
The 7 Best HIPAA-Compliant Practice Management Tools for Therapists (2026)


Your practice management software (or EHR) handles the most sensitive data you touch: clinical notes, diagnoses, treatment plans, contact details, and often payment information. Choosing the right one isn't just a workflow decision — it's a HIPAA decision. The wrong setup can leave PHI exposed; the right one gives you a solid, compliant foundation to build on.

This guide compares seven of the most popular tools therapists use in 2026, with an honest take on each and what to check before you commit.

What Makes Software "HIPAA Compliant"?

No software is automatically "HIPAA compliant" — compliance is a shared responsibility. A tool can support your compliance if it provides:

  • A Business Associate Agreement (BAA). This is the legal contract that lets a vendor handle PHI on your behalf. Without a signed BAA, using the tool for PHI is a violation — full stop.
  • Encryption in transit (TLS) and at rest (typically AES-256).
  • Access controls — unique logins, two-factor authentication, role-based permissions, and automatic session timeouts.
  • Audit logging — a record of who accessed what and when. You'll want it if you're ever investigated, and the Security Rule expects you to review it periodically, not just to have it switched on.
  • Reasonable infrastructure — reputable hosting, backups, and breach-notification commitments.

A vendor that ticks these boxes and signs a BAA can be used compliantly. How you configure and use it is still up to you.
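Audit logs only help if someone reads them. The following is an added example written for this article, not code from the original page or from any of the vendors listed. It reviews a constructed audit-log export for the three things a "who accessed what and when" record makes visible: client records opened outside business hours, one account opening many different clients' records within a few minutes, and a burst of failed logins followed by a success. Every vendor exports logs in its own layout, so the CSV columns, the business-hours window and the thresholds are assumptions to adjust to your tool's export.

```python
"""Review an audit-log export from a practice-management tool.

Added example, not code from the original article or from any vendor. Every
vendor exports audit logs in its own layout, so the CSV columns, the business
hours and the thresholds below are assumptions to adjust to your export.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (assumed layout: timestamp,user,action,client_id).
SAMPLE_EXPORT = """timestamp,user,action,client_id
2026-03-02T09:05:00,dr.lee,view_note,C1001
2026-03-02T09:12:00,dr.lee,edit_note,C1001
2026-03-02T10:30:00,front.desk,view_demographics,C1002
2026-03-02T23:41:00,front.desk,view_note,C1003
2026-03-02T23:42:00,front.desk,view_note,C1004
2026-03-02T23:43:00,front.desk,view_note,C1005
2026-03-02T23:44:00,front.desk,view_note,C1006
2026-03-02T23:45:00,front.desk,view_note,C1007
2026-03-02T23:46:00,front.desk,view_note,C1008
2026-03-03T08:15:00,dr.lee,login_failed,
2026-03-03T08:16:00,dr.lee,login_failed,
2026-03-03T08:17:00,dr.lee,login_failed,
2026-03-03T08:18:00,dr.lee,login_failed,
2026-03-03T08:19:00,dr.lee,login_failed,
2026-03-03T08:20:00,dr.lee,login_success,
"""

BUSINESS_HOURS = (7, 20)          # assumed: 07:00-19:59 local is "normal"
BULK_WINDOW = timedelta(minutes=10)
BULK_THRESHOLD = 5                # assumed: distinct clients in one window
FAILED_LOGIN_THRESHOLD = 5


def parse_export(text):
    """Parse the CSV export into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return sorted(rows, key=lambda r: r["timestamp"])


def find_after_hours_access(rows):
    """Client-record events outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [r for r in rows
            if r["client_id"] and not (start <= r["timestamp"].hour < end)]


def find_bulk_access(rows):
    """Users who opened >= BULK_THRESHOLD distinct clients within BULK_WINDOW.

    Returns (user, window start, sorted client ids); one finding per user.
    """
    by_user = defaultdict(list)
    for r in rows:
        if r["client_id"]:
            by_user[r["user"]].append(r)
    findings = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if e["timestamp"] - first["timestamp"] <= BULK_WINDOW]
            clients = {e["client_id"] for e in window}
            if len(clients) >= BULK_THRESHOLD:
                findings.append((user, first["timestamp"], sorted(clients)))
                break
    return findings


def find_failed_login_bursts(rows):
    """Users with >= FAILED_LOGIN_THRESHOLD consecutive failures then a success.

    Returns (user, time of the success, number of failures before it).
    """
    streak = defaultdict(int)
    findings = []
    for r in rows:
        user, action = r["user"], r["action"]
        if action == "login_failed":
            streak[user] += 1
            continue
        if action == "login_success" and streak[user] >= FAILED_LOGIN_THRESHOLD:
            findings.append((user, r["timestamp"], streak[user]))
        streak[user] = 0          # any other event ends the streak
    return findings


def review(text):
    """Run all three checks over an export and return the findings by category."""
    rows = parse_export(text)
    return {
        "after_hours": find_after_hours_access(rows),
        "bulk_access": find_bulk_access(rows),
        "failed_login_bursts": find_failed_login_bursts(rows),
    }


if __name__ == "__main__":
    for category, items in review(SAMPLE_EXPORT).items():
        print(f"{category}: {len(items)} finding(s)")
        for item in items:
            print("   ", item)
```

On the sample data the script flags the front-desk account for opening six different clients' notes at 23:41 and the five failed logins before dr.lee's successful sign-in. None of these is proof of wrongdoing; the point is that a log you can export and run through something like this turns "audit logging: yes" on a feature list into a control you actually exercise.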

The 7 Tools Compared

1. SimplePractice

The most widely used EHR among solo therapists. Clean interface, strong client portal, built-in telehealth, and a great mobile app. Pricing: ~$29–99/mo by tier. Standout: all-in-one client experience and self-booking. HIPAA: BAA available (accepted at setup), AES-256 + TLS, 2FA, AWS hosting.

2. TherapyNotes

Focused, reliable clinical documentation and well-regarded insurance billing. Fewer bells and whistles, more substance. Pricing: ~$49–59/mo. Standout: structured notes and dependable claims. HIPAA: BAA available, strong encryption, audit logs, US hosting.

3. Jane App

Canadian-built, popular across allied health and mental health. Excellent scheduling and a polished portal. Pricing: ~$54–79 CAD/mo. Standout: multi-discipline support and mature scheduling. HIPAA: supports both PIPEDA and HIPAA compliance, BAA available, TLS 1.3 in transit. Ask where your data is hosted and confirm the at-rest encryption specifics before storing PHI.

4. TheraNest

Long-established mental health EHR with Wiley Treatment Planners integration and per-client pricing that suits smaller caseloads. Pricing: ~$39+/mo, scales with active clients. Standout: Wiley Planners. HIPAA: BAA available, encryption, 2FA, audit logs.

5. Carepatron

A newer, fast-growing platform with a genuinely usable free tier. Good fit for new or budget-conscious practices. Pricing: free–$36/mo. Standout: free tier and momentum. HIPAA: BAA offered, encryption in transit and at rest — confirm current specifics before storing PHI.

6. Alma

Less an EHR and more a membership platform that helps therapists accept insurance, with practice tools bundled in. Great if insurance credentialing and billing support are your pain points. Pricing: membership fee model. Standout: insurance enablement and billing support. HIPAA: operates as a business associate — ensure the BAA and data handling are documented for your use case.

7. Headway

Similar in spirit to Alma — a network that handles insurance billing and credentialing so you get paid faster, with lightweight practice tooling. Pricing: typically no direct software fee (revenue model differs). Standout: insurance billing handled for you. HIPAA: acts as a business associate; confirm the agreement and what data it processes.

Master Comparison Table

| Tool | Best for | Pricing (approx) | Standout | BAA | Encryption |
|------|----------|------------------|----------|-----|------------|
| SimplePractice | All-in-one solo practice | $29–99/mo | Client experience | Yes | TLS + AES-256 |
| TherapyNotes | Documentation + billing | $49–59/mo | Clinical notes | Yes | TLS + AES-256 |
| Jane App | Multi-discipline clinics | $54–79 CAD/mo | Scheduling | Yes | TLS 1.3 in transit* |
| TheraNest | Wiley Planners users | $39+/mo (per client) | Wiley Planners | Yes | TLS + AES-256 |
| Carepatron | New/budget practices | Free–$36/mo | Free tier | Yes* | TLS + at rest* |
| Alma | Accepting insurance | Membership | Insurance enablement | Yes* | Vendor-managed* |
| Headway | Insurance billing done-for-you | Revenue model | Billing handled | Yes* | Vendor-managed* |

* Confirm current BAA terms and security specifics directly with the vendor before storing PHI.

How to Choose

A few practical filters:

  • Private-pay, want polish? SimplePractice or Jane.
  • Heavy insurance biller who wants control? TherapyNotes or TheraNest.
  • Want insurance handled for you? Alma or Headway.
  • Brand new and watching costs? Carepatron.
  • Use Wiley Planners? TheraNest.
  • Multi-discipline clinic? Jane.

Whatever you choose, do two things before storing a single client's data: sign the BAA, and turn on every security control the platform offers (2FA, session timeouts, role-based access).

How to Verify a Vendor's BAA (and Spot Red Flags)

"HIPAA compliant" is a marketing phrase anyone can print on a homepage. Before you trust a vendor with PHI, verify the substance:

  • Ask for the BAA in writing and actually read it. It should name your practice as the covered entity, state what the vendor may and may not do with PHI, describe its safeguards, require the same terms of any subcontractors it uses, spell out breach-notification timelines, and say what happens to your data when the contract ends.
  • Confirm how the BAA is executed. Some are accepted at signup (SimplePractice); others require a request. Either way, save a dated copy.
  • Check encryption claims. Look for TLS in transit and AES-256 (or equivalent) at rest, stated plainly in their security documentation. Bear in mind that encryption on the vendor's servers does nothing for PHI you export, sync, or cache on your own laptop or phone; those devices need full-disk encryption of their own.
  • Look for access controls and audit logs. Two-factor authentication and some form of access logging should be standard, and ask whether you can view or export the logs yourself rather than only on request.

Red flags worth pausing on: a vendor that won't sign a BAA at all ("we're HIPAA compliant, you don't need one" is wrong — if they handle PHI, you need one); vague or missing security documentation; or a free tier that quietly excludes the BAA or core security features. If a vendor can't or won't put their safeguards in writing, treat that as your answer.

A Quick Buyer's Checklist

Before storing a single client's data on any tool above:

  1. Signed, saved BAA in hand
  2. Two-factor authentication enabled on your account
  3. Strong, unique password (and a password manager)
  4. Role-based access configured if anyone else logs in
  5. The vendor added to your written list of business associates
  6. The tool reflected in your practice's risk analysis

That last point is the bridge most therapists skip — which brings us to the limits of any EHR.

What an EHR Doesn't Cover

Here's the trap. Therapists choose a "HIPAA-compliant" EHR, check the box, and assume they're done. But your EHR is only one piece of your compliance picture. It does not cover:

  • Your other vendors. Your email, scheduling tool, cloud storage, billing clearinghouse, and any contractors all touch PHI and each need their own BAA.
  • Your written policies and procedures. HIPAA requires documented safeguards — administrative, physical, and technical.
  • Your Security Risk Analysis. OCR expects every covered entity to have a current, practice-wide risk analysis on file. This is the single most commonly missing document in enforcement actions.
  • Your workforce training. Even a solo practice has training obligations.
  • Your incident response plan. You need to know what you'll do before a breach happens.

In other words: the right EHR is necessary, but it's maybe 20% of HIPAA compliance. The other 80% is the practice you build around it.

Your EHR Is One Piece — Find Out What Else You Need

Picking a compliant tool is a great start. But if that's all you've done, you almost certainly have gaps that an OCR investigation or a client complaint would surface.

Take Yundra's free 25-minute HIPAA Risk Assessment. It evaluates your entire practice across all five compliance categories — software, policies, training, vendors, and physical safeguards — and gives you a prioritised report showing exactly what to fix next.
