What's a Business Associate Agreement and who needs one?

A BAA is a contract you sign with any vendor that creates, receives, maintains, or transmits PHI on your behalf — your EHR, your email host, your telehealth platform, your cloud backup. If a vendor cannot provide a signed BAA, they cannot legally hold PHI for you.

2026 Operator Guide · SLP · CCC-SLP · Encinitas · San Diego County

HIPAA for Speech-Language Pathologists in Private Practice

Q: Do I have to be HIPAA compliant as a private-practice speech-language pathologist?

Yes if you bill insurance (Medi-Cal, private), use an EHR, record therapy videos for parent review, store eval reports in cloud software, or offer teletherapy. Pediatric SLPs working with school-aged children also navigate FERPA in parallel — the rule of thumb: services billed through insurance trigger HIPAA, school-contracted services under IDEA trigger FERPA.

Q: What's the cheapest HIPAA-compliant stack for a solo speech-language pathology practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email (Paubox or Hushmail Pro ~$10-13/mo or Google Workspace with BAA) + signed BAAs with every vendor that touches PHI. Telehealth tier if you do telehealth. Total ~$80-150/mo for a solo full-stack.

Q: What gets a small speech-language pathology practice fined the fastest?

Three things, in order: (1) Texting clients from a personal phone without a BAA-eligible texting service, (2) Sending PHI from a Gmail account that's not Google Workspace with a signed BAA, and (3) Using consumer Zoom or FaceTime for telehealth instead of HIPAA tiers. OCR fines for small practices in 2024-2026 have ranged from $25K to $250K for these patterns.

Q: Do I need a Notice of Privacy Practices?

Yes — every HIPAA Covered Entity must provide a Notice of Privacy Practices (NPP) to each new client and post it on your practice website if you have one. Free template at hhs.gov/sites/default/files/ocr/privacy/hipaa/modelnotices/healthplan-A.pdf. Most EHRs auto-generate one in their intake flow.

Q: Is the OCR really fining small speech-language pathology practices?

Yes. The OCR publicly enforces HIPAA against small and solo practices, not just big hospital systems. The public enforcement portal at HHS OCR shows the names, dates, and dollar amounts.

Q: Anything California-specific I need beyond HIPAA?

Yes — California Confidentiality of Medical Information Act (CMIA) is stricter than HIPAA in several places, plus CA AB-2013 (AI disclosure) and CCPA/CPRA apply if you hit revenue/data thresholds. California SLPAB regulates SLPs. For school-contracted SLPs, FERPA applies WITH HIPAA — the line is blurry but generally: school evaluations under IDEA → FERPA; private-pay services contracted separately → HIPAA. Pediatric SLPs commonly bill both Medi-Cal and private insurance — both trigger HIPAA.

Operator-honest answers from a working SEO/AI shop in Encinitas to the questions speech-language pathologists actually ask: when you have to be HIPAA compliant, what to fix this week, what it costs, and which mistakes the OCR fines the fastest. California Speech-Language Pathology & Audiology Board (SLPAB) aligned. No fluff, no scare tactics, no $5K "compliance package" upsell.

Skip to: Fix-This-Week Checklist → $250 Operator Audit (3-5 day signal-quality report)

What's in this page 1 · Do I actually need to be HIPAA compliant? 2 · Speech-Language Pathologists-specific risk patterns 3 · The minimum-viable HIPAA stack ($80-150/mo) 4 · The fix-this-week checklist (6 items · <3 hours) 5 · The 3 things that get small practices fined the fastest 6 · California layer (CMIA + AB-2013 + CCPA) + California Speech-Language Pathology & Audiology Board (SLPAB) 7 · Vendor cheatsheet · who signs BAAs cleanly 8 · How SideGuy helps (if you want help) 9 · FAQ

1 · Do I actually need to be HIPAA compliant?

Short answer: yes, in 2026, almost certainly.

You are a HIPAA Covered Entity the moment any one of these is true:

You bill insurance — Medicare, Medi-Cal, commercial, workers comp — through electronic claims.
You use any cloud-based EHR or scheduling system.
You email or text a client anything identifying them as your client.
You use a patient portal for forms, payments, or messaging.
You store notes, intake forms, or treatment plans in cloud software.

Operator translation: if you are running anything besides a 100% cash, paper-records, phone-call-only speech-language pathology practice in 2026, you're inside HIPAA scope.

2 · Speech-Language Pathologists-specific risk patterns

Speech-Language Pathologists-specific risk: Pediatric SLPs in private practice handle two parallel privacy laws: HIPAA (medical privacy) and FERPA (educational privacy) when working with school-aged children. Video recordings of therapy sessions for parent review are PHI. Storing those videos on Google Drive personal or iCloud Family Sharing is the #1 quiet violation in pediatric SLP private practice.

Speech-Language Pathologists-specific vendor notes

SLP-specific HIPAA platforms with BAAs: TheraPlatform, Fusion Web Clinic, ClinicSource, WebPT (multi-specialty). For video recordings with BAA: SimplePractice video storage, WebPT video, or AWS S3 + BAA. For tele-SLP: PresenceLearning, eLuma (school contracts), or general HIPAA telehealth.

3 · The minimum-viable HIPAA stack ($80-150/mo)

This is the stack most solo and 2-3 clinician speech-language pathology practices in 2026 actually run:

Layer	Vendor (one of)	Cost / mo	BAA included?
EHR + Notes + Billing	See vendor cheatsheet below	$49-$99	Yes (auto on signup for paid plans)
HIPAA Email	Paubox · Hushmail · Google Workspace + BAA	$10-$25	Yes (Google requires active BAA sign)
Telehealth (if used)	EHR-integrated · Doxy.me · Zoom for Healthcare	$0-$25	Yes — NOT consumer Zoom
Texting / SMS	Spruce · OhMD · EHR portal	$15-$30	Yes
Cloud backup (optional)	Google Workspace · Box for Healthcare	$0-$15	Yes (active BAA required)
Total · solo practice	—	$80-$150/mo	—

Signal: the most common over-spend we see is paying $5K-$20K for a one-time "HIPAA compliance package" or a $300+/mo "compliance platform". For a solo speech-language pathology practice without 50+ employees, you do not need that. You need 6 contracts, 4 settings, 2 documents, and an annual re-check.

4 · The fix-this-week checklist (6 items · <3 hours)

1. Stop using personal email / consumer Zoom / personal text messages

30 min. Anything sent from yourname@gmail.com with a client's first name + appointment is a HIPAA breach. Upgrade to Google Workspace + BAA, Paubox, or Hushmail. Same for Zoom — switch to Zoom for Healthcare or use your EHR telehealth.

2. Sign BAAs with every vendor that touches PHI

45 min. Make a folder (Drive folder works). Save signed BAA from EHR, email host, telehealth, scheduling, billing service, cloud backup. If a vendor cannot give you a BAA, they cannot legally hold PHI.

3. Publish a Notice of Privacy Practices

20 min. Most EHRs auto-include this in intake flow. If yours doesn't, use the HHS template at hhs.gov · Model NPP. Every new client signs that they received it.

4. Configure 2FA on every account that touches PHI

20 min. EHR · email · cloud storage · password manager. Use authenticator app (Authy · 1Password), not SMS where possible.

5. Encrypt your laptop and phone

10 min. Mac: System Settings → Privacy & Security → FileVault → On. iPhone: 6+ digit passcode auto-encrypts. This converts a stolen laptop from "reportable HIPAA breach" to "stolen laptop" (OCR safe harbor).

6. Write a one-page HIPAA Security Risk Assessment (SRA)

45 min. Required by HIPAA Security Rule. Solo practice = one-page is defensible. Free HHS interactive tool: healthit.gov SRA Tool. Re-do once a year.

5 · The 3 things that get small practices fined the fastest

Pattern	Typical fine range	How to avoid
1. Texting clients from a personal phone	$25K-$100K	Spruce, OhMD, or EHR portal
2. Sending PHI from Gmail (not Workspace + BAA)	$50K-$250K	Workspace + BAA, Paubox, or Hushmail
3. Consumer Zoom or FaceTime for telehealth	$50K-$150K	Zoom for Healthcare or Doxy.me or EHR telehealth
4. No Notice of Privacy Practices on file	$10K-$50K	HHS template + EHR intake flow
5. Lost / stolen unencrypted laptop with PHI	$50K-$300K	FileVault / BitLocker · 10 min one-time

6 · California layer (CMIA + AB-2013 + CCPA) + California Speech-Language Pathology & Audiology Board (SLPAB)

CMIA · California Confidentiality of Medical Information Act — broader than HIPAA in some areas. Civil penalties up to $25K per violation + actual damages.
CA AB-2013 (AI Disclosure) — disclose AI use in your Notice of Privacy Practices (conservative posture).
CCPA / CPRA — applies if you hit thresholds (~$25M revenue OR 100K+ consumers). Most solo practices fall below.
CA breach notification — 72 hours written notification for breaches affecting 500+ records (stricter than HIPAA's 60 days).
California Speech-Language Pathology & Audiology Board (SLPAB)-specific — California SLPAB regulates SLPs. For school-contracted SLPs, FERPA applies WITH HIPAA — the line is blurry but generally: school evaluations under IDEA → FERPA; private-pay services contracted separately → HIPAA. Pediatric SLPs commonly bill both Medi-Cal and private insurance — both trigger HIPAA.

7 · Vendor cheatsheet · who signs BAAs cleanly

Speech-Language Pathologists-specific vendor notes

Category	Vendor	BAA process
Email	Google Workspace	Self-serve in admin console · MUST sign actively
Email	Paubox	Auto with subscription · encrypts outbound by default
Email	Hushmail for Healthcare	Auto with subscription · cheap solo tier
Telehealth	Doxy.me	Auto with any tier · including free
Telehealth	Zoom for Healthcare	Active BAA setup required · consumer Zoom is NOT compliant
Texting	Spruce	Auto with subscription · HIPAA-eligible 2-way SMS
Cloud storage	Google Workspace Drive	Auto if Workspace BAA signed · personal Drive is NOT
Cloud storage	Dropbox HIPAA	Auto with Business plan + BAA · sign actively

8 · How SideGuy helps (if you want help)

SideGuy is a one-operator AI + SEO + compliance shop in Encinitas, CA. For private-practice speech-language pathologists:

Tier	Price	What
SideGuy Hour	$150 one-time	One hour, async-friendly · walk your stack · 2-3 gaps that matter · written one-page fix-list
Operator Audit	$250 one-time	3-5 day signal-quality audit · full setup · written PDF + 30-min walkthrough
Practice Compliance Sprint	$2,000 one-time	10 days · audit + cleanup + missing-document drafts + vendor migrations + re-usable annual SRA

5-min Self-Serve Worksheet (no meeting required) $250 Operator Audit Detail →

9 · FAQ

Do I have to be HIPAA compliant as a private-practice speech-language pathologist?

Yes if you bill insurance (Medi-Cal, private), use an EHR, record therapy videos for parent review, store eval reports in cloud software, or offer teletherapy. Pediatric SLPs working with school-aged children also navigate FERPA in parallel — the rule of thumb: services billed through insurance trigger HIPAA, school-contracted services under IDEA trigger FERPA.

What's the cheapest HIPAA-compliant stack for a solo speech-language pathology practice?

~$80-150/month total: HIPAA-eligible EHR + HIPAA-eligible email + signed BAAs. Add telehealth tier if you do telehealth.

What gets a small speech-language pathology practice fined the fastest?

Texting clients from a personal phone, sending PHI from non-Workspace Gmail, and consumer Zoom for telehealth. OCR fines $25K-$250K.

Do I need a Notice of Privacy Practices?

Yes. Free HHS template. Most EHRs auto-generate one. Every new client signs that they received it.

What's a Business Associate Agreement?

A contract with any vendor that touches your PHI. If a vendor cannot provide one, they cannot legally hold PHI for you.

Is the OCR really fining small speech-language pathology practices?

Yes. HHS OCR Breach Reports portal shows names, dates, and dollar amounts publicly.

Anything California-specific?

Yes — CMIA, CA AB-2013 AI disclosure, CCPA if you hit thresholds, and California Speech-Language Pathology & Audiology Board (SLPAB) record-keeping rules. California SLPAB regulates SLPs. For school-contracted SLPs, FERPA applies WITH HIPAA — the line is blurry but generally: school evaluations under IDEA → FERPA; private-pay services contracted separately → HIPAA. Pediatric SLPs commonly bill both Medi-Cal and private insurance — both trigger HIPAA.

Can I use ChatGPT / Claude / AI for note-taking?

Only with a signed BAA from the AI vendor. Anthropic offers BAAs for Claude Enterprise. OpenAI for ChatGPT Enterprise. Google for Gemini through Workspace. Free / consumer tiers do NOT come with BAAs.

Related operator pages

Not legal advice. Operator-grade reference written by working SEO/AI operators in Encinitas, CA. Not attorneys. For licensure-specific or breach-specific questions consult a healthcare attorney. HHS OCR is the federal HIPAA enforcement authority. California enforces CMIA + state-board rules.