HIPAA compliance is not a one-time checklist. It's a continuous obligation — and for mental health practices, the stakes are particularly high. Protected Health Information (PHI) in a therapy context includes some of the most sensitive personal data that exists: session notes, diagnoses, trauma histories, medication records. A breach isn't a paperwork problem. It's a clinical problem that can cost you your license.

Most therapists assume their practice management software handles HIPAA compliance automatically. It doesn't. Many popular tools used by solo practitioners and small group practices are not HIPAA-compliant — and software vendors are not required to tell you that upfront. The liability for a breach falls on you, the covered entity, not the vendor.

HIPAA civil penalties are tiered by culpability. The base statutory tiers run from $100 to $50,000 per violation, capped at $1.5 million per year for each provision violated, and HHS adjusts these amounts for inflation every year, so the current figures are higher. A single unencrypted email containing patient intake data can be a reportable breach. Most breaches affecting small mental health practices trace back to two causes: unencrypted communication channels and inadequate access controls. Both are entirely fixable today.

The checklist below covers the 10 technical and administrative requirements that matter most for small therapy practices. Work through it against your current software stack. If any item fails, don't wait: switch tools or escalate to your vendor before more patient data passes through the failing tool.

The 10-Point Compliance Checklist

Encryption in Transit (TLS) on All Data Transmitted

What It Means

Every piece of data moving between your computer, your patients, and your software vendor must travel over an encrypted connection. In practice that means TLS, the protocol behind HTTPS (still often called SSL). TLS protects each hop between a client and a server; it does nothing for data once it is stored, which is the next item on the list. This is the baseline layer of HIPAA compliance, and the one most commonly missing in free or low-cost tools.

Why It Matters

An unencrypted connection means anyone on the same WiFi network, at a coffee shop or in a shared office building, can intercept patient names, session details, and insurance information as it travels. The Security Rule's transmission security standard (45 CFR 164.312(e)) requires you to guard ePHI in transit against unauthorized access, and encryption is the only practical way to meet it.

How to Check

Look for HTTPS (not just HTTP) at the beginning of every URL in your practice software, and confirm that typing the http:// form of the address redirects you to https:// rather than loading a plain page. Click the padlock icon in your browser; it should show a certificate issued to the vendor's domain with no warnings. Two caveats: the padlock covers only the hop between your browser and that server, not how the vendor moves data internally or to its subcontractors, so ask the vendor to confirm TLS 1.2 or later everywhere PHI moves; and a valid certificate says nothing about how the data is stored. If your scheduling tool, intake form, or email system doesn't use HTTPS, it cannot be used for PHI, regardless of what the vendor claims.
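The browser check above can be scripted for every hostname in your stack. The following is an added example written for this article, not code from MindDesk or any vendor; it uses only the Python standard library and assumes the tool is reachable on ports 80 and 443. The two live checks need network access; the helper functions they rely on (redirect evaluation, protocol acceptance, certificate expiry) run offline on constructed inputs.

```python
"""Transport-security check for a practice tool's hostname (added example)."""
import socket
import ssl
import sys
import time
from http.client import HTTPConnection
from urllib.parse import urlsplit

# Protocol names as ssl.SSLSocket.version() reports them. TLS 1.0 and 1.1 are
# deprecated and are rejected below.
ACCEPTABLE_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def tls_version_ok(protocol):
    return protocol in ACCEPTABLE_PROTOCOLS


def secure_redirect(status, location, host):
    """True when a plain-HTTP request was redirected to HTTPS on the same host."""
    if status not in (301, 302, 307, 308) or not location:
        return False
    target = urlsplit(location)
    return target.scheme == "https" and (target.hostname or host).lower() == host.lower()


def parse_cert_time(not_after):
    """Epoch seconds for the 'notAfter' string ssl returns, e.g. 'Jan  5 09:59:00 2030 GMT'."""
    return ssl.cert_time_to_seconds(not_after)


def days_until_expiry(not_after, now):
    """Whole days left on a certificate as of `now` (epoch seconds)."""
    return int((parse_cert_time(not_after) - now) // 86400)


def check_http_redirect(host, timeout=5):
    """Does http://host/ send the browser to HTTPS instead of serving the page?"""
    conn = HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        return secure_redirect(resp.status, resp.getheader("Location"), host)
    finally:
        conn.close()


def check_tls(host, timeout=5):
    """Negotiate TLS with chain and hostname verification, TLS 1.2 minimum."""
    ctx = ssl.create_default_context()          # verifies the chain and the hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse TLS 1.0/1.1 outright
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "protocol": tls.version(),
                "cipher": tls.cipher()[0],
                "not_after": cert["notAfter"],
                "expires_in_days": days_until_expiry(cert["notAfter"], time.time()),
            }


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: python transport_check.py app.example-vendor.test")  # hostname is illustrative
    host = sys.argv[1]
    try:
        print("HTTP redirects to HTTPS:", check_http_redirect(host))
    except OSError as exc:
        print("port 80 not reachable (fine if nothing listens there):", exc)
    try:
        info = check_tls(host)
    except ssl.SSLError as exc:   # bad chain, wrong hostname, or protocol below TLS 1.2
        sys.exit(f"TLS FAIL: {exc}")
    print(info)
    print("Protocol acceptable:", tls_version_ok(info["protocol"]))
```

A handshake failure here is the result you want to see before a patient does: `create_default_context()` already rejects an untrusted or mismatched certificate, and lowering `minimum_version` is the only way to make a TLS 1.0-only server pass, which is exactly the point.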

Data Encryption at Rest

What It Means

Data stored on servers (at rest) must be encrypted so that even if the server is breached, patient data is unreadable. This is distinct from encryption in transit — your vendor should be encrypting the database layer itself.

Why It Matters

Server breaches happen. When they hit a system that stores PHI in the clear, the attacker can read every record and the incident is a reportable breach. Equifax agreed to a settlement of up to $700 million after its 2017 breach; a small therapy practice cannot absorb anything like that. HIPAA lists encryption at rest as an "addressable" implementation specification (45 CFR 164.312(a)(2)(iv)), which means you must implement it or document why an equivalent alternative is reasonable. The incentive to implement it is strong: under HHS guidance, PHI encrypted to NIST standards, where the keys were not also compromised, counts as "secured", and its loss is generally not a reportable breach. For any system holding PHI, treat it as mandatory.

How to Check

Ask your vendor directly: "Is patient data encrypted at rest on your servers?" If they can't answer immediately with a yes, or if they redirect to "our data center uses physical security", that's your answer. Walk. If they say yes, ask two follow-ups: where the encryption is applied (full-disk encryption on the server protects against a stolen drive but not against an attacker who compromises the application or database, so database- or application-level encryption is stronger) and who holds the keys (ideally a key management service separate from the database, with key use logged).

Signed Business Associate Agreement (BAA)

What It Means

Any third party that handles, stores, or processes PHI on your behalf, including your practice management software, email provider, cloud storage, and appointment reminder service, must sign a HIPAA Business Associate Agreement. This is a legal contract that binds the vendor to the Security Rule's safeguards, to breach notification, and to passing the same terms down to its own subcontractors. Since the HITECH Act, business associates are also directly liable under HIPAA for their own violations.

Why It Matters

Without a BAA, you have no HIPAA-compliant vendor relationship. Your practice is non-compliant the moment a vendor without a BAA touches PHI. Many popular tools, including consumer Gmail, personal Dropbox accounts, and most free scheduling apps, do not sign BAAs. The paid business tiers of some of the same products (Google Workspace, Dropbox Business) do, but only for the specific services named in the agreement, so read the covered-services list rather than assuming the brand name is enough.

How to Check

Search the vendor's website for "Business Associate Agreement" or "HIPAA"; most compliant vendors make this prominently available. If you can't find it, submit a support ticket asking for their BAA. A real HIPAA-compliant vendor will send one. If they say "we don't offer BAAs," they are not compliant. Read the agreement before signing: check the breach-notification window it commits to, whether the vendor may use subcontractors, and which of its services it actually covers.

Role-Based Access Controls

What It Means

Not everyone on your staff should see every patient's record. HIPAA's "minimum necessary" standard limits uses of PHI to what each person needs for their job, and the Security Rule's access control standard (45 CFR 164.312(a)) requires that every user have a unique ID and that access to PHI be restricted to authorized people and software. Together these mean permissions scoped to roles, with no shared login.

Why It Matters

A receptionist doesn't need to see clinical notes. An intern doesn't need to see all patients in the practice. If your software has one login that grants full access to everything, it fails this requirement — and it creates internal risk if a staff member's credentials are compromised.

How to Check

In your practice management software, check whether you can create different user accounts with different permission levels. If there's only one admin-level account and everything else is unrestricted, that's a compliance gap. MindDesk handles this by default — clinicians see clinical records; staff see scheduling and intake status.

Audit Logs — Who Accessed What, When

What It Means

Your software must keep a record of who accessed patient data, when, and what they did. This log should be automatic, tamper-resistant, and available for review.

Why It Matters

If a breach occurs, the first thing regulators and investigators ask is: "Who accessed this data, and when?" Practices without audit logs cannot answer that question — which is itself a HIPAA violation. Audit logs also deter internal misuse, because staff who know their access is tracked are less likely to view records outside their scope.

How to Check

Ask your vendor: "Do you log user access to patient records, and are those logs accessible to the covered entity (me)?" If the answer is no or "we don't have that feature," that's a significant gap. Audit trail capability is a baseline HIPAA technical safeguard.
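The two requirements above, role-scoped access and a tamper-resistant audit trail, are easiest to understand as one mechanism: every read of PHI passes through a deny-by-default policy check, and every attempt, allowed or denied, is appended to a log whose entries commit to each other by hash, so a deleted or edited entry breaks the chain. The block below is an added example written for this article, not MindDesk's or any vendor's code. The roles, record types, patient IDs, staff names and care-team assignments are constructed for the demonstration.

```python
"""Role-scoped PHI access with a hash-chained audit trail (added example)."""
import hashlib
import json
from datetime import datetime, timezone

# Minimum-necessary policy: each role lists the record types it may read.
# Anything not listed is denied. Role and record names are illustrative.
ROLE_PERMISSIONS = {
    "clinician":  {"schedule", "intake_status", "clinical_note", "diagnosis"},
    "front_desk": {"schedule", "intake_status"},
    "billing":    {"schedule", "insurance"},
    "intern":     {"clinical_note"},   # and only for assigned patients, see can_access()
}

# Constructed sample data: which staff are on each patient's care team.
CARE_TEAM = {
    "pt-1001": {"dr_lee", "intern_kay"},
    "pt-1002": {"dr_lee"},
}

GENESIS = "0" * 64


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class AuditLog:
    """Append-only log; each entry's hash covers its fields plus the previous hash."""

    def __init__(self):
        self.entries = []

    def append(self, user, role, patient, record_type, allowed, at=None):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        body = {
            "at": (at or datetime.now(timezone.utc)).isoformat(),
            "user": user, "role": role, "patient": patient,
            "record": record_type, "allowed": allowed, "prev": prev,
        }
        body["hash"] = _digest(body)
        self.entries.append(body)
        return body

    def verify(self):
        """Index of the first entry whose chain is broken, or -1 if the log is intact."""
        prev = GENESIS
        for i, entry in enumerate(self.entries):
            body = {k: v for k, v in entry.items() if k != "hash"}
            if entry["prev"] != prev or entry["hash"] != _digest(body):
                return i
            prev = entry["hash"]
        return -1

    def accesses_to(self, patient):
        """The question an investigator asks first: who touched this patient, and when."""
        return [e for e in self.entries if e["patient"] == patient]


def can_access(user, role, patient, record_type):
    if record_type not in ROLE_PERMISSIONS.get(role, set()):
        return False                     # deny by default, unknown roles included
    if role == "intern" and user not in CARE_TEAM.get(patient, set()):
        return False                     # interns see only their own assigned patients
    return True


def read_record(log, user, role, patient, record_type):
    """Every attempt is logged before the decision is enforced, denials included."""
    allowed = can_access(user, role, patient, record_type)
    log.append(user, role, patient, record_type, allowed)
    if not allowed:
        raise PermissionError(f"{role} {user} may not read {record_type} for {patient}")
    return f"<{record_type} for {patient}>"   # stand-in for the stored record


def demo():
    """Four access attempts, then an attempt to edit the log after the fact."""
    log = AuditLog()
    outcomes = {}
    for user, role, patient, record in [
        ("dr_lee", "clinician", "pt-1001", "clinical_note"),   # allowed
        ("pat", "front_desk", "pt-1001", "clinical_note"),     # denied: not in role
        ("intern_kay", "intern", "pt-1002", "clinical_note"),  # denied: not on care team
        ("intern_kay", "intern", "pt-1001", "clinical_note"),  # allowed
    ]:
        try:
            read_record(log, user, role, patient, record)
            outcomes[(user, patient)] = "allowed"
        except PermissionError:
            outcomes[(user, patient)] = "denied"
    outcomes["intact_before"] = log.verify()
    log.entries[1]["allowed"] = True       # someone tries to hide the denied attempt
    outcomes["intact_after"] = log.verify()
    return log, outcomes


if __name__ == "__main__":
    log, outcomes = demo()
    print(outcomes)
    print(len(log.accesses_to("pt-1001")), "logged attempts on pt-1001")
```

In a real deployment the log lives in write-once storage the application account cannot modify, and the latest hash is periodically copied somewhere the vendor's own administrators cannot reach; the chain only proves tampering if the final hash is anchored outside the system being audited.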

Multi-Factor Authentication (MFA)

What It Means

MFA adds a second verification step when logging in: a code from an authenticator app, a hardware security key, a biometric, or, the weakest option, a code sent by SMS. Even if someone steals your password, most often through a phishing page, they can't access the account without the second factor. Prefer app-generated codes or a hardware key over SMS, which can be intercepted through SIM swapping.

Why It Matters

Stolen or phished credentials are among the most common ways attackers get into healthcare systems; IBM's 2023 Cost of a Data Breach report lists compromised credentials among the most frequent initial attack vectors across industries. MFA directly blocks that path. HIPAA's person or entity authentication standard (45 CFR 164.312(d)) does not name MFA, but it is now the control auditors, cyber insurers and breach investigators expect for any remote access to PHI, and HHS's proposed Security Rule update (January 2025) would make it an explicit requirement.

How to Check

Go to your practice software settings and look for "Two-Factor Authentication" or "MFA." Enable it for every account, not only administrators: a receptionist's login with scheduling access still exposes patient names and appointment times. If it's not available as an option, that's a red flag. MindDesk requires MFA for all admin-level accounts.
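For the engineers on the vendor side of this conversation, here is what "a code from an authenticator app" is underneath. The block below is an added example for this article, not MindDesk's implementation: a standard-library TOTP (RFC 6238) verifier that tolerates one step of clock drift, compares codes in constant time, and refuses a code that has already been used. The secret is the published RFC test secret, so the expected codes are the RFC's own test vectors, not anything from a real account.

```python
"""TOTP (RFC 6238) verification as an MFA backend performs it (added example)."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte counter, dynamic truncation, decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from Unix time in 30-second steps."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step), digits)


def decode_base32_secret(text):
    """Authenticator apps display secrets in base32, usually unpadded and spaced."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret, submitted, used_counters, at=None, step=30, window=1):
    """Accept the current step and `window` steps either side (clock drift),
    compare in constant time, and refuse any counter that already authenticated,
    so a code captured by a phishing page cannot be replayed."""
    if not (isinstance(submitted, str) and submitted.isascii() and submitted.isdigit()):
        return False
    now = time.time() if at is None else at
    current = int(now // step)
    for delta in range(-window, window + 1):
        counter = current + delta
        if hmac.compare_digest(hotp(secret, counter), submitted):
            if counter in used_counters:
                return False             # replay of an already-consumed code
            used_counters.add(counter)   # persist this per user in a real backend
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret ("12345678901234567890"), as an authenticator app would show it.
    secret = decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print("code at t=59 (RFC vector 287082):", totp(secret, at=59))
    used = set()
    print("first use accepted:", verify_totp(secret, "287082", used, at=59))
    print("replay rejected:", not verify_totp(secret, "287082", used, at=59))
```

Two details matter more than the arithmetic: the shared secret must be stored with the same protection as PHI (a leaked secret lets anyone generate codes forever), and the used-counter set has to be persisted per user, otherwise a restart reopens the replay window.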

Automatic Session Timeout

What It Means

Staff who leave their computer unattended while logged into patient records create an exposure risk. HIPAA's access control standard includes "automatic logoff" (45 CFR 164.312(a)(2)(iii)), a mechanism that ends a session after a period of inactivity. It is an addressable specification, meaning you implement it or document why an equivalent control is adequate; for a clinical workstation in a shared space there is no equivalent.

Why It Matters

A therapist who steps out of the room to take a crisis call, leaving their computer open in a community space, has just exposed patient records to whoever walks by. Automatic session timeout limits the window of exposure. This is especially critical for group practices with shared workspaces.

How to Check

Check if your software has a session timeout setting. Most modern tools have this under security or privacy settings; 15 minutes of inactivity is a common choice for clinical workstations. If there's no timeout option, treat it as a gap and request a fix from your vendor. In the meantime, turn on the operating system's screen lock with a short idle timer and lock the screen whenever you step away, since a browser tab left open on an unlocked workstation is exactly the exposure this control exists to prevent.
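On the vendor side, "session timeout" should mean two clocks, not one: an idle timer that resets on activity, and an absolute lifetime that does not, so a session kept alive by a background page refresh still ends. The following is an added example written for this article, not MindDesk's code; the 15-minute idle and 12-hour absolute limits are assumed policy values, and times are passed in explicitly so the behaviour can be checked without waiting.

```python
"""Idle and absolute session expiry, as a vendor's backend enforces it (added example)."""
import secrets

IDLE_TIMEOUT = 15 * 60          # assumed policy: end the session after 15 idle minutes
ABSOLUTE_LIFETIME = 12 * 3600   # assumed policy: and in any case 12 hours after login


class SessionStore:
    def __init__(self, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_LIFETIME):
        self.idle = idle
        self.absolute = absolute
        self._sessions = {}

    def login(self, user, now):
        sid = secrets.token_urlsafe(32)   # unguessable session identifier
        self._sessions[sid] = {"user": user, "started": now, "last_seen": now}
        return sid

    def touch(self, sid, now):
        """Called on every request. Returns the user if the session is live and
        extends the idle clock; returns None and drops the session if either
        the idle timeout or the absolute lifetime has passed."""
        session = self._sessions.get(sid)
        if session is None:
            return None
        idle_for = now - session["last_seen"]
        age = now - session["started"]
        if idle_for > self.idle or age > self.absolute:
            del self._sessions[sid]       # server-side state is gone, not just the cookie
            return None
        session["last_seen"] = now
        return session["user"]

    def logout(self, sid):
        self._sessions.pop(sid, None)

    def live_count(self):
        return len(self._sessions)


if __name__ == "__main__":
    store = SessionStore()
    sid = store.login("dr_lee", now=0)
    print(store.touch(sid, now=10 * 60))              # dr_lee: 10 minutes idle is fine
    print(store.touch(sid, now=10 * 60 + 16 * 60))    # None: 16 minutes idle, session dropped
```

Dropping the server-side record is the part that matters: clearing a cookie in the browser while the session stays valid on the server is a "timeout" in appearance only.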

Secure, Compliant Patient Messaging

What It Means

If you communicate with patients via text, email, or a messaging feature in your practice software, those channels must be HIPAA-compliant. Regular SMS and standard email are not: neither is encrypted end to end, and copies of every message sit on the carrier's or email provider's servers, outside any BAA. HHS does permit sending PHI to a patient by unencrypted email when the patient has been warned of the risk and still asks for it; record that choice if you honor it, and don't treat it as a blanket license for routine practice messaging.

Why It Matters

Much therapist-patient communication happens between sessions: scheduling questions, reschedule requests, brief check-ins. Even something as basic as "yes, your 3pm slot is confirmed" ties an identifiable person to treatment at your practice, so these messages usually contain PHI, and regular email and SMS are not compliant channels for them.

How to Check

Audit every communication channel you use with patients: email, SMS, WhatsApp, your practice software's messaging feature. For each, ask: "Is this channel encrypted and BAA-covered?" If you can't confirm both, stop using it for PHI — or switch to a compliant alternative. Digital intake systems like MindDesk use encrypted channels for all patient communication.

Vendor Security Certifications (SOC 2, Annual Penetration Testing)

What It Means

SOC 2 Type II is an independent auditor's attestation report, not a certificate: it states that the auditor tested the vendor's security controls over an observation period (typically 6 to 12 months), not just at a point in time. Annual penetration testing means someone has actively tried to break into their systems to find weaknesses before attackers do.

Why It Matters

A vendor can say "we take security seriously." A SOC 2 report is evidence. Without third-party validation, you're trusting marketing language. Healthcare organizations are a high-value target for attackers specifically because of the sensitivity of the data — small solo practice software is often less secure than enterprise tools, making it an attractive target.

How to Check

Ask potential vendors: "Can you provide your most recent SOC 2 Type II report?" and "Do you conduct annual penetration testing?" Respected vendors will have these documents ready to share under NDA. When you get them, check the report's date, the systems in scope (it should cover the product that holds your PHI, not only corporate IT), and the exceptions section, and ask for the penetration test's summary letter with the remediation status of any findings. If a vendor hesitates, deflects, or says "we handle security internally," that's a serious concern.

Breach Notification Procedures and Incident Response

What It Means

HIPAA's Breach Notification Rule requires covered entities to notify affected patients without unreasonable delay and no later than 60 days after discovering a breach (45 CFR 164.404). A business associate has the same 60-day outer limit for telling you (45 CFR 164.410), so relying on the regulation alone could leave you no time at all. Your software vendor must have a documented, tested incident response procedure and must notify you fast enough that you can meet your own obligation.

Why It Matters

If your vendor's system is breached and they don't tell you until week 10, you've lost the window to notify your patients before the legal deadline. You face fines not because of the vendor's breach, but because of your failure to notify on time. The vendor's response speed is your response speed.

How to Check

Ask vendors: "What's your breach notification procedure, and what's your typical time-to-notify covered entities?" A compliant vendor should answer this directly and should have a published security contact and incident response page. Write the answer into the BAA as a specific window (a number of days, not "promptly") before signing; the regulation's 60 days is a ceiling, not a target. If you can't find this information, request it before signing any contract.

Common HIPAA Mistakes Small Practices Make

Beyond the checklist, three patterns show up repeatedly in HIPAA enforcement actions against mental health practices. Knowing them doesn't make you compliant — but it helps you avoid the most common traps.

1. Using personal accounts for practice communications. Consumer Gmail, personal Dropbox, and iCloud do not come with BAAs and are not HIPAA-compliant. If you're using any of these to store or transmit patient records, you're in violation. The same applies to consumer-tier Zoom and other consumer video tools for telehealth sessions: a signed BAA is required before you use any platform for patient video sessions. See our guide on HIPAA-compliant telehealth platforms for therapists for a full breakdown of which tools qualify. The fix: migrate to business-tier accounts with signed BAAs, or use a dedicated patient intake system that handles this automatically.

2. Assuming "HIPAA-compliant" software means you don't have to do anything. HIPAA places obligations on the covered entity, you, not just your vendor. You still need to conduct regular risk assessments, train staff on handling PHI, and maintain written policies. Your vendor is responsible for the technical safeguards inside its own system; you remain responsible for the administrative safeguards and for the devices and accounts on your side of it: laptop disk encryption, screen locks, staff offboarding, and who holds which login. Both are required.

3. Not auditing your technology stack after onboarding. Most practices choose software once and use it for years. But HIPAA compliance isn't static. Vendors can lose their certifications, change their infrastructure, or get acquired, any of which can change your compliance status. Run through this checklist annually, or whenever you switch vendors or major features.

How MindDesk Handles Each Requirement

MindDesk was built with HIPAA compliance as a foundation, not an afterthought. Here's how the platform maps to each checklist item:

Encryption in transit and at rest: All data transmitted through MindDesk uses TLS 1.2+. Patient records at rest are encrypted using AES-256 — the same standard used by banks and healthcare systems. Data is stored in SOC 2 Type II certified infrastructure.

Business Associate Agreement: MindDesk signs BAAs with all customers as part of onboarding. This is available before you submit a single patient intake form — not after a sales conversation.

Role-based access controls: MindDesk separates clinical access from administrative access. Clinicians see clinical records. Office staff see scheduling and intake status. Access is scoped to role, not to everything by default.

Audit logs: Every login, record access, and data export is logged with timestamp, user, and action. Practice administrators can request an audit log export at any time.

Multi-factor authentication: MFA is required for all admin accounts on MindDesk and available for all team members. This is enabled by default — no configuration required.

Secure patient messaging: All patient communication through MindDesk's intake and scheduling platform stays within the encrypted, BAA-covered environment. No PHI travels over standard email or SMS.

Breach notification: MindDesk maintains a documented incident response procedure with a maximum 24-hour notification window to covered entities. We maintain a dedicated security contact listed in our customer portal.

Built HIPAA-compliant, not HIPAA-aware

Most practice software is "HIPAA-aware" — they have a checkbox somewhere. MindDesk is HIPAA-compliant by architecture. Every layer of the stack was built to meet the requirements above. If you're evaluating practice management tools, see what that difference looks like in a live demo.

Request a Demo →

We'll walk through the compliance architecture, not just the features.