Telehealth has become a normal part of private practice, and clients increasingly expect the option. But the video tool you use casually with friends isn’t necessarily safe for clinical sessions. This guide explains, in plain language, what makes telehealth HIPAA-compliant for therapists and how to set yourself up correctly.
The core requirement: a Business Associate Agreement (BAA)
If a company handles protected health information (PHI) on your behalf — and a video platform carrying your sessions does — HIPAA generally requires a signed Business Associate Agreement with that company. The BAA is a contract in which the vendor commits to safeguarding PHI and accepts responsibility for doing so. No BAA, no compliant telehealth. This is the first question to ask any tool: “Will you sign a BAA?”
This is exactly why everyday consumer video apps are risky for sessions: many won’t sign a BAA for typical users, which leaves you exposed regardless of how secure the call “feels.”
What a compliant telehealth setup looks like
- Signed BAA with the platform carrying the session.
- Encryption of the video/audio in transit (and of any recordings or notes at rest).
- Access controls — only you and the client in the session (a waiting room or per-appointment link rather than a reusable, guessable meeting ID); unique logins on your side, with multi-factor authentication where the platform offers it.
- No unnecessary PHI in reminders or links — a join link and a time, not a diagnosis.
- A private setting on both ends — your own environment matters as much as the software.
Common mistakes to avoid
Using a consumer tool “just this once”
One-off use of a non-compliant app still sends PHI through a vendor that has not agreed to protect it, and the exposure is the same as if you used it every week. Pick a compliant default and use it every time so you never have to make a judgment call mid-week.
Putting clinical details in reminders
Appointment reminders and emails should carry only the minimum necessary — a date, a secure link, an amount due. Diagnoses, session content, and assessment results don’t belong in email or text messages, which are routinely read on shared or unlocked devices. A good platform is designed to keep PHI out of outbound messages by default.
Recording without a clear reason and consent
Recording sessions adds storage, consent, and retention obligations. If you don’t have a clear clinical or legal reason, the simplest compliant choice is not to record.
Do you need an all-in-one platform or a standalone video tool?
Both can be compliant. The practical difference is friction. A standalone HIPAA-compliant video tool works, but you’ll juggle it alongside your scheduling, notes, and billing. An all-in-one practice platform keeps the telehealth link tied to the appointment, the notes attached to the client, and PHI out of reminders — with a single BAA covering it all. Fewer tools usually means fewer ways to slip up.
A simple compliance checklist
- ☐ Signed BAA with your telehealth provider
- ☐ Encryption in transit and at rest
- ☐ Reminders contain a link + time only — no clinical detail
- ☐ Unique, protected logins on your side; private space for sessions
- ☐ A clear recording policy (often: don’t, unless you must)
- ☐ Client consent to telehealth captured at intake
How Theraflow handles it
Theraflow is built HIPAA-conscious from the ground up: encryption in transit and at rest, a private per-practice database, audit logging, and a BAA included at no extra cost. Telehealth links attach to the appointment, intake captures telehealth consent, and reminders are deliberately PHI-minimized — a secure link and a time, never clinical details. It’s all part of the flat $29.99/month plan, so compliant telehealth isn’t a premium add-on.
Related reading: Best practice management software for solo therapists and The best SimplePractice alternatives.