HIPAA Compliance for Telehealth and Online Therapy
HIPAA applies in full to telehealth and online therapy delivered by covered entities and their business associates. The OCR COVID-19 enforcement discretion that briefly allowed consumer tools has ended, so practices now need a HIPAA-eligible platform under a signed Business Associate Agreement, plus the Security Rule safeguards that protect ePHI in transit.
HIPAA applies to telehealth — fully, and without a size exemption
When a covered entity delivers care over video, phone, secure messaging, or an app, HIPAA applies exactly as it does in the exam room. Telehealth changes the channel, not the law. The same Privacy Rule, Security Rule, and Breach Notification Rule that govern an in-person encounter govern a remote one, because the protected health information (PHI) involved is the same patient information, simply moving across a network instead of across a desk. There is no separate, lighter "telehealth HIPAA," and there is no headcount or revenue floor: a solo therapist running sessions from a laptop is as much a covered entity as a multi-site clinic.
The consequence is that every choice you make about how a session is delivered is a HIPAA choice. The platform that carries the video, the device the clinician uses, the network the patient connects over, the way appointment reminders and intake forms are sent — each is a place where electronic PHI (ePHI) is created, received, maintained, or transmitted, and each is therefore in scope for the Security Rule's safeguards. Telehealth does not narrow your obligations; it widens the surface area you have to protect.
This article is general information, not legal, compliance, or audit advice, and it creates no professional relationship. HIPAA is detailed and fact-specific, and telehealth guidance has shifted over time, so confirm the current rules for your situation at hhs.gov and, where it matters, with a qualified professional.
The video platform is usually a business associate — and the COVID-19 discretion has ended
A telehealth or video platform that creates, receives, maintains, or transmits ePHI on a practice's behalf is generally a business associate, and HIPAA requires a signed Business Associate Agreement (BAA) before any patient information flows through it. This is the same logic that governs your EHR or billing vendor: the relationship — handling ePHI on your behalf — creates the requirement, not whether the vendor's staff ever watch a session. Even a platform that does nothing more than carry the session is not a passive "conduit" the way the postal service is; it has the kind of persistent access to ePHI that makes it a business associate, so the BAA is not optional.
During the COVID-19 public health emergency, this picture was temporarily relaxed. In March 2020, the HHS Office for Civil Rights (OCR) announced a Notification of Enforcement Discretion that allowed clinicians, in good faith, to use everyday consumer video tools — including non-public-facing apps that would not normally meet HIPAA's bar — without OCR imposing penalties. That discretion was always a pause on enforcement, not a change to the law itself; HIPAA's requirements never went away.
That discretion has now ended. OCR tied the telehealth enforcement discretion to the public health emergency, which expired at 11:59 p.m. on May 11, 2023, and then provided a 90-calendar-day transition period that expired at 11:59 p.m. on August 9, 2023. Since then, practices are back to ordinary enforcement. In plain terms: you must use a HIPAA-eligible telehealth platform under a signed BAA, and you can no longer rely on the pandemic-era allowance for consumer tools. If a video vendor will not sign a BAA, that is a clear signal it is not an appropriate place for patient sessions.
Security Rule safeguards for telehealth
The Security Rule expects administrative, physical, and technical safeguards for ePHI, and several map directly onto how telehealth is delivered. Access controls matter first: each workforce member should have a unique login, multi-factor authentication is strongly advisable for anything reachable from the open internet, and automatic logoff should close idle sessions on shared or mobile devices. Audit controls — logging who accessed which record and when — let you reconstruct activity after an incident, and a clean trail is exactly what an OCR investigator or a breach assessment will ask for.
Encryption deserves a precise word, because it is widely misstated. Under the Security Rule as it currently stands, encryption in transit and at rest is an addressable implementation specification, not a flat mandate. "Addressable" means you must assess whether it is reasonable and appropriate and, if you decline it, document why and put an equivalent measure in its place. In practice, for ePHI traveling across the public internet during a video session, there is rarely a defensible reason to omit strong encryption — so encrypted transmission is effectively the expected baseline for telehealth even though the rule frames it as addressable. (Note that OCR has issued a proposed rule, published in January 2025, that would make encryption a required specification and largely eliminate the addressable category; as of this writing it has not been finalized, so the addressable framing remains the operative law. Confirm the current status at hhs.gov.) Secure messaging for follow-ups and document exchange should run inside the same protected, BAA-covered channel rather than over personal email or a free chat app.
This is also why the tooling choice is so consequential. Consumer FaceTime, a free Zoom account with no BAA, or a personal messaging app are not appropriate for clinical telehealth, because there is no BAA, you cannot demonstrate the required safeguards, and the vendor may mine or repurpose the data. A HIPAA-eligible platform is one that will sign a BAA and is configured to support these controls. The platform supplies the capability; you still have to turn the controls on and operate them.
Patient-side privacy and the limits of your control
Telehealth introduces a privacy variable you do not have in your office: the patient's own environment, which you cannot directly control. A session may be perfectly secured on your end and still be overheard by a family member in the next room, captured on an unsecured home network, or joined on a borrowed device. HIPAA holds you responsible for safeguarding ePHI within your control, not for policing the patient's living room — but good practice means helping patients protect themselves and documenting that you did.
A few habits address most of this. Confirm the patient's identity at the start of each session, especially for new patients or anyone you have not seen on video before, so you are not disclosing PHI to the wrong person. Connect from a private location yourself, with your screen and audio shielded from anyone nearby, and encourage patients to do the same. Make telehealth's nature and risks part of your consent conversation — many states require specific telehealth consent — and note it in the record. Avoid recording sessions unless you have a clear, documented clinical and legal basis and a secure, BAA-covered place to store the recording, because a recording is high-value ePHI that has to be protected for its entire life.
None of this requires elaborate technology. It requires a repeatable routine — identity check, private setting, informed consent, careful handling of anything recorded — applied to every encounter and written down, so that what you actually do matches what your policies say.
Mental and behavioral health: psychotherapy notes and highly sensitive ePHI
Behavioral-health telehealth carries an extra layer of sensitivity. The ePHI involved — diagnoses, session content, substance-use history — is among the most damaging information a person can have disclosed, capable of causing stigma, employment harm, and lasting damage to the therapeutic relationship. That heightened harm is a reason to apply the Security Rule's safeguards rigorously, treating teletherapy security as a clinical-quality obligation rather than a box to tick.
HIPAA also gives a specific, narrowly defined category extra protection: psychotherapy notes. Under 45 CFR 164.501, psychotherapy notes are the provider's notes documenting or analyzing a counseling session that are kept separate from the rest of the record. The definition deliberately excludes a lot — medication prescription and monitoring, session start and stop times, the modalities and frequency of treatment, results of clinical tests, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress to date. For that narrow set of separately maintained notes, most disclosures require the individual's specific written authorization, even some that HIPAA would otherwise permit without one. The practical takeaway is to keep psychotherapy notes genuinely separate, control access to them tightly, and recognize that the rest of the behavioral-health record does not get this special carve-out even though it is still highly sensitive.
A further federal overlay can apply: records from federally assisted substance-use-disorder programs are governed by 42 CFR Part 2, which is stricter than HIPAA in important respects. If your practice falls under Part 2, confirm its current requirements separately rather than assuming HIPAA covers the field.
State law, choosing a HIPAA-eligible platform, and where documentation fits
HIPAA is a federal floor, not a ceiling. More stringent state laws are generally not preempted, so a state privacy statute, a stricter telehealth consent requirement, or special rules for minors or for behavioral-health records can impose obligations beyond HIPAA. California's Confidentiality of Medical Information Act is one well-known example of a tougher state regime. Treat HIPAA as your baseline and then check what your state — and the state where your patient is located — requires, because telehealth can straddle multiple jurisdictions.
When evaluating a platform, look for concrete, verifiable signals. It must be willing to sign a BAA. It should support encrypted transmission, unique user accounts with multi-factor authentication, role-based access, audit logging, and automatic logoff. It should commit, in writing, not to use, sell, or mine ePHI for advertising or other unrelated purposes. And it should give you the configuration controls to actually enforce least-privilege access. "HIPAA-eligible" is the honest way to describe such a tool: no platform is "HIPAA compliant" in the abstract, because compliance depends on how you configure and operate it.
This is where documentation does real work. The ComplianceDocs HIPAA Compliance Toolkits — for mental and behavioral health practices, and for medical practices — give you an editable starting point for the policies a telehealth program needs, including an Encryption and Transmission Security Policy, an ePHI access control policy, a Business Associate Management Policy, and (in the mental-health edition) teletherapy security and psychotherapy-notes handling written for behavioral-health practices, alongside the Security Risk Assessment workbook (current list price $79 each; a launch discount code may apply at checkout). Be clear about the boundary: a toolkit is the documentation layer that removes the slowest part, drafting, and gives you a structured framework to tailor. It does not make your practice HIPAA compliant and confers no certification — compliance comes from executing the BAAs, configuring the platform, training your team, and operating the controls every day. Confirm the current rules at hhs.gov and with a qualified professional for your situation.
Frequently asked questions
- Does HIPAA apply to telehealth and online therapy sessions?
- Yes, fully. When a covered entity provides care remotely — by video, phone, secure messaging, or an app — the Privacy Rule, Security Rule, and Breach Notification Rule apply exactly as they do in person, because the same protected health information is involved. There is no separate, lighter set of rules for telehealth and no exemption for small or solo practices. Telehealth widens the surface area you must protect — platform, devices, networks, reminders, intake forms — rather than narrowing your obligations.
- Can I still use regular Zoom or FaceTime for patient sessions like during COVID-19?
- No. OCR's COVID-19 telehealth enforcement discretion, which temporarily allowed everyday consumer tools, was tied to the public health emergency that expired on May 11, 2023, followed by a 90-day transition period that expired at 11:59 p.m. on August 9, 2023. That discretion only paused penalties; it never changed HIPAA itself. Practices are now back to ordinary enforcement and must use a HIPAA-eligible platform under a signed Business Associate Agreement. A free, consumer-grade tool with no BAA is not appropriate for clinical telehealth.
- Does my telehealth video platform need a Business Associate Agreement?
- Generally yes. A telehealth or video platform that creates, receives, maintains, or transmits ePHI on your behalf is a business associate, and HIPAA requires a signed BAA before any patient information flows through it. The requirement comes from the relationship — handling ePHI for you — not from whether the vendor's staff ever view a session. Such a platform is not a passive conduit like the postal service; it has persistent access to ePHI. If a vendor will not sign a BAA, treat that as a clear signal it is not a suitable place for patient sessions.
- Does HIPAA require encryption for telehealth?
- Under the Security Rule as it currently stands, encryption in transit and at rest is an addressable implementation specification, not a flat mandate. "Addressable" means you must assess whether it is reasonable and appropriate, and if you decline it, document why and deploy an equivalent alternative. In practice, for ePHI moving across the public internet during a video session, there is rarely a defensible reason to omit strong encryption, so encrypted transmission is effectively the expected baseline for telehealth. Note that OCR has issued a proposed rule (published January 2025) that would make encryption a required specification; as of this writing it has not been finalized, so the addressable framing remains the operative law — confirm the current status at hhs.gov.
- What extra protection do psychotherapy notes get in teletherapy?
- Psychotherapy notes are a narrowly defined category under 45 CFR 164.501: the provider's notes documenting or analyzing a counseling session, kept separate from the rest of the record. The definition deliberately excludes medication prescription and monitoring, session start and stop times, treatment modalities and frequency, test results, and any summary of diagnosis, functional status, treatment plan, symptoms, prognosis, and progress. For that separately maintained set of notes, most disclosures require the individual's specific written authorization, even some HIPAA would otherwise permit. Keep psychotherapy notes genuinely separate and tightly access-controlled; the rest of the behavioral-health record is still highly sensitive but does not get this particular carve-out.