Who does HIPAA apply to? Compliance for therapists

Compliance for therapists is imperative in behavioral health. Unsure if HIPAA applies to you? Our guide helps clarify compliance expectations.

As a new therapist, navigating compliance with HIPAA, the Health Insurance Portability and Accountability Act, can feel overwhelming. While focusing on providing the best possible care, you also need to understand and adhere to all of HIPAA's legal requirements. Doing so is crucial to safeguarding your clients and maintaining the integrity of your practice.

HIPAA ensures the confidentiality of protected health information (PHI) and sets the standards for privacy, security, and electronic data exchange in healthcare. In this guide, we’ll break down the key collaborators in your practice who must follow HIPAA, and help you ensure your practice is compliant.

Covered entities

HIPAA regulations apply to certain types of organizations, known as "covered entities." They're required to follow specific guidelines set forth by the Department of Health and Human Services to safeguard sensitive health information.

A covered entity is an individual or organization that processes health information or provides healthcare services. In a behavioral health context, these typically include providers like therapists, healthcare plans, and healthcare clearinghouses. Here are some examples of covered entities.

1. Providers

As a provider, you are considered a "covered entity" under HIPAA. This means you are legally obligated to protect your clients' health information by ensuring privacy, security, and confidentiality. HIPAA compliance for therapists requires careful attention to how client data is stored, transmitted, and shared. 

In a behavioral health setting, this could include securely storing client records, using encrypted telehealth platforms, and ensuring confidentiality in communication. Any sharing of client data for treatment, billing, or other purposes must be done with explicit consent and with safeguards in place.

For example, if you're providing therapy via telehealth, it’s essential that the platform you use is HIPAA-compliant, ensuring it encrypts your clients' data to protect it from unauthorized access.

2. Healthcare plans

Healthcare plans, such as insurance companies, are also considered covered entities under HIPAA. While they don’t directly provide healthcare services, they handle PHI and must comply with the privacy and security rules of HIPAA. As a provider, you may need to share certain client information with insurance companies for billing or treatment purposes, but this must always be done securely and with the proper consent.

3. Healthcare clearinghouses

Healthcare clearinghouses process nonstandard health information, such as converting paper records into electronic formats. These entities play an essential role in simplifying administrative tasks like billing and payment processing. While you may not interact directly with a healthcare clearinghouse on a day-to-day basis, it's important to ensure they follow HIPAA guidelines when dealing with your clients' health data.

4. Business associates

Business associates are individuals or organizations that perform services for or on behalf of a covered entity and have access to PHI. This could include billing services, IT providers, or contracted administrative staff. Even though they are not directly providing therapy, if they handle or have access to your client’s data, they must comply with HIPAA.

For instance, if you work with an outside billing service, they must sign a Business Associate Agreement (BAA) ensuring they handle PHI in compliance with HIPAA regulations. This includes maintaining secure systems for storing and transmitting information.

5. Subcontractors

Subcontractors work under a business associate agreement and may also have access to PHI, meaning they must comply with HIPAA as well. For example, if your billing service hires a third-party contractor to manage patient records, that contractor is considered a subcontractor and must be HIPAA-compliant. Ensuring that subcontractors meet these standards protects your clients’ sensitive information from potential breaches.

6. Hybrid entities

Hybrid entities are organizations that are part healthcare provider and part non-healthcare provider. For example, a community health center that provides therapy services but also runs a wellness store is a hybrid entity. HIPAA applies only to the healthcare portion of the organization. It’s important to ensure that the non-healthcare parts of an organization are properly segmented and do not mishandle protected health information.

7. Researchers

In certain contexts, researchers may also be subject to HIPAA compliance if they are handling PHI as part of their studies. If a researcher collects mental health data for a study, they must ensure that the data is anonymized or protected to maintain confidentiality. This is particularly relevant in behavioral health research, where sensitive client information is often involved.

For example, if you're involved in research about treatment outcomes in therapy and need to access client records, you must ensure that the data is de-identified to comply with HIPAA’s privacy rule.

Who does HIPAA not apply to?

While HIPAA applies to a wide range of entities in the healthcare system, it does not extend to everyone. There are several organizations and individuals who are not required to follow HIPAA guidelines. 

In the behavioral health context, here are some examples of those who are not obligated to comply with HIPAA:

  • Life insurance companies: They do not fall under HIPAA as they’re not involved in the delivery of healthcare services.
  • Employers: Unless they provide health plans, employers are not required to follow HIPAA.
  • Schools: Educational records, such as student health records, are generally protected under the Family Educational Rights and Privacy Act (FERPA), not HIPAA.
  • Gyms and fitness centers: Unless they are involved in medical services, gyms do not need to adhere to HIPAA.

What information is protected under HIPAA’s privacy rule?

The privacy rule sets standards for what is considered protected health information. PHI refers to any health data that identifies an individual and is related to that individual’s healthcare condition, treatment, or payment for treatment.

It’s essential to maintain the privacy and security of PHI to ensure client trust and legal compliance. Here are a few examples of what is considered PHI:

  • Common identifiers, such as name, date of birth, or address, when they are linked to health information
  • Diagnosis
  • Treatment history
  • Insurance information

Protecting this information is paramount in behavioral health, as it directly affects the therapeutic relationship. Failure to properly safeguard PHI can lead to serious legal consequences and damage to your practice’s reputation.

Headway is your practice’s HIPAA-compliant partner.

Managing HIPAA compliance on your own can be challenging, but with the right tools, it doesn’t have to be overwhelming. Headway offers HIPAA-compliant solutions that help streamline the administrative side of your practice, allowing you to focus on what matters most—your clients. From secure scheduling and billing to telehealth solutions, Headway’s platform ensures that your practice stays compliant while providing a seamless experience for both you and your clients.

Headway limits requests for the use and disclosure of PHI to what is minimally necessary to accomplish the intended purpose of the request. Headway team members receive specialized training on HIPAA, the importance of PHI safety, and the “minimum necessary” rule. Headway also proactively maintains an audit log of all access to client records. 

By partnering with Headway, you can be confident that your practice adheres to HIPAA standards, protecting your clients and giving you the peace of mind to focus on delivering the best care.
