Is TherapyNotes HIPAA Compliant for Medical Clinics?

TherapyNotes is a behavioral health EHR that includes a Business Associate Agreement for all paying subscribers. It is purpose-built for mental health and supports a HIPAA-compliant practice when staff route all client communication through the platform.

Short answer

Yes, TherapyNotes is HIPAA-appropriate for behavioral and mental health clinics. The BAA is included for paying subscribers, the product was designed around psychotherapy notes from the start and keeps them in a separate structure from the rest of the chart, and it supports the role separation a multi-provider practice needs. The qualifier, as with every EHR, is twofold: the BAA covers only TherapyNotes, not the email or texting tools clinics sometimes use alongside it, and the protections only hold when a multi-provider practice configures its user roles and permissions correctly.

BAA availability by plan tier

TherapyNotes includes a Business Associate Agreement for all paying subscribers. There is no premium tier or enterprise contract required to get one. That said:

  • Confirm the executed BAA is on file before any client information is entered, including during onboarding.
  • Verify the contracting entity name on the BAA matches the legal name of your practice.
  • Verify current terms with TherapyNotes before signing if you are coming from a different EHR mid-year, because data migration may involve a separate addendum.

Keep the signed BAA stored with your other vendor agreements and your HIPAA risk assessment.

What TherapyNotes’ BAA does and does not cover

The BAA covers TherapyNotes’ core platform: the chart, scheduling, billing, secure messaging, telehealth, the client portal, and the document upload area. It does not cover:

  • Email sent from non-TherapyNotes accounts.
  • SMS reminders sent through unauthorized tools or personal phones.
  • Outside file storage where you might be tempted to “back up” charts.
  • Third-party billing or analytics tools that have not signed their own BAA with you.

If a tool sits outside TherapyNotes, you need its own BAA before any PHI flows through it.

Shared responsibility: what the clinic must do

The clinic owns the configuration and operational layer:

  • Create individual logins for every clinician, supervisor, intern, and administrator. No shared accounts.
  • Configure roles so front-desk staff see only what they need for scheduling and billing, and clinicians see only their assigned caseload unless supervision requires otherwise.
  • Set psychotherapy notes permissions so only the treating clinician can read them, with documented exceptions for required supervision.
  • Route all client messaging through the TherapyNotes portal.
  • Enable two-factor authentication for every user.
  • Train staff on what counts as PHI and which channels are sanctioned.
  • Review the audit trail periodically for access that does not match a user's role, and document those reviews alongside your incident response procedures.

Common mistakes clinics make with TherapyNotes

  1. Leaving default permissions in place in a group practice, so clinicians can read each other’s psychotherapy notes by accident.
  2. Emailing intake paperwork from Gmail instead of sending it through the TherapyNotes portal.
  3. Texting appointment changes from personal phones rather than using compliant reminders.
  4. Letting interns and supervisors share a login during training instead of assigning role-appropriate accounts.

Each of these moves PHI to a place TherapyNotes’ BAA does not reach, or breaks the audit trail you need to prove appropriate access.

Bottom line for small clinics

TherapyNotes is one of the most HIPAA-appropriate EHRs in the behavioral health category for small and mid-sized practices. The BAA is included, the product matches the way mental health clinics actually document care, and the platform is opinionated enough that the right defaults are usually nearby.

The work that remains is yours: configure user roles correctly, route every client communication through the portal, train staff to stay on-platform, and document the policies that back those choices. For a structured way to track BAAs, vendor scope, and staff training across your tools, see PHIGuard’s compliance platform.

PHIGuard commercial baseline

PHIGuard uses flat per-clinic pricing rather than per-user fees. A Business Associate Agreement is included on every public plan. The primary trial path is a 30-day free trial with no credit card required. See current PHIGuard pricing for plan names, monthly list prices, annual totals, and current launch details.

FAQ

Questions clinics ask before using this software with PHI

Is the BAA automatic with TherapyNotes?

TherapyNotes includes a BAA for paying subscribers. Confirm the executed copy is on file in your compliance documentation before you enter PHI.

Does TherapyNotes handle psychotherapy notes correctly?

Yes. TherapyNotes separates psychotherapy notes from the rest of the medical record, which mirrors the heightened protection HIPAA gives those notes. Permissions still need to be configured so only the treating clinician can see them.

Can I use TherapyNotes for a multi-provider group practice?

Yes, but you must configure user roles, supervisor relationships, and chart-access permissions deliberately. Default settings may not match the access boundaries you want between clinicians.
