HIPAA Notice of Privacy Practices for Therapists: What Must Be Included
Most therapists have a Notice of Privacy Practices.
That does not automatically mean it is complete.
Recently, I reviewed a Notice of Privacy Practices that had been generated using an EHR template and AI assistance. It looked polished. It sounded official. At first glance, it seemed fine.
It was missing required federal disclosures.
That is happening more often than people realize.
A HIPAA Notice of Privacy Practices for therapists is not just an intake form. It is a federally required disclosure document governed by the HIPAA Privacy Rule at 45 CFR §164.520. If required elements are missing, that creates a compliance gap, even if everything else feels organized.
Here is what must actually be included.
What Is a HIPAA Notice of Privacy Practices?
The Notice of Privacy Practices, often called an NPP, explains how your practice may use and disclose protected health information and outlines your clients’ rights.
It must be provided no later than the first service encounter, and the practice must make a good-faith effort to obtain the client's written acknowledgment of receipt (45 CFR §164.520(c)(2)). It must accurately reflect how your practice actually operates. If the practice maintains a website, the Notice must also be posted there.
The Notice must also include an effective date and clearly reflect the version currently in effect.
This is where many templates fall short. They describe generic health care scenarios that do not match how a mental health practice functions.
If your Notice of Privacy Practices was:
• Downloaded years ago
• Pulled from a colleague
• Automatically generated by your EHR
• Created or refined using AI
It is worth reviewing whether it meets the requirements of 45 CFR §164.520.
Reviewing Your HIPAA Notice of Privacy Practices for Therapists
Many therapists assume their Notice is compliant because it came from an EHR or a template. Checking it element by element against the content requirements in 45 CFR §164.520(b) identifies missing disclosures before an audit or a client complaint does.
Required Uses and Disclosures
Your Notice must describe how protected health information may be used and disclosed for:
• Treatment
• Payment
• Health care operations
These uses and disclosures generally do not require written authorization under HIPAA.
The Notice must distinguish between uses and disclosures that require authorization and those that do not.
It must also explain disclosures that are permitted or required by law, including court orders, mandated reporting, serious and imminent threats, public health activities, health oversight activities, and other disclosures required by law.
If those categories are incomplete or overly simplified, that is a problem.
Psychotherapy Notes and HIPAA Requirements
If you are a therapist, this section matters.
Psychotherapy notes receive additional protection under federal law. Most uses and disclosures of psychotherapy notes require written authorization.
Many generic templates either omit this entirely or mention it vaguely.
For a mental health practice, that is not a minor detail.
Omnibus Rule Updates: Marketing and Sale of PHI
The HIPAA Omnibus Rule added specific requirements to the Notice of Privacy Practices.
Your NPP must state that:
• Most uses and disclosures of protected health information for marketing require written authorization.
• The sale of protected health information requires written authorization.
Even if you never sell information, the statement is still required; its absence is a gap regardless of what your practice actually does. The Notice must also state that uses and disclosures not described in the Notice will be made only with written authorization, and that an authorization may be revoked in writing, except to the extent the practice has already acted in reliance on it.
This is one of the most common omissions I see.
Individual Rights That Must Be Explained
Your Notice must clearly describe client rights, including:
• Access: the right to inspect and obtain a copy of records
• Amendment of records
• An accounting of disclosures
• Requesting restrictions on uses and disclosures
• Restricting disclosures to a health plan when the client pays in full out of pocket, a restriction the practice must honor
• Confidential communications by alternative means or at alternative locations
• A paper copy of the Notice, even if it was received electronically
• Notification following a breach of unsecured protected health information
Listing these without explaining how to exercise them is not sufficient.
How to Exercise Rights
The Notice must also explain how individuals can exercise these rights: how to submit written requests, where to direct them, and the name or title and telephone number of a person or office to contact with privacy questions. It must state that individuals may complain to the practice and to the Secretary of Health and Human Services if they believe their privacy rights have been violated, describe briefly how to file that complaint, and state that the practice will not retaliate against anyone who does.
Duties of the Practice
Your Notice must also describe the duties of the practice. This includes stating that the practice is required by law to maintain the privacy of protected health information, provide a Notice of Privacy Practices, and follow the terms of the Notice currently in effect. It must also explain that the practice reserves the right to revise the Notice and how individuals will be informed of material changes.
Business Associates and Electronic Systems
If you use an EHR, billing service, telehealth platform, or cloud storage provider, your Notice should reflect that protected health information may be shared with business associates who are required to safeguard it.
This is often missing in simplified versions.
State Law May Require More
HIPAA sets the federal baseline.
However, HIPAA does not preempt state law that is more stringent, meaning more protective of the individual's privacy (45 CFR §160.203). If your state provides stronger protections, they must be reflected in how your Notice describes uses, disclosures, and rights.
This can include:
• Minor consent laws
• Parental access limitations
• Substance use disorder confidentiality (the federal 42 CFR Part 2 rules, plus any state equivalents)
• HIV or genetic privacy protections
• State privacy statutes such as California’s CMIA
Your Notice cannot describe a disclosure that stricter state law prohibits.
Your Notice of Privacy Practices should accurately reflect your policies, your systems, and your state law obligations.
The Bigger Compliance Picture
Compliance is about accuracy and alignment.
Your Notice of Privacy Practices should reflect how your practice actually operates, including your documentation standards, workforce access, electronic systems, and state-specific confidentiality obligations.
The Notice is only one component of a broader HIPAA compliance framework that also includes written policies and procedures, workforce training, a security risk analysis, and business associate agreements. When the Notice promises something your internal policies do not implement, or describes systems you no longer use, that mismatch is the compliance gap.
If you’re questioning whether your Notice of Privacy Practices actually meets requirements, you’re not alone.
Where to File a HIPAA Privacy Complaint
If you believe your HIPAA privacy rights have been violated, you can file a complaint with the U.S. Department of Health and Human Services Office for Civil Rights. Complaints generally must be filed within 180 days of when you knew or should have known of the violation, although OCR may extend that period for good cause.
Common Mistakes Therapists Make with HIPAA Risk Assessments
Most compliance gaps in mental health practices do not come from ignoring HIPAA. They come from misunderstanding what is required and assuming certain steps already covered the obligation.
Therapists are trained to protect confidentiality in session. Operational risk across devices, documentation, staff access, and communication workflows is a different skill set. When practices grow or adopt new technology, the gap becomes more visible.
Several patterns show up repeatedly in private practice and group settings.
Treating the risk assessment as a one-time task.
A practice may complete something early in its development and never revisit it, even as telehealth, new systems, and staff roles are added.
Assuming technology handles the requirement.
Using an EHR, secure email, or telehealth platform can create a false sense of protection. Vendors manage their own systems, and a business associate agreement obligates them to safeguard the data they hold. They do not evaluate how a therapy practice uses those systems or where workflow risks exist.
Lacking documentation of the evaluation itself.
A practice may discuss risks informally or make adjustments over time but never document what was reviewed, what decisions were made, or how risks were prioritized.
Focusing only on policies rather than real workflows.
Written procedures may exist, but day-to-day habits around documentation, communication, and device use may differ from what is written.
Overlooking staff access and supervision structures.
As soon as additional clinicians, interns, or administrative staff are involved, access to protected health information becomes more complex and requires active evaluation.
Ignoring telehealth and remote work environments.
Working from home, using multiple devices, and conducting sessions across locations introduces risks that do not exist in a single office setting.
Not updating after changes in the practice.
Hiring staff, changing EHR systems, adding services, or working across state lines all affect how protected health information is handled. Each change alters the risk landscape.
Treating the assessment as a technical exercise only.
Risk analysis includes technology, but it also includes communication habits, documentation practices, record handling, and how information flows between people and systems.
These mistakes are understandable. Many therapists are balancing clinical work, business responsibilities, and administrative demands. Compliance tasks can feel secondary until something draws attention to them.
A well-structured risk assessment helps move the process from reactive to proactive. It creates a clearer picture of how protected health information is handled and where attention is needed, rather than relying on assumptions.
For group practices, these mistakes often compound. More staff, more systems, and more communication pathways increase complexity. Without a structured evaluation, it becomes difficult to see how risks interact across the organization.
Recognizing these patterns is often the point where clinicians begin to understand that compliance is not just about forms or software. It is about how the practice operates as a whole.
How Often Therapists Should Conduct a HIPAA Risk Assessment
HIPAA does not assign a calendar date for completing a Security Risk Analysis. The Security Rule requires an accurate and thorough assessment of risks to electronic protected health information (45 CFR §164.308(a)(1)(ii)(A)) and periodic review of safeguards as the environment changes (45 CFR §164.306(e)), so the evaluation is expected to be ongoing and updated as a practice evolves.
For most mental health providers, this means the risk assessment is not a one-time event. It is a recurring process that reflects changes in technology, staffing, services, and workflows.
A common standard in healthcare is to review and update the risk analysis at least annually. This aligns with the expectation that practices continually evaluate how protected health information is handled and whether safeguards remain appropriate.
Beyond an annual review, a new or updated risk assessment is typically needed when significant changes occur, such as:
• Adopting or changing an electronic health record
• Implementing or expanding telehealth services
• Hiring clinicians, interns, or administrative staff
• Restructuring supervision or documentation workflows
• Adding new service lines or practice locations
• Changing billing systems or vendors
• Beginning to work across state lines
• Modifying communication tools or platforms
Each of these changes alters how protected health information moves through the practice. As workflows shift, so does the risk landscape.
For solo clinicians, this might mean revisiting the evaluation when moving from paper to electronic documentation, adding telehealth, or changing communication habits with clients.
For group practices, the need for updates can occur more frequently. Growth introduces new access points, supervision structures, and coordination between clinical and administrative roles.
The expectation is not that practices repeat the entire process from the beginning every time something changes. Instead, the goal is to reassess how new developments affect risk and to document any adjustments.
This ongoing approach demonstrates that compliance is active rather than static. It shows that the practice is aware of how its operations evolve and is monitoring the impact on client information.
Without periodic review, a risk assessment can quickly become outdated. Technology changes, staff roles shift, and communication tools evolve. Documentation that once reflected the practice accurately may no longer match reality.
For therapists and private practice clinicians, this is often the point where compliance moves from theory into daily operations. The risk assessment becomes a living reference for how the practice manages protected health information over time.
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.