

Is SimplePractice HIPAA Compliant?

What mental and behavioral health practitioners need to know about SimplePractice's HIPAA compliance — including BAA availability across all paid plans, what the BAA covers, and what the clinic's compliance program must still address independently.

Short answer

Yes. SimplePractice is purpose-built for mental and behavioral health practitioners and includes a Business Associate Agreement at all paid plan tiers: no enterprise gate, no special negotiation. Telehealth, clinical notes, scheduling, intake forms, and billing are covered. The nuance: the BAA covers the software platform and SimplePractice's obligations as a business associate. It does not replace the practice's own HIPAA compliance program. Clinics still need a documented risk assessment, workforce training records, written policies, a sanctions policy, and an incident response plan. A BAA with one good vendor does not make the practice compliant.

BAA availability across SimplePractice plans

SimplePractice’s approach to BAA coverage is notably accessible compared to many other vendors in this series. Where a tool such as SurveyMonkey gates BAA access behind an enterprise-tier plan or a specific paid upgrade, SimplePractice includes the BAA for all paying subscribers.

This reflects SimplePractice’s positioning as a healthcare-first platform. Mental and behavioral health practitioners, the primary user base, are covered entities under HIPAA whenever they transmit standard electronic transactions such as insurance claims, which most do. A platform designed for this market that gated BAA access behind an enterprise tier would underserve its users.

Review SimplePractice’s current terms of service and security documentation to understand exactly how the BAA is presented to subscribers. The mechanics of accepting or executing the BAA may be embedded in the subscription agreement or available as a separate document. Confirm the current process and retain documentation.

What SimplePractice’s BAA covers

Under the BAA, SimplePractice is a business associate for covered entities using the platform. SimplePractice’s obligations include:

  • Protecting the confidentiality, integrity, and availability of PHI stored in the platform
  • Reporting breaches of PHI to the covered entity
  • Ensuring that any subcontractors it uses who handle PHI are similarly bound
  • Returning or destroying PHI upon termination of the business associate relationship per the BAA terms

SimplePractice covers these clinical and administrative functions under the BAA:

Clinical documentation: Progress notes, treatment plans, assessments, and clinical records created in SimplePractice are PHI. The BAA covers their storage and handling within the platform. Note that psychotherapy notes, as defined in the Privacy Rule (a therapist’s separate process notes kept apart from the rest of the record), carry additional disclosure restrictions regardless of which vendor stores them; the practice, not the vendor, is responsible for handling them correctly.

Scheduling: Appointment records, session history, and scheduling data are covered.

Telehealth: SimplePractice’s built-in telehealth video sessions are covered under the BAA. This eliminates the need for a separate telehealth BAA (such as a separate Doxy.me agreement) if you conduct telehealth within SimplePractice.

Client intake and forms: Digital intake forms submitted through SimplePractice’s client portal are covered.

Billing and superbills: Insurance claims, superbills, and payment records are covered.

What the BAA does not cover

Your other software tools: If your practice uses any tool outside of SimplePractice that handles PHI — a separate billing service, a referral management tool, an email platform with patient data, a scheduling tool other than SimplePractice — those tools require their own BAA evaluation. SimplePractice’s BAA applies only to SimplePractice.

Your practice’s internal operations: The BAA does not address how your staff handles PHI outside the software — physical records, conversations about patients, how providers access patient information from personal devices. These are your HIPAA administrative and physical safeguard obligations.

Your compliance program: The BAA establishes SimplePractice’s obligations. Your practice’s HIPAA compliance program is a separate and required body of work.

What your practice still needs

Having a BAA with SimplePractice is necessary. It is not sufficient. HIPAA requires covered entities to implement administrative, physical, and technical safeguards independent of any vendor agreement. For a small mental or behavioral health practice, the minimum compliance program includes:

Risk assessment: A documented analysis of the risks to PHI in your practice — how PHI is created, stored, transmitted, and accessed; what vulnerabilities exist; and what safeguards are in place. This is required under the HIPAA Security Rule and must be updated when significant changes occur.

Written HIPAA policies: Documented policies covering access control, workforce training, media disposal, breach response, and other required areas. SimplePractice may provide template resources, but the policies must be adopted and implemented by your practice.

Workforce training: All staff who handle PHI must receive HIPAA training. The Security Rule requires training for every workforce member plus periodic security reminders; annual refresher training is the widely used standard and what auditors generally expect. Training must be documented: who attended, when, and what was covered.

Sanctions policy: A written policy describing consequences for workforce members who violate HIPAA requirements. Required under the Security Rule.

Physical safeguards: Policies governing workstation security (screen locking, positioning screens away from patient areas), facility access controls, and mobile device use when accessing PHI.

Incident response and breach notification: A written plan for responding to potential HIPAA incidents: what constitutes a breach, how to investigate and document the four-factor risk assessment that determines whether an impermissible disclosure must be treated as a breach, when HHS, affected individuals, and (for breaches affecting 500 or more people) the media must be notified, and who is responsible for each step. Under the Breach Notification Rule, individual notices are due without unreasonable delay and no later than 60 calendar days after discovery; HHS is notified within the same 60 days for breaches affecting 500 or more individuals, and within 60 days after the end of the calendar year for smaller breaches.

SimplePractice in the broader tool ecosystem

Many SimplePractice users also use other tools:

  • Email (Google Workspace, Microsoft 365, or personal email) for patient communication
  • Payment processing (Stripe or Square) for copayments or self-pay billing
  • Video conferencing (Zoom, Google Meet) for sessions outside SimplePractice’s telehealth
  • Scheduling tools for new patient intake before they are in SimplePractice

Each of these requires its own compliance evaluation. SimplePractice’s strong HIPAA posture does not extend to any of these adjacent tools. A practice that uses SimplePractice plus Gmail for patient communication has a HIPAA gap at the email layer unless the mailbox is on a paid Google Workspace subscription with Google’s BAA accepted in the admin console. A consumer Gmail account cannot be brought under a BAA at all.

Compliance operations alongside SimplePractice

SimplePractice handles the clinical software layer. The compliance program operations — tracking training completion, conducting and documenting risk assessments, managing policies, running breach response — are a separate administrative function.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.


FAQ

Questions clinics ask before using this software with PHI

Does SimplePractice's BAA apply automatically when I subscribe?

SimplePractice provides its BAA as part of its terms of service for paid subscribers. Review SimplePractice's current terms and security documentation to confirm how the BAA is executed under your subscription — the process may vary. Retain documentation that shows when you accepted the BAA terms.

Does SimplePractice's HIPAA compliance extend to its telehealth feature?

SimplePractice includes a built-in telehealth feature that is covered under the platform's BAA. This is one of the advantages of SimplePractice's integrated approach — you are not adding a separate telehealth tool with its own separate BAA requirement.

If I use SimplePractice plus other tools (billing software, email, scheduling), are those covered too?

No. SimplePractice's BAA covers SimplePractice. Any other tool in your practice that handles PHI — a separate billing service, an email tool with patient data, a scheduling tool — requires its own BAA evaluation. Having SimplePractice does not create HIPAA coverage for your broader technology stack.

What compliance program work does my practice still need to do even with SimplePractice?

A signed BAA with SimplePractice satisfies the business associate agreement requirement for that tool. Your practice still needs: a documented risk assessment, written HIPAA policies, an annual workforce training program, a sanctions policy, physical safeguards (workstation security, mobile device policy), and a breach notification and incident response plan.
