Important: HIPAApropriateness reviews, including their summaries, are for informational purposes only. They are neither consultation nor legal advice. Be aware that while we do our best to be thorough and complete, information may be missing or possibly even inaccurate. Products also change quickly, and the review may become out of date. By continuing to read, you agree to use the information in HIPAApropriateness reviews and their summaries at your own risk.

Vital Stats

HIPAA compliance with this product appears possible?: Yes.
Recommend for your HIPAA risk management needs?: Yes. Be sure to read the notes and the one caveat for some important points.
# of Caveats: 1 view caveats→
# of Usage Notes: 9 view notes→

Relevant Product Characteristics

  • This product is designed specifically with mental/behavioral health professionals in mind.

What Is This Product?

The CounSol logo

CounSol is a practice management system designed only for solo practitioners, although it does support multiple office locations. If you’re looking for a tool that provides a client scheduling portal, forms, payment, client reminder via e-mail/SMS/voice, videoconferencing, and secure messaging, CounSol has it all.

One thing that stood out about CounSol was how configurable it was – something you don’t often see in small-scale practice management solutions. In general the default options were good, and our notes below can help guide you to making informed decisions about changing any of them.

Several of the features we really appreciate were the ability to view provider and client logins to CounSol, an option to change the login timeout, and the option of including trans* and non-binary as client gender options. They also have tool-tip pop-ups on most fields which tell you more information about fields and settings without cluttering up the display.

Our Impressions:

CounSol appears to put a lot of thought into security and many of the default configurations are set in a way that help providers stay committed to best privacy practices.

This product has also been reviewed by:

  • Tame Your Practice: Rob Reinhardt of Tame Your Practice does highly-respected reviews of EHR products. While we review them primarily for risk management appropriateness, Rob reviews them for features and quality. Read Rob’s review of this product→


Caveats are criticsms of the company or product that we feel are relevant to your risk management or other important considerations.

1) Don’t delete or edit your progress notes!

CounSol allows you to edit or delete a signed client progress note. This could allow you to delete medical records. Don’t do it!

There is at least an audit trail that is kept, so you can see that notes were deleted, but you still shouldn’t be deleting records.


Notes cover points where the product can’t ensure compliance or ethical action for you. These help you know what your part of the compliance puzzle looks like when using this product. A high note count usually correlates with a feature-rich product, and not necessarily with a product that has problems.

1) Change your initial password immediately

CounSol sends your password to your e-mail address. Change this as soon as you receive it, which CounSol will prompt you to do as your first step in the configuration walk-through. They also have refreshingly complex password requirements, which is always a plus.

2) Complete the Business Associate Agreement

CounSol does not automatically execute a BAA with you. We were prompted to download the BAA, sign it, and send it in when we logged into CounSol for the second time. If that doesn’t happen automatically for you, reach out to your account manager at CounSol.

3) Turn on two-factor authentication

Two Factor Authentication in Counsol

Two Factor Authentication in Counsol

CounSol has support for two-factor authentication — where you enter another code after you enter your normal password. This requires that you have an Android smartphone or tablet or an Apple iPhone or iPad, and that you install the Google Authenticator app. We strongly recommend you use two-factor authentication.

4) Consider turning on passwords for downloaded files

CounSol allows the provider to set a password for all files it sends. The benefit of this is that if you work with a client or clients who live with an abuser or who are unhoused, it might be unsafe for them to download bills to a computer where someone else might have access to that information. Consider turning this on if a risk assessment warrants it.

5) Be mindful of how you use the secure messaging portal

CounSol includes integrated secure messaging; this is where you send a client an email that doesn’t contain the actual message and they have to log into a portal to retrieve it. Be aware that the message does include the name of your practice. So, as we mentioned earlier, determine if your client could be harmed by someone seeing the name of your practice in an e-mail.

An email from an imaginary practice

A sample e-mail from Imaginary Practice 1.

Additionally, the portal sends your client an e-mail when their account is first created. This e-mail contains a password to access their account. Gently urge your clients to log in and change their password as soon as they receive it.

6) Pay attention to what information is shared outside of CounSol

It is possible to share your CounSol calendar with such tools as Google Calendar or iCal. If you do that, first make sure you have a BAA with that other organization and that you are using appropriate device security measures for whatever devices might have access to that calendar.

CounSol has several options to help restrict what PHI is shared with external calendar providers. You can choose what information you want to show in notifications and synced calendar items. For example, you can show only the “Client Number” instead of the client’s name.

There’s a setting to receive an email each time a session is scheduled and we’d recommend against that; lucky for you it’s turned off by default.

7) Be sure you are following simple security measures like using appropriate passwords and computer/device security

It’s important to make sure whatever device you’re using to access CounSol is secured against threats to privacy. Our Device Security Instruction Center covers smartphone security in detail. Our video on how to use the security features of your smartphone is also quite helpful.

8) Avoid sending unsecured appointment reminders or payment notifications without proper collaborative risk analysis

We know you hear us say this in many other reviews, but it bears repeating no matter the tool we’re discussing.

Counsol offers appointment reminders by email, SMS text message, and voice. It can also send other notifications with the option of including specific diagnostic information.

Be sure to have an informed consent discussion with your clients before sending them email, SMS text, or voice notifications. We recommend being very explicit with your clients around contact methods for both appointment reminders and billing.

In the image below you’ll see the degree of granularity that can be achieved with notifications in CounSol. These settings can be made at the global level and at the client level. Be aware, though, that the settings at the global level only affect how each new client’s communication preferences are set. Changing the global notification settings will not change or override any existing client’s settings.

CounSol Notification Settings - a list of items to check

CounSol Notification Settings

Remember that when using conventional email or text messaging, you need to determine if simple opt-out is sufficient for your ethical and legal needs. Read our article on unsecured communications here for some guidance to help you decide what you need to do to around appointment reminders to stay legal and ethical in your practice. It is also covered in Engaging in HIPAA Security and Digital Confidentiality as a Mental Health Professional, Module 4: Using Email, Text, Phone, and Video in a HIPAA-Compliant Manner.

If it turns out that unsecured email or text communications are legally-ethically workable for you, CounSol executes a Business Associate Agreement with you, which makes it legal for them to send those emails or texts on your behalf.

CounSol allows you to send the client’s diagnosis in the invoices it sends. This option is disabled by default and we recommend you leave it disabled unless there’s a reason to enable it.

9) If you use the client journal feature, be aware that it becomes part of the client’s medical record

CounSol has a feature where clients can write in a journal and then have the option of sharing it with you. If the client shares their journal with you, it becomes part of their record. Complete a risk/benefit analysis of doing so with the client, and be sure to inform them that it will become part of their record if they share it with you.


Scheduled Maintenance

We will be temporarily taking the website offline at 10:00 PM Pacific (1:00 AM Eastern) tonight, July 6, in order to make some improvements. We plan to be back online by midnight Pacific (3:00 AM Eastern). We apologize for any inconvenience this may cause. Dismiss