Privacy & Security · 12 min read

Security Basics for Small Therapy Practices (That You Can Actually Do)

James Wilson

Most therapists didn't go to grad school to become IT security experts. When you hear "HIPAA Security Rule," you probably picture expensive consultants, complicated firewalls, and servers in a basement.

But if you are a solo practitioner or a small group, security doesn't have to be rocket science. In fact, complicated controls are often less secure in practice, because people work around them or stop using them. The best security is simple, effective, and invisible once set up.

Who this is for

This guide is for mental health clinicians who are "not techy" but want to ensure they are ethically and legally protecting their client data without hiring an expensive IT firm.

What you’ll walk away with

You’ll get a prioritized checklist covering four domains of security: Physical, Device, Network, and Communication. You’ll learn exactly which settings to turn on today to sleep better tonight, and why a shared computer is one of your biggest risks.

Domain 1: Physical Security (The Overlooked Layer)

We often obsess over hackers in hoodies, but the most common breach is a stolen laptop or a wandering eye in a coffee shop.

Start with your screens. Position your monitor so it cannot be seen from a window or an open door. If you work in a shared space, use a privacy filter, a thin screen overlay that makes the display look black to anyone viewing it from the side. For paper files, ensure they are double-locked, meaning they are stored in a locked cabinet inside a locked office.

Follow the "Coffee Shop" Rule: Never leave your laptop unattended in public, even for "just a second" to grab your latte. A thief needs only 5 seconds to grab it. If you have to pee, the laptop goes with you. Also, maintain a Clean Desk Policy. Do not leave sticky notes with passwords or client names on your desk. Buy a shredder and use it.

Domain 2: Device Security (Your Digital Castle)

Your laptop and phone are the keys to your practice. You must protect them.

Full-Disk Encryption is mandatory. This is your "Get Out of Jail Free" card. If an encrypted laptop is lost or stolen, HHS generally treats it as a non-breach (the "unsecured PHI" safe harbor) because the data is unreadable without the key. Two caveats matter: the safe harbor only holds if the key was not taken along with the device (no password on a sticky note in the bag, and no laptop left powered on and unlocked), so set the screen to lock after a few minutes of inactivity. On a Mac, turn on FileVault in System Settings under Privacy & Security. On Windows, turn on BitLocker (available on Pro, Enterprise, and Education editions; some Home machines offer a simpler "Device encryption" toggle instead). Either way, store the recovery key in your password manager, not on the laptop itself. On mobile, set a passcode; iPhones and modern Android phones encrypt their storage once a passcode exists, and Face ID or Touch ID simply unlocks that passcode for you.

You also need strong passwords and a manager to hold them. Stop reusing passwords like "Therapy2024!". If one site is breached, attackers try that same password everywhere else, so they all get hacked. The solution is a Password Manager like 1Password, Bitwarden, or Apple's Passwords app (iCloud Keychain). Generate unique, 20-character random passwords for every site; you then only need to remember one master password. While you are in there, turn on two-factor authentication for your email, your EHR, and the password manager itself, so a stolen password alone is not enough to log in.

The "Shared Computer" danger is real. Do not let your partner, child, or roommate use your work laptop "just for a minute." Malware from a gaming site or a phishing email clicked by a family member can compromise your entire practice. Best practice is to have separate devices. Acceptable practice is to have separate user accounts, a "Work" profile and a "Home" profile on the same computer, each with a different password. Make both of them standard (non-admin) accounts and keep a separate admin account that is used only for installing software; a family member's mistake in a standard account cannot silently change system-wide settings or reach your files.
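The three device settings above (full-disk encryption, a firewall, and working from a non-admin account) can be checked from the Terminal rather than by clicking through menus. The following shell script is an added example written for this article, not a tool from Soli or from Apple. Each check_* function reads the text that the relevant macOS command prints, so the functions can also be run against the constructed sample strings at the bottom on any machine; run_live collects real output when executed on a Mac. The Windows equivalents (Get-BitLockerVolume, Get-NetFirewallProfile in PowerShell) are not covered here.

```shell
#!/bin/sh
# practice_audit.sh (added example): audit three Domain 2 settings on a Mac.
# Each check_* takes the raw output of a macOS command as its argument so the
# logic can be read and tested offline; run_live wires in the real commands.

# `fdesetup status` prints "FileVault is On." or "FileVault is Off."
check_filevault() {
    case "$1" in
        *"FileVault is On"*) echo "PASS  full-disk encryption (FileVault) is on"; return 0 ;;
        *) echo "FAIL  FileVault is off: System Settings > Privacy & Security > FileVault"; return 1 ;;
    esac
}

# `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate` prints
# "Firewall is enabled. (State = 1)" (or State = 2 for block-all) or
# "Firewall is disabled. (State = 0)".
check_firewall() {
    case "$1" in
        *"State = 1"*|*"State = 2"*) echo "PASS  application firewall is on"; return 0 ;;
        *) echo "FAIL  firewall is off: System Settings > Network > Firewall"; return 1 ;;
    esac
}

# `id -Gn` prints the current user's group names separated by spaces.
# A day-to-day work account should not be in "admin".
check_not_admin() {
    for g in $1; do                      # unquoted on purpose: split on spaces
        if [ "$g" = "admin" ]; then
            echo "FAIL  you are working from an admin account; use a standard account"
            return 1
        fi
    done
    echo "PASS  standard (non-admin) account"
    return 0
}

# audit FILEVAULT_OUTPUT FIREWALL_OUTPUT GROUPS: prints the report and
# returns the number of failed checks (0 means everything passed).
audit() {
    fails=0
    check_filevault "$1"  || fails=$((fails + 1))
    check_firewall "$2"   || fails=$((fails + 1))
    check_not_admin "$3"  || fails=$((fails + 1))
    echo "$fails check(s) failed"
    return "$fails"
}

# Run the real commands; only meaningful on macOS.
run_live() {
    if [ "$(uname)" != "Darwin" ]; then
        echo "run_live: this audit is written for macOS" >&2
        return 2
    fi
    audit "$(fdesetup status 2>/dev/null)" \
          "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)" \
          "$(id -Gn)"
}

# Constructed sample output (not captured from a real machine), so the checks
# can be exercised anywhere:  sh practice_audit.sh --sample
if [ "${1:-}" = "--sample" ]; then
    audit "FileVault is Off." "Firewall is enabled. (State = 1)" "staff admin everyone"
elif [ "${1:-}" = "--live" ]; then
    run_live
fi
```

Run it with `sh practice_audit.sh --live` on the Mac you use for client work; every FAIL line names the settings pane that fixes it.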

Domain 3: Network Security (Where the Data Travels)

Your home WiFi needs attention. Change the router's admin password (the one used to log in to its settings page) and the WiFi password; on many routers both defaults are printed on the sticker, and the admin default is often shared by every unit of that model. Use WPA2 or WPA3 encryption, which is standard on modern routers, and let the router install its own firmware updates. Crucially, create a separate "Guest" network for smart devices like your fridge, Alexa, or Ring doorbell so they aren't on the same network as your work computer. Smart devices are notoriously insecure, and a guest network keeps a compromised one from reaching your laptop.

Public WiFi poses risks. On open WiFi at a library or cafe, others on the network can see where your traffic is going and can read anything that isn't itself encrypted; a hotspot with a familiar name may also be a fake set up to capture logins. Most sites and your EHR use HTTPS, which protects the content, but a VPN (Virtual Private Network) adds a second layer by wrapping all of your traffic in an encrypted tunnel to the VPN provider. Alternatively, tether to your phone’s hotspot; a cellular connection is not shared with strangers the way cafe WiFi is.

Domain 4: Communication Security

Standard email (Gmail, Yahoo, Outlook) is not secure. It is like sending a postcard: providers usually encrypt it between their servers, but you cannot guarantee that for every recipient, and the message sits readable in both mailboxes afterward. Do not email clinical details or intake forms via standard email. Instead, send messages through your EHR’s secure portal. If you must use email, use a service that will sign a Business Associate Agreement (BAA), such as Hushmail for Healthcare or a paid Google Workspace plan, and sign the BAA before you send anything clinical.

Texting is also not secure, as standard SMS travels unencrypted and is stored by the phone carrier. Use an end-to-end encrypted app like Signal for internal team coordination, but note that Signal does not sign BAAs, so keep client names and clinical details out of it. For clients, use a HIPAA-compliant texting service like Spruce or your EHR’s app. If clients text you, redirect them with a script: "I received your message. To protect your privacy, please log in to the portal for a secure reply."

Common Mistakes

One common mistake is believing the "Free BAA" myth. Assuming that the free version of a tool like Zoom or Gmail is compliant is dangerous; it almost never is. You usually have to pay for the "Business" tier to get the Business Associate Agreement (BAA).

Another mistake is ignoring updates. Clicking "Remind Me Later" on software updates is risky because those updates often contain security patches for vulnerabilities that attackers are already exploiting. Turn on automatic updates for the operating system, the browser, and your EHR app so you don't have to remember.

Finally, ignoring backups is a security failure. Security includes "Availability." If your hard drive crashes and you lose your records, that is a security incident. Ensure you have an encrypted, automated backup like Backblaze or Soli's sync, and actually restore a file from it once in a while; a backup you have never restored is a hope, not a backup.
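The two properties that matter for a backup are that it is encrypted before it leaves your machine and that a restore has been proven to work. The shell script below is an added example written for this article (not Soli's sync, Backblaze, or any other product) that shows both using only tar and openssl, which ship with macOS and Linux. It assumes the passphrase is supplied in an environment variable named BACKUP_PASSPHRASE (an assumption of this example; keep that passphrase in your password manager, because without it the backup is unreadable). It is a teaching script, not a replacement for a managed, off-site backup service with a signed BAA.

```shell
#!/bin/sh
# encrypted_backup.sh (added example): encrypt a folder with AES-256 and prove
# the restore works. Requires tar and openssl; passphrase in $BACKUP_PASSPHRASE.

# backup_folder SRC_DIR DEST_FILE
# Archives SRC_DIR and encrypts the stream with AES-256-CBC using a PBKDF2-derived
# key. The pipe means the unencrypted archive never touches the disk.
backup_folder() {
    src=$1; dest=$2
    [ -d "$src" ] || { echo "backup: $src is not a directory" >&2; return 1; }
    [ -n "${BACKUP_PASSPHRASE:-}" ] || { echo "backup: set BACKUP_PASSPHRASE first" >&2; return 1; }
    tar -C "$src" -cf - . \
        | openssl enc -aes-256-cbc -pbkdf2 -salt -pass env:BACKUP_PASSPHRASE -out "$dest" \
        || return 1
    [ -s "$dest" ] || { echo "backup: $dest is empty" >&2; return 1; }
}

# restore_backup DEST_FILE TARGET_DIR
# Decrypts and unpacks into TARGET_DIR. A wrong passphrase makes openssl emit
# garbage, tar rejects it, and the function returns non-zero.
restore_backup() {
    file=$1; target=$2
    mkdir -p "$target" || return 1
    openssl enc -d -aes-256-cbc -pbkdf2 -pass env:BACKUP_PASSPHRASE -in "$file" 2>/dev/null \
        | tar -C "$target" -xf - 2>/dev/null
}

# verify_backup SRC_DIR DEST_FILE
# The step most people skip: restore into a temporary directory and compare it
# with the original. Returns 0 only if every file comes back byte-for-byte.
verify_backup() {
    src=$1; file=$2
    tmp=$(mktemp -d) || return 1
    if restore_backup "$file" "$tmp" && diff -r "$src" "$tmp" >/dev/null; then
        rm -rf "$tmp"
        echo "verify: restore of $file matches $src"
        return 0
    fi
    rm -rf "$tmp"
    echo "verify: restore of $file does NOT match $src" >&2
    return 1
}

# Usage: BACKUP_PASSPHRASE='...' sh encrypted_backup.sh ~/Practice ~/Backups/practice.tar.enc
# Schedule the same command with launchd or cron so it runs without you.
if [ $# -eq 2 ]; then
    backup_folder "$1" "$2" && verify_backup "$1" "$2"
fi
```

The verify step is what turns this into a backup rather than a guess: it also catches a mistyped passphrase at backup time, when the original data is still there, instead of on the day you need the restore.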

Practical Next Steps

First, turn on Encryption today. Check FileVault or BitLocker right now; enabling it takes about two minutes, and the initial encryption finishes in the background while you work. Save the recovery key in your password manager. Second, get a Password Manager. Spend one hour changing your banking and EHR passwords to random strings and turning on two-factor authentication for each. Third, sign your BAAs. Log in to your email, EHR, and backup provider. Download the signed Business Associate Agreement and save it in a "Compliance" folder on your computer.

The bottom line

Security is not a product you buy; it's a process you follow. By taking these basic technical steps, you are protecting your clients just as much as you do in the therapy room.
