If you run a therapy practice, you already know that HIPAA compliance is not optional. But knowing you need to be compliant and actually being compliant are two very different things.
The penalties for violations are severe. Civil penalties are tiered by culpability, from $100 to $50,000 per violation with an annual cap of up to $1.5 million for each provision violated, and the dollar figures are adjusted for inflation every year. Beyond the fines, a breach destroys patient trust and can end a practice.
This checklist covers the essential HIPAA requirements every therapy practice must meet. Use it to identify gaps and take corrective action before an audit or breach forces your hand.
1. Risk Assessment
The Security Rule requires a documented risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and a risk management plan that acts on what it finds. This is not a one-time event but an ongoing process, and a missing or incomplete risk analysis is among the deficiencies the Office for Civil Rights (OCR) cites most often in enforcement actions.
Checklist Items
- ☐ Conduct a formal risk assessment at least annually that covers every system that creates, receives, stores, or transmits protected health information (PHI), including mobile devices and cloud services. The rule itself only requires periodic review; annual is the baseline most auditors expect.
- ☐ Document identified risks and assign each a severity rating and remediation plan.
- ☐ Track remediation progress and document completion of each corrective action.
- ☐ Review and update the assessment whenever you add new technology, change vendors, or experience a security incident.
2. Business Associate Agreements (BAAs)
Every vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate and must have a signed Business Associate Agreement in place before it handles any PHI. This includes your EHR provider, cloud storage, email service, billing company, IT provider, and even your shredding service. A cloud provider counts even if it only stores encrypted data it cannot read. The one exception is a pure conduit, such as the postal service or an internet carrier, that merely transports data without storing or accessing it.
Checklist Items
- ☐ Inventory all vendors that create, receive, maintain, or transmit PHI on your behalf.
- ☐ Verify a signed BAA exists for each vendor on the list.
- ☐ Review BAAs annually to ensure terms still reflect actual data handling practices.
- ☐ Terminate or replace vendors that refuse to sign a BAA, with no exceptions; letting a vendor handle PHI without one is itself a violation.
3. Encrypted Communications
Any communication or storage of PHI should be encrypted, in transit and at rest. This applies to email, text messages, telehealth sessions, file transfers, and the devices the data lives on. Under the Security Rule encryption is an "addressable" specification: you may adopt an alternative only after documenting why encryption is not reasonable and appropriate, which is a hard case to make today. Encryption also earns you the breach safe harbor: PHI encrypted to the HHS standard is not "unsecured PHI", so an encrypted laptop lost with its key intact is not a reportable breach.
Checklist Items
- ☐ Use an email service that is covered by a BAA and enforces TLS for all messages containing PHI. Server-to-server TLS is opportunistic by default and protects only the hop, so for anything sensitive prefer a secure patient portal or enforce TLS delivery to the recipient's domain. Consumer Gmail and Yahoo accounts do not qualify because no BAA is available for them; the paid Google Workspace and Microsoft 365 tiers do offer one.
- ☐ Deploy encrypted messaging for any text-based communication with patients. Standard SMS travels unencrypted through the carrier, so it is not compliant for PHI; if a patient insists on texting, limit it to appointment logistics after warning them of the risk.
- ☐ Verify that telehealth platforms encrypt sessions (end-to-end where offered) and have signed BAAs; the BAA is the non-negotiable part. Zoom for Healthcare and Doxy.me are common compliant options. A free consumer video account is not, even when the same vendor signs BAAs for its paid healthcare tier.
- ☐ Enable full-disk encryption on all devices that store PHI (laptops, tablets, phones, and external drives), verify it is actually turned on rather than merely available, and escrow the recovery keys somewhere other than the device itself.
4. Access Controls
The Privacy Rule's minimum necessary standard limits each person's access to the PHI they need to do their job, and the Security Rule requires a unique user ID for every person so that activity can be traced back to an individual. Access must be revoked as soon as staff leave or change roles.
Checklist Items
- ☐ Assign unique login credentials to every user — no shared accounts, ever.
- ☐ Enable multi-factor authentication (MFA) on all systems that contain PHI.
- ☐ Implement role-based access controls so front desk staff, clinicians, and billing each see only what they need.
- ☐ Review EHR and system access logs at least quarterly to identify unauthorized or unusual patterns: terminated users still logging in, staff opening records of patients they do not treat, after-hours activity, and bulk lookups. Retain the logs; the audit controls standard expects you to be able to produce them.
- ☐ Revoke access within 24 hours of any staff termination or role change, and the same day for an involuntary termination. Keep a list of every system each employee can reach so nothing is missed during offboarding.
- ☐ Enable automatic session timeouts on all workstations and EHR systems.
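The quarterly log review above is the one item in this section that is a detection task rather than a policy, so here is an added example of what that review can look like in code. This is my own illustration, not code from the original checklist or from any EHR product; the log format, the role model in ROLE_PERMISSIONS, the roster, the caseloads, the 07:00 to 20:00 business-hours window and the 25-patient bulk threshold are all assumptions, and the sample records are constructed. It flags the patterns the checklist names: access by terminated or unknown accounts, a role opening record types it should not see, a clinician reading a patient outside their caseload, after-hours and weekend activity, and one user touching an unusual number of distinct patients in a day.

```python
"""Quarterly EHR audit-log review (added example; not code from the page or any EHR vendor)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date, datetime

# Hypothetical role model: which record types each role may open (minimum necessary).
ROLE_PERMISSIONS = {
    "front_desk": {"demographics", "schedule"},
    "billing": {"demographics", "claims"},
    "clinician": {"demographics", "schedule", "clinical_note", "treatment_plan"},
}
BUSINESS_HOURS = (7, 20)   # 07:00-19:59 local time; anything else is flagged for review
BULK_THRESHOLD = 25        # distinct patients per user per day before we ask why


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_line(line: str) -> dict:
    """Constructed log format: ISO-time|user|patient|record_type|action."""
    ts, user, patient, rtype, action = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "rtype": rtype, "action": action}


def review(lines, roster, caseloads):
    """roster: user -> {"role": str, "terminated": date | None};
    caseloads: clinician -> set of patient ids assigned to them."""
    findings = []
    patients_per_day = defaultdict(set)      # (user, day) -> distinct patients opened
    for rec in map(parse_line, lines):
        user, ts, patient = rec["user"], rec["ts"], rec["patient"]
        info = roster.get(user)
        if info is None:                     # account nobody owns: investigate first
            findings.append(Finding("unknown-user", user, f"{ts} not in roster, opened {patient}"))
            continue
        if info["terminated"] and ts.date() >= info["terminated"]:
            findings.append(Finding("terminated-user", user,
                                    f"{ts} access after termination on {info['terminated']}"))
        if rec["rtype"] not in ROLE_PERMISSIONS.get(info["role"], set()):
            findings.append(Finding("role-violation", user,
                                    f"{info['role']} opened {rec['rtype']} for {patient}"))
        if info["role"] == "clinician" and patient not in caseloads.get(user, set()):
            findings.append(Finding("outside-caseload", user, f"{ts} opened {patient}"))
        if ts.weekday() >= 5 or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]):
            findings.append(Finding("after-hours", user, f"{ts} {rec['action']} {rec['rtype']}"))
        patients_per_day[(user, ts.date())].add(patient)
    for (user, day), patients in patients_per_day.items():
        if len(patients) > BULK_THRESHOLD:
            findings.append(Finding("bulk-access", user, f"{len(patients)} distinct patients on {day}"))
    return findings


def summarize(findings):
    """Count findings per rule; the quarterly report starts from this table."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


# Constructed sample data. 2024-03-01 was a Friday, so 2024-03-09 is a Saturday.
ROSTER = {
    "jmiller": {"role": "clinician", "terminated": None},
    "dlopez": {"role": "clinician", "terminated": None},
    "rkhan": {"role": "front_desk", "terminated": None},
    "tlee": {"role": "billing", "terminated": date(2024, 3, 1)},
}
CASELOADS = {"jmiller": {"P1001", "P1002"}, "dlopez": {"P2001"}}
SAMPLE_LINES = [
    "2024-03-05T09:15:00|jmiller|P1001|clinical_note|view",   # normal
    "2024-03-05T09:40:00|rkhan|P1001|schedule|view",          # normal
    "2024-03-05T10:05:00|rkhan|P1002|clinical_note|view",     # front desk reading a note
    "2024-03-05T22:30:00|jmiller|P2001|clinical_note|view",   # not their patient, late night
    "2024-03-04T11:00:00|tlee|P1001|claims|view",             # account never revoked
    "2024-03-09T14:00:00|dlopez|P2001|treatment_plan|edit",   # weekend, own patient
    "2024-03-06T15:00:00|ghost|P1001|demographics|view",      # user missing from roster
] + [f"2024-03-06T09:{i:02d}:00|rkhan|P3{i:03d}|demographics|view" for i in range(30)]  # bulk lookup


def run_sample():
    return review(SAMPLE_LINES, ROSTER, CASELOADS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.rule:17} {f.user:9} {f.detail}")
```

Run against the constructed records it produces seven findings, one each for the unknown account, the terminated account, the role violation, the out-of-caseload read and the bulk lookup, plus two after-hours events. The rules are deliberately cheap and noisy: after-hours access by an on-call clinician is normal, so each finding is a question for a supervisor, not an accusation. What matters for the audit trail is that the review was run, the findings were written down, and each one was closed with a documented explanation.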
5. Staff Training
Your staff is your biggest asset and your biggest vulnerability. HIPAA requires that all workforce members receive training on policies and procedures — and that training is documented.
Checklist Items
- ☐ Conduct HIPAA training for all new hires within 30 days of start date.
- ☐ Provide annual refresher training covering current threats, policy updates, and real-world scenarios.
- ☐ Include phishing awareness training with simulated phishing exercises at least twice per year.
- ☐ Document all training sessions with attendee lists, topics covered, and dates.
- ☐ Require signed acknowledgments that each employee has read and understands your HIPAA policies.
6. Breach Response Plan
When a breach occurs, and the question is when, not if, you need a documented plan that your team can execute immediately. HIPAA requires notification to affected individuals without unreasonable delay and no later than 60 calendar days after the breach is discovered. Breaches affecting 500 or more individuals must also be reported to OCR within that same window, and when more than 500 residents of one state or jurisdiction are affected, to prominent media outlets serving that area. Smaller breaches are still reported to OCR, in an annual submission due within 60 days after the end of the calendar year in which they were discovered. A business associate that suffers the breach must notify you within the same 60-day limit, and the clock for your own notices does not wait for them.
Checklist Items
- ☐ Create a written incident response plan that covers detection, containment, investigation, notification, and remediation.
- ☐ Designate a breach response team with clear roles and contact information.
- ☐ Prepare notification templates for patients, OCR, and the media (media notice is required only when more than 500 residents of a state or jurisdiction are affected).
- ☐ Run tabletop exercises annually to test your team’s response to simulated breach scenarios.
- ☐ Maintain a breach log that documents every incident, including those below the 500-individual threshold; that log is what you submit to OCR each year for the smaller breaches, and the documentation must be retained for six years.
7. Physical Safeguards
Digital security gets all the attention, but HIPAA also requires physical safeguards for any location where PHI is accessed or stored.
Checklist Items
- ☐ Secure server rooms and network equipment behind locked doors with restricted access.
- ☐ Position workstation screens so patients and visitors cannot view PHI.
- ☐ Implement a clean desk policy — no paper records left on desks overnight.
- ☐ Use cross-cut shredders for all paper documents containing PHI.
- ☐ Secure mobile devices with remote wipe capability and require biometric or PIN locks.
Take Action Today
HIPAA compliance is not a one-time project — it is an ongoing program. But it does not have to be overwhelming. Start with the risk assessment, work through this checklist systematically, and address the highest-risk gaps first.
Need help getting your practice compliant? We specialize in HIPAA-compliant IT for therapy practices and can guide you through every step — from risk assessment to ongoing monitoring.
Ready to Secure Your Practice?
Get a free IT assessment from GreatHelpNow — specialized support for your industry.