HIPAA-Compliant Telehealth Therapy for Therapists — Complete 2026 Guide
Running a HIPAA-compliant telehealth therapy practice means choosing the right platform, getting a signed Business Associate Agreement, obtaining proper informed consent, and following state licensing rules. Telehealth now accounts for a significant portion of all mental health sessions in the US — and the compliance requirements are stricter than most therapists realize.
This guide covers every requirement for HIPAA-compliant telehealth therapy in 2026: platform selection, what makes a therapy platform HIPAA-compliant, state laws, informed consent, emergency protocols, and a compliance checklist you can use right now.
Updated June 2026 · Covers HIPAA, state laws, platform selection, and informed consent
The #1 Rule for HIPAA-Compliant Telehealth Therapy
Your telehealth platform must sign a HIPAA Business Associate Agreement.
The moment a client connects to a video therapy session, their name is linked to the fact that they are receiving mental health treatment. That is Protected Health Information. Any HIPAA-compliant telehealth platform transmitting that connection must sign a BAA — otherwise, every session is a potential HIPAA violation. This single requirement rules out standard Zoom, Google Meet, FaceTime, and Skype.
Best HIPAA-Compliant Telehealth Platform for Therapists in 2026
SimplePractice
HIPAA-compliant telehealth included with EHR · From $29/mo · BAA included
SimplePractice includes HIPAA-compliant telehealth therapy in all paid plans. No separate platform, no extra cost, no second BAA to sign. Clients join from any browser — no download required. Sessions are documented in the same system as your notes and billing, making it the most complete HIPAA-compliant therapy platform available.
- ✓ Built-in waiting room
- ✓ No client download required
- ✓ BAA covers telehealth automatically
- ✓ Session notes and billing in same platform
- ✓ Works on mobile and desktop
- ✓ HIPAA-compliant telehealth and EHR under one subscription
HIPAA-Compliant Telehealth Platforms for Therapists Compared
Not every video platform qualifies as a HIPAA-compliant telehealth therapy platform. Here are the four main options therapists actually use in 2026, with an honest breakdown of who each one is right for.
| PLATFORM | TYPE | BAA | PRICE | CLIENT DOWNLOAD |
|---|---|---|---|---|
| SimplePractice | EHR with built-in telehealth | ✓ Included | From $29/mo | Not required |
| TherapyNotes | EHR with built-in telehealth | ✓ Included | From $49/mo | Not required |
| Doxy.me | Standalone telehealth only | ✓ Available on paid plans | Free–$49/mo | Not required |
| Zoom for Healthcare | Standalone video platform | ✓ BAA available (healthcare plan only) | From $200/mo (healthcare plan) | Often required |
SimplePractice — EHR with built-in telehealth
All-in-one: telehealth + EHR + billing under one BAA
TherapyNotes — EHR with built-in telehealth
Therapists who need complex insurance billing alongside telehealth
Doxy.me — Standalone telehealth only
Therapists with an existing EHR who only need a video platform
Zoom for Healthcare — Standalone video platform
Large practices already using Zoom enterprise — standard Zoom is NOT HIPAA-compliant
⚠ Not HIPAA-Compliant for Telehealth Therapy
Standard Zoom, Google Meet, FaceTime, Skype, and WhatsApp are not HIPAA-compliant telehealth therapy platforms. They do not sign BAAs for individual or standard accounts. Using them for therapy sessions puts you at risk of HIPAA violations. Zoom for Healthcare (a separate, expensive healthcare plan) is the only Zoom product that qualifies.
HIPAA-Compliant Telehealth for Behavioral Health
Behavioral health telehealth — including therapy, psychiatry, counseling, and substance use treatment — carries stricter HIPAA requirements than standard medical telehealth. Mental health records are among the most sensitive PHI categories, and behavioral health providers face heightened enforcement.
Psychotherapy notes get extra protection
Under HIPAA, psychotherapy notes (process notes) are protected separately from the rest of the medical record. Even other healthcare providers cannot access them without explicit patient authorization. Your telehealth platform must not store session content — only the scheduling and connection metadata.
Substance use disorder records: 42 CFR Part 2
If you treat substance use disorders, a separate federal law (42 CFR Part 2) applies — stricter than standard HIPAA. Telehealth with SUD clients requires additional consent and limits on what information can be shared, even in emergencies. Many HIPAA-compliant therapy platforms meet standard HIPAA requirements, but you should verify their 42 CFR Part 2 handling separately.
State mental health confidentiality laws
Most states have mental health confidentiality laws that are stricter than HIPAA. For telehealth, you must follow the laws of the state where your client is located — not just where you practice. California, New York, and Illinois have especially broad mental health privacy protections that exceed standard HIPAA requirements.
Minor clients in telehealth behavioral health
Treating minors via telehealth adds complexity: most states require parental consent for minors to receive mental health treatment, but many states also give minors the right to consent to their own mental health treatment (typically at 12–14 years old). These rules vary by state and apply fully to telehealth sessions.
Telehealth Informed Consent Requirements
HIPAA requires informed consent for telehealth before the first session. Many states have additional requirements. Your telehealth consent should cover:
- Description of the technology used and its limitations
- Explanation of HIPAA protections and potential risks
- Client's right to stop telehealth and switch to in-person
- Emergency procedures if the connection fails or client is in crisis
- Confirmation that the client is in a private location
- Client's current physical location (required in some states)
Telehealth Compliance Checklist
- Choose a HIPAA-compliant telehealth platform with a signed BAA
- Obtain telehealth informed consent from every client
- Verify the telehealth licensing requirements of the client's state
- Confirm client's location at the start of each session
- Document telehealth sessions as video/phone in your notes
- Have an emergency protocol for clients in crisis during telehealth
- Ensure your workspace is private with no background audio
- Do not record sessions without explicit written consent
State-Specific Telehealth Rules
California
Telehealth parity law requires insurers to cover telehealth at the same rate as in-person. HIPAA + California Consumer Privacy Act (CCPA) both apply.
Texas
Must be licensed in Texas to practice telehealth with Texas clients. Informed consent required in writing before first telehealth session.
New York
Strong telehealth parity law. Therapists must hold a NY license to treat NY residents via telehealth, even if practicing from another state.
Florida
Must hold a Florida license to treat Florida clients via telehealth. Baker Act involuntary commitment laws apply to telehealth clients in crisis.
Illinois
MHDDCA privacy protections apply to telehealth records. Informed consent must include description of telehealth technology used.
FAQ — HIPAA-Compliant Telehealth Therapy
What makes a telehealth platform HIPAA-compliant for therapy?
A HIPAA-compliant telehealth therapy platform must: (1) sign a Business Associate Agreement (BAA) with your practice, (2) encrypt data in transit and at rest, (3) provide access controls so only authorized users can access session data, and (4) have breach notification procedures. The platform itself does not need to be certified — HIPAA certification does not officially exist — but it must meet all technical and administrative safeguard requirements and be willing to sign a BAA.
Can I use a HIPAA-compliant therapy platform across state lines?
Generally no — you must be licensed in the state where your client is physically located at the time of the session, not where they live or where you are located. Most states require a license to practice telehealth with clients in that state. The Psychology Interjurisdictional Compact (PSYPACT) and Counseling Compact provide exceptions for participating states — check if your state participates.
What is the best free HIPAA-compliant telehealth platform for therapists?
Doxy.me offers a free tier that includes basic HIPAA-compliant video. However, the free plan does not include a Business Associate Agreement — you need a paid plan (starting around $35/mo) to get BAA coverage. For a fully free option with a BAA, some therapists use SimplePractice's free trial period, but there is no permanently free HIPAA-compliant telehealth therapy platform that includes a BAA.
What do I do if a telehealth client is in crisis?
Have a written emergency protocol before starting telehealth practice. Know your client's physical location before each session. Have local emergency numbers for the client's location (not just your own area). If a client is in immediate danger and you cannot reach emergency services in their location, call 911 in your jurisdiction and provide the client's address.
Does my malpractice insurance cover telehealth?
Most professional liability insurers cover telehealth, but coverage details vary. Verify with your insurer that your policy specifically covers telehealth services and confirm which states you are covered to practice in. Some policies require a rider or endorsement for telehealth coverage.
How do I verify a client's identity for telehealth?
Best practice is to verify client identity at the start of each telehealth session, especially for new clients. Ask them to show government-issued ID on camera, or verify through your EHR's client portal login. Some insurance companies have specific identity verification requirements for telehealth billing.