EasyMindCare Team

Is Your Software Truly HIPAA Compliant? A Checklist for Solo Therapists

A practical software-vetting checklist for solo therapists who need to evaluate EHRs, email, telehealth, and other tools through a HIPAA risk lens.

Starting a solo private practice means taking on a high-stakes operational responsibility very quickly: protecting electronic protected health information, or ePHI.

Most therapists understand the ethical weight of confidentiality. What catches people off guard is the software side. Graduate school rarely gave anyone a practical manual for evaluating EHRs, email providers, calendars, telehealth tools, intake systems, or AI add-ons through a HIPAA lens.

That gap creates a predictable mistake. A lot of solo practitioners assume that if a product is heavily advertised, expensive, or labeled for healthcare, it must already be fully safe.

That is not how HIPAA works.

Software does not become magically compliant because a vendor says the right words on a pricing page. What software can do is support a safer, more defensible workflow when the vendor relationship, technical safeguards, and day-to-day practice habits are all handled properly.

If you are not sure whether your EHR, email, calendar, telehealth platform, or client intake stack belongs anywhere near PHI, use this checklist before you trust it.

If you need the broader foundation first, start with the plain-English HIPAA guide for solo therapists.

Phase 1: The Non-Negotiable Starting Point

Before you inspect a single feature, check the legal relationship.

1. Business Associate Agreement

  • [ ] Has the vendor confirmed whether it will sign a Business Associate Agreement?
  • [ ] Do you actually have the signed agreement on file where applicable?

If a vendor is creating, receiving, maintaining, or transmitting ePHI on your behalf, it is generally acting as a business associate, and HIPAA requires a signed BAA with business associates before they handle your ePHI [1]. This is one of the fastest ways to separate healthcare-ready vendors from consumer-grade tools dressed up with better marketing.

Important nuance: a signed BAA is necessary in many cases, but it is not the same thing as full compliance. It is a contractual foundation, not a guarantee that the product settings, security controls, or your own internal practices are sound.

If you want to see the public language EasyMindCare uses around this, review the Business Associate Agreement page.

Phase 2: Technical Safeguards to Pressure-Test

This is the part most solo therapists think they are buying automatically. They are not. You have to ask direct questions.

2. Authentication and unique access

  • [ ] Does the system require a unique account and secure authentication for each user, with no shared logins?
  • [ ] Is multi-factor authentication available, and can you turn it on for your own account?
  • [ ] Are password expectations, account recovery, and login security described clearly?

Even if you are solo today, the software should not behave like a casual consumer app. Account access should be treated seriously from day one.

3. Access control

  • [ ] Can access to records or workflows be limited based on who is authorized to see what, so that a biller can see billing data without seeing session notes?

This may feel less urgent when you are the only clinician, but it matters as soon as a biller, assistant, contractor, or future team member enters the picture. The existence of access controls tells you whether the product was built with healthcare realities in mind.

4. Session timeout and logoff controls

  • [ ] Does the system support session timeout, automatic logoff, or equivalent session-management controls?

The issue here is not the label. The issue is whether the product reduces the chance that someone can walk up to an unattended device and access sensitive information.

5. Encryption in transit and at rest

  • [ ] Does the vendor state specifically how data is protected in transit (for example, TLS on every connection, including the client portal and any integrations) and at rest (what is encrypted, including backups, and who controls the keys)?
  • [ ] Are the answers specific, or do they dissolve into vague marketing language?

Encryption is one of the easiest things for vendors to gesture at without explaining well. "Bank-level encryption" with no detail is a warning sign; "all traffic uses TLS, stored data and backups are encrypted, and keys are managed separately from the application" is the kind of answer you are looking for. One caveat: encryption at rest protects data on a lost laptop, stolen disk, or leaked backup. It does nothing against someone who signs in with a valid account, which is why the authentication and access-control questions above still matter.

6. Integrity controls

  • [ ] Are there controls that help protect ePHI from unauthorized alteration or destruction, such as edit history on notes, a record of who changed what, and backups you can actually restore from?

You do not need the vendor to read you a cryptography textbook. You do need confidence that the system treats clinical records as something that must remain trustworthy: a finalized note should not be quietly editable or deletable without leaving a trace.

7. Audit controls

  • [ ] Can the system record meaningful access and activity logs (which user, which record, what action, and when)?
  • [ ] If something goes wrong, could you reconstruct who accessed what and when?
  • [ ] Can you view or export those logs yourself, and how long are they retained?

Audit logs matter because they make the system more defensible under scrutiny and because they are how you would work out the scope of a suspected breach. They are not a magic checkbox by themselves, but they are part of what separates serious healthcare infrastructure from generic software.
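To make items 6 and 7 concrete, here is a small added example (written for this page, not EasyMindCare's code or any vendor's log format) of what "tamper-evident" and "reconstruct who accessed what and when" look like in practice. It uses a few constructed audit events with assumed field names, chains them with SHA-256 so that an edited or deleted entry breaks verification, and answers the question "who touched this client's record?" from the log.

```python
"""Added example: a hash-chained audit log with a simple access query.

Everything here is illustrative. The field names (ts, user, action, record)
and the sample events are constructed for this example and are not taken
from any real system.
"""
import hashlib
import json

# Constructed sample audit events, oldest first.
SAMPLE_EVENTS = [
    {"ts": "2024-03-04T09:01:12Z", "user": "dr.lee",  "action": "view",   "record": "client-0421"},
    {"ts": "2024-03-04T09:03:40Z", "user": "dr.lee",  "action": "edit",   "record": "client-0421"},
    {"ts": "2024-03-04T11:17:05Z", "user": "biller1", "action": "view",   "record": "client-0421"},
    {"ts": "2024-03-05T08:45:59Z", "user": "dr.lee",  "action": "export", "record": "client-0377"},
]

# Fixed starting value for the first link in the chain.
GENESIS = "0" * 64


def _digest(prev_hash, event):
    """Hash of the previous link plus a canonical encoding of this event."""
    payload = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode("utf-8")).hexdigest()


def build_chain(events):
    """Turn a list of events into chain entries: {"event": ..., "hash": ...}.

    Each hash covers the previous entry's hash, so changing or removing an
    earlier entry invalidates every entry after it.
    """
    chain, prev = [], GENESIS
    for event in events:
        link = _digest(prev, event)
        chain.append({"event": event, "hash": link})
        prev = link
    return chain


def verify_chain(chain, expected_head=None):
    """Return the index of the first broken link, or None if the chain is intact.

    expected_head is the most recent hash as recorded somewhere the system
    cannot quietly rewrite (for example, a copy you export periodically).
    Without it, silently dropping the newest entries is not detectable, which
    is why a chain alone is not a complete integrity control.
    """
    prev = GENESIS
    for index, entry in enumerate(chain):
        if _digest(prev, entry["event"]) != entry["hash"]:
            return index
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(chain)  # entries missing from the end
    return None


def who_accessed(chain, record):
    """Reconstruct (timestamp, user, action) for every touch of one record."""
    return [
        (e["event"]["ts"], e["event"]["user"], e["event"]["action"])
        for e in chain
        if e["event"]["record"] == record
    ]


if __name__ == "__main__":
    chain = build_chain(SAMPLE_EVENTS)
    print("intact:", verify_chain(chain) is None)
    for ts, user, action in who_accessed(chain, "client-0421"):
        print(ts, user, action)

    # Simulate someone rewriting the second entry to hide who edited the note.
    tampered = list(chain)
    tampered[1] = {"event": {**chain[1]["event"], "user": "biller1"}, "hash": chain[1]["hash"]}
    print("first broken link after tampering:", verify_chain(tampered))
```

The point for a vendor conversation is not that your EHR must use this exact construction; it is that "integrity controls" and "audit controls" are concrete, testable properties. A vendor that can say what its logs contain, how they are protected from editing, and how you can get a copy is giving you a real answer.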

If you are evaluating a core record system specifically, the guide on HIPAA and EHR selection for solo therapists goes deeper on what these controls should look like in practice.

Phase 3: Administrative Safeguards You Still Own

This is the part software cannot do for you.

8. Written internal rules

  • [ ] Do you have written policies for which tools are approved for PHI, how devices are secured, and how records are handled?

HIPAA risk is not just a product issue. It is also a workflow issue. The same app can be used thoughtfully or sloppily depending on the practice around it.

9. Periodic risk review

  • [ ] Do you have a repeatable way to review software risk, device risk, and vendor changes over time?

Your stack does not stay frozen. Vendors change terms, add AI features, alter storage models, or raise prices. A tool that felt acceptable two years ago may deserve a second look now.

The Fast Red Flags List

If a vendor cannot answer these questions clearly, slow down.

  • [ ] They avoid the BAA question or push you toward consumer tiers.
  • [ ] They use phrases like "HIPAA certified" or "fully compliant" without meaningful detail.
  • [ ] They cannot explain logging, data handling, or access controls in plain language.
  • [ ] They speak confidently about convenience and barely at all about record security.
  • [ ] They make it hard to understand what happens to your data if you stop paying.

That last point matters more than many therapists realize. If you want the ownership angle, read what actually happens when you stop paying your EHR.

A Better Way to Think About Compliance and Architecture

Many solo therapists buy software as if the main question is whether the vendor is safe enough.

That is only part of the question.

The better question is: how much control, clarity, and dependency does this setup create over time?

Different architectures create different risk boundaries. A shared cloud SaaS platform can be managed responsibly. A more ownership-oriented or dedicated setup can reduce some kinds of vendor dependence and make long-term retention questions easier to reason about. Neither approach removes the need for sound policies, secure devices, backups, access discipline, and ongoing review.

That is the frame EasyMindCare is pushing: solo therapists need simpler infrastructure, clearer responsibility, and less permanent dependence on bloated software rent.

If you want to pressure-test the cost side of stacking tool after tool, the software rent calculator is the fastest place to start.

Use the Checklist Before You Trust the Tool

The point of this checklist is not to make solo practice more intimidating.

It is to replace vague fear with better questions.

If a vendor can answer those questions clearly, great. If they cannot, that is useful information too.

You do not need a perfect stack. You need a stack you can understand, defend, and live with over time.

If you want to talk through BAAs, software sprawl, or EasyMindCare's approach to solo-practice infrastructure, request an EasyMindCare demo.

Quick note: any demos or previews use fake client data in a compliant environment.

References

