HIPAA Risk Assessments for Therapists:
What Actually Counts (and What Doesn’t)
Most therapists assume they are “covered” when it comes to HIPAA.
They use an EHR.
They have intake paperwork.
They signed a few Business Associate Agreements.
They may have even downloaded a policy template at some point.
From a clinical perspective, that feels responsible.
From a compliance perspective, it is often incomplete.
Regulators do not evaluate whether a practice had good intentions. They evaluate whether the practice can produce documented proof that risks to protected health information were identified, assessed, and actively managed.
That process is the HIPAA risk assessment.
For mental health providers, this is one of the most misunderstood requirements under HIPAA. It is frequently rushed, treated as a one-time task, or assumed to be handled by an EHR vendor. In reality, it is the foundation of a defensible compliance program.
A therapy practice does not have to be large to be accountable. Solo clinicians, group practices, and telehealth-only providers all handle protected health information. That brings the same expectation to evaluate risk and document how it is addressed.
Understanding what actually counts as a HIPAA risk assessment and what does not is where many private practices get tripped up. The difference between those two determines whether a practice is prepared to demonstrate compliance or left exposed if questions arise.
Under HIPAA, the formal requirement is the risk analysis standard at 45 CFR § 164.308(a)(1)(ii)(A) of the Security Rule, usually written out as a Security Risk Analysis and sometimes referred to as a Security Risk Assessment. Many therapists simply hear it called a “HIPAA risk assessment,” but all of these terms refer to the same required evaluation.
Why This Matters Now
HIPAA enforcement does not begin with whether a therapist had policies, forms, or an EHR in place. It begins with whether the practice can demonstrate that it evaluated risks to protected health information and took steps to address them.
This requirement is foundational to how HIPAA evaluates whether a practice is actively managing risk, rather than assuming compliance is in place.
Any mental health provider who creates, receives, stores, or transmits protected health information is expected to conduct and document this evaluation. That includes solo therapists, group practices, telehealth-only providers, and organizations with clinical and administrative staff.
The purpose is not paperwork. The purpose is to identify where protected health information could be exposed and to show that the practice has taken reasonable steps to reduce those risks.
This is where many therapy practices unintentionally fall short. Compliance efforts often focus on visible elements such as consent forms, privacy notices, or business associate agreements. Those are important, but they do not replace a documented risk analysis.
Regulators evaluate whether a practice can demonstrate:
awareness of where protected health information exists
understanding of potential threats to that information
prioritization of risk areas
actions taken to reduce exposure
ongoing review as the practice changes
Without that documentation, a practice may appear organized on the surface while lacking the foundation required under HIPAA.
For mental health providers, this gap is common. Clinical training prepares therapists to protect client confidentiality in session. It does not typically prepare them to evaluate operational risk across devices, documentation workflows, staff access, telehealth platforms, and data transmission.
The HIPAA risk assessment sits at the intersection of those realities. It connects privacy obligations with daily practice operations and creates the documentation that demonstrates compliance is active, not assumed.
Understanding whether your current approach meets that standard is the first step. Many private practice clinicians discover that what they believed counted as a risk assessment was actually only one piece of a much larger requirement.
Do Therapists Legally Need a HIPAA Risk Assessment?
In most cases, yes.
A therapist or mental health practice becomes a HIPAA covered entity by transmitting health information electronically in connection with a standard transaction, most commonly electronic insurance claims or eligibility checks. Once covered, the practice is expected to conduct and document a Security Risk Analysis over all of the electronic protected health information it creates, receives, maintains, or transmits. This applies regardless of practice size.
Many private practice clinicians assume the requirement is aimed at hospitals or large healthcare systems. In reality, the HIPAA Security Rule applies to every covered entity and business associate handling electronic protected health information, and it does not carve out small providers.
This includes:
solo therapists in private practice
group practices
telehealth-only providers
clinicians using an electronic health record
practices that bill insurance electronically
practices that communicate with clients electronically
If the practice is covered and protected health information exists in electronic form anywhere in it, the expectation to evaluate risk exists. A cash-only practice that never transmits information electronically for a standard transaction may fall outside HIPAA, but that determination should itself be written down, because it is the first question a reviewer will ask.
A common misconception is that small practices are exempt. HIPAA does not remove the requirement based on size. Instead, it expects risk analysis and safeguards to be appropriate to the scale and complexity of the practice.
Another misconception is that an EHR or telehealth platform “covers” this requirement. Technology vendors manage their own systems. They do not conduct a risk analysis of how a specific therapy practice uses those systems, how staff access information, or how documentation moves through the workflow.
A therapist may be fully licensed, ethically trained, and using reputable technology while still lacking a documented HIPAA risk assessment. From a regulatory perspective, that gap matters.
The expectation is not perfection. It is reasonable, documented awareness of risk and a process for addressing it.
For mental health providers, the environments where risk exists often extend beyond obvious systems. Risk can be present in:
personal and work devices
email and messaging workflows
telehealth platforms
documentation habits
staff access and supervision structures
billing and scheduling systems
physical office environments
record storage and retention practices
A Security Risk Analysis examines how protected health information moves through all of those areas. It looks at where exposure could occur and whether safeguards are in place.
Without that evaluation, a practice cannot demonstrate that it understands its risk landscape.
This is why the question is not simply whether therapists “need” a risk assessment. The more accurate question is whether a practice can show how it identified and addressed risks to client information.
For most mental health providers, that documentation is expected and becomes increasingly important as practices adopt telehealth, expand services, hire staff, or work across state lines.
What Counts as a Real HIPAA Risk Assessment?
A real HIPAA risk assessment is not a single document, a downloaded checklist, or a report generated by a software system. It is a structured evaluation of how protected health information moves through a therapy practice and where that information could be exposed.
Under the HIPAA Security Rule, the expectation is that a practice identifies potential threats to electronic protected health information, evaluates the likelihood and impact of those threats, and documents the safeguards in place to reduce risk.
For mental health providers, this goes beyond technology. It includes how clinical work, documentation, and communication actually occur day to day.
A meaningful risk assessment considers:
where protected health information is created, stored, and transmitted
who has access to that information and how access is managed
how devices are used for clinical and administrative tasks
how telehealth sessions are conducted and documented
how communication occurs with clients, staff, and vendors
how records are stored, retained, and disposed of
how billing, scheduling, and supervision processes interact with protected information
This evaluation is specific to the practice. Two therapy practices using the same EHR may have very different risk profiles depending on how clinicians document, communicate, and manage access.
For example, risk may exist in:
clinicians accessing records from multiple devices
shared office spaces and privacy controls
staff roles and permission levels
remote work environments
email and messaging workflows
supervision structures and documentation review
integrations between EHR, billing, and scheduling tools
A real risk assessment does not assume these areas are secure. It examines them and documents what is in place to reduce exposure.
The focus is not only on technology. Workflow habits matter. Documentation practices matter. Communication patterns matter. In mental health settings, these operational realities shape how protected health information is handled. Documentation requirements play a central role in how compliance is demonstrated, particularly through written policies, procedures, and workforce oversight.
A thorough Security Risk Analysis typically includes:
identification of where electronic protected health information exists
evaluation of potential threats to that information
assessment of existing safeguards
determination of where additional protections may be needed
documentation of findings and decisions
The process connects privacy obligations with daily practice operations. It shows how a practice moves from awareness to action.
For therapists and group practice owners, this is where the concept often shifts. What initially sounds like a technical requirement becomes an operational one. The assessment reflects how the practice actually functions, not just what policies say on paper.
When done correctly, the result is not a generic form. It is a documented understanding of the practice’s risk landscape and the steps taken to manage it.
What Does NOT Count as a HIPAA Risk Assessment?
One of the most common sources of confusion for therapists is assuming that certain actions or documents automatically satisfy the HIPAA requirement. Many practices have pieces of compliance in place but have never completed a true Security Risk Analysis.
Several things are often mistaken for a HIPAA risk assessment, even though they do not meet the expectation on their own.
Using an EHR does not equal a risk assessment.
Electronic health record vendors secure their platforms and provide their own safeguards, but they do not evaluate how a specific therapy practice uses the system, who has access, how documentation is handled, or how information moves between devices and workflows.
Signing Business Associate Agreements does not equal a risk assessment.
BAAs are necessary when vendors handle protected health information, but they do not evaluate the risks within the practice itself.
Having HIPAA policies and procedures does not equal a risk assessment.
Policies describe how a practice intends to operate. A risk assessment evaluates how the practice actually operates and where exposure may exist.
Completing a cybersecurity scan does not equal a risk assessment.
Technical scans test systems for known software weaknesses at a point in time. They do not inventory where protected health information lives, rate the likelihood and impact of each threat, or address workflow habits, documentation practices, staff access, or communication patterns. A scan can be one input to the analysis; it is not the analysis.
Downloading a checklist or template does not equal a risk assessment.
Generic tools may raise awareness, but they do not reflect the specific risks of an individual therapy practice unless they are tailored, evaluated, and documented in context.
Completing a risk assessment once and never revisiting it does not meet expectations.
HIPAA anticipates ongoing evaluation, especially as practices adopt telehealth, hire staff, change technology, or expand services.
Relying solely on a vendor’s statement that a system is “HIPAA compliant” does not replace internal evaluation.
Compliance is not transferred from a vendor to a practice. HHS does not certify any product or service as “HIPAA compliant,” so the phrase is the vendor’s own description of its controls, not a regulatory status. Each practice must understand how protected health information flows through its own environment.
For mental health providers, these misunderstandings are common because compliance efforts often start with visible steps such as purchasing software, updating forms, or signing agreements. Those actions are important, but they do not replace a documented analysis of risk.
A Security Risk Analysis looks at the practice holistically. It connects policies, technology, staff roles, documentation habits, and communication workflows. Without that connection, compliance can appear organized while still lacking the foundation regulators expect.
Recognizing what does not count is often the moment when private practice clinicians realize that their current approach may not fully meet the requirement. That realization is not about fault. It reflects how complex compliance can be when clinical work and operational systems intersect.
Common Mistakes Therapists Make with HIPAA Risk Assessments
Most compliance gaps in mental health practices do not come from ignoring HIPAA. They come from misunderstanding what is required and assuming certain steps already covered the obligation.
Therapists are trained to protect confidentiality in session. Operational risk across devices, documentation, staff access, and communication workflows is a different skill set. When practices grow or adopt new technology, the gap becomes more visible.
Several patterns show up repeatedly in private practice and group settings.
Treating the risk assessment as a one-time task.
A practice may complete something early in its development and never revisit it, even as telehealth, new systems, and staff roles are added.
Assuming technology handles the requirement.
Using an EHR, secure email, or telehealth platform can create a false sense of protection. Vendors manage their systems. They do not evaluate how a therapy practice uses them or where workflow risks exist.
Lacking documentation of the evaluation itself.
A practice may discuss risks informally or make adjustments over time but never document what was reviewed, what decisions were made, or how risks were prioritized.
Focusing only on policies rather than real workflows.
Written procedures may exist, but day-to-day habits around documentation, communication, and device use may differ from what is written.
Overlooking staff access and supervision structures.
As soon as additional clinicians, interns, or administrative staff are involved, access to protected health information becomes more complex and requires active evaluation.
Ignoring telehealth and remote work environments.
Working from home, using multiple devices, and conducting sessions across locations introduce risks that do not exist in a single office setting: screens visible to household members, notes saved to an unencrypted personal device, or session audio carrying into shared space.
Not updating after changes in the practice.
Hiring staff, changing EHR systems, adding services, or working across state lines all affect how protected health information is handled. Each change alters the risk landscape.
Treating the assessment as a technical exercise only.
Risk analysis includes technology, but it also includes communication habits, documentation practices, record handling, and how information flows between people and systems.
These mistakes are understandable. Many therapists are balancing clinical work, business responsibilities, and administrative demands. Compliance tasks can feel secondary until something draws attention to them.
A well-structured risk assessment helps move the process from reactive to proactive. It creates a clearer picture of how protected health information is handled and where attention is needed, rather than relying on assumptions.
For group practices, these mistakes often compound. More staff, more systems, and more communication pathways increase complexity. Without a structured evaluation, it becomes difficult to see how risks interact across the organization.
Recognizing these patterns is often the point where clinicians begin to understand that compliance is not just about forms or software. It is about how the practice operates as a whole.
How Often Therapists Should Conduct a HIPAA Risk Assessment
HIPAA does not assign a single calendar date for completing a Security Risk Analysis, but it does expect the evaluation to be ongoing and updated as a practice evolves.
For most mental health providers, this means the risk assessment is not a one-time event. It is a recurring process that reflects changes in technology, staffing, services, and workflows.
A common standard in healthcare is to review and update the risk analysis at least annually. This aligns with the expectation that practices continually evaluate how protected health information is handled and whether safeguards remain appropriate.
Beyond an annual review, a new or updated risk assessment is typically needed when significant changes occur, such as:
adopting or changing an electronic health record
implementing or expanding telehealth services
hiring clinicians, interns, or administrative staff
restructuring supervision or documentation workflows
adding new service lines or practice locations
changing billing systems or vendors
beginning to work across state lines
modifying communication tools or platforms
Each of these changes alters how protected health information moves through the practice. As workflows shift, so does the risk landscape.
For solo clinicians, this might mean revisiting the evaluation when moving from paper to electronic documentation, adding telehealth, or changing communication habits with clients.
For group practices, the need for updates can occur more frequently. Growth introduces new access points, supervision structures, and coordination between clinical and administrative roles.
The expectation is not that practices repeat the entire process from the beginning every time something changes. Instead, the goal is to reassess how new developments affect risk and to document any adjustments.
This ongoing approach demonstrates that compliance is active rather than static. It shows that the practice is aware of how its operations evolve and is monitoring the impact on client information.
Without periodic review, a risk assessment can quickly become outdated. Technology changes, staff roles shift, and communication tools evolve. Documentation that once reflected the practice accurately may no longer match reality.
For therapists and private practice clinicians, this is often the point where compliance moves from theory into daily operations. The risk assessment becomes a living reference for how the practice manages protected health information over time.
What Documentation Must Exist After a HIPAA Risk Assessment
Completing a HIPAA risk assessment is only part of the requirement. The Security Rule expects the evaluation to be written down, and its documentation standard (45 CFR § 164.316(b)) requires that record to be retained for six years from the date it was created or last in effect, so that the practice can demonstrate how risks were identified, reviewed, and addressed.
This documentation becomes the evidence that compliance efforts are active and ongoing rather than assumed.
For therapists and mental health providers, this is often the most overlooked component. Practices may think through risk informally or make operational changes over time, but without documentation, there is no record that the evaluation occurred.
Regulators do not look for perfect systems. They look for proof that the practice:
examined where protected health information exists
considered potential threats to that information
reviewed current safeguards
identified areas needing attention
made decisions about how to reduce risk
revisited the process as the practice changed
The goal is to demonstrate a structured approach, not a single document completed in isolation.
Documentation typically reflects:
the scope of the evaluation
the environments and systems reviewed
areas where protected health information is handled
findings and observations
actions taken or planned
follow-up and ongoing monitoring
For private practice clinicians, this may include how devices are used, how documentation is created and stored, how telehealth sessions are conducted, how communication occurs with clients, and how access is managed.
For group practices, documentation often expands to include staff roles, supervision structures, vendor relationships, and coordination between administrative and clinical systems.
The purpose is to show that the practice understands its risk landscape and is actively managing it.
Without documentation, a practice may still be taking responsible steps, but it cannot demonstrate that work if questions arise. Compliance becomes difficult to verify, even when intentions and efforts are present.
This is why the risk assessment is considered foundational. It connects privacy obligations, operational workflows, and ongoing decision-making into a record that shows how the practice protects client information.
For many therapists, recognizing the importance of documentation shifts the way compliance is viewed. It moves from an abstract requirement into a concrete record of how the practice operates and evolves.
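One way to make the elements above concrete is a small risk register. The sketch below is an added illustration for this article, not the author’s tool, not the HHS Security Risk Assessment Tool, and not a legal standard. It records each place ePHI lives, the threat, a likelihood and impact rating, the safeguards already in place, the decision taken, and when the entry was last reviewed; it then prioritizes by score, flags entries past the review interval, and lists which entries a practice change (such as hiring staff) should reopen. The 1 to 5 rating scale, the score thresholds, the 365-day interval, the trigger names, the assessment date, and the three sample entries are all assumptions chosen for the example.

```python
"""Minimal risk register for a HIPAA Security Risk Analysis.

Added illustration only: not the article's tool, not the HHS SRA Tool.
The rating scale, thresholds, review interval, trigger names and the
sample entries are assumptions chosen for the example.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

RATING_MIN, RATING_MAX = 1, 5            # assumed likelihood/impact scale
REVIEW_INTERVAL = timedelta(days=365)    # assumed "at least annually"
ASSESSMENT_DATE = date(2025, 6, 1)       # assumed date of the current review
# Assumed practice changes that should reopen the entries tagged with them.
CHANGE_TRIGGERS = {"new_ehr", "telehealth", "new_staff", "new_location", "new_vendor"}


@dataclass
class RiskEntry:
    ephi_location: str      # where ePHI is created, stored or transmitted
    threat: str             # what could expose it
    likelihood: int         # 1..5
    impact: int             # 1..5
    safeguards: list        # controls already in place
    planned_action: str     # what will be done, or an accepted-risk rationale
    last_reviewed: date
    triggers: set = field(default_factory=set)  # subset of CHANGE_TRIGGERS

    def __post_init__(self):
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if not RATING_MIN <= value <= RATING_MAX:
                raise ValueError(f"{name} must be {RATING_MIN}..{RATING_MAX}, got {value}")
        unknown = self.triggers - CHANGE_TRIGGERS
        if unknown:
            raise ValueError(f"unknown change trigger(s): {sorted(unknown)}")

    @property
    def score(self) -> int:
        """Likelihood x impact, 1..25."""
        return self.likelihood * self.impact

    @property
    def level(self) -> str:
        # Assumed thresholds on the 1..25 product scale.
        if self.score >= 15:
            return "high"
        if self.score >= 8:
            return "medium"
        return "low"


def prioritize(register):
    """Highest score first, so remediation effort goes to the largest exposure."""
    return sorted(register, key=lambda r: r.score, reverse=True)


def overdue(register, today):
    """Entries not reviewed within REVIEW_INTERVAL as of `today`."""
    return [r for r in register if today - r.last_reviewed > REVIEW_INTERVAL]


def affected_by(register, change):
    """Entries to reassess after a practice change (e.g. hiring staff)."""
    if change not in CHANGE_TRIGGERS:
        raise ValueError(f"unknown change trigger: {change}")
    return [r for r in register if change in r.triggers]


def to_records(register, today):
    """Rows for the written record: findings, decisions and review status."""
    return [{"ephi_location": r.ephi_location, "threat": r.threat,
             "score": r.score, "level": r.level,
             "safeguards": list(r.safeguards), "planned_action": r.planned_action,
             "last_reviewed": r.last_reviewed.isoformat(),
             "review_overdue": today - r.last_reviewed > REVIEW_INTERVAL}
            for r in prioritize(register)]


def build_sample_register():
    """Constructed sample entries for a small telehealth practice (not real data)."""
    return [
        RiskEntry("Clinician laptop used for notes at home", "Device lost or stolen",
                  likelihood=3, impact=5, safeguards=["full-disk encryption", "screen lock"],
                  planned_action="Enable remote wipe; record in device policy",
                  last_reviewed=date(2024, 1, 15), triggers={"telehealth"}),
        RiskEntry("EHR user accounts", "Departed intern retains login",
                  likelihood=3, impact=4, safeguards=["offboarding checklist"],
                  planned_action="Quarterly access review with sign-off",
                  last_reviewed=date(2025, 1, 10), triggers={"new_staff"}),
        RiskEntry("Appointment reminder texts", "Message sent to wrong number",
                  likelihood=3, impact=2, safeguards=["date/time only, no clinical detail"],
                  planned_action="Accept; re-verify client numbers at intake",
                  last_reviewed=date(2024, 9, 1)),
    ]


if __name__ == "__main__":
    reg = build_sample_register()
    for row in to_records(reg, ASSESSMENT_DATE):
        flag = "REVIEW OVERDUE" if row["review_overdue"] else ""
        print(row["level"].upper(), row["score"], row["ephi_location"], flag)
    print("reassess after hiring:", [r.ephi_location for r in affected_by(reg, "new_staff")])
```

The point of the structure is that every column maps to something a reviewer asks for: where ePHI exists, what threatens it, how the threat was rated, what safeguard is in place, what decision was made, and when it was last revisited. Running `to_records` on the sample data orders the laptop entry first (score 15, and more than a year since review), and `affected_by(reg, "new_staff")` returns only the EHR account entry, which is the one to reopen when an intern joins or leaves.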
HIPAA Risk Assessment vs. “Being HIPAA Compliant”
A HIPAA risk assessment is a required component of compliance. It is not the same thing as being HIPAA compliant.
This distinction matters because many therapists and private practice clinicians assume that completing a risk assessment, updating policies, or adopting secure technology means the practice is fully compliant. In reality, compliance is an ongoing system of safeguards, decisions, and documentation that continues over time.
The Security Risk Analysis serves as a foundation. It helps a practice understand where protected health information exists, what risks are present, and what safeguards are needed. From there, compliance involves maintaining those safeguards, training staff, monitoring workflows, and revisiting decisions as the practice evolves.
A practice may complete a risk assessment and still have gaps if the findings are not addressed, updated, or integrated into daily operations.
For mental health providers, compliance typically includes:
privacy practices and client communication safeguards
secure handling of documentation and records
appropriate access to protected health information
staff training and supervision structures
vendor oversight and business associate management
technology safeguards and workflow controls
ongoing evaluation of risk as services and systems change
The risk assessment informs these areas, but it does not replace them.
Thinking of compliance as a one-time achievement creates vulnerability. Practices change constantly. Telehealth expands, new staff join, systems are updated, and communication habits shift. Each change affects how protected health information is handled.
A risk assessment helps identify where attention is needed at a given point in time. Compliance requires maintaining that awareness and documenting how the practice responds.
For therapists, this distinction can be clarifying. The goal is not to “finish HIPAA.” The goal is to operate in a way that continuously protects client information and can demonstrate that protection if asked.
Understanding this difference helps practices move away from a checklist mindset and toward a structured approach that reflects real operations.
HIPAA compliance is not a single task.
A Security Risk Analysis is a required foundation, but it does not equal full compliance. Compliance involves ongoing safeguards, documentation, staff awareness, and periodic review as a practice evolves.
What HIPAA Audits and Investigations Look For in Therapy Practices
When questions arise about HIPAA compliance, the focus is not on whether a therapist tried to do the right thing. The focus is on whether the practice can demonstrate how it identified risks to protected health information and what steps were taken to address them.
Audits and investigations look for documentation and consistency between what a practice says it does and how it actually operates.
For mental health providers, this often centers on a few key areas.
Evidence of a documented Security Risk Analysis.
Reviewers expect to see that risks were evaluated, not assumed, and that the process was recorded.
Alignment between policies and daily workflows.
If written procedures exist, they should reflect how the practice actually handles documentation, communication, and access to protected health information.
Awareness of where protected health information exists.
Practices are expected to understand how information moves across devices, systems, staff roles, and communication channels.
Actions taken to reduce identified risks.
The expectation is not that all risk is eliminated, but that reasonable safeguards are implemented and reviewed.
Ongoing attention rather than one-time activity.
Documentation should show that the practice revisits risk as technology, staffing, and services evolve.
In therapy settings, accountability often intersects with operational realities. Remote sessions, shared offices, staff supervision, and electronic communication all create environments where information can be exposed if safeguards are not clearly defined and maintained.
A practice that can explain how it evaluated these areas and what it implemented in response demonstrates active compliance. A practice that relies on assumptions or cannot produce documentation may appear unprepared, even if it has good intentions.
This is why the risk assessment carries so much weight. It reflects how a practice understands its responsibilities and how it manages the protection of client information over time.
For group practices, the complexity increases. More staff, more access points, and more systems require coordination. Documentation becomes even more important to show how responsibilities are assigned and monitored.
Understanding what audits and investigations look for helps shift the perspective from abstract compliance requirements to real-world accountability. It clarifies why the risk assessment is considered foundational and why ongoing attention is expected.
Therapist-Specific Risk Areas Often Overlooked
In mental health settings, risk does not exist only in large systems or complex networks. It often exists in ordinary, everyday workflows. Because these habits feel routine, they are easy to miss during a general review.
A Security Risk Analysis for a therapy practice must account for how clinical work actually happens, not just how systems are designed to function.
Several areas commonly require closer evaluation in private practice and group environments.
Device use across clinical and administrative tasks.
Therapists frequently move between laptops, tablets, and phones for documentation, scheduling, and communication. Each device introduces its own exposure if safeguards and usage habits are not clearly defined.
Remote work and telehealth environments.
Conducting sessions from home or multiple locations changes how privacy is maintained and how information is accessed and stored. These environments require evaluation beyond the telehealth platform itself.
Communication workflows with clients.
Email, messaging, appointment reminders, and follow-up communication all involve protected health information in different forms. Risk depends on how these workflows are structured and managed.
Documentation habits.
Where notes are created, how they are stored, how they are accessed, and who can view them all affect exposure. Differences between intended procedures and actual habits often emerge here.
Staff roles and supervision structures.
In group practices, interns, administrative staff, and supervising clinicians may interact with protected health information differently. Access and oversight require active review.
Scheduling, billing, and coordination systems.
Protected health information can exist outside clinical documentation in intake systems, billing tools, and communication between administrative and clinical teams.
Physical office environments.
Shared spaces, file storage, and conversations in administrative areas can introduce risk when privacy controls are not clearly defined.
Vendor relationships and integrations.
EHR systems, telehealth platforms, billing tools, and communication services interact in ways that affect how information moves between systems.
For therapists, these areas often feel like part of normal operations rather than compliance concerns. The purpose of a risk assessment is to step back and evaluate how each of these environments affects the protection of client information.
This perspective helps shift the conversation from abstract requirements to practical realities. It acknowledges that mental health practices operate differently from other healthcare settings and that risk is shaped by clinical workflows, not just technology.
Recognizing these areas does not mean something is wrong. It means the practice is taking a structured look at how protected health information is handled and where attention may be needed.
What to Do Next
Understanding what counts as a HIPAA risk assessment is often the point where therapists realize the gap between general compliance awareness and operational implementation.
For some practices, the next step is confirming that an existing process meets expectations. For others, it is recognizing that the evaluation was incomplete, outdated, or never formally documented.
Moving forward typically involves three practical considerations.
First, evaluate your current position.
Consider whether a documented Security Risk Analysis exists and whether it reflects how the practice operates today. Technology, staffing, and workflows change over time, and compliance documentation must keep pace.
Second, identify where assumptions may be present.
Many private practice clinicians rely on software, policies, or past efforts without revisiting how protected health information currently moves through the practice. Clarifying those areas helps bring risk into view.
Third, approach the process as ongoing rather than one-time.
HIPAA compliance is not achieved through a single task. It is maintained through periodic evaluation, adjustments, and documentation as the practice evolves.
For mental health providers, this process can feel unfamiliar at first. Clinical training emphasizes confidentiality and ethical responsibility, but operational risk management is often learned through experience. The risk assessment connects those worlds by translating privacy obligations into daily practice decisions.
Taking a structured approach helps practices move from uncertainty to clarity. It creates a foundation for protecting client information, supporting staff, and demonstrating accountability if questions arise.
Over time, this work becomes part of how a practice operates rather than a separate compliance task. It reflects an understanding that protecting protected health information is not only a regulatory expectation, but a core element of responsible clinical care.
About the Author
Samantha Schalk, LMSW-C, LMSW-M, CAADC, CIMHP, BCP3
Samantha is a licensed mental health professional, private and group practice owner, and the founder of Guardian Clinical Essentials™, where she helps therapists and group practices implement practical, audit-ready HIPAA and state-specific compliance systems.
Drawing from direct experience in clinical practice and compliance consulting, Samantha specializes in translating complex federal and state regulations into clear, usable policies, tools, and workflows designed specifically for mental health providers.
Related HIPAA Resources for Mental Health Providers
Review federal HIPAA Security Risk Analysis guidance (HHS/OCR)
Explore HIPAA compliance resources for mental health providers
