
HIPAA Business Associate Agreement for Therapists

By BAA Generator Editorial  ·  Updated Apr 19, 2026  ·  5 min read


Key Takeaways

Direct answer: Yes — therapists, LCSWs, marriage and family therapists, psychologists, and psychiatrists are all HIPAA covered entities. Any vendor who accesses, stores, or processes your clients' protected health information must sign a Business Associate Agreement with your practice. This includes your EHR, billing company, telehealth platform, cloud storage, and more.

Private practice therapists are among the most common targets of HIPAA enforcement actions — not because they suffer major data breaches, but because they're operating without signed BAAs. A missing BAA with a billing company or an EHR vendor is a technical violation that the OCR can and does cite in investigations. Here's what every mental health provider needs to know.

Why Therapists Are Covered Entities Under HIPAA

HIPAA applies to "covered entities" — health plans, healthcare clearinghouses, and healthcare providers who transmit health information electronically in connection with certain standard transactions. Mental health providers who submit claims electronically (or whose billing company does) are covered entities.

This means:

All of the above are covered entities. If you accept insurance — or if your biller submits claims electronically — you are covered by HIPAA and must have BAAs in place.

What PHI Does a Therapy Practice Handle?

Protected health information in a therapy context includes more than just session notes. PHI encompasses:

If a vendor's system touches any of this data, a BAA is required before that vendor can access it.

Vendors Therapists Typically Need BAAs With

EHR and Practice Management Software

SimplePractice, TherapyNotes, TheraNest, Kareo, and similar platforms store your session notes, treatment plans, and billing records. All of them offer BAAs — but you must actively sign or accept the BAA; it doesn't happen automatically when you sign up.

Billing Companies and Clearinghouses

If you outsource billing or use a clearinghouse to submit claims, your biller receives client names, diagnosis codes, and insurance details. A BAA is required. Many billing companies will proactively send you their standard BAA; if they don't, you should request one before sharing any client data.

Telehealth Platforms

Zoom for Healthcare, Doxy.me, and similar telehealth platforms can sign a BAA. Standard Zoom (non-healthcare plans) cannot — do not use a free or standard Zoom account for therapy sessions. Doxy.me offers a free tier with HIPAA compliance and BAA for individual providers, making it a common choice for solo therapists.

Cloud Storage

Google Drive (on paid Workspace plans), Dropbox Business, and Microsoft OneDrive for Business all offer BAAs. Personal/free storage accounts — including personal Google Drive, personal Dropbox, and iCloud — do not qualify for HIPAA BAAs and cannot be used to store client files.

Scheduling and Appointment Software

Acuity Scheduling, Calendly, and similar tools store data that links a person's identity to your practice (even just appointment times), and that data may constitute PHI when combined with other identifiers. Acuity offers a BAA on paid plans. Calendly's BAA availability depends on plan and usage — check before using it for healthcare scheduling.

Email Platforms

Standard Gmail and Outlook personal accounts are not HIPAA compliant. Google Workspace (paid) and Microsoft 365 Business plans both offer BAAs for encrypted business email. If you communicate with clients via email about their care, your email platform must be covered by a BAA.

IT Support and Managed Service Providers

If an IT company has access to your computer systems — even just for remote support — and those systems contain PHI, the IT company is a business associate and needs a BAA. This is a commonly missed requirement for small practices.

How to Get a BAA as a Solo Therapist

You have two paths:

Either approach is acceptable under HIPAA. The critical thing is that a signed BAA exists before any PHI is shared.


Frequently Asked Questions

Does a solo private practice therapist really need a BAA?

Yes. HIPAA applies to all covered entities regardless of size. A solo LCSW with 10 clients has the same BAA obligations as a large group practice. The OCR has pursued enforcement actions against individual providers. Practice size does not create an exemption.

My EHR says it's HIPAA compliant — do I still need to sign a BAA?

Yes. "HIPAA compliant" infrastructure is not the same as an executed BAA. The BAA is a contract that creates enforceable legal obligations. Without it, there is no agreement governing how the vendor protects your clients' data. You must sign (or accept) the BAA — typically during account setup or on request — even if the platform is technically HIPAA-capable.

What if a vendor refuses to sign a BAA?

You cannot use that vendor for PHI-handling functions. This is a bright-line rule under HIPAA. If a vendor won't sign a BAA, you need to either find an alternative vendor who will, or ensure the vendor never accesses any PHI (which may not be possible depending on the service). Do not proceed and "hope for the best."

Do therapists need a HIPAA Business Associate Agreement?

Yes — therapists, LCSWs, psychologists, and other mental health providers are covered entities under HIPAA. Any vendor or service provider who accesses, stores, or transmits your clients' protected health information (PHI) — including session notes, billing records, or appointment data — must sign a BAA with your practice before accessing that data.

What vendors does a therapist need a BAA with?

Therapists typically need BAAs with: their EHR or practice management software (SimplePractice, TherapyNotes, etc.), billing companies or clearinghouses, cloud storage services used for clinical notes, telehealth platforms (Zoom for Healthcare, Doxy.me), appointment scheduling software that stores client names and contact info, email platforms used for clinical communication, and IT support providers who have access to systems storing PHI.

Does a solo private practice therapist need BAAs?

Yes — HIPAA BAA requirements apply regardless of practice size. A solo therapist is still a covered entity under HIPAA. If any third-party vendor handles your clients' PHI on your behalf, a BAA is required. The only exception is vendors who receive PHI solely for treatment, payment, or healthcare operations on behalf of another covered entity — but most software vendors fall outside that exception.

What happens if a therapist doesn't have a BAA with their EHR vendor?

Operating without a required BAA is a direct HIPAA violation under 45 CFR § 164.504(e). Penalties range from 41 to $68,928 per violation, with annual caps up to $2,067,813. The HHS Office for Civil Rights (OCR) has levied settlements specifically against solo and small-practice providers for missing BAAs. The risk is real even for small practices.
