SMB SaaS Stacks

Solo Therapist Tech Stack

The HIPAA-aware tool stack for solo psychologists, counselors, and therapists in private practice — with honest picks on EHR choice and the compliance trap other lists ignore.

By Carla Smith

Last verified:

Compliance caveat: Everything involving Protected Health Information (PHI) must be covered by a Business Associate Agreement (BAA) with the vendor. Using a tool without a signed BAA to handle PHI is a HIPAA violation, period. This page is not legal or compliance advice; consult a healthcare-compliance attorney for your jurisdiction and specialty. Lists that recommend consumer-tier Zoom, Dropbox Personal, or free Calendly for PHI are wrong and will get you in trouble.

TL;DR — the stack at a glance

| Category | Day-1 pick | Alternative |
| --- | --- | --- |
| EHR / practice management | SimplePractice | TheraNest or TherapyNotes |
| Telehealth | SimplePractice Telehealth (built-in) or Doxy.me (BAA) | Zoom for Healthcare (BAA) |
| Accounting | QuickBooks Online + bookkeeper | Xero |
| Password manager | 1Password Business (BAA available) | Bitwarden Teams |
| Secure email | Google Workspace with BAA or Microsoft 365 with BAA | Paubox |
| Scheduling | Calendly with HIPAA add-on or EHR’s built-in scheduling | |
| Document signing | PandaDoc with BAA or DocuSign with BAA | |
| Digital fax | SRFax (HIPAA-compliant) | eFax Protect |

Total day-1 cost: ~$180–270/mo for a solo therapist.

Who this stack is for

You’re a licensed therapist, psychologist, counselor, or similar in private practice. You see 15–30 clients per week either in-office, online, or hybrid. You bill clients directly, through insurance, or both. You’re responsible for your own HIPAA compliance.

If you’re in a group practice with shared infrastructure, your tools are largely decided by the practice. If you’re pre-licensure or under supervision, your supervisor likely mandates specific software. Either way, this isn’t your stack.

The essential stack (Day 1)

EHR / practice management: SimplePractice, TheraNest, or TherapyNotes

This is the spine. Notes, scheduling, billing, insurance claims, telehealth, intake forms, e-signature — all in one tool with a signed BAA.

  • SimplePractice — the market leader. Strongest telehealth, best client portal, $74–129/mo. Our default recommendation.
  • TheraNest — more affordable for small practices, slightly more dated UI, from $42/mo.
  • TherapyNotes — deepest clinical documentation features, popular with more complex cases, $59–99/mo.

None of these are on our affiliate networks. That’s fine — the right EHR is the right EHR regardless of commission. Pick based on clinical documentation style, insurance workflow, and telehealth quality, in that order.

Telehealth

SimplePractice and TherapyNotes both include HIPAA-compliant telehealth. If your EHR’s built-in video is good enough, use it — one less vendor relationship to maintain.

If you need an external tool: Doxy.me Pro ($35/mo) with a BAA is the most common standalone option. Zoom for Healthcare works but requires the Healthcare tier (significantly more expensive than regular Zoom Pro) and a signed BAA.

Never use consumer Zoom, FaceTime, or Google Meet for telehealth. No BAA = HIPAA violation.

Accounting: QuickBooks Online + bookkeeper

Books separate from the EHR. Run all personal-pay invoicing through the EHR; book the deposits in QBO. Insurance reimbursements, when they come, also book in QBO. Hire a bookkeeper with healthcare experience from day one — budget $300–800/mo part-time. Full QBO review here.

Password manager: 1Password Business (BAA)

1Password offers a BAA on Business tier. Don’t use consumer 1Password for anything touching PHI credentials. See the full review.

Bitwarden Teams offers a BAA as an alternative at lower cost.

Secure email: Google Workspace with BAA or Microsoft 365 with BAA

Critical: standard Gmail and standard Outlook.com do NOT cover you. You need Google Workspace Business Standard or higher with a signed BAA (request through Google Admin) or Microsoft 365 Business Standard or higher with a signed BAA.

Alternative: Paubox ($29/user/mo) — built specifically for HIPAA-compliant email, drops into existing email workflows, BAA included by default.

Scheduling: Calendly with HIPAA add-on OR EHR’s built-in scheduling

If you use Calendly, you need the HIPAA-compliant add-on (requires the Teams or Enterprise tier plus a signed BAA). Otherwise use your EHR’s scheduling — most of them are adequate, and you get the benefit of not fragmenting client data across systems.

Digital fax: SRFax (or eFax Protect)

Referrals, insurance pre-auth, records releases — healthcare still faxes everything. SRFax offers an explicit HIPAA-compliant tier with a BAA ($18.95/mo+). eFax Protect is the alternative with similar pricing.

Our affiliate network (CJ) covers both; commissions do not change our recommendation. SRFax is slightly favored in healthcare communities for BAA clarity.

Document signing: DocuSign (BAA) or PandaDoc (BAA)

Intake forms, consent-to-treat, release-of-information. Both offer BAAs on Business tier and above. SimplePractice and TheraNest have this built in — use theirs unless you have a specific reason not to.

Add these at established-practice scale (20+ weekly clients)

  • A bookkeeper, upgraded from part-time to weekly — insurance-reimbursement accounting has enough complexity that weekly review prevents compounding errors.
  • A HIPAA-compliant note-dictation tool — Nuance Dragon Medical (expensive), Freed AI ($99/mo), or Abridge — if documentation is eating your clinical time.
  • A supervision / peer-consultation platform — if you provide or receive supervision formally.
  • Professional liability insurance — required in most states, $150–300/yr through CPH & Associates or similar.

Skip these (but everyone recommends them)

  • Consumer Zoom / consumer Google Meet for any session involving PHI. Full stop.
  • General-purpose CRMs (HubSpot, Salesforce) — your EHR is your CRM. Adding HubSpot creates PHI sprawl and BAA gaps.
  • Consumer Dropbox or Google Drive (without BAA) for any PHI. If you must use cloud storage outside the EHR, use the BAA-covered version of Google Drive / OneDrive.
  • Slack for client communication — without the Slack Enterprise BAA, this is a HIPAA violation. Use your EHR’s secure messaging.

Total monthly cost

| Line item | Solo practice |
| --- | --- |
| SimplePractice Plus | $99 |
| Google Workspace Business Standard (w/ BAA) | $14 |
| Bookkeeper (part-time, healthcare-familiar) | $500 |
| QuickBooks Online Simple Start | $35 |
| 1Password Business (BAA) | $20 |
| SRFax HIPAA | $19 |
| Malpractice insurance (monthly) | $25 |
| Total | ~$712/mo |

Compare this to renting an office or employing an admin. Software is the cheapest infrastructure a solo therapist buys.

The three compliance mistakes that create real risk

  1. Treating BAAs as optional. They aren’t. Every vendor that touches PHI must have a signed BAA in your files. If you can’t produce it in an audit, you don’t have it.
  2. Using the consumer tier of a tool that has a BAA-eligible business tier. Consumer Gmail is not Google Workspace with BAA; they are different products under similar branding. Verify you’re on the right tier.
  3. Leaving PHI in personal email or personal cloud storage. A single client name in a personal inbox is a breach. Route everything through the EHR or BAA-covered channels.

Stack variations

Budget-conscious new practice (~$200/mo, ex-bookkeeper)

TheraNest ($42) + Google Workspace Business Starter with BAA ($7) + SRFax ($19) + 1Password Business ($20) + DIY bookkeeping. Works for the first 6 months while caseload is under 10 clients/week.

Group-practice-ready

SimplePractice Plus ($99/clinician) + Google Workspace Business Plus (BAA) + 1Password Business + dedicated billing service (Headway, Alma, or a medical billing company) + Paubox + employed part-time admin. Becomes relevant at 2+ clinicians or 30+ weekly clients.

FAQ

SimplePractice or TherapyNotes?

Start with SimplePractice if your workflow is telehealth-heavy or you bill a mix of private pay + insurance. Start with TherapyNotes if your clinical documentation needs are complex (treatment planning, outcome measures, detailed progress notes) or if your state’s documentation requirements are especially rigorous.

Do I really need a BAA for every tool?

For every tool that could touch PHI. Google Workspace — yes, if you email anything client-related. 1Password — yes, if you store credentials for PHI-containing systems. Your accounting tool — usually no, unless you’re putting client notes in transaction memos (don’t).

Can I use Calendly for client appointments?

For initial consults / prospective clients only, on standard Calendly. For existing clients with active PHI, either upgrade to Calendly Teams with HIPAA add-on + BAA, or use the EHR’s scheduling. Read Calendly’s BAA requirements carefully.

What about AI note-taking assistants?

HIPAA-compliant AI note tools exist (Freed AI, Abridge, Heidi) with BAAs. Consumer ChatGPT, Claude, and Gemini do NOT have BAAs (at time of writing). Do not paste session notes into a consumer LLM.
