What's a Business Associate Agreement and who needs one?

A BAA is a contract you sign with any vendor that creates, receives, maintains, or transmits PHI on your behalf — your EHR, your email host, your telehealth platform, your cloud backup. If a vendor cannot provide a signed BAA, they cannot legally hold PHI for you.

Anything California-specific I need beyond HIPAA?

Yes — California Confidentiality of Medical Information Act (CMIA) is stricter than HIPAA in several places, plus CA AB-2013 (AI disclosure) and CCPA/CPRA apply if you hit revenue/data thresholds. California Board of Psychology requires record retention for 7 years from last contact (10 years for minors). Notice of Privacy Practices must be provided AND posted in your office waiting room (CA-specific stricter than HIPAA).

2026 Operator Guide · PhD · PsyD · EdD · Encinitas · San Diego County

HIPAA for Clinical Psychologists in Private Practice

Q: Do I have to be HIPAA compliant as a private-practice clinical psychologist?

Yes — if you bill insurance electronically, use any EHR, email or text clients, store testing data in cloud software, or use telehealth. The California Board of Psychology assumes you are HIPAA compliant for license renewal. Psychological assessment data (WAIS, MMPI, Rorschach test protocols) is explicitly PHI under HIPAA.

Q: What's the cheapest HIPAA-compliant stack for a solo psychology practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email (Paubox or Hushmail Pro ~$10-13/mo or Google Workspace with BAA) + signed BAAs with every vendor that touches PHI. Telehealth tier if you do telehealth. Total ~$80-150/mo for a solo full-stack.

Q: What gets a small psychology practice fined the fastest?

Three things, in order: (1) Texting clients from a personal phone without a BAA-eligible texting service, (2) Sending PHI from a Gmail account that's not Google Workspace with a signed BAA, and (3) Using consumer Zoom or FaceTime for telehealth instead of HIPAA tiers. OCR fines for small practices in 2024-2026 have ranged from $25K to $250K for these patterns.

Q: Do I need a Notice of Privacy Practices?

Yes — every HIPAA Covered Entity must provide a Notice of Privacy Practices (NPP) to each new client and post it on your practice website if you have one. Free template at hhs.gov/sites/default/files/ocr/privacy/hipaa/modelnotices/healthplan-A.pdf. Most EHRs auto-generate one in their intake flow.

Q: Is the OCR really fining small psychology practices?

Yes. The OCR publicly enforces HIPAA against small and solo practices, not just big hospital systems. The public enforcement portal at HHS OCR shows the names, dates, and dollar amounts.

Operator-honest answers from a working SEO/AI shop in Encinitas to the questions clinical psychologists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Board of Psychology (BoP) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.

Skip to: Fix-This-Week Checklist → $250 Operator Audit (3-5 day signal-quality report)

What's in this page 1 · Do I actually need to be HIPAA compliant? 2 · Clinical Psychologists-specific risk patterns 3 · The minimum-viable HIPAA stack ($80-150/mo) 4 · The fix-this-week checklist (6 items · <3 hours) 5 · The 3 things that get small practices fined the fastest 6 · California layer (CMIA + AB-2013 + CCPA) + California Board of Psychology (BoP) 7 · Vendor cheatsheet · who signs BAAs cleanly 8 · How SideGuy helps (if you want help) 9 · FAQ

1 · Do I actually need to be HIPAA compliant?

Short answer: yes, in 2026, almost certainly.

You are a HIPAA Covered Entity the moment any one of these is true:

You bill insurance — Medicare, Medi-Cal, commercial, workers comp — through electronic claims.
You use any cloud-based EHR or scheduling system.
You email or text a client anything identifying them as your client.
You use a patient portal for forms, payments, or messaging.
You store notes, intake forms, or treatment plans in cloud software.

Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only psychology practice in 2026, you're inside HIPAA scope.

2 · Clinical Psychologists-specific risk patterns

Clinical Psychologists-specific risk: Psychological testing and assessment data (WAIS, MMPI, Rorschach) is PHI under HIPAA. Storing test protocols in non-BAA cloud (Dropbox personal, iCloud, Google Drive personal) is the #1 quiet violation among California psychologists.

Clinical Psychologists-specific vendor notes

PsychAssessments + TheraNest are HIPAA-eligible psych-assessment platforms with BAAs. Q-global (Pearson) signs BAAs. Q-interactive (Pearson) signs BAAs. Free PDF assessment forms emailed to clients from a personal Gmail account = HIPAA breach.

3 · The minimum-viable HIPAA stack ($80-150/mo)

This is the stack most solo and 2-3 clinician psychology practices in 2026 actually run:

Layer	Vendor (one of)	Cost / mo	BAA included?
EHR + Notes + Billing	See vendor cheatsheet below	$49-$99	Yes (auto on signup for paid plans)
HIPAA Email	Paubox · Hushmail · Google Workspace + BAA	$10-$25	Yes (Google requires active BAA sign)
Telehealth (if used)	EHR-integrated · Doxy.me · Zoom for Healthcare	$0-$25	Yes — NOT consumer Zoom
Texting / SMS	Spruce · OhMD · EHR portal	$15-$30	Yes
Cloud backup (optional)	Google Workspace · Box for Healthcare	$0-$15	Yes (active BAA required)
Total · solo practice	—	$80-$150/mo	—

Signal: the most common over-spend we see is paying $5K-$20K for a one-time "HIPAA compliance package" or a $300+/mo "compliance platform". For a solo psychology practice without 50+ employees, you do not need that. You need 6 contracts, 4 settings, 2 documents, and an annual re-check.

4 · The fix-this-week checklist (6 items · <3 hours)

1. Stop using personal email / consumer Zoom / personal text messages

30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.

2. Sign BAAs with every vendor that touches PHI

45 min. Make a folder (Drive folder works). Save signed BAA from EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.

3. Publish a Notice of Privacy Practices

20 min. Most EHRs auto-include this in intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.

4. Configure 2FA on every account that touches PHI

20 min. EHR · email · cloud storage · password manager. Use authenticator app (Authy · 1Password), not SMS where possible.

5. Encrypt your laptop and phone

10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).

6. Write a one-page HIPAA Security Risk Assessment (SRA)

45 min. Required by HIPAA Security Rule. Solo practice = one-page is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do once a year.

5 · The 3 things that get small practices fined the fastest

Pattern	Typical fine range	How to avoid
1. Texting clients from a personal phone	$25K-$100K	Spruce, OhMD, or EHR portal
2. Sending PHI from Gmail (not Workspace + BAA)	$50K-$250K	Workspace + BAA, Paubox, or Hushmail
3. Consumer Zoom or FaceTime for telehealth	$50K-$150K	Zoom for Healthcare or Doxy.me or EHR telehealth
4. No Notice of Privacy Practices on file	$10K-$50K	HHS template + EHR intake flow
5. Lost / stolen unencrypted laptop with PHI	$50K-$300K	FileVault / BitLocker · 10 min one-time

6 · California layer (CMIA + AB-2013 + CCPA) + California Board of Psychology (BoP)

CMIA · California Confidentiality of Medical Information Act — broader than HIPAA in some areas. Civil penalties up to $25K per violation + actual damages.
CA AB-2013 (AI Disclosure) — disclose AI use in your Notice of Privacy Practices (conservative posture).
CCPA / CPRA — applies if you hit thresholds (~$25M revenue OR 100K+ consumers). Most solo practices fall below.
CA breach notification — 72 hours written notification for breaches affecting 500+ records (stricter than HIPAA's 60 days).
California Board of Psychology (BoP)-specific — California Board of Psychology requires record retention for 7 years from last contact (10 years for minors). Notice of Privacy Practices must be provided AND posted in your office waiting room (CA-specific stricter than HIPAA).

7 · Vendor cheatsheet · who signs BAAs cleanly

Clinical Psychologists-specific vendor notes

Category	Vendor	BAA process
Email	Google Workspace	Self-serve in admin console · MUST sign actively
Email	Paubox	Auto with subscription · encrypts outbound by default
Email	Hushmail for Healthcare	Auto with subscription · cheap solo tier
Telehealth	Doxy.me	Auto with any tier · including free
Telehealth	Zoom for Healthcare	Active BAA setup required · consumer Zoom is NOT compliant
Texting	Spruce	Auto with subscription · HIPAA-eligible 2-way SMS
Cloud storage	Google Workspace Drive	Auto if Workspace BAA signed · personal Drive is NOT
Cloud storage	Dropbox HIPAA	Auto with Business plan + BAA · sign actively

8 · How SideGuy helps (if you want help)

SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice clinical psychologists:

Tier	Price	What
SideGuy Hour	$150 one-time	One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list
Operator Audit	$250 one-time	3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough
Practice Compliance Sprint	$2,000 one-time	10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA

5-min Self-Serve Worksheet (no meeting required) $250 Operator Audit Detail →

9 · FAQ

Do I have to be HIPAA compliant as a private-practice clinical psychologist?

Yes — if you bill insurance electronically, use any EHR, email or text clients, store testing data in cloud software, or use telehealth. The California Board of Psychology assumes you are HIPAA compliant for license renewal. Psychological assessment data (WAIS, MMPI, Rorschach test protocols) is explicitly PHI under HIPAA.

What's the cheapest HIPAA-compliant stack for a solo psychology practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.

What gets a small psychology practice fined the fastest?

Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.

Do I need a Notice of Privacy Practices?

Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.

What's a Business Associate Agreement?

A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.

Is the OCR really fining small psychology practices?

Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.

Anything California-specific?

Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and California Board of Psychology (BoP) record-keeping rules. California Board of Psychology requires record retention for 7 years from last contact (10 years for minors). Notice of Privacy Practices must be provided AND posted in your office waiting room (CA-specific stricter than HIPAA).

Can I use ChatGPT / Claude / AI for note-taking?

Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.

Related operator pages

Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.