HIPAA Compliance for Therapists: 7 Common Mistakes That Could Cost You (And How to Fix Them)

As therapists, we enter practice to help others, not to become compliance experts. But here is the truth: HIPAA compliance is not optional, and small misunderstandings can lead to large fines, licensing headaches, or investigations that take you away from your clients.

This article breaks down the 7 most common HIPAA mistakes therapists make, why they matter, and how you can fix them confidently and clearly.

1. Assuming Your EHR Keeps You Compliant

Many clinicians believe that because their electronic health record (EHR) has security features, they are covered. That is not the case. An EHR can address some of the technical safeguards, such as access controls and audit logs, but HIPAA also requires administrative safeguards: written policies, a documented risk analysis, workforce training, and proof that you are following your own procedures. None of that comes from the software. You also need a signed business associate agreement (BAA) with the EHR vendor and with any other vendor that stores or transmits protected health information (PHI) on your behalf.

Fix: Start with a complete compliance manual and forms that are audit-ready.

Free resource: Grab the HIPAA compliance checklist to compare your current setup to what is actually required. (see below)

If you want help figuring out what applies to your specific practice, you can schedule a free compliance strategy call to talk it through.

2. Missing State-Specific Rules That Go Beyond HIPAA

Federal HIPAA sets the floor, not the ceiling. State laws that are more protective of privacy are not preempted by HIPAA, and many states add rules around record retention periods, minor consent, telehealth, and breach notification. Ignoring them puts you at risk of state board complaints or fines even when your federal compliance is in order.

Fix: Use a state-specific HIPAA supplement that bridges federal and local requirements.

3. No Written Security Risk Assessment

The HIPAA Security Rule requires a documented risk analysis. This goes beyond “I think we’re secure.” It is a formal review of where PHI lives (EHR, laptops, phones, email, paper files), the threats and vulnerabilities that could expose it, the likelihood and impact of each, and the corrective actions you chose. It also has to be revisited periodically and whenever your practice changes, for example when you add telehealth or a new staff member.

Fix: Conduct the assessment, write it down, and keep it with your compliance records. If a complaint or breach is ever investigated, a dated risk analysis with documented follow-up is your strongest evidence that you took your obligations seriously.

Not sure if your practice is truly HIPAA compliant?

This free 15-point HIPAA Compliance Self-Check helps you see what you already have in place and where additional protection may be needed.

👉 Download the HIPAA Compliance Self-Check

4. Not Training Staff (or Not Documenting It)

If you have anyone helping you, such as front desk staff or contracted clinicians, they must receive security and privacy training when they start and on a recurring basis, and you must document that the training happened. Without that record, any compliance claim is weak, because you cannot show that the people handling PHI knew the rules.

Fix: Build a training schedule and keep a signed log every time you educate your team.

5. Website and Contact Form Risks

Even simple things like a contact form or chat popup can create privacy risks if they are not configured properly. Common examples: a contact form that emails submissions (including the reason for the visit) in plain text, a chat widget run by a vendor you have no BAA with, or analytics and advertising scripts loaded on the same page where prospective clients type personal details. Many therapist websites leak information this way without anyone realizing it.

Fix: Review every form, embedded widget, and cookie on your site. Forms should submit over HTTPS to a destination covered by a BAA and never by plain email; third-party scripts should be removed from any page where clients enter information; and your privacy and cookie policies should describe what the site actually does.
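The review above can be started with a simple audit of a page's HTML and response headers. The script below is an added example for this article, not a tool from Guardian Clinical Essentials: it flags third-party scripts and iframes, form actions that use plain HTTP, email or GET, a missing Strict-Transport-Security header, and cookies set without the Secure and HttpOnly flags. The sample page, hostnames (all under the reserved .test domain) and headers are constructed for the demonstration, and the list of checks is this example's own, not a checklist from the page.

```python
"""Audit a web page's HTML and response headers for common PHI leakage risks.

Added example. Inputs are constructed; nothing is fetched from the network.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AssetCollector(HTMLParser):
    """Collect the script, iframe and form targets from a page."""

    def __init__(self):
        super().__init__()
        self.embeds = []   # src of every <script> and <iframe>
        self.forms = []    # (action, method) of every <form>

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe") and a.get("src"):
            self.embeds.append(a["src"])
        elif tag == "form":
            self.forms.append((a.get("action") or "", (a.get("method") or "get").lower()))


def _host(url, page_host):
    """Host a URL resolves to; relative URLs belong to the page's own host."""
    netloc = urlparse(url).netloc
    return netloc.lower() if netloc else page_host


def audit_page(page_url, html, headers):
    """Return a list of (code, detail) findings.

    headers: dict of response headers with canonical names; the
    'Set-Cookie' value may be a single string or a list of strings.
    """
    page_host = urlparse(page_url).netloc.lower()
    findings = []

    collector = _AssetCollector()
    collector.feed(html)

    # Third-party scripts and widgets execute in the page and can read what clients type.
    for src in collector.embeds:
        host = _host(src, page_host)
        if host != page_host:
            findings.append(("THIRD_PARTY", f"resource loaded from {host}"))

    for action, method in collector.forms:
        parsed = urlparse(action)
        if parsed.scheme == "mailto":
            findings.append(("MAILTO_FORM", "form sends submissions by email"))
            continue
        if parsed.scheme == "http":
            findings.append(("INSECURE_FORM", f"form posts over plain HTTP to {action}"))
        if _host(action, page_host) != page_host:
            findings.append(("THIRD_PARTY", f"form posts to {_host(action, page_host)}"))
        if method == "get":
            findings.append(("GET_FORM", "form uses GET, so field values end up in URLs and logs"))

    if urlparse(page_url).scheme != "https":
        findings.append(("NO_TLS", "page itself is served without HTTPS"))
    if not headers.get("Strict-Transport-Security"):
        findings.append(("NO_HSTS", "Strict-Transport-Security header missing"))

    cookies = headers.get("Set-Cookie") or []
    if isinstance(cookies, str):
        cookies = [cookies]
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {part.strip().split("=", 1)[0].lower() for part in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append(("COOKIE_FLAGS", f"cookie {name} lacks {', '.join(missing)}"))
    return findings


# Constructed sample: a contact page with an analytics script, a chat widget,
# an HTTP GET form and a session cookie without Secure/HttpOnly.
SAMPLE_URL = "https://www.example-therapy.test/contact"
SAMPLE_HTML = """
<html><head>
<script src="/js/site.js"></script>
<script src="https://analytics.example-tracker.test/pixel.js"></script>
</head><body>
<form action="http://www.example-therapy.test/submit" method="get">
  <input name="reason_for_visit">
</form>
<iframe src="https://chat.example-widget.test/embed"></iframe>
</body></html>
"""
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Set-Cookie": ["session=abc123; Path=/", "consent=1; Secure; HttpOnly; SameSite=Lax"],
}


def demo():
    """Run the audit against the constructed sample page."""
    return audit_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_HEADERS)


if __name__ == "__main__":
    for code, detail in demo():
        print(f"{code:14} {detail}")
```

Run it against your own site by saving the page source and response headers (any browser's developer tools shows both) and passing them to audit_page. Every THIRD_PARTY finding is a vendor that either needs a BAA or needs to come off pages where clients enter information.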

6. Lack of a Breach Response Plan

HIPAA does not just require prevention. The Breach Notification Rule requires a plan for when something goes wrong: you must assess whether PHI was compromised, notify affected individuals without unreasonable delay and no later than 60 days after discovering the breach, and report to HHS (and, for breaches affecting 500 or more people, to the media). Without a written plan you could miss those deadlines, and late or missing notification compounds the penalties.

Fix: Write a breach response protocol that names who decides, who notifies, and what gets documented, and walk through it with a tabletop scenario at least once a year.

7. Believing You Will Never Be Audited

Most therapists were never taught HIPAA in school. But ignorance does not protect you. Investigations can be triggered by a single client complaint, a reported breach, or a random audit, and they can begin without warning.

Fix: Treat compliance like insurance. Proactive documentation now saves massive stress later.


Conclusion

HIPAA compliance does not have to be confusing. The key is turning vague rules into clear, documented processes that protect your clients and your license.

If this list felt overwhelming, start with the free checklist and work through each area one by one.

Get your HIPAA compliance checklist here.

Written by Samantha Schalk, LMSW, CAADC, CIMHP, BCP3
Founder, Guardian Clinical Essentials™
