If you run a therapy practice and you're about to sign up for an EHR, an AI scribe, a scheduling tool, or anything else that will touch client data, this checklist is the thing to print out and walk through before you click "Buy".
It's written for clinicians, not lawyers. The goal is to keep you out of the situations that have actually gotten therapy practices into trouble, not to make you read 200 pages of HHS guidance.
The two concepts vendors confuse on purpose
Almost every confusion in this category comes from collapsing two different things into one phrase. They are not the same.
"HIPAA-compliant software"
This means the vendor believes their product can be used in a HIPAA-compliant way. It is a marketing claim with no certification body behind it. Anyone can write it on a homepage.
"We will sign a BAA with your practice"
A Business Associate Agreement is the actual legal document that creates a chain of liability between your practice and the vendor for PHI handling. If the vendor will not sign a BAA, the tool cannot be used with PHI, full stop, no matter what their marketing says.
The first question to ask any vendor is not "are you HIPAA-compliant?" but "will you sign a BAA, and is it included in this pricing tier?"
The checklist
Print this. Walk through it for every tool before you commit. If a vendor cannot answer a question in 24 hours, assume the answer is no.
Section 1: The BAA
- Vendor will sign a BAA without negotiation
- BAA is included in the pricing tier you can actually afford (not gated behind enterprise)
- BAA names your practice (LLC, S-corp, sole prop) by its legal name
- BAA includes a breach-notification timeline you can live with (60 days after discovery is the outer limit under the HIPAA Breach Notification Rule, and the rule also says "without unreasonable delay"; many vendors commit to something faster in the BAA, and you should ask for it)
- BAA specifies how data is returned or destroyed at end of contract
Section 2: Data at rest
- PHI is encrypted at rest (AES-256 is the standard answer; "or equivalent" is fine if they can name it)
- Encryption keys are managed separately from the data (a key-management service or HSM, not a key file sitting next to the database), so a copy of the storage alone is not a copy of your records
- You know which country/region the data physically lives in (US-only is the safe default for US-licensed therapists)
- Backups are encrypted with the same standard
Section 3: Data in transit
- All connections use TLS 1.2 or higher
- No PHI is sent via email or SMS unless explicitly encrypted
- Vendor support staff cannot read your PHI while handling a support ticket by default; ask how support access is granted, whether it is time-limited, and whether it shows up in your access log
Section 4: Access controls
- You can enforce unique logins per clinician (no shared accounts)
- You can require strong passwords and 2FA
- You can revoke an employee's access in under 5 minutes
- You get an access log you can actually read (not just "available on request")
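One concrete use of that access log, as an added example that is not part of the original checklist: a small Python audit that reads a vendor's CSV export and flags the three things Section 4 is really asking about (an offboarded employee still getting in, one login shared across devices, and someone hammering a clinician's password). The column names, the sample rows and the offboarding date are constructed assumptions; map your vendor's export headers onto them.

```python
"""Audit a vendor access-log export for the Section 4 checks.

Assumed export columns (rename to match your vendor's export):
timestamp (ISO 8601, UTC), user, action, source_ip, record_id
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export; not from any real vendor or practice.
SAMPLE_LOG = """timestamp,user,action,source_ip,record_id
2024-03-04T09:02:11Z,dr.lee,login_success,203.0.113.10,
2024-03-04T09:05:40Z,dr.lee,view_note,203.0.113.10,C-1042
2024-03-04T09:06:02Z,frontdesk,login_success,203.0.113.22,
2024-03-04T09:06:30Z,frontdesk,login_success,198.51.100.7,
2024-03-04T09:07:15Z,frontdesk,view_note,198.51.100.7,C-1042
2024-03-04T11:20:00Z,j.ortiz,login_success,203.0.113.40,
2024-03-04T11:21:10Z,j.ortiz,view_note,203.0.113.40,C-2210
2024-03-05T02:14:00Z,dr.lee,login_failed,192.0.2.9,
2024-03-05T02:14:20Z,dr.lee,login_failed,192.0.2.9,
2024-03-05T02:14:41Z,dr.lee,login_failed,192.0.2.9,
2024-03-05T02:15:05Z,dr.lee,login_failed,192.0.2.9,
2024-03-05T02:15:30Z,dr.lee,login_failed,192.0.2.9,
"""

# Staff who left, and when their access should have been revoked (UTC).
# Constructed for the example.
OFFBOARDED = {"j.ortiz": datetime(2024, 3, 4, 10, 0)}


def parse_log(text):
    """Parse the CSV export into dicts with a real datetime under 'ts'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append(row)
    return rows


def post_revocation_access(rows, offboarded):
    """Any event by an offboarded user after their revocation time means
    the 'revoke in under 5 minutes' control did not actually work."""
    hits = []
    for r in rows:
        cutoff = offboarded.get(r["user"])
        if cutoff is not None and r["ts"] > cutoff:
            hits.append((r["user"], r["timestamp"], r["action"]))
    return hits


def shared_account_signals(rows, window=timedelta(minutes=10)):
    """One account logging in from two or more IPs inside a short window
    is the usual fingerprint of a shared login ('frontdesk', 'intern')."""
    logins = defaultdict(list)
    for r in rows:
        if r["action"] == "login_success":
            logins[r["user"]].append((r["ts"], r["source_ip"]))
    flagged = {}
    for user, events in logins.items():
        events.sort()
        for i, (t0, ip0) in enumerate(events):
            ips = {ip0}
            for t1, ip1 in events[i + 1:]:
                if t1 - t0 > window:
                    break
                ips.add(ip1)
            if len(ips) > 1:
                flagged[user] = sorted(ips)
                break
    return flagged


def failed_login_bursts(rows, threshold=5, window=timedelta(minutes=5)):
    """Repeated failures for one user from one IP in a few minutes is a
    password-guessing attempt; this is what 2FA is there to blunt."""
    failures = defaultdict(list)
    for r in rows:
        if r["action"] == "login_failed":
            failures[(r["user"], r["source_ip"])].append(r["ts"])
    bursts = []
    for (user, ip), times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                bursts.append((user, ip, len(times)))
                break
    return bursts


def audit(text, offboarded):
    rows = parse_log(text)
    return {
        "post_revocation_access": post_revocation_access(rows, offboarded),
        "shared_accounts": shared_account_signals(rows),
        "failed_login_bursts": failed_login_bursts(rows),
    }


if __name__ == "__main__":
    for finding, detail in audit(SAMPLE_LOG, OFFBOARDED).items():
        print(f"{finding}: {detail if detail else 'none'}")
```

Run it against a week of exports after every offboarding and any time a clinician reports a password-reset email they did not ask for. If the vendor's export does not carry at least a timestamp, a user, an action and a source address, that is the "not just available on request" problem from the checklist, and it belongs in your notes for the renewal conversation.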
Section 5: Audit and breach
- Vendor has had a SOC 2 Type II audit in the last 18 months
- You can request the SOC 2 report (often under NDA, which is fine)
- Vendor has a documented incident-response plan
- Vendor's last-known breach (if any) was disclosed and remediated
Section 6: AI-specific (if applicable)
- No PHI is used to train the vendor's models (this is non-negotiable for therapy)
- You know what happens to session audio after transcription (deleted? retained? for how long?)
- You can opt out of any "model improvement" data collection
- If the vendor uses a third-party LLM (OpenAI, Anthropic, Google), they have a BAA with that provider too, not just with you
Section 7: Your side of the chain
- You have a Notice of Privacy Practices that mentions software vendors
- Your intake forms disclose use of recording / AI tools where applicable
- You have a process for clients to opt out without penalty
- You have a documented vendor list (you'd be surprised how many practices can't list theirs)
- You review and re-sign BAAs annually
Red flags that should stop the conversation
A few things that, if you encounter them, should make you walk away, no matter how good the software looks.
- "We don't need a BAA because we don't see your data." Wrong. If PHI is stored or processed on their infrastructure, even encrypted and even briefly, a BAA is required; HHS's conduit exception covers only pure transmission services like an ISP, and a cloud vendor holding encrypted PHI is a business associate even if it never holds the key.
- "Our BAA is only available on the Enterprise tier ($X,000/month)." Some vendors do this. It is not necessarily disqualifying for a 50-clinician practice, but for a solo therapist it tells you the vendor has not built for your segment.
- "We're working on our SOC 2." Reasonable from a 6-month-old startup. Not reasonable from a 5-year-old EHR.
- "All your data is processed in [country with unclear data-residency laws]." Stop the conversation.
- No clear way to export your data if you leave. Data lock-in plus PHI is a long-term liability.
The 10-minute vendor-vetting script
If you'd rather not work through the full checklist, here's the abbreviated version you can email to any vendor sales rep:
Hi, before I move forward with [vendor name], I need to confirm a few things:
- Will you sign a BAA with my practice, and is the BAA included in the [tier] plan?
- Can you share your most recent SOC 2 Type II report (under NDA is fine)?
- Where is PHI stored geographically, and is it encrypted at rest with AES-256?
- What is your breach-notification timeline?
- If you use any third-party AI providers, do you have BAAs in place with them?
Could you send a written response to these by [date]?
Thanks, [your name]
If you get clear written answers to all five in under a week, the vendor is operationally serious about HIPAA. If you get vague or evasive answers, you have the information you need.
What this checklist does NOT cover
- State law. Some states (California, Texas, New York) have privacy laws that go beyond HIPAA. You may need additional protections.
- State licensing board rules. Your state board may have telehealth, recording, or documentation requirements that supersede vendor capabilities.
- Cyber insurance. If you don't have a policy, get one. For a small practice the premium is small next to the cost of breach notification and response; read the exclusions before you rely on it.
- Your physical office. Locks, printers, paper records, screen-locking habits. Lost or stolen unencrypted laptops are still one of the most common breach reports, and no vendor checklist covers the laptop left on a coffee shop table.
When you're ready to start vetting tools, the directory has every tool we've reviewed organized by category, with HIPAA status surfaced on each profile. Filter by HIPAA-compliant in the comparison table and start your shortlist there.