SimplePractice, TherapyNotes, or Jane App: Which EHR Is Most HIPAA Compliant?
Choosing an EHR is one of the most important HIPAA decisions you'll make as a therapist. Your EHR stores everything — clinical notes, diagnoses, treatment plans, insurance information, contact details. It's the central repository for virtually all of your electronic Protected Health Information (ePHI).
The three most popular EHRs for solo therapists and small mental health practices are SimplePractice, TherapyNotes, and Jane App. All three market themselves as "HIPAA compliant" — but what does that actually mean in practice, and how do they compare on the security features that matter most?
This guide breaks down each EHR's HIPAA features side by side so you can make an informed decision.
The Comparison Framework
We're evaluating seven HIPAA security dimensions:
- Business Associate Agreement (BAA) — Is one available and how is it executed?
- Data encryption — At rest and in transit
- Access controls — MFA, role-based access, session management
- Audit logging — Can you see who accessed what and when?
- Backup and recovery — How is data protected against loss?
- Breach notification — How quickly are you informed of incidents?
- Infrastructure and certifications — Where is data hosted and what standards are met?
SimplePractice
Overview
SimplePractice is the most widely used EHR among solo therapists, known for its clean interface, integrated telehealth, and strong mobile app. Pricing starts at approximately $29/month for the Essential plan.
HIPAA Features
BAA: Available and auto-accepted during account setup. You agree to the BAA as part of the Terms of Service. A copy is accessible in your account settings at any time. This is the simplest BAA process of the three.
Encryption: All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted using AES-256 on their cloud infrastructure. This meets HIPAA's encryption standards.
Access controls: Supports two-factor authentication (2FA) via SMS or authenticator app. Role-based access is available for group practices — you can set different permission levels for clinicians, billing staff, and administrative users. Automatic session timeout is configurable.
Audit logging: SimplePractice maintains internal audit logs for compliance purposes, but client-facing audit log visibility is limited. You can see appointment history and document access timestamps, but granular "who viewed this record at what time" reports require contacting support.
Backup and recovery: Data is backed up continuously on redundant cloud infrastructure (AWS). SimplePractice has documented disaster recovery procedures. Individual record recovery requires contacting support.
Breach notification: SimplePractice commits to notifying affected customers "without unreasonable delay" following discovery of a breach. Their BAA specifies notification obligations.
Infrastructure: Hosted on Amazon Web Services (AWS) in the United States. AWS is SOC 2 Type II certified and maintains its own HIPAA compliance program.
Strengths for HIPAA
- Frictionless BAA process
- Strong encryption standards
- Built-in HIPAA-compliant telehealth
- Wide adoption means more security investment and faster updates
Considerations
- Audit log granularity could be better for compliance documentation
- The Essential plan has fewer security configuration options than higher tiers
TherapyNotes
Overview
TherapyNotes is built exclusively for behavioural health providers and is known for its documentation-focused approach and strong compliance posture. Pricing starts at approximately $49/month for solo practitioners.
HIPAA Features
BAA: Available during onboarding. TherapyNotes provides a dedicated BAA document that you review and accept separately from their general Terms of Service. This separation makes it clearer what you're agreeing to from a HIPAA perspective.
Encryption: TLS 1.2+ for all data in transit. AES-256 encryption for data at rest. End-to-end encryption for their integrated telehealth feature (TherapyNotes Telehealth). Encryption standards are comparable to SimplePractice.
Access controls: Supports two-factor authentication. Role-based permissions for multi-user practices with granular control over who can access clinical notes vs. billing vs. scheduling. Session timeout is enforced. Unique login credentials required for every user (no shared accounts).
Audit logging: This is where TherapyNotes differentiates itself. The platform provides detailed audit trails showing who accessed each patient record, when, and what action was performed (view, edit, print, export). This documentation is valuable during an OCR investigation.
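The value of an audit trail like the one described above comes from being able to answer "who touched this record, when, and what did they do" and from spotting patterns worth a second look. As an added illustration (not code from TherapyNotes or any of the three vendors), the Python script below reviews an exported audit trail. The CSV column names (timestamp, user, client_id, action), the sample rows, the business-hours window and the export threshold are all constructed assumptions; a real vendor export would need its columns mapped to these names first.

```python
"""Added example: reviewing an exported EHR audit trail for compliance questions.

Assumes a generic CSV export with columns timestamp, user, client_id, action
(view/edit/print/export). The rows below are constructed sample data and do
not represent any vendor's real export format.
"""
import csv
import io
from collections import Counter
from datetime import datetime, time

# Constructed sample export: a clinician's normal daytime use, one billing
# user's daytime view, and a late-night run of exports by the same billing user.
SAMPLE_AUDIT_CSV = """timestamp,user,client_id,action
2024-03-04T09:15:00,dr.lee,C1001,view
2024-03-04T09:20:00,dr.lee,C1001,edit
2024-03-04T10:05:00,billing.ana,C1002,view
2024-03-04T23:40:00,billing.ana,C1003,export
2024-03-04T23:41:00,billing.ana,C1004,export
2024-03-04T23:42:00,billing.ana,C1005,export
2024-03-05T08:30:00,dr.lee,C1002,print
"""

# Assumed review parameters; a practice would set these from its own policies.
BUSINESS_HOURS = (time(7, 0), time(20, 0))
EXPORT_THRESHOLD = 3  # this many exports by one user in one day gets a second look


def parse_audit_csv(text):
    """Parse the CSV export into dicts with a real datetime and a normalised action."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.fromisoformat(r["timestamp"]),
            "user": r["user"].strip(),
            "client_id": r["client_id"].strip(),
            "action": r["action"].strip().lower(),
        })
    return rows


def access_history(rows, client_id):
    """Every access to one client's record: the question an investigator asks first."""
    return [(r["ts"].isoformat(), r["user"], r["action"])
            for r in rows if r["client_id"] == client_id]


def flag_after_hours(rows, hours=BUSINESS_HOURS):
    """Record accesses outside the practice's normal working window."""
    start, end = hours
    return [r for r in rows if not (start <= r["ts"].time() < end)]


def flag_bulk_exports(rows, threshold=EXPORT_THRESHOLD):
    """Users who exported at least `threshold` records on a single day."""
    counts = Counter((r["user"], r["ts"].date())
                     for r in rows if r["action"] == "export")
    return {f"{user}@{day.isoformat()}": n
            for (user, day), n in counts.items() if n >= threshold}


def review(text):
    """Run all checks over one export and return a summary a reviewer can act on."""
    rows = parse_audit_csv(text)
    return {
        "records": len(rows),
        "after_hours": [(r["ts"].isoformat(), r["user"], r["client_id"], r["action"])
                        for r in flag_after_hours(rows)],
        "bulk_exports": flag_bulk_exports(rows),
    }


if __name__ == "__main__":
    summary = review(SAMPLE_AUDIT_CSV)
    print(f"{summary['records']} audit records reviewed")
    for entry in summary["after_hours"]:
        print("after-hours access:", entry)
    for who, n in summary["bulk_exports"].items():
        print(f"bulk export: {who} exported {n} records")
    print("history for C1001:", access_history(parse_audit_csv(SAMPLE_AUDIT_CSV), "C1001"))
```

The per-record history is what you hand to an investigator; the after-hours and bulk-export flags are routine checks a practice can run on each export to catch misuse early rather than discovering it during an investigation.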
Backup and recovery: Real-time data replication across multiple data centres. Documented backup and disaster recovery procedures. Daily backups with point-in-time recovery capability.
Breach notification: TherapyNotes commits to breach notification within the timeframes specified in their BAA. They have a dedicated security team that monitors for incidents.
Infrastructure: Hosted on dedicated infrastructure in SOC 2 audited data centres in the United States. TherapyNotes undergoes annual third-party security assessments.
Strengths for HIPAA
- Best-in-class audit logging among the three
- Behavioural health specialisation means features are designed for therapy workflows
- Annual security assessments
- Granular role-based access controls
Considerations
- Higher starting price point
- Less polished mobile experience compared to SimplePractice
- Telehealth is integrated but less feature-rich than SimplePractice's offering
Jane App
Overview
Jane App is a Canadian-origin practice management platform popular among allied health and therapy providers, known for its flexibility across practice types and its online booking features. Pricing starts at approximately $54/month (USD) for the Base plan.
HIPAA Features
BAA: Available for US customers upon request or during account setup. Jane App provides a BAA covering their HIPAA obligations as a business associate. Because Jane App is headquartered in Canada, they also comply with PIPEDA (Canada's federal privacy law) which has overlapping requirements.
Encryption: TLS 1.3 for data in transit (slightly newer standard than the TLS 1.2 minimum). AES-256 encryption at rest. Jane App's security documentation explicitly references HIPAA encryption requirements.
Access controls: Supports two-factor authentication via authenticator apps. Role-based access with configurable permission sets. Session management includes automatic timeout and forced re-authentication for sensitive actions.
Audit logging: Jane App provides activity logs showing login history, record access, and modifications. The level of detail is between SimplePractice (limited) and TherapyNotes (comprehensive) — sufficient for most compliance needs but not as granular as TherapyNotes.
Backup and recovery: Hosted on cloud infrastructure with automated backups and geographic redundancy. Data recovery procedures are documented.
Breach notification: Jane App commits to breach notification as specified in their BAA. Their privacy team handles incident response.
Infrastructure: Hosted on secure cloud infrastructure with data centres in the United States and Canada. Undergoes regular security audits and penetration testing.
Strengths for HIPAA
- Modern encryption standards (TLS 1.3)
- Dual compliance (HIPAA + PIPEDA) demonstrates security maturity
- Flexible permission system for multi-disciplinary practices
- Strong online booking integration with consent management
Considerations
- Canadian headquarters may raise questions for some compliance-focused practices (though data can be stored in US data centres)
- Newer to the US therapy market than SimplePractice or TherapyNotes
- Pricing higher than SimplePractice at the base tier
Side-by-Side Comparison
| Feature | SimplePractice | TherapyNotes | Jane App |
|---------|---------------|--------------|----------|
| BAA | Auto-accepted in setup | Separate document | Available on request |
| Encryption (transit) | TLS 1.2+ | TLS 1.2+ | TLS 1.3 |
| Encryption (at rest) | AES-256 | AES-256 | AES-256 |
| MFA/2FA | Yes | Yes | Yes |
| Audit logs | Basic | Detailed | Moderate |
| Telehealth | Built-in | Built-in | Built-in |
| Starting price | ~$29/mo | ~$49/mo | ~$54/mo |
| Built for therapy | Yes | Yes (BH-specific) | Multi-discipline |
| Infrastructure | AWS (US) | US data centres | US + Canada |
So Which Should You Choose?
There's no single "most HIPAA compliant" option — all three meet the baseline requirements. The right choice depends on what you prioritise:
Choose SimplePractice if: You want the most user-friendly experience, strong telehealth, and the largest community of therapy users. The BAA process is painless and the platform is well-maintained. Best for solo therapists who want a polished, affordable all-in-one solution.
Choose TherapyNotes if: Audit logging and compliance documentation are your top priorities. If you want the strongest paper trail for an OCR investigation — who accessed what, when, and why — TherapyNotes provides the most detailed records. Best for compliance-focused practitioners or those who've been through an audit.
Choose Jane App if: You run a multi-disciplinary practice, want the most modern security standards (TLS 1.3), or need flexibility across different provider types. Best for practices that combine therapy with other allied health services.
What Your EHR Doesn't Do For You
Regardless of which EHR you choose, remember: your EHR being HIPAA compliant does not make your practice HIPAA compliant. You still need:
- A Security Risk Analysis covering your entire practice
- Written policies and procedures
- BAAs with all your other vendors (not just the EHR)
- Security awareness training
- An incident response plan
Your EHR is a tool. Compliance is what you do with that tool — and everything around it.
If you're not sure where your practice stands, take Yundra's free 25-minute HIPAA Risk Assessment. It evaluates all five compliance categories — not just your EHR choice — and gives you an actionable report with specific gaps to address.