach of unsecured PHI occurs, you have 72 hours to notify affected individuals and, depending on the number of people affected, notify OCR as well. Breaches affecting 500 or more individuals in a state must also be reported to prominent media outlets.

Your Breach Notification Policy documents how your practice identifies a breach, how you assess whether notification is required (using the four-factor risk assessment defined in the HIPAA Breach Notification Rule), and your notification procedures.

What counts as a breach: unauthorized access, use, or disclosure of PHI that compromises the security or privacy of the information. Common examples for therapy practices include sending records to the wrong patient, emailing PHI to an unintended recipient, a stolen laptop with unencrypted session notes, and unauthorized access by a staff member.

6. Workforce Training Records

HIPAA requires that all members of your workforce receive training on your privacy and security policies, and that this training is documented. Workforce includes employees, volunteers, trainees, and anyone under your direct control.

What counts as documentation: records showing who was trained, on what topics, on what date, and some form of acknowledgment or assessment. An annual sign-in sheet is better than nothing. A completed training module with a certificate and timestamp is significantly stronger.

Training records are one of the first things OCR requests. Practices that cannot produce training records are immediately at a disadvantage in an investigation.

7. Business Associate Agreements (BAAs)

A Business Associate is any person or organization that creates, receives, maintains, or transmits PHI on your behalf. For a private practice, this includes your EHR vendor, your telehealth platform, your billing service, your scheduling software, and your email provider if you use it to communicate PHI.

A BAA is a written contract that specifies what the Business Associate can do with PHI and requires them to implement appropriate safeguards. You must have a signed BAA with every Business Associate before sharing PHI with them.

The most common gap: therapists have a BAA with their EHR but not with their telehealth platform, scheduling tool, or cloud storage provider. Each of these touches PHI and requires its own BAA.

8. Access Control Procedures

Every person who accesses your systems should have a unique login. Shared passwords are a HIPAA violation because they make it impossible to audit who accessed what information and when. Your access control procedures document who has access to which systems, how access is granted, and how access is revoked when someone leaves the practice.

9. Audit Controls

You need to be able to demonstrate that you monitor who accesses PHI within your systems. Most EHR systems have built-in audit logging. Your policy should document that you review these logs, how frequently, and what you do when you identify suspicious access.
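One way to turn the log-review commitment in items 8 and 9 into a repeatable check, as an added example that is not part of the original article: the script below reviews constructed, hypothetical EHR audit records against a practice's own access roster (the `ROSTER` entries, user names, patient IDs and `SAMPLE_LOG` lines are all made up) and returns findings that can be copied into the incident log.

```python
"""Audit-log review for a small practice's EHR access records.

Added example, not code from the article or from any EHR vendor. It checks
constructed audit records against a hypothetical access roster and flags
the three conditions items 8 and 9 ask you to look for: access by an
account whose access was revoked, one account active on two workstations
within a short window (a shared-credential indicator), and access to a
patient outside the user's documented caseload.
"""
from datetime import datetime, timedelta

# Hypothetical access roster: who is active and which patients they may open.
ROSTER = {
    "jsmith": {"active": True, "caseload": {"P-001", "P-002"}},
    "rlee": {"active": False, "caseload": set()},  # left the practice, access revoked
}

# Constructed sample log lines: timestamp, user, patient, workstation.
SAMPLE_LOG = """\
2026-02-10T09:02:11 jsmith P-001 WS-FRONT
2026-02-10T09:05:40 jsmith P-002 WS-OFFICE
2026-02-10T09:06:02 jsmith P-003 WS-OFFICE
2026-02-10T22:14:09 rlee P-001 WS-FRONT
"""


def parse(log):
    """Split whitespace-separated log lines into (timestamp, user, patient, workstation)."""
    rows = []
    for line in log.splitlines():
        ts, user, patient, ws = line.split()
        rows.append((datetime.fromisoformat(ts), user, patient, ws))
    return rows


def review(log, roster=ROSTER, window=timedelta(minutes=10)):
    """Return (timestamp, user, reason) findings, in log order, for the incident log."""
    findings = []
    last_seen = {}  # user -> (timestamp, workstation) of that user's previous event
    for ts, user, patient, ws in parse(log):
        entry = roster.get(user)
        if entry is None or not entry["active"]:
            findings.append((ts.isoformat(), user, "access by revoked or unknown account"))
            continue
        if patient not in entry["caseload"]:
            findings.append((ts.isoformat(), user, f"access outside caseload: {patient}"))
        prev = last_seen.get(user)
        if prev and prev[1] != ws and ts - prev[0] <= window:
            findings.append((ts.isoformat(), user, f"shared-credential indicator: {prev[1]} then {ws}"))
        last_seen[user] = (ts, ws)
    return findings
```

Each finding is a record of what happened, when and who was involved, which is exactly what item 12 asks the incident log to hold; a clean review run with no findings is itself evidence that the log was reviewed.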

10. Sanction Policy

When a workforce member violates your privacy or security policies, you must apply appropriate sanctions. Your Sanction Policy documents what those consequences are, from verbal warnings to termination, depending on the severity of the violation. Having this policy and applying it consistently demonstrates a culture of compliance.

11. Notice of Privacy Practices

You are required to provide patients with a Notice of Privacy Practices (NPP) that explains how you use and disclose their PHI. For most therapy practices, this means giving patients the NPP at their first appointment and making a good-faith effort to get a signed acknowledgment.

12. Incident Response Log

When security incidents occur, even minor ones, you need a record. An incident log documents what happened, when, who was involved, what PHI was affected, and what action was taken. This log serves as evidence that you take security incidents seriously and respond to them appropriately.

What Does Not Count as HIPAA Compliance

Understanding what counts is as important as understanding what is required. Several common misconceptions lead therapists to believe they are compliant when they are not.

Using a HIPAA-compliant EHR does not make your practice compliant. Your EHR vendor protects the data within their platform. They cannot write your policies, train your staff, or manage your vendor agreements.

Signing a BAA with your EHR is not enough. Every vendor touching PHI needs a BAA, including your telehealth provider, scheduling software, billing service, and email provider if PHI flows through it.

Verbal training does not count. If you told your assistant about HIPAA when they were hired but have no written record of it, OCR will treat it as if it never happened.

Having policies without dates and version numbers is not much better than having no policies. Documentation that cannot be shown to be current undermines your entire compliance posture.

How to Document Everything in One Place

The challenge for most solo therapists is not understanding what is required. It is organizing and maintaining the documentation in a way that survives an audit request. OCR gives you 10 days to produce your compliance documentation. If it is scattered across multiple systems, those 10 days go very fast.

The most practical approach is to keep all 12 elements of this checklist in a single location: your policies in one system, your Risk Assessment and mitigation records in the same place, your training records accessible, your BAAs organized and dated, and your incident log current.

Not sure where your practice stands right now? The HIPAA Hub free Risk Score assessment takes 10 minutes and shows you exactly which of these 12 elements you have covered and which need attention.

Keeping the Checklist Current

HIPAA compliance is not a one-time project. Policies must be reviewed annually. Risk Assessments must be updated when your environment changes. Training must happen annually for all staff. BAAs should be reviewed when vendor relationships change.

The practices that sail through OCR audits are not the ones that spent the most money on compliance consultants. They are the ones that built a simple, maintainable system and kept it current.


Ready to check every box? HIPAA Hub gives solo therapists and small clinics all 9 required policy templates, a guided Risk Assessment, BAA tracking, staff training documentation, and a one-click audit export. Setup takes one weekend. Start your free 14-day trial at hipaahubhealth.com.

Disclaimer: This article provides general educational information about HIPAA requirements and does not constitute legal advice. Consult qualified legal counsel for guidance specific to your practice situation.