HIPAA Compliance for Telehealth: The Complete 2026 Guide for Therapists
Everything solo therapists need to know about HIPAA-compliant telehealth — from platform selection and BAAs to encryption standards and state regulations.
Telehealth has become a permanent fixture in mental health care. What started as a pandemic accommodation is now how many therapists conduct 40–60 percent of their sessions. But with the end of COVID-era enforcement discretion, the rules around HIPAA-compliant telehealth have tightened considerably — and the consequences of getting it wrong have increased.
If you're a solo therapist offering virtual sessions, this guide walks through everything you need to have in place: the technology requirements, the legal documentation, the state-level nuances, and the practical workflows that keep you compliant without slowing you down.
Why HIPAA compliance matters more now
During the pandemic, the HHS Office for Civil Rights (OCR) issued a blanket enforcement discretion notice. This meant therapists could use consumer-grade tools like FaceTime, Zoom (non-HIPAA version), and Google Meet without facing penalties. That grace period ended in 2023, and enforcement has been ramping up steadily since.
In 2025 alone, OCR settled several cases involving telehealth-related HIPAA violations, with penalties ranging from $50,000 to over $1 million. While these cases typically involved larger organizations, solo practitioners are not exempt. A single complaint — from a client, a disgruntled former employee, or even a competitor — can trigger an OCR investigation.
What's at stake
- Financial penalties — $100 to $50,000 per violation, with annual maximums up to $1.5 million per violation category
- Criminal penalties — knowingly violating HIPAA can result in fines up to $250,000 and imprisonment
- Professional licensing — state boards can take action independent of federal enforcement
- Malpractice exposure — HIPAA violations can be cited as evidence of negligence in malpractice claims
- Reputational damage — OCR publishes enforcement actions publicly (the "Wall of Shame")
The bottom line: HIPAA compliance isn't optional, and "I didn't know" isn't a defense.
The technical requirements
HIPAA doesn't prescribe specific technologies, but it does require specific security standards. Here's what your telehealth setup must include.
End-to-end encryption
All video and audio data must be encrypted in transit. This means the data is unreadable to anyone who intercepts it between your computer and your client's device. The technical baseline is AES 256-bit encryption for data at rest and TLS 1.2 or higher for data in transit.
What this means practically: consumer video tools like standard Zoom, Google Meet, Skype, and FaceTime do not meet this standard by default. You need either a HIPAA-specific version (like Zoom for Healthcare) or a platform that was built for clinical use from the ground up.
Access controls
Your telehealth platform must support:
- Unique user identification — each user has their own login credentials
- Automatic session timeout — inactive sessions lock or disconnect after a defined period
- Audit logging — the system records who accessed what, when, and from where
- Role-based access — clients can only see their own data, not other clients' information
Transmission security
Beyond encryption, the platform must protect against unauthorized access during transmission:
- Secure waiting rooms that prevent unauthorized users from joining
- Session links that expire after use
- No recording without explicit consent mechanisms
- Secure screen sharing that doesn't expose other desktop content
Business Associate Agreements: the legal foundation
A Business Associate Agreement is a legal contract between you (the covered entity) and any vendor that handles Protected Health Information (PHI) on your behalf. For telehealth, this includes your video platform, your practice management software, your AI documentation tools, and any other service that transmits, stores, or processes client data.
Who needs a BAA?
Every vendor in your telehealth workflow:
- Video platform — the company providing your telehealth infrastructure
- Practice management system — where you store notes, schedules, and billing data
- Email provider — if you ever send PHI via email (even appointment confirmations with client names)
- Cloud storage — if you store any clinical documents in the cloud
- AI tools — any service that processes session data for notes or documentation
- Payment processor — if they handle insurance information or clinical billing data
- Phone/messaging service — including text appointment reminders
What a BAA must include
A valid BAA isn't just a signature on a generic form. It must specify:
- How the vendor will safeguard PHI
- Permitted uses and disclosures of PHI
- Requirements to report breaches
- Requirements to return or destroy PHI at contract termination
- The vendor's responsibility for their own subcontractors
Red flags to watch for
- Vendor refuses to sign a BAA — immediate disqualifier, no exceptions
- BAA is a single paragraph — legitimate BAAs are typically 3–10 pages covering specific obligations
- "HIPAA-compliant" marketing without a BAA — some vendors claim compliance in marketing materials but won't actually execute a BAA. Marketing claims are not legal protections.
- No mention of breach notification — a BAA without breach notification procedures is incomplete
Your telehealth environment
HIPAA compliance isn't just about software — it's about the physical space where you conduct sessions.
For your office
- Use a private room with a closed door — no shared office spaces during sessions
- Position your screen so it's not visible from windows or doorways
- Use headphones, not speakers, for client audio
- Disable notifications from other apps during sessions (client names in email previews = a violation)
- Lock your computer when stepping away, even briefly
For remote/home sessions
If you sometimes work from home — and most therapists do — the same standards apply:
- Dedicate a private room for sessions, not a shared living space
- Ensure household members cannot overhear sessions
- Use a VPN on shared or public networks
- Don't conduct sessions from coffee shops, co-working spaces, or other public locations
- Use a virtual background to prevent inadvertent disclosure of personal information
Client-side considerations
You're not responsible for your client's environment, but you should:
- Advise clients to join from a private location
- Document that you've discussed environmental privacy with clients
- Have a plan for when a client's environment isn't appropriate (e.g., they join from a car with other passengers)
- Include telehealth-specific language in your informed consent
State-by-state telehealth regulations
HIPAA is federal, but telehealth practice is regulated at the state level — and the rules vary significantly. This is one of the most commonly overlooked aspects of telehealth compliance.
Licensing requirements
In most states, you must be licensed in the state where your client is physically located at the time of the session, not where your office is. If your client goes on vacation to another state and wants to have their regular session, you may need a license in that state.
Some states offer exceptions:
- PSYPACT — a multi-state compact for psychologists (currently 42 member states)
- Counseling Compact — a similar agreement for licensed professional counselors (growing membership)
- Social Work Compact — for licensed clinical social workers (newer, fewer member states)
Check your specific license type and the compacts available to you. Practicing across state lines without proper licensure can result in disciplinary action from both states.
Informed consent requirements
Many states have specific requirements for telehealth informed consent that go beyond standard clinical informed consent:
- Explanation of how telehealth works and its limitations
- Description of the technology being used and its security measures
- Discussion of what happens during technical failures
- Client's right to refuse telehealth and receive in-person services
- How emergency situations will be handled when the client is remote
- Statement about recording policies
Prescriptive authority and limitations
If your scope of practice includes prescriptive authority (e.g., psychiatric nurse practitioners), additional telehealth rules may apply regarding initial assessments, DEA registration, and state prescribing regulations.
Documentation requirements for telehealth sessions
Telehealth sessions have the same documentation requirements as in-person sessions, plus additional telehealth-specific elements. Your session notes should include:
- Session modality — clearly document that the session was conducted via telehealth
- Platform used — identify the specific HIPAA-compliant platform
- Client location — the state where the client was physically present
- Provider location — the state where you were physically present
- Consent confirmation — that telehealth consent is on file
- Technology issues — note any connectivity problems, dropped connections, or audio/video quality issues that affected the session
- Clinical appropriateness — your assessment that telehealth was appropriate for this session's content
This documentation protects you in the event of an audit, a complaint, or a malpractice claim. Using AI documentation tools that include telehealth-specific fields can ensure you never miss these elements.
Building a compliant telehealth workflow
Compliance shouldn't be a separate checklist you manage alongside your clinical work. The best approach is building compliance into your workflow so it happens automatically.
Before you start seeing clients
- Choose a HIPAA-compliant platform — verify encryption, BAA, and security features
- Execute BAAs with all vendors — video, practice management, email, cloud storage
- Create telehealth-specific consent forms — include all state-required elements
- Update your [Notice of Privacy Practices](/notice-of-privacy-practices) — add telehealth data handling
- Set up your physical environment — private space, headphones, screen positioning
- Document your security procedures — what you'll do in case of a breach, technical failure, or emergency
For each session
- Verify client's location — confirm which state they're in at the start
- Confirm consent — especially for new clients or clients in a new state
- Use the approved platform — never switch to a non-compliant alternative for "convenience"
- Document telehealth-specific elements — modality, platform, locations, consent
- Secure your notes — store in your HIPAA-compliant practice management system
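As an added example (not code from this guide or from any platform), here is a small pre-filing check that encodes the telehealth note elements listed under "Documentation requirements" together with the per-session location and consent steps above; the field names, state codes, platform names and the sample note are assumptions constructed for illustration.

```python
"""Checks the telehealth-specific note elements and the per-session location
and consent steps this guide lists. Added example, not code from the guide or
any platform: field names, state codes, platform names and the sample note are
constructed for illustration."""
from dataclasses import dataclass

# Text fields the guide says every telehealth note must carry (names assumed).
REQUIRED_TEXT = ("modality", "platform", "client_state",
                 "provider_state", "clinical_appropriateness")


@dataclass
class TelehealthNote:
    modality: str = ""              # must state telehealth
    platform: str = ""              # the HIPAA-compliant platform actually used
    client_state: str = ""          # where the client was physically present
    provider_state: str = ""        # where you were physically present
    consent_on_file: bool = False   # telehealth consent confirmed
    clinical_appropriateness: str = ""
    technology_issues: str = ""     # may legitimately be empty


def validate_note(note, licensed_states, approved_platforms):
    """Return a list of findings; an empty list means the note passes.
    licensed_states: two-letter codes you may practice in, compact coverage
    (e.g. PSYPACT) included; approved_platforms: platforms with an executed BAA."""
    findings = []
    for name in REQUIRED_TEXT:
        if not getattr(note, name).strip():
            findings.append(f"missing: {name}")
    if not note.consent_on_file:
        findings.append("telehealth consent not confirmed on file")
    if note.modality and note.modality.strip().lower() != "telehealth":
        findings.append(f"modality must state telehealth, got {note.modality!r}")
    if note.platform and note.platform not in approved_platforms:
        findings.append(f"platform without an executed BAA: {note.platform}")
    if note.client_state and note.client_state.upper() not in licensed_states:
        findings.append(f"client located in {note.client_state} but no license "
                        "or compact coverage on file there")
    return findings


# Constructed sample: a NY-licensed therapist whose client is visiting CA.
SAMPLE_NOTE = TelehealthNote(modality="telehealth", platform="ExampleVideo",
                             client_state="CA", provider_state="NY",
                             consent_on_file=True,
                             clinical_appropriateness="appropriate for content")
LICENSED, APPROVED = {"NY"}, {"ExampleVideo"}
if __name__ == "__main__":
    for finding in validate_note(SAMPLE_NOTE, LICENSED, APPROVED):
        print("FINDING:", finding)
```

Run before the note is filed; a non-empty result means either the note is incomplete or the session itself needs attention (for example, the client has moved to a state you are not licensed in).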
Annually
- Conduct a risk assessment — HIPAA requires regular evaluation of risks to PHI
- Review and update BAAs — especially when vendors change their terms or pricing
- Update training — even as a solo practitioner, document your HIPAA training
- Test your incident response plan — know exactly what to do if a breach occurs
- Review state regulations — telehealth laws change frequently, especially post-pandemic
Common compliance mistakes
Even well-intentioned therapists make these errors:
Using personal email for client communication
That Gmail account isn't HIPAA-compliant. Even a simple "See you at 3 PM on Thursday, Sarah" contains PHI (client name + appointment information). Use your practice management platform's secure messaging or a HIPAA-compliant email service with a BAA.
Texting appointment reminders from your personal phone
Same principle. Your personal phone's text messaging isn't encrypted or auditable. Use your platform's automated reminder system or a HIPAA-compliant texting service.
Not tracking client location
If your regular client mentions they're "visiting family in California" and you proceed with the session without verifying your California licensing status, you may be practicing without a license in that state.
Keeping session recordings without a retention policy
If you offer session recording (with consent), you need a documented retention and destruction policy. How long are recordings kept? Where are they stored? How are they destroyed? Indefinite storage of session recordings creates unnecessary risk.
Assuming your vendor is compliant because their website says so
Marketing language is not a legal guarantee. Verify: Do they have a BAA? What encryption do they use? Where is data stored? Have they had any breaches? Do they have SOC 2 certification?
What this means for your practice
HIPAA compliance for telehealth is not as overwhelming as it first appears. Most of the requirements are one-time setup tasks — choosing the right platform, executing BAAs, creating consent forms, and documenting your procedures. Once that foundation is in place, day-to-day compliance is largely automatic if your workflow is built correctly.
The key insight is this: when your practice management platform handles encryption, access controls, audit logging, documentation, and BAAs — all in one integrated system — compliance stops being a separate burden and becomes a natural part of your clinical workflow.
If you're starting a new practice or evaluating alternatives to your current platform, make HIPAA compliance a first-tier evaluation criterion. The cheapest platform is never cheap if it leaves you exposed to a six-figure penalty.
Need a platform that handles HIPAA compliance end-to-end? Tendly is built for solo therapists with encryption, BAAs, and compliant telehealth — all included. Join the waitlist for early access.