
The HIPAA compliance checklist for private practice

Most “HIPAA compliance” advice is written for IT departments. This is the version for a therapist who just wants to know: what do I actually need, and am I missing anything that could get me fined?

  1. Confirm whether you are a covered entity
  2. Complete and document a Security Risk Analysis (required, annual)
  3. Adopt written Privacy & Security Policies and Procedures
  4. Provide and post a current Notice of Privacy Practices
  5. Sign BAAs with every vendor touching client data (EHR, billing, email, scheduling, cloud, AI notes)
  6. Designate a Privacy Officer and a Security Officer
  7. Train yourself and staff, and keep a training log plus a sanctions policy
  8. Set up a breach-notification procedure and log
  9. Implement basic safeguards: encryption, access controls, unique logins, auto-logoff
  10. Handle psychotherapy notes under their heightened protection

Where practices most often fail

In OCR enforcement, the recurring deficiencies are a missing or stale risk analysis, vendors without signed BAAs, and impermissible disclosures. The good news: each one maps to a specific document on the list above, which is exactly what the binder produces for you.

Get every document on this checklist, done for you

Preview the binder free. Founding pre-orders are delivered within 30 days, with a full refund anytime before then.
