The 5 HIPAA Documents Every Therapist Needs (And What Goes in Each One)
If you've ever searched for "HIPAA compliance documents" and been overwhelmed by the results — hundreds of pages of federal regulation, expensive consultant packages, and generic templates that don't match your solo practice — you're not alone. Most therapists know they need "something in writing" for HIPAA but aren't sure exactly what, or what each document should actually contain.
Here's the reality: OCR (the Office for Civil Rights, which enforces HIPAA) expects to see specific documentation if they ever investigate your practice. Not vague policies. Not a stack of printouts from a Google search. Specific, dated, signed documents that show you've thought about your security risks, written down your policies, and have a plan for when things go wrong.
The good news? For a solo or small therapy practice, you don't need hundreds of pages. You need five core documents, each doing a specific job. This guide walks through all five — what they are, what goes in each one, and how to create them without hiring a consultant.
Document 1: The Security Risk Analysis (SRA)
What it is
The Security Risk Analysis is the single most important HIPAA compliance document. It's a systematic evaluation of where your patient data lives, what threats could compromise it, and what you're doing to protect it.
OCR has cited failure to conduct a Security Risk Analysis in virtually every enforcement action in recent years. It's not optional. It's not a "nice to have." It is the foundation everything else is built on.
What goes in it
A proper SRA for a solo therapy practice should cover:
Asset inventory. Where does electronic Protected Health Information (ePHI) live in your practice? Your EHR, email, telehealth platform, phone, laptop, backup drives, cloud storage. List every system that touches patient data.
Threat identification. What could go wrong? Lost or stolen devices, phishing emails, weak passwords, unpatched software, unauthorised access, natural disasters, vendor breaches. You're not being paranoid — you're being thorough.
Vulnerability assessment. For each threat, how exposed are you? Is your laptop's disk encrypted? Does your EHR login require multi-factor authentication (MFA), not just a password? Do you lock your office when you leave?
Risk rating. For each combination of threat and vulnerability, rate the likelihood of it happening and the impact if it did. Combining the two gives each risk a level: high, medium, or low.
Current safeguards. What are you already doing to mitigate each risk? Document the protections you have in place — encryption, access controls, training, physical locks.
Remediation plan. For any risk rated medium or high, what will you do to reduce it? This is your action plan with specific steps and target dates.
What OCR actually looks for
OCR doesn't expect perfection. They expect evidence that you've systematically thought about your risks and have a plan to address them. A completed SRA with honest risk ratings and a realistic remediation timeline demonstrates exactly that.
Common mistakes
- Using the federal government's 156-question SRA Tool designed for large hospitals — it's overkill for solo practices
- Doing the SRA once and never updating it (HIPAA requires annual review)
- Rating every risk as "low" to make things look good — OCR sees right through this
- Not including a remediation plan for identified gaps
Document 2: Policies and Procedures Manual
What it is
Your written security policies — the rules your practice follows for handling patient data. Think of it as the instruction manual for how your practice protects ePHI.
What goes in it
For a solo therapist, the policies manual should cover:
Administrative safeguards. Who is your Security Official? (Hint: if you're solo, it's you.) What's your process for reviewing access? How do you handle workforce training?
Physical safeguards. How do you control physical access to your office and devices? What happens to devices at end of life? How do you secure workstations?
Technical safeguards. Password policies, encryption requirements, automatic logoff settings, audit log reviews, transmission security.
Vendor management. How do you evaluate new vendors? What's your BAA process?
Incident response overview. High-level reference to your incident response plan (which is a separate document).
Key principle
Your policies should describe what your practice actually does — not what you wish it did. If you don't have MFA enabled yet, don't write a policy claiming you do. Write the policy, note the gap, and include it in your remediation plan.
How long should it be?
For a solo practice, 12-15 pages is typical. Don't pad it. Every page should contain a real policy that you actually follow.
Document 3: Notice of Privacy Practices (NPP)
What it is
The patient-facing document that explains how your practice uses and protects their health information. Every HIPAA-covered entity must provide this to patients.
What goes in it
The NPP has specific content requirements under HIPAA:
How you use patient information. Treatment, payment, and healthcare operations — the three main permitted uses.
Patient rights. The right to access their records, request corrections, receive an accounting of disclosures, request restrictions, and file complaints.
Your obligations. That you're required by law to maintain the privacy of their health information and to notify them if a breach occurs.
Contact information. How patients can reach your practice's Privacy Officer (you) with questions or complaints.
Effective date. When the notice was last updated.
The February 2026 update
If your NPP was written before February 2026, it likely needs updating. The new requirements include alignment with 42 CFR Part 2 (substance use disorder records) and expanded individual rights provisions. If you treat anyone with substance use issues — even as a secondary concern — your NPP must address these changes.
How patients receive it
You must make a good-faith effort to obtain a written acknowledgment from patients that they received the NPP. Most practices handle this during intake — the patient signs a form acknowledging they received it.
Document 4: Incident Response Plan
What it is
Your step-by-step playbook for what to do when something goes wrong — a data breach, a security incident, a lost device, a phishing attack. Not if, but when.
What goes in it
Definition of an incident. What counts as a security incident in your practice? Unauthorised access to patient records, lost devices containing ePHI, suspicious emails, ransomware, physical break-in.
Immediate response steps. What do you do in the first hour? Contain the incident, document what happened, assess the scope.
Breach assessment. Is this a reportable breach under HIPAA? Apply the four-factor risk assessment: the nature and extent of the PHI involved, who used it or to whom it was disclosed, whether it was actually acquired or viewed, and the extent to which the risk has been mitigated.
Notification requirements. If it is a reportable breach:
- Notify affected individuals within 60 days
- Notify HHS (the breach portal)
- If 500+ individuals affected, notify local media
- Document everything
Contact list. Phone numbers and addresses for your IT support, your EHR vendor's security team, the HHS breach portal, and legal counsel (even if you don't have a lawyer on retainer, know who you'd call).
Post-incident review. After the dust settles, what did you learn? What changes to prevent it from happening again?
Why this matters
The biggest mistake therapists make with breaches isn't the breach itself — it's the response. Not reporting a breach you're required to report, or not reporting it within the 60-day window, turns a manageable situation into an enforcement action.
Document 5: Business Associate Agreement (BAA) Tracker
What it is
A record of every vendor that handles patient data on your behalf, whether you have a signed BAA with each one, and the status of each agreement.
What goes in it
Vendor inventory. List every company that could potentially access or store your patients' ePHI:
- EHR system (SimplePractice, TherapyNotes, Jane App, etc.)
- Email provider (Google Workspace, Microsoft 365, Hushmail)
- Telehealth platform (Doxy.me, Zoom for Healthcare, etc.)
- Cloud storage/backup (Dropbox, Google Drive, iCloud)
- Billing/clearinghouse
- Answering service
- Shredding company
- IT support provider
BAA status for each. Signed, pending, not available, not needed.
Date signed. When was the BAA executed?
Review date. When is it due for renewal or review?
Action items. For any vendor without a BAA: get one signed, switch vendors, or stop using them for anything involving ePHI.
The vendor most practices forget
Many therapists have BAAs with their EHR and telehealth platform but forget about their email provider. If you ever send or receive emails containing patient information — even appointment confirmations with names — you need a BAA with your email provider.
Free consumer Gmail accounts do not come with a BAA. Google Workspace does offer one (on paid plans). This distinction matters.
Putting It All Together
These five documents work as a system:
- The SRA identifies your risks and gaps
- The Policies Manual documents how you address those risks
- The NPP tells patients how you protect their information
- The Incident Response Plan prepares you for when things go wrong
- The BAA Tracker ensures your vendors are held to the same standard
Together, they demonstrate to OCR that you've taken HIPAA seriously, thought systematically about your practice's risks, and have documented evidence of your compliance efforts.
When to Update Them
All five documents should be reviewed at least annually. Update them whenever:
- You change EHR systems or other vendors
- You add a new location
- You hire staff or contractors
- You experience a security incident
- There's a significant change to HIPAA regulations (like the February 2026 update)
The Fastest Way to Get These Documents
You have three options:
DIY. Use federal templates and guidance documents. Free but time-consuming — expect 20-40 hours of work to create all five properly.
Hire a consultant. Typically $3,000-$10,000 for a solo practice. Thorough but expensive.
Use Yundra. Take the free 25-minute risk assessment, then generate all seven compliance documents (the five above plus two additional supporting documents) personalised to your practice — from $399.
Take the free HIPAA Risk Assessment →
Your compliance documents should reference your actual practice name, your specific EHR, your email provider, and your real compliance gaps — not generic placeholders. That's what makes them useful in an actual OCR review.