HIPAA Compliance for Telehealth Therapists in New York City, New York — 2026 Guide
Telehealth therapists who cross state lines face the HIPAA laws of both states simultaneously. This guide covers what telehealth therapists in New York City must do before the February 16, 2026 HIPAA deadline — including state-specific legal requirements, the most common violations that trigger OCR audits in New York, step-by-step fixes for each violation, and a full compliance checklist tailored to your practice type.
NYC telehealth therapists represent one of the highest-risk practice configurations for HIPAA violations — they serve clients across multiple states, rely heavily on technology platforms, and often use consumer video tools that look professional but lack proper HIPAA protections. Average HIPAA fines in New York are $52,000 — among the highest of any state.
$52,000
Average HIPAA fine in New York
Post-COVID telehealth enforcement has increased dramatically.
Source: HHS Office for Civil Rights enforcement data, 2025
New York Law Requirements for Telehealth Therapists
New York City telehealth therapists face HIPAA, the New York SHIELD Act, and New York Mental Hygiene Law — three overlapping frameworks with different enforcement mechanisms. The SHIELD Act requires telehealth therapists to implement reasonable data security safeguards for any New York resident's health information, regardless of where the therapist is licensed. When a NYC telehealth therapist serves clients in other states, they must comply with the stricter of the two states' requirements. The surge in telehealth services post-COVID has led OCR to significantly increase enforcement attention on video therapy — specifically on practices using consumer-grade video platforms without proper BAAs. Post-2023 enforcement actions have included fines specifically for telehealth-related violations.
OCR Region 2 (New York) has significantly increased telehealth-specific enforcement since 2022, focusing on practices using consumer video platforms — and New York's Attorney General enforces the SHIELD Act through a separate channel.
Top HIPAA Violations for Telehealth Therapists in New York City — and How to Fix Them
These are the violations OCR most frequently cites for telehealth therapists in New York. Each one is fixable — most in under an hour. The cost of not fixing them is significantly higher than the cost of the solution.
Using Zoom standard (not Zoom for Healthcare)
HOW TO FIX IT
Upgrade to Zoom for Healthcare or switch to SimplePractice's integrated telehealth (included in Essential plan at $69/month). Zoom for Healthcare requires a Business or Enterprise plan and a separately executed BAA — standard Zoom Business does not automatically include the BAA.
No BAA with video platform
HOW TO FIX IT
Move any session recordings from personal Google Drive or Dropbox to a BAA-covered storage system. SimplePractice's platform stores recordings under its BAA. For external storage, use Box for Healthcare or Google Workspace Business with BAA configured.
Session recordings stored without encryption
HOW TO FIX IT
Create a written multi-state compliance log: list each client's state and whether that state has additional telehealth requirements. Consult each state's licensing board website for current interstate telehealth requirements.
The #1 Tech Compliance Gap for Telehealth Therapists in New York City
Consumer video apps used for therapy sessions without HIPAA BAA
SimplePractice solves this with a signed BAA, encrypted messaging, and HIPAA-compliant telehealth — all in one platform used by 225,000+ therapists.
Trusted by 225,000+ Therapists — Recommended for Telehealth Therapist in New York City
50% Off Your First 4 Months of SimplePractice
SimplePractice is the #1 HIPAA-compliant practice management platform for therapists. Includes a signed BAA, encrypted messaging, telehealth, and full insurance billing.
Limited-time summer offer · No credit card required for trial
Need HIPAA-compliant email only? See Hushmail for Healthcare →
Telehealth Therapist HIPAA Compliance Checklist — New York City
Work through this checklist to confirm your practice meets the baseline HIPAA requirements for telehealth therapists in New York. Every item marked incomplete is a potential OCR audit finding.
Replace consumer Zoom with Zoom for Healthcare (Business or Enterprise plan with a signed HIPAA BAA) or SimplePractice's built-in HIPAA telehealth
Store all session recordings in a BAA-covered system — not in personal cloud storage
Map your multi-state client list: identify clients in states with stricter telehealth privacy laws (California, Washington, Illinois) and ensure you meet those states' requirements
Sign BAAs with every telehealth-adjacent vendor: video platform, client portal, session recording storage, and AI note-taking tools
Obtain written informed consent for any session recording and store consents in client files
Verify your professional liability insurance covers multi-state telehealth
Implement a written remote work policy covering home office security: locked screens, private sessions, no family access to work devices
Post an updated 2026 NPP on your website and send it to all telehealth clients electronically
This checklist covers the most common compliance gaps for telehealth therapists in New York City. It is not a substitute for a full HIPAA Security Risk Assessment or legal advice specific to your practice.
Frequently Asked Questions — Telehealth Therapists in New York City
Does a telehealth therapist in New York City need to comply with HIPAA?
Telehealth therapists who cross state lines face the HIPAA laws of both states simultaneously.
What is the average HIPAA fine for therapy practices in New York?
The average HIPAA fine for therapy practices in New York is $52,000. Post-COVID telehealth enforcement has increased dramatically.
What are the most common HIPAA violations for telehealth therapists?
Using Zoom standard (not Zoom for Healthcare). No BAA with video platform. Session recordings stored without encryption.
What is the February 2026 HIPAA deadline?
By February 16, 2026, all covered entities including therapy practices must update their Notice of Privacy Practices (NPP) to reflect the new HIPAA Privacy Rule requirements around patient rights and data access. Failure to update is an automatic violation.
What is SimplePractice and does it solve HIPAA compliance?
SimplePractice is a HIPAA-compliant practice management platform used by 225,000+ therapists. It includes a signed Business Associate Agreement (BAA), encrypted client messaging, HIPAA-compliant telehealth, and documentation tools. It does not replace a full Security Risk Assessment but covers most day-to-day compliance gaps.
Is standard Zoom HIPAA-compliant for therapy sessions?
No. Standard Zoom is not HIPAA-compliant. To use Zoom for therapy sessions, you must have a Zoom for Healthcare account at Business or Enterprise level and execute a separate HIPAA Business Associate Agreement with Zoom. Free Zoom and standard Business accounts do not include a BAA. SimplePractice's built-in telehealth and Doxy.me's paid plan are HIPAA-compliant alternatives that include BAAs automatically.
What happens if I serve clients in California while licensed in New York?
When you serve clients in other states, you must comply with the stricter of the two states' requirements. California CMIA requires breach notifications within 5 business days versus HIPAA's 60 days, gives patients stronger access rights, and is enforced by both California OCR and the California BBS. Any telehealth therapist serving California clients must meet California's 5-day notification requirement and maintain CMIA-compliant authorization forms.