HIPAA Business Associate Agreement for Therapists
By BAA Generator Editorial · Updated Apr 19, 2026 · 5 min read
Key Takeaways
- All therapists — including solo practices — are HIPAA covered entities and must have BAAs
- Every vendor handling client PHI (EHR, billing, storage, telehealth) requires a signed BAA
- Missing a BAA is a direct HIPAA violation — penalties apply regardless of practice size
- Most EHR platforms (SimplePractice, TherapyNotes) include a BAA — but you must sign it
- Vendors who don't offer a BAA cannot be used to store or process client data
Private practice therapists are among the most common targets of HIPAA enforcement actions — not because they suffer major data breaches, but because they're operating without signed BAAs. A missing BAA with a billing company or an EHR vendor is a technical violation that OCR (the HHS Office for Civil Rights) can and does cite in investigations. Here's what every mental health provider needs to know.
Why Therapists Are Covered Entities Under HIPAA
HIPAA applies to "covered entities" — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions. Mental health providers who submit claims electronically (or whose billing company does) are covered entities.
This means:
- Licensed Clinical Social Workers (LCSWs)
- Licensed Marriage and Family Therapists (LMFTs)
- Licensed Professional Counselors (LPCs)
- Psychologists (PhD, PsyD)
- Psychiatrists (MD, DO) who provide therapy
- Licensed Mental Health Counselors (LMHCs)
All of the above are covered entities. If you accept insurance — or if your biller submits claims electronically — you are covered by HIPAA and must have BAAs in place.
What PHI Does a Therapy Practice Handle?
Protected health information in a therapy context includes more than just session notes. PHI encompasses:
- Client names, addresses, and dates of service
- Diagnosis codes (ICD-10) and treatment plans
- Session notes (progress notes, SOAP notes, DAP notes)
- Insurance information and billing records
- Appointment scheduling data that links a person to your practice
- Any communications (email, text, voicemail) that reference a client's treatment
If a vendor's system touches any of this data, a BAA is required before that vendor can access it.
Vendors Therapists Typically Need BAAs With
EHR and Practice Management Software
SimplePractice, TherapyNotes, TheraNest, Kareo, and similar platforms store your session notes, treatment plans, and billing records. All of them offer BAAs — but you must actively sign or accept the BAA; it doesn't happen automatically when you sign up.
Billing Companies and Clearinghouses
If you outsource billing or use a clearinghouse to submit claims, your biller receives client names, diagnosis codes, and insurance details. A BAA is required. Many billing companies will proactively send you their standard BAA; if they don't, you should request one before sharing any client data.
Telehealth Platforms
Zoom for Healthcare, Doxy.me, and similar telehealth platforms can sign a BAA. Standard Zoom (non-healthcare plans) cannot — do not use a free or standard Zoom account for therapy sessions. Doxy.me offers a free tier with HIPAA compliance and BAA for individual providers, making it a common choice for solo therapists.
Cloud Storage
Google Drive (on paid Workspace plans), Dropbox Business, and Microsoft OneDrive for Business all offer BAAs. Personal/free storage accounts — including personal Google Drive, personal Dropbox, and iCloud — do not qualify for HIPAA BAAs and cannot be used to store client files.
Scheduling and Appointment Software
Acuity Scheduling, Calendly, and similar tools that link a person's identity to your practice (even just appointment times) may constitute PHI if combined with other identifiers. Acuity offers a BAA on paid plans. Calendly's BAA availability depends on plan and usage — check before using it for healthcare scheduling.
Email Platforms
Standard Gmail and Outlook personal accounts are not HIPAA compliant. Google Workspace (paid) and Microsoft 365 Business plans both offer BAAs for encrypted business email. If you communicate with clients via email about their care, your email platform must be covered by a BAA.
IT Support and Managed Service Providers
If an IT company has access to your computer systems — even just for remote support — and those systems contain PHI, the IT company is a business associate and needs a BAA. This is a commonly missed requirement for small practices.
How to Get a BAA as a Solo Therapist
You have two paths:
- Request the vendor's standard BAA — most compliant vendors have a pre-drafted BAA they'll send you. Review it, sign it, and keep a copy in your compliance records.
- Provide your own BAA — generate a standard HIPAA-compliant BAA and send it to the vendor for countersignature. This gives you more control over the terms and is often faster when dealing with smaller vendors who don't have their own BAA ready.
Either approach is acceptable under HIPAA. The critical thing is that a signed BAA exists before any PHI is shared.
Frequently Asked Questions
Does a solo private practice therapist really need a BAA?
Yes. HIPAA applies to all covered entities regardless of size. A solo LCSW with 10 clients has the same BAA obligations as a large group practice. The OCR has pursued enforcement actions against individual providers. Practice size does not create an exemption.
My EHR says it's HIPAA compliant — do I still need to sign a BAA?
Yes. "HIPAA compliant" infrastructure is not the same as an executed BAA. The BAA is a contract that creates enforceable legal obligations. Without it, there is no agreement governing how the vendor protects your clients' data. You must sign (or accept) the BAA — typically during account setup or on request — even if the platform is technically HIPAA-capable.
What if a vendor refuses to sign a BAA?
You cannot use that vendor for PHI-handling functions. This is a bright-line rule under HIPAA. If a vendor won't sign a BAA, you need to either find an alternative vendor who will, or ensure the vendor never accesses any PHI (which may not be possible depending on the service). Do not proceed and "hope for the best."