Who does HIPAA apply to? Compliance for therapists
Compliance for therapists is imperative in behavioral health. Unsure if HIPAA applies to you? Our guide helps clarify compliance expectations.
As a new therapist, navigating compliance with HIPAA, the Health Insurance Portability and Accountability Act, can feel overwhelming. While focusing on providing the best possible care, you also need to understand and adhere to all of HIPAA's legal requirements. Doing so is crucial to safeguarding your clients and maintaining the integrity of your practice.
HIPAA ensures the confidentiality of protected health information (PHI) and sets the standards for privacy, security, and electronic data exchange in healthcare. In this guide, we’ll break down the key collaborators in your practice who must follow HIPAA, and help you ensure your practice is compliant.
Covered entities
HIPAA regulations apply to certain types of organizations, known as "covered entities." They're required to follow specific guidelines set forth by the Department of Health and Human Services to safeguard sensitive health information.
A covered entity is an individual or organization that processes health information or provides healthcare services. In a behavioral health context, these typically include providers like therapists, healthcare plans, and healthcare clearinghouses. Here are some examples of covered entities.
1. Providers
As a provider, you are considered a "covered entity" under HIPAA. This means you are legally obligated to protect your clients' health information by ensuring privacy, security, and confidentiality. HIPAA compliance for therapists requires careful attention to how client data is stored, transmitted, and shared.
In a behavioral health setting, this could include securely storing client records, using encrypted telehealth platforms, and ensuring confidentiality in communication. Any sharing of client data for treatment, billing, or other purposes must be done with explicit consent and with safeguards in place.
For example, if you're providing therapy via telehealth, it’s essential that the platform you use is HIPAA-compliant, ensuring it encrypts your clients' data to protect it from unauthorized access.
2. Healthcare plans
Healthcare plans, such as insurance companies, are also considered covered entities under HIPAA. While they don’t directly provide healthcare services, they handle PHI and must comply with the privacy and security rules of HIPAA. As a provider, you may need to share certain client information with insurance companies for billing or treatment purposes, but this must always be done securely and with the proper consent.
3. Healthcare clearinghouses
Healthcare clearinghouses process nonstandard health information, such as converting paper records into electronic formats. These entities play an essential role in simplifying administrative tasks like billing and payment processing. While you may not interact directly with a healthcare clearinghouse on a day-to-day basis, it's important to ensure they follow HIPAA guidelines when dealing with your clients' health data.
4. Business associates
Business associates are individuals or organizations that perform services for or on behalf of a covered entity and have access to PHI. This could include billing services, IT providers, or contracted administrative staff. Even though they are not directly providing therapy, if they handle or have access to your clients' data, they must comply with HIPAA.
For instance, if you work with an outside billing service, they must sign a Business Associate Agreement (BAA) ensuring they handle PHI in compliance with HIPAA regulations. This includes maintaining secure systems for storing and transmitting information.
5. Subcontractors
Subcontractors work under a business associate agreement and may also have access to PHI, meaning they must comply with HIPAA as well. For example, if your billing service hires a third-party contractor to manage patient records, that contractor is considered a subcontractor and must be HIPAA-compliant. Ensuring that subcontractors meet these standards protects your clients’ sensitive information from potential breaches.
6. Hybrid entities
Hybrid entities are organizations that are part healthcare provider and part non-healthcare provider. For example, a community health center that provides therapy services but also runs a wellness store is a hybrid entity. HIPAA applies only to the healthcare portion of the organization. It’s important to ensure that the non-healthcare parts of an organization are properly segmented and do not mishandle protected health information.
7. Researchers
In certain contexts, researchers may also be subject to HIPAA compliance if they are handling PHI as part of their studies. If a researcher collects mental health data for a study, they must ensure that the data is anonymized or protected to maintain confidentiality. This is particularly relevant in behavioral health research, where sensitive client information is often involved.
For example, if you're involved in research about treatment outcomes in therapy and need to access client records, you must ensure that the data is de-identified to comply with HIPAA’s privacy rule.
Who does HIPAA not apply to?
While HIPAA applies to a wide range of entities in the healthcare system, it does not extend to everyone. There are several organizations and individuals who are not required to follow HIPAA guidelines.
In the behavioral health context, here are some examples of those who are not obligated to comply with HIPAA:
- Life insurance companies: They do not fall under HIPAA as they’re not involved in the delivery of healthcare services.
- Employers: Unless they provide health plans, employers are not required to follow HIPAA.
- Schools: Educational records, such as student health records, are generally protected under the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
- Gyms and fitness centers: Unless they are involved in medical services, gyms do not need to adhere to HIPAA.
What information is protected under HIPAA’s privacy rule?
The privacy rule sets standards for what is considered protected health information. PHI refers to any health data that identifies an individual and is related to that individual’s healthcare condition, treatment, or payment for treatment.
It’s essential to maintain the privacy and security of PHI to ensure client trust and legal compliance. Here are a few examples of what is considered PHI:
- Common identifiers, such as name, date of birth, or address, when they are linked to health information
- Diagnosis
- Treatment history
- Insurance information
Protecting this information is paramount in behavioral health, as it directly affects the therapeutic relationship. Failure to properly safeguard PHI can lead to serious legal consequences and damage to your practice’s reputation.
Headway is your practice’s HIPAA-compliant partner
Managing HIPAA compliance can be complex, but Headway makes it easier. With secure scheduling, billing, and a telehealth platform, our tools support a seamless, HIPAA-compliant practice. We limit PHI access to what's necessary, train our team on privacy best practices, and maintain audit logs for added security. With Headway, you can protect your clients and focus on what matters most — providing excellent care.
This content is for general informational and educational purposes only and does not constitute clinical, legal, financial, or professional advice. All decisions should be made at the discretion of the individual or organization, in consultation with qualified clinical, legal, or other appropriate professionals.
© 2025 Therapymatch, Inc. dba Headway. All rights reserved. No part of this publication may be reproduced without permission.