Do Solo Therapists Need HIPAA Compliance? Yes — Here's What OCR Actually Expects
"I'm just a solo therapist — HIPAA doesn't really apply to me, right?"
This is one of the most common misconceptions in mental health, and one of the most dangerous. The short answer: if you transmit patient information electronically for any HIPAA standard transaction (an insurance claim, an eligibility check, a referral authorization), you are a covered entity and HIPAA applies to you in full. There is no small-practice exemption. There is no solo-provider carve-out. And OCR (the Office for Civil Rights, which enforces HIPAA) has proven repeatedly that it will investigate and fine individual practitioners.
This guide covers exactly what HIPAA requires of you as a solo therapist, what OCR actually looks for, and how to get compliant without spending thousands on a consultant.
The "I'm Too Small" Myth
Let's be blunt: practice size has never been a factor in HIPAA applicability. The rule covers every "covered entity", and that includes every healthcare provider who transmits health information electronically in connection with a HIPAA standard transaction (electronic claims, eligibility inquiries, claim status checks, referral authorizations and the like).
If you do any of the following, you're a covered entity:
- Submit claims to an insurer electronically, directly or through a clearinghouse
- Check a patient's coverage or a claim's status electronically
- Send or receive electronic referral authorizations
- Use a practice management system or billing service that does any of the above on your behalf
Being self-pay doesn't automatically put you outside HIPAA: a single electronic eligibility check, or one out-of-network claim submitted electronically on a patient's behalf, is enough, and most practices do at least that. Once you are a covered entity, the Security Rule covers all of your ePHI wherever it lives, not just the transaction that made you covered: your EHR, your telehealth platform, your email, the notes on your phone. A practice that genuinely never does any of these is not a HIPAA covered entity, but state privacy law and your licensing board's confidentiality rules still apply, and the controls in this guide are still the right baseline.
Real Fines Against Solo Providers
OCR doesn't just go after hospitals. Here are real enforcement actions against individual and small providers:
$25,000 — Solo dental practice. Failed to provide a patient with records within the required 30-day window. OCR investigated and found no policies, no risk analysis, no training documentation.
$30,000 — Solo medical practice. A breach report triggered an investigation. OCR found the practice had never conducted a Security Risk Analysis — the single most common violation in enforcement history.
$100,000 — Solo physician. Inappropriately accessed patient records for personal reasons. The underlying investigation revealed zero compliance documentation.
$125,000 — Small allergy practice. A physician discussed a patient with a television reporter after the practice's privacy officer had told him not to respond to the media, and the practice took no disciplinary or corrective action afterwards.
The pattern is consistent: the triggering event is usually something specific (a complaint, a breach, a records request), but the real damage comes from the absence of basic compliance documentation.
What OCR Actually Expects From Solo Practices
OCR doesn't expect you to have a dedicated compliance officer, a 200-page policy manual, or enterprise-grade security infrastructure. They expect evidence that you've taken reasonable steps to protect patient data. Specifically:
1. A completed Security Risk Analysis
This is non-negotiable. It is one of the first items in OCR's document request in practically every investigation. Your SRA should identify where ePHI lives in your practice (every device, account and vendor), what threats exist, and how you're mitigating them, and you should keep the dated copy so you can produce it on request.
For a solo practice, this doesn't need to be hundreds of pages. It needs to be thorough, honest, and documented. Yundra's free assessment generates a scored risk analysis from 40 plain-English questions — it takes about 25 minutes.
2. Written policies and procedures
You need written security policies that describe how your practice handles ePHI. Not what you plan to do someday — what you actually do now. Administrative safeguards (who is your Security Official?), physical safeguards (how do you secure your devices?), and technical safeguards (password policies, encryption, audit logs).
3. Business Associate Agreements
Every vendor that handles patient data on your behalf needs a signed BAA. This includes your EHR, email provider (if used for patient communication), telehealth platform, cloud storage, billing service, and any answering service. If you're not sure which vendors need BAAs, read our guide to HIPAA BAAs for therapists.
4. Security awareness training
You need to complete HIPAA security training and document it. If you have any staff (even a part-time receptionist or billing assistant), they need training too.
5. An incident response plan
What will you do if something goes wrong? A lost laptop, a phishing email, a misdirected fax. You need a written plan that covers containment, assessment (was the data encrypted? how many patients are affected?), notification (the Breach Notification Rule gives you 60 days from discovery to notify affected patients; a breach affecting 500 or more people must also be reported to HHS and the media within that window, while smaller ones are logged and reported to HHS annually), and documentation.
The Minimum Viable Compliance Checklist
Here's what "reasonably compliant" looks like for a solo therapy practice:
- [ ] Completed and dated Security Risk Analysis (reviewed annually)
- [ ] Written security policies covering admin, physical, and technical safeguards
- [ ] Signed BAAs with every vendor that touches ePHI
- [ ] Notice of Privacy Practices provided to all patients
- [ ] HIPAA security training completed and logged
- [ ] Incident response plan written and accessible
- [ ] Devices encrypted (full-disk encryption on laptops, phones and backup drives; a lost encrypted device is generally not a reportable breach, a lost unencrypted one is)
- [ ] MFA enabled on EHR, email, and telehealth accounts
- [ ] Unique passwords for every system (use a password manager)
- [ ] Automatic logoff or screen lock configured on every device that reaches ePHI
- [ ] Regular, tested backups of patient data, kept encrypted and separate from the device they protect
This isn't optional. It's not aspirational. It's the baseline.
"But My EHR Is HIPAA Compliant"
This is the second most dangerous misconception. Your EHR being "HIPAA compliant" means the EHR vendor has built their product with HIPAA-appropriate security features. It does not mean your practice is compliant.
Using a compliant EHR is like buying a car with seatbelts — it provides the safety features, but you still have to wear the seatbelt. You still need to:
- Configure it properly (enable MFA, set session timeouts)
- Use strong, unique passwords
- Understand and document what security features you're using
- Have policies for how your practice uses the system
- Have a BAA signed with the EHR vendor
The EHR is one piece of your compliance puzzle, not the whole picture.
What About Telehealth?
If you provide telehealth sessions, additional requirements apply:
- Your telehealth platform must be one whose vendor will sign a BAA and that you run under that agreement (Doxy.me, or Zoom under Zoom's BAA such as Zoom for Healthcare; not a free consumer Zoom account, not FaceTime, not a personal Google Meet account, although Meet inside a Google Workspace account covered by Google's BAA does qualify)
- You need a signed BAA with the platform provider
- Transmission encryption must be enabled (most compliant platforms handle this automatically)
- You should document your telehealth security practices in your policies
The COVID-era enforcement discretion that let providers hold sessions on consumer video apps ended in 2023, so a session on a platform without a BAA is now a plain violation.
Read our guide to HIPAA-compliant telehealth platforms for a detailed comparison.
What About Email?
Email is where many solo therapists unknowingly violate HIPAA. Key rules:
- Regular Gmail is not HIPAA compliant and Google will not sign a BAA for it
- Google Workspace (paid) offers a BAA — you must sign it and configure the account properly
- Microsoft 365 offers a BAA
- Hushmail and Paubox are purpose-built HIPAA-compliant email services
- If you send any email containing patient names, appointment details, or clinical information, you need a BAA with your email provider; the BAA covers the provider's handling of your mailbox, not the hop to a patient's personal inbox, so keep clinical detail out of outbound email unless the patient has been told the risks of unencrypted email and still asked for it
For the full breakdown, read Is Gmail HIPAA Compliant for Therapists?
The Cost of Non-Compliance vs. Compliance
Let's do the math:
Cost of an OCR settlement: $25,000–$125,000+ for a solo practice, plus legal fees, remediation costs, reputational damage, and 1-3 years of corrective action monitoring.
Cost of getting compliant:
- DIY with federal templates: $0 but 20-40 hours of your time
- Consultant: $3,000–$10,000
- Yundra Compliance Pack: $399 (includes all 7 documents personalised to your practice)
The risk-reward calculation is clear. The question isn't whether you can afford to get compliant. It's whether you can afford not to.
Getting Started Today
If you're reading this and realising you have gaps, here's the fastest path to compliance:
Step 1 (25 minutes). Take Yundra's free HIPAA Risk Assessment. It scores your current compliance level across five categories and identifies every gap.
Step 2 (review your report). Your personalised report shows exactly where you stand — overall score, category breakdown, specific gaps with remediation steps.
Step 3 (get your documents). Generate your Compliance Pack — seven personalised HIPAA documents built from your assessment answers, referencing your practice name, vendors, and specific compliance situation.
Step 4 (implement). Use the remediation plan from your risk analysis to systematically close your gaps. Enable encryption, sign BAAs, configure MFA, complete training.
Step 5 (maintain). Review your risk analysis annually. Update policies when things change. Log training. Keep your BAA tracker current.
HIPAA compliance isn't a one-time project — it's an ongoing practice. But it starts with taking that first step. And for a solo therapist, the first step takes 25 minutes.