Blog · HIPAA · 2026-04-30

HIPAA for private-practice therapists — the 2026 rewrite

A working clinician's read of what has and has not changed in HIPAA for solo and small-group mental-health practice between the 2022 baseline and the early-2026 landscape — the subprocessor reality, the discovery shift, the AI-scribe section, and the five pages of documentation that hold the whole thing together for a one-person business.

TL;DR

The HIPAA Privacy and Security Rules a private-practice therapist learned in graduate school are still the spine of compliance. What has changed in 2026 is the periphery: vendors a practice has a BAA with depend on subprocessors that depend on subprocessors, breaches happen at depths most clinicians never see, plaintiff-side discovery has become more aggressive about reaching cloud AI vendors directly, and the rapid adoption of AI scribes has added a new category of compliance question that most published HIPAA-for-therapists guides have not been updated to cover. A maintainable solo-practice posture in 2026 is five short pages — Notice, Risk Analysis, Subprocessor Inventory, Breach Protocol, Training Log — and a deliberate stance on where session audio is allowed to live. The architectural-vs-contractual distinction at the AI-scribe layer is the most consequential single decision a privacy-cautious practice will make this year.

→ For the cornerstone BAA argument: see What is a BAA, actually — and what it does NOT cover. For the data-flow grid: The 7 things Mentalyc, Upheal, and Blueprint actually send to their servers.

Why this gets re-read every January

Every January, a recognizable wave of search traffic lands on whatever HIPAA-for-private-practice page is currently ranking. The wave is not random. It is the convergence of a calendar that puts annual practice review at the top of every clinician's list — renewing licensure, renewing malpractice coverage, refreshing the practice's policies and disclosures, sending the new year's Notice of Privacy Practices reminder — with the specific anxiety that comes from having spent the prior year using new tools without ever quite sitting down to ask whether the practice's compliance posture had kept up.

The 2026 version of that question is materially different from the 2022 version. In 2022 a private-practice clinician's tool list was usually one EHR, one telehealth platform, one secure-email or fax, and the clinician's laptop. By the start of 2026 the same practice often runs an EHR, a telehealth platform, a secure-messaging app, an online intake-form vendor, an e-prescribing or referral-routing tool if applicable, an accounting or invoicing tool, a scheduling tool, an analytics or marketing add-on, and — increasingly — an AI scribe. Each of those is a BAA the practice has to keep on file, a subprocessor list to read at least once, and a breach-notification clause whose timeline starts running the moment something goes wrong somewhere downstream.

The fundamentals have not changed. The volume and surface area of what the fundamentals govern has.

What hasn't changed

The HIPAA Privacy Rule still governs how a covered entity uses and discloses PHI. The Security Rule still requires administrative, physical, and technical safeguards proportional to the practice's size and risk. The Breach Notification Rule still requires notification of affected individuals without unreasonable delay and in no case later than 60 calendar days after discovery; notification of the Department of Health and Human Services, contemporaneously with the individual notices when 500 or more individuals are affected and otherwise through an annual log submitted within 60 days after the end of the calendar year; and notification of prominent media outlets when more than 500 residents of a single state or jurisdiction are affected. A business associate that discovers a breach owes the practice notice on its own 60-day clock, which is why the practice's clock often starts from a letter rather than from anything the practice observed itself. The HITECH-era enforcement structure still empowers the Office for Civil Rights to investigate, conciliate, and settle, with state attorneys general retaining a parallel enforcement role.

For a solo or small-group mental-health practice, the practical implications still reduce to five recurring obligations: give every client a Notice of Privacy Practices and document that you did; safeguard PHI in transit and at rest with reasonable technical controls; sign a BAA with every vendor that touches PHI on the practice's behalf; respond to breaches inside the 60-day window with the right people notified in the right order; and keep a paper trail that an investigator could read on a Tuesday afternoon and conclude that the practice has been operating in good faith. None of that is new. None of it needs a 2026 rewrite. It is the load-bearing core that the rest of this post sits on top of.

Mental-health PHI also still gets the heightened protections that distinguish it from general medical PHI in important ways: psychotherapy notes (in the strict 45 CFR 164.501 sense, meaning the clinician's process notes kept separately from the rest of the record) require a specific, separate authorization for release, a requirement that routine progress notes do not carry; substance-use disorder records under 42 CFR Part 2 still have their own confidentiality regime that runs alongside HIPAA; and many states layer additional protection on top of all of the above. Those protections are also unchanged. They are also the reason a private-practice mental-health clinician's threat model is not the same as a primary-care physician's.

What changed between 2022 and 2026

Three shifts have moved the periphery enough that a practice's documented posture should reflect them.

1. The subprocessor-breach pattern has become routine. Through 2024 and 2025 the steady cadence of breaches at vendors-of-vendors began producing notification letters that named services a clinician had never heard of. The pattern is mechanical: a practice signs with vendor A, vendor A uses subprocessor B for one of its core functions, subprocessor B has an incident, the practice is notified weeks or months later through the chain. The BAA is what turns that chain into legible obligations. It is also the reason a 2026 compliance posture should include a current Subprocessor Inventory, separate from the BAA file itself, that the practice can read in five minutes to know which downstream vendors might be the source of a notification when one arrives.

2. Plaintiff-side discovery has become aggressive about reaching cloud vendors directly. Subpoenas to AI vendors and to cloud transcription providers are no longer unusual in family-law, custody, personal-injury, and employment matters. Where prior to 2024 a subpoena for therapy records would land at the clinician's office, in 2026 it can also land at a cloud AI scribe's legal department for the same session, and the practice's ability to even know that the request was issued depends on the BAA's notification clause. None of this changes the underlying privilege analysis — psychotherapist-patient privilege is what it has always been — but it changes who is in a position to assert privilege on the practice's behalf, on what timeline, and with what kind of legal counsel paying attention.

3. AI scribes are now a normal practice tool, and the privacy questions they introduce are not yet codified anywhere. A clinician evaluating an AI scribe in 2026 is evaluating a SaaS tool that ingests the most identifying form of session content (the audio), runs it through a transcription engine and a large language model, returns a draft, and stores all of the above for some period. The compliance footprint is real. The published HIPAA-for-therapists guides — even the good ones — generally were written before AI scribes were a category, and so the section a clinician most needs to read is exactly the section that does not exist yet.

The AI-scribe section

An AI scribe is a business associate the moment it touches PHI, which it does as soon as the clinician uploads a session audio file or grants it microphone access and the audio leaves the device. The threshold question, whether the vendor is a business associate, is therefore trivial for any cloud scribe. The one caveat worth stating: a vendor whose software runs entirely on the clinician's machine and never receives the audio, transcript, or draft does not create, receive, maintain, or transmit PHI on the practice's behalf, and so is in the same position as a word-processor vendor rather than a business associate; the practice, not the vendor, then carries the safeguard obligations for that device. The harder questions live below the BAA.

The first question is what the vendor actually receives. The second is who its subprocessors are. The third is how long each artifact (audio, transcript, draft, edits, metadata) is retained, and on whose schedule. The fourth is what the vendor's notification clause obligates it to do when a subpoena, a security incident, or a regulatory inquiry lands on its end. The fifth, increasingly, is whether the vendor's architecture even requires the audio to be transmitted in the first place — because in 2026 that is no longer a hypothetical.

The vendor that runs everything in its cloud and offers a strong BAA is a real choice with real virtues — feature breadth, multi-device sync, automatic updates, professional security posture, and an organizational counterparty whose job it is to keep the lights on. The vendor that runs the inference on the clinician's own machine is a different choice with different virtues — the seven-category data-flow grid collapses, no subprocessors hold session audio, no notification chain depends on a downstream party, and the practice's threat model becomes "what's on the device I'm sitting at" rather than "what's everywhere a SaaS pipeline can reach." Neither is the right answer for every practice. Both are now legible answers, where two years ago only one of them existed.

The clinician's job is not to pick a tribe. It is to write down which categories of session content the practice has decided are not allowed to live on someone else's server, hand that list to whichever vendor is being evaluated, and read the answer carefully. The seven-row data-flow grid is one workable form of that exercise; the practice can pick its own.

The five-page checklist a solo practice can actually keep current

Most HIPAA-for-private-practice guidance assumes a practice has a compliance officer, an attorney on retainer, and the time to maintain a binder. A solo practice has none of those. The maintainable version of HIPAA documentation for one or two clinicians is five short, dated pages, regenerated annually, that an OCR investigator could read in twenty minutes and a plaintiff's counsel could read in ten.

1. Notice of Privacy Practices. One to two pages, written in plain language, given to every client at intake and posted on the practice's website. The Notice describes how the practice uses and discloses PHI, who it can be disclosed to without authorization, what rights the client has, and how the client can complain to the practice or to OCR. The Notice's content is largely standard; the practice's job is to make sure the version actually given to clients matches the practice's current operations and to date the document.

2. Risk Analysis. One to two pages, dated, describing where PHI lives in the practice (which devices, which cloud accounts, which paper files), how it moves between those locations, what could go wrong at each step, and what controls are in place to mitigate the most likely risks. The Risk Analysis is required by the Security Rule and is the single document an OCR investigator will read first if anything is reported. It does not need to be sophisticated. It needs to exist, to be specific to the practice, and to be current.

3. Subprocessor and BAA Inventory. One page. A list of every vendor that touches PHI on the practice's behalf, the date the BAA with that vendor was signed, and — for each vendor — the named subprocessors disclosed in the vendor's documentation that the practice has reviewed at least once. This is the page that gives the practice a chance of understanding a notification letter when one arrives. It is also the page most likely to be missing in a 2026 audit, because vendor lists have grown faster than the documentation describing them.

4. Breach Notification Protocol. Half a page. A flowchart, written down, of what the practice will do if a breach is discovered or notified: who decides whether the threshold for notification is met, what records get pulled, the 60-day clock (counted from the day the breach was discovered or, for a downstream incident, the day the vendor's notice reached the practice), and the order of notifications: affected individuals; HHS, with the individual notices if 500 or more individuals are affected and otherwise in the annual log; prominent media if more than 500 residents of one state or jurisdiction are affected; state regulators where applicable; the malpractice carrier; and the contact information for the practice's attorney or compliance consultant. The Protocol is a decision-support tool for the worst day of the practice's year. The value comes from having pre-decided how it will be handled rather than improvising under deadline pressure.

5. Workforce Training Log. Half a page, often a single dated table, recording that the clinician (and any contractors, supervisees, billers, or admin support) reviewed the practice's safeguards on a defined cadence: annually at minimum, plus whenever a meaningful change happens, such as adding a vendor or switching scribes. The Log is what closes the loop on the administrative-safeguard requirement; it is also the fastest item on this list to maintain because the entries are short.
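As an added illustration (not code from this post, and not TherapyDraft's), here is the Inventory and the Protocol reduced to a small Python model: an inverse lookup from a subprocessor named in a notification letter to the vendors that route PHI through it, a stale-review check against the annual cadence, and the notification deadline and recipient order for a discovered breach. Vendor names, subprocessor names, and dates are constructed placeholders; the thresholds follow 45 CFR 164.404, 164.406, and 164.408.

```python
"""
Added example, not part of the original post. A minimal model of the
Subprocessor and BAA Inventory and the Breach Notification Protocol.
All vendor, subprocessor and date values below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

NOTIFICATION_DEADLINE_DAYS = 60   # 45 CFR 164.404(b): no later than 60 calendar days after discovery
HHS_IMMEDIATE_THRESHOLD = 500     # 45 CFR 164.408(b): 500 or more individuals -> HHS with the individual notices
MEDIA_THRESHOLD = 500             # 45 CFR 164.406: more than 500 residents of one state/jurisdiction -> media
REVIEW_INTERVAL_DAYS = 365        # the practice's own annual-review cadence


@dataclass
class Vendor:
    name: str
    baa_signed: Optional[date]                 # None means no BAA on file
    subprocessors: Tuple[str, ...]             # names disclosed in the vendor's documentation
    subprocessors_reviewed: Optional[date]     # last time the practice read that list


# Constructed sample inventory (placeholder names and dates).
INVENTORY: List[Vendor] = [
    Vendor("EHR", date(2023, 3, 1), ("CloudHost-1", "EmailRelay-X"), date(2025, 1, 12)),
    Vendor("Telehealth", date(2024, 6, 15), ("CloudHost-1", "VideoCDN-Y"), date(2024, 6, 15)),
    Vendor("AI scribe (cloud)", date(2025, 9, 2),
           ("CloudHost-2", "TranscribeAPI-Z", "LLM-API-W"), date(2025, 9, 2)),
    Vendor("Intake forms", None, ("CloudHost-1",), None),
]


def inventory_gaps(inventory: List[Vendor], today: date) -> List[Tuple[str, str]]:
    """Return (vendor, problem) pairs the January review should resolve."""
    gaps = []
    stale_cutoff = today - timedelta(days=REVIEW_INTERVAL_DAYS)
    for v in inventory:
        if v.baa_signed is None:
            gaps.append((v.name, "no BAA on file"))
        if v.subprocessors_reviewed is None or v.subprocessors_reviewed < stale_cutoff:
            gaps.append((v.name, "subprocessor list not reviewed in the last year"))
    return gaps


def vendors_exposed_via(inventory: List[Vendor], subprocessor: str) -> List[str]:
    """Inverse lookup: a letter names a subprocessor; which of our vendors route PHI through it?"""
    return sorted(v.name for v in inventory if subprocessor in v.subprocessors)


def notification_plan(discovery: date, individuals_affected: int,
                      max_residents_one_state: int) -> Tuple[date, List[str]]:
    """Deadline and ordered recipient list for a breach discovered on `discovery`."""
    deadline = discovery + timedelta(days=NOTIFICATION_DEADLINE_DAYS)
    recipients = ["affected individuals"]
    if individuals_affected >= HHS_IMMEDIATE_THRESHOLD:
        recipients.append("HHS (with the individual notices)")
    else:
        recipients.append("HHS (annual log, within 60 days after the end of the calendar year)")
    if max_residents_one_state > MEDIA_THRESHOLD:
        recipients.append("prominent media in the affected state or jurisdiction")
    recipients += ["state regulators where applicable", "malpractice carrier",
                   "attorney or compliance consultant"]
    return deadline, recipients


if __name__ == "__main__":
    # Hypothetical January review, then a hypothetical letter naming CloudHost-1.
    for vendor, problem in inventory_gaps(INVENTORY, date(2026, 1, 15)):
        print(f"{vendor}: {problem}")
    print("Exposed via CloudHost-1:", vendors_exposed_via(INVENTORY, "CloudHost-1"))
    deadline, recipients = notification_plan(date(2026, 2, 3), 12, 12)
    print("Deadline:", deadline, "| order:", recipients)
```

The inverse lookup is the part a clinician actually needs on the day a letter arrives: the letter names the subprocessor, not the vendor the practice signed with. The stale-review check is what turns "reviewed at least once" into something a January pass can verify.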

Five pages. Kept on a shared encrypted drive or a paper folder in a locked filing cabinet, dated, regenerated annually as part of the practice's January review, with the superseded versions kept rather than overwritten, since the Privacy Rule requires policies and documentation to be retained for six years from the date they were last in effect. That is what HIPAA documentation for a solo private practice looks like in 2026 if the practice intends to actually keep up rather than buy a binder it never opens.

Where the architectural-vs-contractual distinction lands

The reason this post — and the rest of the writing on this site — keeps returning to the architectural-vs-contractual distinction is that it is the layer of HIPAA compliance the five-page checklist cannot directly improve. The Notice, the Risk Analysis, the Inventory, the Protocol, and the Training Log are administrative artifacts. They allocate responsibility, document care, and provide the paper trail that turns a bad day into a survivable one. None of them changes whether the audio of a session is or is not on someone else's server at the moment something goes wrong.

A practice that has done the five-page work and chosen a cloud AI scribe with a strong BAA is a defensible practice. The contractual layer is real protection. A practice that has done the five-page work and chosen on-device inference is also a defensible practice, with a different shape: the BAA chain is shorter, the Subprocessor Inventory has fewer entries, the Breach Notification Protocol's "what gets notified" list is structurally smaller because there is structurally less data on someone else's machine to be exposed in the first place. The two postures are distinguishable, and either is responsive to the obligations a 2026 covered entity carries.

The mistake is to treat "we have a BAA" as if it were the entire posture. The BAA is necessary. The five-page documentation is necessary. The deliberate stance on where the practice's most identifying data is allowed to live — that is the part that has to be a decision the practice has actually made, not a default it has inherited.

The 2026 January-review checklist (compressed)

That is the 2026 rewrite. The substance is the same as the 2022 version. The periphery is what has moved.

Related reading

Run the five-question gap check

Our BAA Coverage Gap Quiz turns the AI-scribe section above into five questions you can answer in sixty seconds. The quiz runs entirely in your browser; nothing is sent to us. Run the BAA Coverage Gap Quiz

Try TherapyDraft

The private beta is free for ten sessions — no credit card, no upload. Install the signed .dmg, grant microphone access, draft your first note on the laptop that already holds your calendar and your EHR login. The session audio, the transcript, and the draft never leave your Mac. Your Subprocessor Inventory does not gain a row because of this tool.

Join the private beta


This post is general information about HIPAA for private-practice mental-health professionals as of early 2026. It is not legal advice or compliance advice and does not establish a professional relationship. Statutes, regulations, enforcement priorities, and vendor practices change; consult a qualified healthcare attorney, a licensed compliance professional, or your state licensing board's published guidance before relying on any specific point in this post for an audit, an investigation, or a procurement decision. The "five-page checklist" framing is a suggested working minimum, not a substitute for the comprehensive Privacy and Security Rule analyses that larger practices and covered entities with significant transaction volume should commission.