What does TherapyNotes provide for HIPAA compliance?

TherapyNotes provides a BAA for all paid plans, HIPAA-compliant encrypted storage and transmission, audit logs, secure messaging, and an integrated telehealth platform. It offers intake document templates — but these are consent and policies forms, not a 45 CFR § 164.520-compliant Notice of Privacy Practices.

Does TherapyNotes sign a HIPAA BAA?

Yes. TherapyNotes executes a Business Associate Agreement with covered entities. The BAA governs how TherapyNotes handles PHI on your behalf — it does not substitute for the patient-facing NPP that your practice must produce under 45 CFR § 164.520.

What do I still need if I use TherapyNotes?

You still need a HIPAA-compliant NPP (45 CFR § 164.520), posted on your public practice website, displayed at your physical location, provided to each patient at first service, and updated to the HHS February 2026 model by the February 16, 2026 deadline. TherapyNotes does not produce or maintain this document.

Can I upload my NPP to TherapyNotes for patient signature?

Yes. Once you have a compliant NPP PDF, you can add it to your TherapyNotes intake packet as a required document for new clients to review and acknowledge electronically. TherapyNotes does not generate the NPP — you must produce it separately and then upload it.

EHR & Vendor

Does TherapyNotes Provide a Notice of Privacy Practices?

Q: Does TherapyNotes provide a Notice of Privacy Practices?

No. TherapyNotes does not provide a HIPAA-compliant Notice of Privacy Practices for your practice. TherapyNotes offers a Business Associate Agreement, HIPAA-compliant data hosting, and intake form templates, but the NPP — required by 45 CFR § 164.520 — is your practice's responsibility to create, post, and distribute.

By NPP Generator Research Team · Published Apr 24, 2026 · Last reviewed Apr 24, 2026 · 5 min read

Key Takeaways

✓ TherapyNotes does not produce a HIPAA-compliant Notice of Privacy Practices for your practice
✓ TherapyNotes does sign a BAA — but that is a vendor contract, not a patient-facing notice
✓ TherapyNotes intake templates are consent and policies forms, not a 45 CFR § 164.520 NPP
✓ The NPP obligation belongs to your practice regardless of which EHR you use
✓ You can upload your NPP to TherapyNotes as an intake document after you produce it

Quick answer: No — TherapyNotes does not provide a HIPAA Notice of Privacy Practices. It signs a BAA and provides HIPAA-compliant infrastructure for your practice, but the NPP — the patient-facing document required by 45 CFR § 164.520 — is your practice's responsibility to create, post, and keep current.

TherapyNotes is one of the most widely used EHRs for mental health practices — therapists, psychologists, counselors, and psychiatric providers. It's known for its clean interface, integrated billing, and HIPAA-compliant infrastructure. But "HIPAA-compliant EHR" doesn't mean "HIPAA-complete." The Notice of Privacy Practices is one piece of HIPAA compliance that no EHR produces for you.

What TherapyNotes Provides

TherapyNotes covers the infrastructure side of HIPAA compliance:

Business Associate Agreement (BAA). TherapyNotes executes a BAA with covered entities, committing to HIPAA obligations for the PHI it stores and processes on your behalf.
Encrypted, HIPAA-compliant data storage. All patient records, notes, and messages are encrypted at rest and in transit.
Secure messaging and telehealth. HIPAA-compliant communication channels between therapist and client.
Intake form templates. Customizable consent and policies documents that clients sign before their first session — but not a Notice of Privacy Practices.
Billing and claims management. Electronic claims submission through HIPAA-compliant clearinghouses.

Why TherapyNotes' Intake Templates Aren't an NPP

TherapyNotes' default intake documents include informed-consent forms, practice policies, and release of information forms. These are practice-management documents — not the patient-facing HIPAA notice required by 45 CFR § 164.520(b).

A compliant NPP must include specific mandated elements:

The HHS-prescribed header statement
Permitted uses and disclosures of PHI for treatment, payment, and healthcare operations
Uses requiring separate patient authorization (psychotherapy notes, marketing, PHI sale)
All eight individual rights under HIPAA
Covered entity duties to safeguard PHI
Complaint procedures (internal and to HHS OCR)
Privacy Officer contact information
Effective date — and the HHS February 2026 model language for Part 2 SUD disclosures if applicable

TherapyNotes' consent forms do not contain these elements. See what is a Notice of Privacy Practices for the full content requirements.

The BAA vs. the NPP

These two documents solve different HIPAA problems:

A BAA is a contract between your practice and TherapyNotes (a vendor). It binds the vendor to HIPAA. Required by 45 CFR § 164.504(e).
An NPP is a notice from your practice to your patients. It informs patients of their rights and your data practices. Required by 45 CFR § 164.520.

TherapyNotes handles the BAA. Your practice handles the NPP. See NPP vs. BAA — what's the difference for more detail.

What You Still Need if You Use TherapyNotes

A compliant NPP aligned with the HHS February 2026 model (the February 16, 2026 deadline has passed — pre-2026 NPPs are out of compliance)
Public website posting of the NPP — not just inside TherapyNotes' client portal
Physical posting at your office
An acknowledgment-of-receipt process for each new patient (TherapyNotes can collect this via its intake system once you upload your NPP)
NPP redistribution whenever a material change occurs (Privacy Officer change, new PHI uses, regulatory update)

How to Add Your NPP to TherapyNotes

Generate your compliant NPP PDF (TherapyNotes does not offer this — use NPP Generator or the HHS model template)
In TherapyNotes, navigate to Settings → Documents and upload the NPP PDF
Add the NPP to your intake packet as a required document with acknowledgment
Post the same PDF on your public practice website and at your physical office

Frequently Asked Questions

Does TherapyNotes provide an NPP?▼

No. TherapyNotes provides a BAA and HIPAA-compliant infrastructure but does not produce a Notice of Privacy Practices. The NPP is required by 45 CFR § 164.520 and must be produced and maintained by your practice.

Does TherapyNotes sign a BAA?▼

Yes. TherapyNotes executes a Business Associate Agreement with covered entity practices. The BAA governs TherapyNotes' handling of your patients' PHI. It does not satisfy the NPP requirement.

Is my TherapyNotes consent form the same as an NPP?▼

No. TherapyNotes consent and intake forms are practice-management documents covering fees, policies, and scope of practice. An NPP is a separate HIPAA-mandated document with prescribed content under 45 CFR § 164.520(b). Both are needed; neither substitutes for the other.

Does my practice need an NPP if I only see private-pay clients?▼

Possibly not — if your practice never transmits health information electronically in standard transactions, you may not be a HIPAA covered entity. But most TherapyNotes practices use electronic billing or referrals, which triggers covered-entity status. See do I need an NPP to check.

Generate your NPP in under 5 minutes.

Upload the PDF to TherapyNotes, post it on your practice website, and you're covered. Built on the HHS February 2026 model with Part 2 SUD language. $49 one-time — no subscription.

Start your NPP — $49

Free watermarked preview available. See sample →