Yundra
← All articlesPractical Guides

Your First 90 Days as a Solo Therapist: The Complete Setup Guide

14 min read

You handed in your notice. Or maybe you never had an agency job to leave — you finished supervision, got licensed, and decided you were going to do this thing yourself. Either way, there's a particular feeling that hits somewhere around week one: a thrilling, slightly nauseating realization that you are now the clinician, the receptionist, the bookkeeper, the IT department, and the boss.

Grad school taught you to hold space for grief and reframe cognitive distortions. It did not teach you how to get an NPI number, choose between a dozen records systems, or figure out whether you need an LLC. Nobody does. You learn it by doing it, usually in a slightly panicked order.

This is the guide that lays it out calmly, in the sequence that actually works. Think of it as three phases of thirty days. You won't do everything perfectly, and you don't need to. You need to build the foundation in roughly the right order so nothing critical falls through the cracks.

Days 1 to 30: The business foundations

Before you see a single client, you're building the legal and financial shell your practice lives inside. This is the unglamorous month. It's also the month that, done right, you never have to think about again.

Decide on your business structure

Most solo therapists choose between operating as a sole proprietor or forming an LLC. A sole proprietorship is the default — you do nothing and you are one. An LLC creates a legal separation between you and the business, which can offer liability protection and a more professional footing.

There's no universally correct answer, and it depends on your state and your finances. This is worth one conversation with an accountant or a small-business attorney. An hour of paid advice here saves you from restructuring everything in year two.

Get your NPI number

Your National Provider Identifier is a free, ten-digit number that identifies you as a healthcare provider. You'll need it for insurance, for many records systems, and on a lot of paperwork. You apply through the NPPES website, and it's genuinely free — anyone charging you for it is reselling a public service.

Apply early, because the number shows up in other steps and you don't want to be blocked waiting for it.

Open a business bank account

Even as a sole proprietor, separate your business and personal money from day one. A dedicated checking account makes taxes infinitely simpler, makes you look professional, and keeps you from the nightmare of untangling a year of mixed transactions every April.

Pair it with simple bookkeeping. You don't need enterprise software — a clean spreadsheet or an inexpensive small-business accounting app is plenty for a solo practice starting out.

Lock in your insurance

You need professional liability insurance (malpractice coverage) before you see clients. Full stop. It's more affordable than new therapists expect, and several carriers specialize in mental health. Get a policy that matches how you'll actually practice — telehealth, in person, or both.

While you're at it, think about general business liability, especially if clients will physically visit you. And if you're working from home, confirm your home insurance doesn't quietly exclude business activity.

Sort out the practical odds and ends

  • Register your business name and check that the matching domain and social handles are available.
  • Get a business phone line separate from your personal cell — a voice-over-IP number works well and keeps your personal number private.
  • If you'll bill insurance, start the credentialing process now, because it is notoriously slow and can take months.

By the end of month one, you have a legally formed business, an NPI, a bank account, insurance, and a phone number. You are officially a practice. Now you make it work.

Days 31 to 60: Your tech stack

This is the fun month — and the month where it's easiest to either overspend on shiny tools or quietly sign yourself up for compliance problems. The goal is a small, reliable set of tools that talk to each other and treat client data properly.

A theme that runs through everything below: any tool that touches client information must be willing to sign a Business Associate Agreement, or BAA. We'll come back to BAAs in phase three, but keep the concept in mind as you shop. The consumer version of a popular app is rarely the version you can use.

Choose your EHR (electronic health record system)

This is your central nervous system — where notes, scheduling, billing, and client communication often live together. For solo therapists, several platforms are built specifically for small mental health practices, bundling progress notes, calendars, intake forms, payments, and a client portal into one subscription.

When you evaluate options, weigh:

  • Will they sign a BAA? A real practice-management platform always will. If they won't, walk away.
  • Does it fit how you work? Look at the note templates, the telehealth integration, and whether billing matches your insurance-or-private-pay reality.
  • What's the true cost? Watch for per-claim fees and add-ons stacked on top of the monthly base.
  • How painful is it to leave? Can you export your data if you outgrow it?

Don't agonize endlessly. Pick a well-reviewed system that fits your budget and your workflow, and start using it. Migrating later is possible if you must.

Set up telehealth

If your records system includes a built-in, BAA-backed video tool, that's often the simplest path — one fewer vendor to manage. If you want a standalone platform, choose one designed for healthcare that signs a BAA.

The consumer free tiers of mainstream video apps generally are not appropriate for clinical sessions, even when they feel secure, because you can't get the agreement that puts the vendor on the hook for protecting data. Use the healthcare-grade version.

Get HIPAA-compliant email

Your regular personal inbox is not built for clinical communication. You'll want email that supports a BAA and proper encryption for anything that might contain client information. Several providers offer this affordably, and some bundle it with the professional domain you set up in month one.

This matters even if you "barely email clients." Appointment confirmations, intake links, and the occasional message all count.

Build a simple website and scheduling flow

Your website does not need to be a work of art. It needs to:

  • Tell potential clients who you are, what you treat, and how to reach you.
  • Make booking or inquiring easy — ideally connected to your records system's scheduler so you're not double-entering appointments.
  • Avoid collecting sensitive health details through an unsecured contact form. A simple "request a consult" that routes into your secure system is far safer than a public form asking people to describe their symptoms.

A clean one-page site you can launch this month beats a perfect site you're still tinkering with in month six.

A note on devices and passwords

While you're assembling tools, set the ground rules: a dedicated work device with full-disk encryption turned on, automatic screen locking, a password manager generating a unique password for every account, and two-factor authentication everywhere it's offered. These habits cost almost nothing and prevent the most common, most embarrassing security failures.

By the end of month two, a client could find you online, book a session, meet you over secure video, and have their notes land in a proper records system. The machine runs. Now you make it bulletproof.

Days 61 to 90: Compliance and the part that protects you

Here's the honest framing. HIPAA is one piece of launching a practice, not the whole story — but it's the piece that turns a thriving practice into a crisis if you ignore it. The good news is that if you made smart choices in phase two, most of this month is documentation and a few signatures, not a scramble.

Do a HIPAA risk assessment

This is the single most important compliance task, and it's the one most new therapists skip because they don't know it's required.

A Security Risk Assessment is a structured look at where client data lives, how it could be exposed, and what you're doing about each risk. It is not optional — it's an explicit expectation under the HIPAA Security Rule, and it's the first thing investigators ask for. For a solo practice it's very manageable, especially with a guided tool that walks you through it.

The output is a clear picture of your gaps and a plan to close them. Doing this in month three means you find problems while they're cheap and easy to fix.

Collect your Business Associate Agreements

Now you go back to every vendor that touches client data — your records system, telehealth platform, email provider, secure storage, billing service — and make sure you have a signed BAA with each one.

Most of these are available with a few clicks in the vendor's account settings or by request. Save every signed agreement in one folder. A missing BAA with a vendor that handles real client data is one of the more common ways a small practice gets caught out, and it's entirely preventable.

Write your policies and your Notice of Privacy Practices

You need a small set of written policies and procedures — how you handle records, respond to a potential breach, manage access, and dispose of data. As a solo practitioner these can be concise and practical; they just need to exist, reflect what you actually do, and get reviewed periodically.

You also need a Notice of Privacy Practices, the document that tells clients how their information is used and what rights they have. You provide it at the start of care and make it available in your office or portal. Templates exist; tailor one to your practice rather than inventing it from scratch.

Train yourself and anyone who helps you

HIPAA expects workforce training, even when the workforce is a workforce of one. Document that you've completed basic privacy and security training, and date it. If you ever bring on a virtual assistant, biller, or associate, they need training too, before they touch anything sensitive.

Name yourself the security officer

Every practice needs a designated person responsible for its security and privacy practices. In a solo practice, that's you. Note it in your records. It sounds bureaucratic, but it's a thirty-second task that closes a real requirement.

By the end of month three, you have a completed risk assessment, signed BAAs on file, written policies, a Notice of Privacy Practices, documented training, and a named security officer. That's a compliant practice — not a perfect one, because no practice is, but a defensible, responsible one.

You don't have to do it all at once

Reading this in one sitting can feel like a lot. Living it across ninety days is entirely doable, and thousands of solo therapists do it every year without a business background.

Build the foundation, assemble a small honest tech stack, then document the compliance layer that protects everything else. Move in roughly that order, give yourself grace where you fall behind, and remember that the goal isn't a flawless launch. It's a practice you can actually run — one where the back office is quiet enough that you can give your full attention to the people in the room.

Get your compliance sorted early

Setting up a practice is overwhelming enough without worrying about federal regulations. Yundra's free HIPAA risk assessment takes 25 minutes and tells you exactly where you stand — so you can tick the compliance box and get back to the work that matters.

Start your free assessment →

Would your practice survive an OCR audit?

Find out in 25 minutes. Our free assessment identifies every gap an auditor would flag — and shows you how to fix them.

Free · See your score instantly