
HIPAA Compliance Checklist for Starting a New Therapy Practice


You're starting a private practice. Congratulations — that's a huge step. Somewhere between picking a name, setting up your EHR, and figuring out billing, you've probably realized that HIPAA is sitting there waiting for you, and it's not optional.

The good news: HIPAA compliance for a solo therapist is absolutely manageable. You don't need a compliance department or a five-figure consultant. You need a plan, a few weeks, and a checklist you can actually work through.

That's what this is. We've broken it into four weeks, each with a clear focus and a concrete checklist. Work through it in order — each phase builds on the last. If you do all of it, you'll open your doors genuinely compliant, not just hoping you are.

Before You Start: Two Things to Understand

First, you are a covered entity the moment you transmit health information electronically in connection with a billing or insurance transaction — which virtually every modern practice does. That triggers full HIPAA obligations.

Second, the single most-cited deficiency in OCR enforcement is the missing or inadequate Security Risk Analysis. It's not flashy, but it's the foundation of everything else. So that's where week one starts.

Week 1: Foundation — Risk Analysis and Officer Roles

This week is about understanding your own risk and formally taking ownership of compliance.

Conduct a Security Risk Analysis

The Security Rule (45 CFR § 164.308(a)(1)(ii)(A)) requires every covered entity to conduct an accurate, thorough assessment of the risks to electronic protected health information (ePHI). For a solo practice, that means mapping reality:

  • Inventory where ePHI lives — your EHR, your laptop, your phone, your email, cloud storage, your telehealth platform, your scheduling tool
  • Identify threats to each location — theft, loss, hacking, accidental disclosure, unencrypted devices
  • Assess your current safeguards — what's encrypted, what has multi-factor authentication, what's backed up
  • Document the gaps and rank them by risk
  • Write a remediation plan with target dates

This is not a one-time form. It's a living document you'll revisit at least annually. But the first version is what makes everything downstream make sense.

Designate yourself as Security Officer and Privacy Officer

HIPAA requires you to formally name both roles:

  • The Security Officer (45 CFR § 164.308(a)(2)) owns your security policies and technical safeguards
  • The Privacy Officer (45 CFR § 164.530(a)(1)) owns how PHI is used and disclosed

For a solo practice, both are you. This isn't a hire — it's a documented assignment. Write a short, dated, signed memo naming yourself in both roles and keep it in your compliance file. OCR specifically looks for this, and its absence is a citeable deficiency.

Week 1 checklist:

  • [ ] Complete a written Security Risk Analysis
  • [ ] Inventory every place ePHI is stored or transmitted
  • [ ] Document risks and a remediation plan
  • [ ] Sign a memo designating yourself Security Officer and Privacy Officer

Week 2: Write Your Core Policies

Policies are where intentions become documentation. If a behavior isn't written down, OCR treats it as if it doesn't exist. You don't need 200 pages — for a solo practice, a focused set of policies covering your actual practices is enough.

Privacy Policy

This governs how you use and disclose PHI. It should cover:

  • Permitted uses and disclosures (treatment, payment, healthcare operations)
  • The minimum necessary standard — only access or share the smallest amount of PHI needed
  • Patient rights: access, amendment, accounting of disclosures, and the right to request restrictions
  • How you handle authorizations for disclosures that fall outside routine treatment

Security Policy

This governs how you protect ePHI and maps to the Security Rule's three categories of safeguards:

  • Administrative safeguards — risk management, training, access management
  • Physical safeguards — locked offices, screen positioning, device control
  • Technical safeguards — encryption, unique logins, multi-factor authentication, automatic logoff, audit logging

Breach Notification Policy

If PHI is compromised, the Breach Notification Rule (45 CFR §§ 164.400–414) sets strict timelines. Your policy should spell out:

  • How you'll assess whether an incident is a reportable breach
  • Notifying affected patients without unreasonable delay and no later than 60 days
  • Notifying HHS (immediately for breaches of 500 or more individuals; in the annual log for smaller ones)
  • How you'll document the incident and your response

Week 2 checklist:

  • [ ] Draft and date a Privacy Policy
  • [ ] Draft and date a Security Policy covering all three safeguard types
  • [ ] Draft and date a Breach Notification Policy
  • [ ] Store all policies where you can produce them quickly

Week 3: Vendors and Business Associate Agreements

Almost every tool you use touches PHI, and that means you need a Business Associate Agreement (BAA) with each vendor before you send a single byte of patient data through it. Under 45 CFR § 164.308(b) and § 164.314, a vendor handling PHI on your behalf must have a signed BAA — no exceptions.

A free tool without a BAA is not "free." It's a violation waiting to happen.

EHR / practice management

  • Choose an EHR that will sign a BAA (SimplePractice, TherapyNotes, Jane, and similar platforms do)
  • Get the BAA signed before entering any real patient data
  • Turn on encryption, unique login, and multi-factor authentication

Email

  • Standard consumer Gmail or Outlook without a BAA is not HIPAA compliant for PHI
  • Use Google Workspace or Microsoft 365 with a signed BAA, or a dedicated secure-email service
  • Confirm encryption in transit and at rest

Telehealth

  • Your video platform handles PHI, so it needs a BAA too
  • Use a platform built for healthcare (or one that will sign a BAA), not a generic consumer video app
  • Verify encryption and that sessions aren't being recorded or stored without your control

Scheduling and intake

  • Online scheduling, intake forms, and reminder tools frequently store names, contact info, and appointment data — that's PHI
  • Make sure each one will sign a BAA before you connect it
  • Don't forget reminder text/email services and payment processors that touch PHI

Build a vendor register

Keep a simple list: each vendor, what PHI they touch, whether a signed BAA is on file, and where that BAA is stored. This single document answers one of the first questions any auditor asks.

Week 3 checklist:

  • [ ] Signed BAA with your EHR
  • [ ] Signed BAA with your email provider
  • [ ] Signed BAA with your telehealth platform
  • [ ] Signed BAA with scheduling, intake, reminder, and payment tools
  • [ ] A vendor register listing every BAA and where it's stored

Week 4: Training, Notices, and Patient-Facing Forms

The final week makes you operational — ready to actually see patients with everything in place.

Workforce training (yes, even solo)

HIPAA requires workforce training (45 CFR § 164.530(b)). If your workforce is just you, you still must complete and document training. If you bring on a virtual assistant, biller, or associate, they need training before touching PHI too.

  • Complete HIPAA Privacy and Security training
  • Save a dated certificate or log entry as proof
  • Plan to refresh training annually and after any major change

Post your Notice of Privacy Practices

The Privacy Rule (45 CFR § 164.520) requires a Notice of Privacy Practices (NPP) that tells patients how their information is used and what rights they have.

  • Write or adopt a compliant NPP
  • Post it prominently in your office and on your website
  • Provide it to each patient at first contact and obtain written acknowledgment of receipt

Intake forms and consent

  • Build HIPAA-aware intake forms that collect only what you need (minimum necessary)
  • Include consent for treatment and, where you'll communicate by email or text, consent for those channels
  • Use a separate, specific authorization form for any disclosure outside routine treatment, payment, or operations

Secure your physical and digital space

  • Lock file cabinets and your office; position screens away from waiting areas
  • Enable full-disk encryption on every device that touches PHI
  • Turn on automatic screen lock and use strong, unique passwords with a password manager
  • Set up encrypted backups

Week 4 checklist:

  • [ ] Complete and document HIPAA training
  • [ ] Write, post, and distribute your Notice of Privacy Practices
  • [ ] Collect acknowledgment of the NPP at intake
  • [ ] Use minimum-necessary intake and consent forms
  • [ ] Encrypt devices, enable screen locks, and set up backups

After Launch: Keep It Alive

Compliance isn't a one-time setup. Once you're open:

  • Revisit your Security Risk Analysis at least annually and after any major change
  • Refresh training every year
  • Review your vendor register whenever you add or drop a tool
  • Update your policies and NPP when your practices change
  • Keep your documentation for six years (45 CFR § 164.316(b)(2))

Starting a practice is overwhelming enough without HIPAA hanging over you. But work this checklist over four focused weeks and you'll open your doors genuinely compliant — protecting your patients, your license, and your peace of mind from day one.

Take the next step

Not sure where your practice stands? Yundra's free HIPAA risk assessment takes 25 minutes and gives you a clear compliance score with specific gaps identified. No credit card required.

