HIPAA-Compliant Telehealth for Therapists — 2026 Complete Guide
Which telehealth platforms are actually HIPAA-compliant, what to look for, and how to run HIPAA-safe video sessions.
The Core Rule: Your Telehealth Platform Must Sign a BAA
Under HIPAA, any video platform you use to conduct therapy sessions transmits, and may store, Protected Health Information (PHI): the video and audio stream, the client's name and contact details on the invite, chat messages, and any recording or transcript. That makes the vendor a Business Associate, which means it must sign a Business Associate Agreement (BAA) with you before you use it with clients. If a platform will not sign a BAA, or has no process for it, you cannot use it for telehealth with your clients, no matter how strong its encryption is. Encryption alone is not the test; the contractual obligation is. This rules out FaceTime, Zoom on a plan where Zoom has not signed a BAA with you (the free tier cannot get one), Skype, Google Meet on a personal account, and WhatsApp for clinical use.
Platforms That Sign BAAs for Telehealth
As of 2026, the following platforms have established HIPAA BAA processes for healthcare providers: SimplePractice (integrated telehealth + EHR, BAA included), Doxy.me (the free plan includes a BAA, which is unusual and worth noting), Zoom (a BAA is available only on eligible paid plans and must be requested and signed; a standard account, free or paid, is not covered until the BAA is in place), VSee, TheraNest, and TherapyNotes (integrated with their EHR). Platforms that do NOT offer BAAs to standard users: FaceTime (Apple does not offer healthcare BAAs), free Zoom, Google Meet on personal accounts, Microsoft Teams personal, WhatsApp, and Signal (end-to-end encrypted, but Signal signs no BAA, so it still fails the test). Two caveats: a BAA only covers the product and plan named in it, so check that your specific tier is the one the vendor signs for, and a BAA does not configure the product for you; you still have to set it up correctly (see the documentation section below). Note: during the COVID-19 public health emergency, OCR exercised enforcement discretion for non-BAA platforms. That enforcement discretion expired in 2023 (the transition period ended in August 2023), so you are no longer covered by it.
What Makes a Telehealth Session HIPAA-Compliant Beyond the Platform?
Signing a BAA with your platform is necessary but not sufficient. You also need: a private physical space where clients cannot be overheard (waiting rooms, shared offices, and coffee shops are not acceptable, and the same applies to the client's end, which you should confirm at the start of each session); a trusted network (the platform encrypts the session itself, but on public Wi-Fi without a VPN or a personal cellular hotspot your other traffic and your device are exposed, so do not conduct sessions there); client consent for telehealth documented in your records; encrypted storage for recordings if you record sessions (most therapists do not, but if you do, recordings and transcripts are PHI and fall under the same safeguards as your notes); a device that is itself secured (screen lock, full-disk encryption, current updates, no shared family login); and a written policy for what to do if the secure connection drops, including which backup channel you will use, since a fallback to a personal phone or an unapproved app is the point at which most sessions leave the BAA-covered boundary.
Interstate Telehealth Compliance
HIPAA is federal and applies uniformly, but state therapy licensing laws vary significantly. Most states do not allow you to provide therapy to a client who is physically located in another state unless you are licensed in that state or both states participate in a licensure compact. As of 2026, the Counseling Compact and PSYPACT cover many states for LPCs and psychologists respectively, but not all professions and not all states participate, and the client's location at the time of the session, not their home address, is what counts. For the privacy piece: state mental health privacy laws generally follow the client, so if your client is physically in Florida, New York, or Illinois, that state's confidentiality and breach-notification rules apply to your telehealth session in addition to HIPAA. Licensure and privacy are separate questions; being allowed to practice across the state line does not relieve you of the other state's privacy law, and the reverse is also true.
Documenting Your Telehealth Compliance
OCR expects you to be able to demonstrate that your telehealth practice is HIPAA-compliant, and that means evidence you can produce on request, not a belief that things are set up correctly. You should maintain: a signed copy of your BAA with your telehealth platform (and with every other vendor that touches PHI, such as your EHR and email provider); written documentation of your telehealth policies (in your HIPAA policies binder); client consent forms acknowledging they are participating in telehealth and understand the privacy limitations; and a log or configuration proof, dated and refreshed whenever settings change, that your platform settings meet your policy (e.g., recording is disabled, waiting rooms are enabled, sessions require a passcode or authenticated join, and session links are unique per client rather than a single reusable personal room link shared with everyone).
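The "configuration proof" item above is the one practitioners most often skip because it feels like paperwork. As an added example, not part of the original guide and not any platform's real export format or API, the Python script below shows how to turn a settings export into dated, checkable evidence: it reads a constructed JSON export, checks each account setting against the required posture, flags any join link that is reused across more than one client, and produces an attestation record (findings plus a SHA-256 hash of the export and a timestamp) that can be filed in the policies binder. The field names (`cloud_recording`, `waiting_room`, `passcode_required`, `sessions`, `join_link`, `client_id`) are assumptions made for this illustration; map them to whatever your platform actually exports.

```python
import hashlib
import json
from datetime import datetime, timezone

# Constructed sample export for the example. The schema is hypothetical,
# not the export format of any real telehealth vendor.
SAMPLE_EXPORT = """
{
  "account_settings": {
    "cloud_recording": true,
    "waiting_room": false,
    "passcode_required": true
  },
  "sessions": [
    {"client_id": "C-001", "join_link": "https://telehealth.example/room/a1b2c3"},
    {"client_id": "C-002", "join_link": "https://telehealth.example/room/a1b2c3"},
    {"client_id": "C-003", "join_link": "https://telehealth.example/room/z9y8x7"}
  ]
}
"""

# Required posture, mirroring the checklist in the text: no recording,
# waiting room on, passcode (or equivalent join control) on.
REQUIRED_SETTINGS = {
    "cloud_recording": False,
    "waiting_room": True,
    "passcode_required": True,
}


def audit_settings(account_settings):
    """Return one finding per required setting that is missing or wrong."""
    findings = []
    for key, expected in REQUIRED_SETTINGS.items():
        actual = account_settings.get(key)
        if actual is None:
            # A setting you cannot see is a setting you cannot attest to.
            findings.append(f"{key}: absent from export, cannot attest")
        elif actual != expected:
            findings.append(f"{key}: is {actual}, required {expected}")
    return findings


def audit_join_links(sessions):
    """Flag any join link that is shared by more than one client."""
    clients_by_link = {}
    for session in sessions:
        clients_by_link.setdefault(session["join_link"], []).append(session["client_id"])
    return [
        f"join link {link} reused by clients {sorted(clients)}"
        for link, clients in sorted(clients_by_link.items())
        if len(clients) > 1
    ]


def audit_export(raw_export):
    """Run both audits over a raw JSON export and return the findings list."""
    data = json.loads(raw_export)
    findings = audit_settings(data.get("account_settings", {}))
    findings += audit_join_links(data.get("sessions", []))
    return findings


def attestation(raw_export, now=None):
    """Build the record to file: what was checked, when, and a hash of the
    exact export checked, so the evidence can be tied back to the input."""
    now = now or datetime.now(timezone.utc)
    findings = audit_export(raw_export)
    return {
        "checked_at": now.isoformat(),
        "export_sha256": hashlib.sha256(raw_export.encode("utf-8")).hexdigest(),
        "compliant": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    print(json.dumps(attestation(SAMPLE_EXPORT), indent=2))
```

Run against the sample, the script reports that cloud recording is enabled, the waiting room is off, and clients C-001 and C-002 share a join link; the passcode check passes. Re-run it after each settings change and keep the output, because a single audit from last year proves nothing about this year's configuration.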
Get Your Practice 100% HIPAA Compliant in 2026
SimplePractice is the #1 HIPAA-compliant practice management platform built specifically for therapists. Includes secure messaging, telehealth, billing, and a signed BAA — everything you need to stay compliant and protect your clients.
Need HIPAA-compliant email only? See Hushmail for Healthcare →
Frequently Asked Questions
Is the free version of Doxy.me HIPAA compliant?
Yes — Doxy.me is one of the few platforms that signs a BAA on its free tier, which makes it popular among solo therapists starting out. Keep in mind that the BAA covers only the video session. If you use Doxy.me for telehealth and a separate EHR for records, you still need a separate BAA with your EHR, and likewise with your email, scheduling, and any other vendor that handles PHI.
Can I use standard Zoom if I get my client to sign a consent form?
No. A client consent form does not substitute for a HIPAA-compliant platform and BAA. The consent form addresses the client's rights and their understanding of telehealth; it does not create the technical and contractual safeguards that HIPAA requires from your vendor, and a client cannot waive your obligations as a covered entity. You need a Zoom plan on which Zoom has actually signed a BAA with you, configured per your telehealth policy, in addition to client consent, not instead of it.
What about AI note-taking tools like Otter.ai or Fireflies?
These tools listen to your sessions and create transcripts, so they are clearly handling PHI, and the transcript they store is often more sensitive than the session notes you would have written yourself. Most do not offer healthcare BAAs on standard plans, and some reserve the right to use transcripts to train their models. You must either (a) use only AI note tools that sign a HIPAA BAA covering the plan you are on, or (b) avoid them entirely for clinical sessions. Telling the client that a third-party tool is recording is required in addition to a BAA, not as a substitute for one (the same logic as the Zoom consent question above). If a platform you already have a BAA with bundles an AI note feature (SimplePractice advertises one), confirm in writing that your existing BAA covers that feature and check where the transcripts are stored and for how long.
Does the location of my client affect my HIPAA obligations?
HIPAA obligations are the same regardless of location, but state privacy laws follow the client. If your client is physically in New York, the NY SHIELD Act may apply. If they are in Florida, Florida's FIPA applies. This can impose stricter breach notification timelines than HIPAA alone.