Telehealth is now a permanent part of mental health practice, but many therapists are still using non-compliant platforms or are unclear about what HIPAA actually requires for video sessions. The COVID-era enforcement discretion that allowed FaceTime and Skype expired on May 11, 2023, with a transition period that ended August 9, 2023. If you're providing telehealth, you need compliant systems.
This guide covers exactly what HIPAA requires for telehealth: platform requirements, documentation, and how to avoid the compliance gaps that put your practice at risk.
HIPAA Telehealth Requirements at a Glance
| Requirement | What It Means |
|---|---|
| HIPAA-compliant platform | Encryption in transit and at rest, access controls, audit logs |
| Business Associate Agreement | Signed BAA with platform vendor |
| Secure transmission | Encrypted video/audio during session |
| Access controls | Only authorized users can access sessions |
| Client verification | Confirm client identity at session start |
| Appropriate environment | Private space on provider's end |
| Documentation | Record telehealth-specific elements in notes |
Platform Requirements
What Makes a Platform HIPAA-Compliant?
Technical safeguards:
- Encryption in transit (typically TLS for signaling and SRTP for the audio/video stream). True end-to-end encryption, where only the two endpoints hold the keys and the vendor cannot decrypt the session, is stronger, but HIPAA lists encryption as an "addressable" specification rather than an absolute requirement; ask the vendor which model they actually provide and document the answer
- Access controls (unique user IDs, strong passwords, multi-factor authentication where the platform offers it)
- Automatic session timeout / logoff after inactivity
- Audit logging (tracks who accessed what, when)
Administrative safeguards:
- Business Associate Agreement available
- Security policies and procedures
- Breach notification procedures
- Workforce training requirements
Operational:
- Data stored securely (encryption at rest)
- Clear data retention and deletion policies
- Known data location: HIPAA itself does not require US-based servers, but you should know where the vendor stores ePHI, address it in your risk analysis, and check whether your payers, state law, or your own BAA impose residency restrictions
Compliant Platforms
| Platform | BAA Available | Notes |
|---|---|---|
| Doxy.me | Yes | Free tier available; popular with solo practitioners |
| SimplePractice Telehealth | Yes | Integrated with SimplePractice EHR |
| TherapyNotes Telehealth | Yes | Integrated with TherapyNotes EHR |
| Zoom for Healthcare | Yes | Requires healthcare plan (not free/standard Zoom) |
| VSee | Yes | Telehealth-focused platform |
| Thera-LINK | Yes | Mental health specific |
| Google Meet (Enterprise) | Yes | Requires Workspace with BAA |
Non-Compliant Platforms
| Platform | Why Not Compliant |
|---|---|
| Zoom (free/Basic plan) | No BAA on the free/Basic plan (Zoom for Healthcare plan required) |
| FaceTime | Apple doesn't offer BAA |
| Skype (consumer) | No BAA available |
| Google Meet (free) | No BAA without Enterprise |
| | No BAA; data sharing concerns |
| Facebook Messenger | No BAA; not designed for healthcare |
| Standard phone (landline) | Not actually prohibited: HHS permits audio-only telehealth, and the Security Rule doesn't apply to a traditional landline call because the call isn't electronic PHI. VoIP, mobile, and app-based calling do need a compliant vendor and BAA. See Audio-Only Sessions below |
The COVID Exception Is Over
During the pandemic, HHS announced enforcement discretion for telehealth platforms, effective March 17, 2020. Therapists could use FaceTime, Skype, or standard Zoom without penalty, provided they acted in good faith.
That discretion expired on May 11, 2023, with a 90-day transition period that ended August 9, 2023. Since then, standard enforcement applies. Using non-compliant platforms now risks HIPAA violations.
Business Associate Agreement (BAA)
You must have a signed BAA with your telehealth platform vendor before using it for client sessions.
What the BAA Covers
- Vendor's obligations to protect PHI
- Permitted uses and disclosures
- Breach notification requirements
- Return or destruction of PHI at contract end
- Your right to terminate for violations
How to Get a BAA
Most compliant platforms offer BAAs through their account setup:
- Doxy.me: Available in account settings
- SimplePractice: Part of subscription agreement
- Zoom Healthcare: Provided with healthcare plan
Keep documentation: Save a copy of signed BAAs. You may need to produce them for compliance audits.
Business Associate Agreements: Complete Guide →
Session Security
Before the Session
Your environment:
- Private room with door closed
- No one can overhear or see your screen
- Professional, confidential setting
Client verification:
- Confirm client identity at session start
- Verify client's location (state matters for licensing)
- Confirm client is in private space
Technology check:
- Stable internet connection
- Platform functioning properly
- Backup plan if technology fails
During the Session
Maintain confidentiality:
- No recording without explicit consent and documentation
- Screen sharing only with caution
- Use the waiting room so that only the client you admit can join, and lock the session once the client is in
Handle disruptions:
- If connection drops, have reconnection protocol
- If security concern arises, end session and follow up securely
- Document any significant technology issues
After the Session
Documentation:
- Note that service was via telehealth
- Record platform used
- Document client location
- Note any technology issues
Data handling:
- Don't save recordings on unsecured devices
- Clear any local cache if applicable
- Maintain platform security (logout, secure passwords)
Documentation Requirements
Telehealth sessions require the same documentation as in-person sessions, plus telehealth-specific elements.
Standard Documentation
All the usual clinical documentation:
- Date and time
- Presenting concerns
- Interventions used
- Client response
- Treatment progress
- Plan
HIPAA Compliant Documentation →
Telehealth-Specific Documentation
Add to your notes:
Service provided via [platform name] HIPAA-compliant video platform.
Business Associate Agreement on file with vendor.
Client identity verified at session start.
Client location: [city/state] - private residence.
Client confirmed private, confidential environment.
No technology disruptions. [OR: Brief audio disruption at [time], resolved within [X] minutes, did not significantly impact session.]
Why Location Matters
Documenting client location serves two purposes:
- Licensing: You must be licensed in the state where the client is located
- Emergency response: If crisis occurs, you need to know where the client is
Client Communication About Telehealth
Informed Consent
Before beginning telehealth services, obtain informed consent addressing:
- How telehealth works
- Privacy and security measures in place
- Risks (technology failures, potential for interception despite encryption)
- Client responsibilities (private environment, technology requirements)
- Alternatives to telehealth
- Emergency procedures
Many therapists use a telehealth-specific consent form in addition to general consent.
Client Instructions
Provide clients with:
- How to access the platform
- Technical requirements (internet speed, device, browser)
- What to do if connection fails
- Reminder to use private space
- Emergency contact information
Telehealth Billing and HIPAA
When billing for telehealth sessions, you're transmitting PHI. The same HIPAA billing requirements apply.
Billing Requirements
- Submit claims through secure, compliant channels
- Use appropriate telehealth modifiers (95 for synchronous audio/video, GT where a payer still requires it, 93 for audio-only)
- Use correct Place of Service codes (POS 10 when the patient is at home, POS 02 when the patient is somewhere other than home)
- Maintain secure billing records
Documentation Supporting Claims
Your notes should support the telehealth billing:
- Evidence that session occurred via video/audio
- Time documentation (start/stop times)
- Clinical content justifying the CPT code
Telehealth Billing for Therapists →
Special Situations
Audio-Only Sessions
HIPAA permits audio-only telehealth. HHS guidance (June 2022) confirms that the Privacy Rule applies to audio-only sessions, and that the Security Rule does not apply to a traditional landline call because the call isn't electronic PHI. But:
- VoIP, mobile, and app-based calls are ePHI, so those vendors need a BAA and the same security safeguards as a video platform
- A standard landline call isn't encrypted, so keep the conversation to what's clinically necessary and confirm the client is in a private space
- Some payers require video for reimbursement
- Audio-only uses different billing codes/modifiers (modifier 93) and may be reimbursed at different rates
If using audio-only:
- Understand payer requirements
- Document that session was audio-only and why
- Consider HIPAA-compliant audio platforms
Client in Public Space
If a client joins from a non-private location:
- Discuss confidentiality limitations
- Client assumes some privacy risk
- Document that client was informed
- Consider rescheduling if sensitive content planned
Technology Failures
Have a protocol for when technology fails:
- Attempt to reconnect (give it 5 minutes)
- Try backup method (phone call to reschedule)
- Document what happened
- Reschedule if session cannot continue
- Determine billing implications
Emergency During Telehealth
Know your client's location and have emergency resources ready:
- Local emergency services contact
- Crisis line numbers
- Client's emergency contact
- Protocol for wellness check if needed
Document emergency procedures in treatment planning.
Compliance Checklist
Platform Setup
- Using HIPAA-compliant platform
- BAA signed and on file
- Unique login credentials
- Strong, unique password and 2FA enabled wherever the platform supports it
- Familiar with platform security features
Environment
- Private office space for telehealth
- Door can be closed/locked
- Screen not visible to others
- Audio not audible to others
- Professional background
Documentation
- Telehealth consent form in place
- Session notes include telehealth elements
- Client location documented each session
- Technology issues documented when they occur
Policies
- Written telehealth policies
- Client instructions documented
- Emergency procedures established
- Technology failure protocol in place
Frequently Asked Questions
- Can I use my personal phone for telehealth?
- If your phone is secured (encrypted, passcode protected, automatic lock) and you're using a HIPAA-compliant app (not FaceTime), it can be acceptable. However, using a dedicated work device is preferable for maintaining boundaries and security.
- What if my client wants to use FaceTime?
- Explain that HIPAA requires compliant platforms. Offer your compliant platform option. Many platforms (Doxy.me's free tier, for example) cost the client nothing and are easy to use: they just click a link.
- Do I need a BAA with Zoom?
- If using Zoom for Healthcare (the paid healthcare plan), yes—and they provide it. If using standard/free Zoom, you can't get a BAA and shouldn't use it for telehealth.
- Can clients join from their car?
- They can, but discuss confidentiality limitations. A parked car in a private location may be acceptable; driving is not. Document the situation.
- What about group telehealth?
- Same requirements apply. Ensure all participants understand confidentiality expectations with multiple people on the call. Platform must handle multiple participants securely.
HIPAA-compliant telehealth isn't complicated once you have the right platform and processes. Get a compliant platform, sign your BAA, document properly, and maintain a secure environment. Your clients trust you with their most sensitive information—telehealth should protect that trust just as well as in-person sessions.