How to Find the Right HIPAA-Compliant Telehealth Platform

Apr 26, 2026

Choosing a telehealth platform isn't just a tech decision - it's a legal one. With video sessions now a permanent part of most mental health practices, therapists need to know exactly what "HIPAA-compliant" means before trusting a platform with protected health information (PHI). Not every platform that claims compliance actually delivers it.


Key Takeaways

  • A truly HIPAA-compliant telehealth platform must offer encryption for data in transit, sign a Business Associate Agreement (BAA), and provide administrative controls for access management and audit logging.

  • Not all platforms marketed as "HIPAA-compliant" meet the full requirements - you need to verify BAA availability, encryption standards, data storage practices, and breach notification protocols before committing.

  • The right platform balances compliance, usability, and fit with your existing workflow - including your EHR, scheduling tools, and documentation process.


What Does HIPAA Compliance Actually Mean for Telehealth?

HIPAA compliance isn't a certification that a vendor can simply claim. It's a set of federal requirements under the Health Insurance Portability and Accountability Act that govern how PHI is handled, stored, transmitted, and protected. For telehealth, that means every video session, message, and recording involving a client must meet specific technical, physical, and administrative safeguards.

The HHS Office for Civil Rights (OCR) enforces these rules. Understanding what compliance actually requires helps you avoid platforms that look the part but fall short.

The Role of the Business Associate Agreement (BAA)

A Business Associate Agreement is a legally required contract between you and any vendor that handles PHI on your behalf. Without a signed BAA, using a platform for telehealth - even briefly - puts you in violation of HIPAA, regardless of how secure that platform actually is.

Some platforms offer a BAA only on higher-tier plans or charge extra for it. Before using any platform with a client, confirm a BAA is available and that you've actually signed one. A platform that won't sign a BAA is a platform you can't legally use for therapy sessions.

Read the BAA terms, not just the headline. An agreement that limits the vendor's liability heavily, or doesn't specify breach notification obligations, may not offer you meaningful protection.

Encryption Standards: End-to-End vs. In-Transit

Encryption protects data by scrambling it so only authorized parties can read it. Two terms come up often: in-transit encryption and end-to-end encryption (E2EE).

In-transit encryption protects data as it moves between a client's device and a server - but the platform itself can still access the unencrypted data on that server. End-to-end encryption means only the sender and recipient can decrypt the communication.

Most telehealth platforms use in-transit encryption, which can meet the HIPAA Security Rule's technical safeguard requirements when properly implemented. True E2EE is less common in telehealth because it complicates features like recording. When evaluating a platform, ask what encryption standard is used and where data is decrypted.

Access Controls, Audit Logs, and Breach Notification

Beyond encryption, HIPAA requires platforms to support access controls (limiting who can view PHI), audit logging (tracking who accessed what and when), and clear breach notification processes.

Under the HIPAA Breach Notification Rule, business associates must notify you of a breach without unreasonable delay and no later than 60 days from discovery. You are then responsible for notifying affected individuals within the same timeframe. When evaluating a platform, ask:

  • Can you set role-based access for staff or supervisors?

  • Does the platform maintain audit logs you can review?

  • What is their documented breach notification process?


Key Features to Evaluate in a Telehealth Platform

Compliance is the baseline. Once you've confirmed a platform meets HIPAA requirements, you can evaluate whether it actually fits how you work.

Video Quality, Reliability, and Client Accessibility

A platform your clients can't figure out will cost you sessions. Look for platforms that work across devices without requiring app downloads, load reliably on lower-bandwidth connections, and let clients join with a simple link.

Before committing, run a test session that mirrors real conditions - a client on a phone with average home internet. Video and audio quality directly affect therapeutic rapport, and that's worth testing before signing up.

EHR and Scheduling Integration

Switching between multiple platforms to run a session, document it, and close out the day adds unnecessary friction. Platforms that integrate with your EHR or scheduling system keep your workflow cleaner. Key questions:

  • Does the platform sync with your existing scheduling tool?

  • Can attendance or session data be pushed to your EHR?

  • Is there a client-facing portal for scheduling or intake?

Session Recording Policies and Data Storage

Some platforms allow session recording, which introduces additional compliance obligations. If you record sessions, you'll need written client consent, secure storage with access controls, and a documented retention and deletion policy. Ask platforms:

  • Where are recordings stored, and who controls deletion?

  • How long are recordings retained by default?

  • Are data and recordings stored on servers in the United States?

Pricing Models: Per-Provider, Per-Session, and Bundled Plans

Common pricing structures include per-provider monthly fees, per-session charges, and bundled plans where telehealth is included in a broader practice management subscription. Factor in the full cost - a lower base price that requires separate HIPAA-compliant scheduling tools and a third-party BAA process may end up costing more than a higher-priced bundled solution once everything is accounted for.


Types of HIPAA-Compliant Platforms

Telehealth platforms fall into a few broad categories, each with different tradeoffs.

Dedicated Telehealth Platforms

These platforms are built specifically for healthcare video visits. They typically offer BAAs as standard, HIPAA-compliant infrastructure by default, and features like waiting rooms, provider dashboards, and session management. They tend to offer flexibility across practice types, but may require separate tools for scheduling and documentation.

EHR-Integrated Video Solutions

Some practice management systems built for mental health providers include built-in telehealth. This reduces context-switching and keeps session-related data in one place. The tradeoff is that you're relying on the EHR vendor's video reliability and features, which can vary. These solutions are often the best fit for therapists who want one system for everything.

General Video Platforms With BAA Options

Platforms like Zoom can be used for HIPAA-compliant telehealth - but only on specific paid plans with a signed BAA. The free version of Zoom is not HIPAA-compliant and should never be used for client sessions. When using a general platform with a BAA, you're also responsible for configuring the account correctly: enabling waiting rooms, managing recordings appropriately, and ensuring only authorized users have access. The platform provides the infrastructure; compliance depends on how you use it.


How to Choose the Right Platform for Your Practice

The right choice comes down to your practice structure, your workflow, and how much technical management you're willing to take on.

Solo Practice vs. Group Practice Considerations

Solo practitioners benefit most from simplicity - a platform that's easy to use, easy for clients to navigate, and doesn't require IT support. EHR-integrated video or a straightforward dedicated telehealth platform often fits best.

Group practices have more complex needs: multiple provider accounts, role-based access controls, centralized billing, and the ability to manage clients across clinicians. Look for platforms that explicitly support multi-provider workflows and give administrators meaningful oversight.

In-Person, Hybrid, and Fully Remote Workflows

If you see clients both in-person and via video, your platform needs to fit a mixed workflow without creating parallel systems. A platform that integrates with your scheduling and documentation tools prevents double-entry and reduces compliance gaps.

Fully remote practices can optimize more heavily for telehealth-specific features, since video is the primary modality for every session.

Evaluating Total Cost of Ownership

Build a realistic cost comparison before deciding. Include monthly fees at your expected provider count, any add-ons needed for BAA access, the cost of separate tools you'd still need, and the time involved in setup and ongoing management.

A useful decision framework: use compliance as a hard filter first, then evaluate workflow fit, then compare costs among platforms that clear both of those hurdles.


How Berries AI Fits Into Your Telehealth Workflow

Once your telehealth setup is in place, documentation is often the next time drain. Berries AI is a HIPAA-compliant AI scribe that generates session notes in real time - whether you're seeing clients in person or via video.

Berries partners with HIPAA-compliant vendors and offers a BAA, so it fits cleanly into a compliant workflow. Rather than writing progress notes after every session, Berries handles documentation automatically, giving you more time for actual clinical work.

Try Berries free for 20 sessions at heyberries.com.


Frequently Asked Questions

Is Zoom HIPAA-compliant for therapy? The free version of Zoom is not HIPAA-compliant and should not be used for client sessions. Zoom can be used compliantly when you're on an eligible paid plan, have signed a BAA with Zoom, and have correctly configured the account - including enabling waiting rooms and managing recordings appropriately. Compliance depends on both the plan and how you use it.

Do I need a BAA with every vendor that handles client data? Yes. Any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate under HIPAA and must sign a BAA. This includes telehealth platforms, scheduling software, cloud storage, and documentation tools.

Can I use FaceTime or Google Meet for therapy sessions? No. Standard FaceTime and Google Meet do not offer BAAs and are not HIPAA-compliant for telehealth. During the COVID-19 public health emergency, OCR temporarily exercised enforcement discretion for certain non-compliant platforms used in good faith - but that flexibility fully ended on August 9, 2023. Using these platforms for therapy sessions now creates real compliance risk.

What's the difference between a platform being "secure" and being HIPAA-compliant? A platform can have strong security features and still not be HIPAA-compliant. Compliance requires a signed BAA, specific administrative controls, audit logging, and documented breach notification procedures - not just encryption. Never assume security equals compliance.

Choosing a HIPAA-compliant telehealth platform is both a clinical and legal responsibility. Do your due diligence on BAAs, encryption, and data practices - so you can focus on delivering quality care rather than managing compliance problems after the fact.

This article is for educational purposes and professional development only. It does not constitute clinical supervision or replace professional judgment in therapeutic practice.
