The 7 Documents Every New Therapy Practice Needs
Before you schedule your first client, seven documents need to be in place. Get them wrong — or skip them entirely — and you expose yourself to HIPAA violations, billing disputes, licensing board complaints, and uncollectible fees. Get them right and your practice runs on a solid administrative foundation from day one.
This article covers every document in plain terms, explains what each one must contain, and points you to the authoritative sources. For the broader launch checklist, see the complete guide to starting a private therapy practice.
The 7 Essential Documents
1. Notice of Privacy Practices (NPP)
The Notice of Privacy Practices is a HIPAA-mandated document that every covered health care provider must give clients before — or on the date of — their first service. It tells clients exactly how you may use and disclose their protected health information (PHI).
HHS requires your NPP to include:
- A description of every type of use and disclosure you may make of PHI
- Your legal duties to protect that information
- Clients’ rights (access, amendment, accounting of disclosures, restrictions)
- How to file a complaint with HHS and with your practice
- A contact point for privacy questions
You must also make a good-faith effort to get written acknowledgment that the client received it. HHS publishes a model NPP for health care providers you can adapt. Keep signed acknowledgments for at least six years (the HIPAA documentation retention floor).
Mental health note: Psychotherapy notes — your personal session notes kept separate from the medical record — receive heightened protection under HIPAA and generally require a separate authorization before disclosure, beyond the standard NPP.
2. Informed Consent for Treatment
Informed consent is both an ethical requirement and, in most states, a legal one. Your licensing board likely has specific language requirements — check your state’s mental health practice act before finalizing this document.
At minimum, a solid informed consent for therapy should cover:
- Your credentials, license number, and supervisor (if pre-licensed)
- The nature, goals, and limits of therapy
- Alternatives to therapy
- Confidentiality and its exceptions (mandatory reporting, imminent danger, court orders)
- How to file a complaint with your licensing board
- Fee structure and billing process
- Electronic communication and telehealth policies
The APA offers informed consent guidance for psychologists that translates broadly to LCSWs, LPCs, and MFTs as well. Because requirements vary by state, always cross-reference with your own licensing board’s rules. New York’s Office of the Professions, for example, publishes practice guidelines for mental health practitioners that spell out disclosure obligations explicitly.
A ready-made template can accelerate this, but have your state-specific requirements reviewed before you use it.
3. Client Intake Form
The intake form is your clinical and administrative baseline. It gathers the information you need to provide care and to bill accurately. Unlike the NPP and consent form (which are largely compliance-driven), this document is also a clinical tool.
| Section | What to capture |
|---|---|
| Demographics | Full legal name, DOB, address, emergency contact |
| Insurance & billing | Carrier, member ID, group number, guarantor |
| Presenting concerns | Chief complaint in client’s own words |
| Medical/psychiatric history | Current medications, prior hospitalizations, current providers |
| Safety history | Prior self-harm, suicidal ideation, current risk factors |
| Release of information | Who you’re authorized to speak to and about what |
Keep the form concise — long intake packets cause no-shows before session one — but never cut the safety history section. If you accept insurance, accurate demographic and insurance capture here prevents claim rejections downstream.
4. Financial Policy & Fee Agreement
This is the document that protects your revenue. It should be signed before or at the first session, and it should spell out every financial term in unambiguous language.
Include:
- Your session fee and the fee for each service type (assessment, phone consult, etc.)
- Sliding scale criteria, if applicable
- Accepted payment methods
- When payment is due (typically at time of service)
- Your cancellation and no-show policy — including the exact fee charged and the notice window required (see the no-show and cancellation policy deep dive for how to write one that holds up)
- Your policy on returned checks or declined cards
- Your billing process for insurance clients, including what the client owes if a claim is denied
- Superbill and receipt availability
A signed financial policy is your primary leverage if a client disputes a charge or if you need to send an account to collections. Without it, you have no documented agreement to stand on.
5. Business Associate Agreements (BAAs)
Every vendor who touches your clients’ PHI — your EHR, your billing software, your video platform, your e-fax service — is a business associate under HIPAA. Before transmitting any PHI to them, you must have a signed BAA in place.
HHS is explicit: a covered entity must obtain satisfactory written assurances that its business associate will appropriately safeguard PHI. HHS even publishes model BAA contract provisions you can reference.
The BAA must:
- Describe permitted uses and disclosures of PHI by the associate
- Prohibit uses beyond what the contract allows
- Require appropriate safeguards
- Require breach notification back to you
Most major EHRs and telehealth platforms will countersign a BAA on request; some send one automatically during onboarding. Keep copies. If a vendor refuses to sign a BAA, find a different vendor.
If you want to know which billing documents must meet HIPAA standards on the other side of the transaction, see what makes a superbill HIPAA-compliant.
6. Credentialing Application Documents
If you plan to accept insurance — even one panel — you need a credentialing packet ready before you apply. Delays here are the number-one reason new practices lose weeks of billable time.
Your core credentialing file should contain:
- NPI (National Provider Identifier): Register at the NPPES NPI Registry. This is required before any Medicare enrollment or payer application.
- CAQH ProView profile: Most commercial payers pull from CAQH. Your profile must include current license, DEA (if applicable), malpractice insurance, work history, and education. Documents uploaded to CAQH are reviewed within three business days.
- CMS-855I (for Medicare): Individual practitioners enroll in Medicare via the CMS-855I form or through PECOS online.
- Malpractice insurance certificate: Payers require a current certificate of professional liability insurance before they credential you.
- State license copy: Every payer will want a legible copy of your current, unencumbered license.
- DEA certificate: Required if you have prescribing authority.
The full step-by-step CAQH and payer process is covered in insurance credentialing for therapists. If you’re still deciding whether to panel at all, weigh the tradeoffs first in cash pay vs. insurance panels.
7. Release of Information (ROI) Forms
A Release of Information form is how you legally share client PHI with third parties — a psychiatrist co-managing medication, a primary care physician, a school, a court, an EAP. You need signed ROI forms before every such disclosure that isn’t covered by a HIPAA treatment exception.
Each ROI should specify:
- The name of the individual or entity receiving information
- Exactly what information is being disclosed (session notes? diagnosis? dates of service?)
- The purpose of the disclosure
- An expiration date or event
- The client’s right to revoke at any time (and how)
Keep signed ROIs in the client record alongside the documents they authorized. Per HHS guidance on the Privacy Rule, authorizations for disclosures beyond treatment, payment, and operations must meet specific content requirements. A generic “permission to talk to someone” note does not meet this standard.
Quick-Reference Summary
| # | Document | Legally required by | When to get it signed |
|---|---|---|---|
| 1 | Notice of Privacy Practices | HIPAA (federal) | At or before first session |
| 2 | Informed Consent for Treatment | State licensing law | Before first session |
| 3 | Client Intake Form | Best practice / payers | Before first session |
| 4 | Financial Policy & Fee Agreement | Best practice | Before first session |
| 5 | Business Associate Agreements | HIPAA (federal) | Before using the vendor |
| 6 | Credentialing Application Docs | Payer requirement | Before applying to panels |
| 7 | Release of Information | HIPAA (federal) | Before each applicable disclosure |
Frequently Asked Questions
Does HIPAA set a minimum time I must keep client records?
No. HIPAA does not set medical record retention periods — that is governed by your state’s law. HIPAA does require you to retain HIPAA-related policies and documentation (including signed NPP acknowledgments and BAAs) for six years from creation or the date last in effect, whichever is later. Check your state’s mental health practice act for patient record retention minimums, which commonly range from 5 to 10 years for adults and longer for minors.
Can I combine the informed consent and financial policy into one document?
Yes, many solo practices use a single “Practice Policies and Informed Consent” packet that clients sign once. The advantage is fewer forms; the risk is that a very long document gets skimmed. If you combine them, use clear section headers, and make sure each legally required element is easy to find. Some licensing boards specify the form’s content must be in plain language — dense combined packets can raise questions if a complaint is ever filed.
Do I need a BAA with my bank or accountant?
Generally no. Your bank does not access PHI; neither does a general accountant reviewing aggregate revenue. A BAA is required only when a vendor creates, receives, maintains, or transmits PHI on your behalf. A medical billing company, however, does — and needs a signed BAA before you send any claim data.
What happens if a client refuses to sign the Notice of Privacy Practices acknowledgment?
You can still provide services. HIPAA requires a good-faith effort to obtain acknowledgment, but does not require you to withhold treatment if the client refuses to sign. Document the attempt and the refusal in the client record.
Getting these seven documents in order is the administrative foundation your practice is built on. From here, your next operational priorities are building audit-proof progress notes — covered in how to write audit-proof therapy progress notes — and making sure your session-by-session documentation holds up to payer scrutiny.
Disclaimer: Folio publishes general information about the operational and administrative side of running a private practice. It is not legal, medical, clinical, tax, or compliance advice, and it does not create a professional relationship. Rules vary by state, payer, and profession and change over time. Verify requirements with the primary sources cited, your licensing board, and your own qualified advisors before acting.