It's one of the most common questions in private practice: can I just use Zoom (or FaceTime, or Google Meet) for my therapy sessions? The short answer is that the everyday, free version of these tools is generally not safe to use with clients — but some of them can be, under specific conditions. This guide explains, without the legalese, exactly what makes the difference and how the popular options stack up in 2026.
The one thing that actually decides it: the BAA
Under HIPAA, if a company transmits or stores your clients' protected health information (PHI) — and a video platform carrying your sessions does exactly that — you generally need a signed Business Associate Agreement (BAA) with that company. The BAA is a contract where the vendor formally commits to protecting PHI and accepts legal responsibility for it. No BAA, no compliant telehealth — no matter how secure the call feels or how good the encryption is.
So the real question isn't "is Zoom secure?" It's "will this company sign a BAA with me, and am I using the specific version of their product that the BAA covers?" That distinction is where most therapists trip up.
The popular tools, honestly compared
Zoom
Regular consumer Zoom is not HIPAA-compliant. However, Zoom offers a separate healthcare-oriented plan (often called "Zoom for Healthcare") that will sign a BAA and disables certain features that would otherwise store data unsafely. If — and only if — you're on that plan with a signed BAA, Zoom can be used for therapy. The free or standard business Zoom you'd use for a team meeting is not appropriate for sessions.
FaceTime
Apple does not sign BAAs for FaceTime with typical practitioners. Calls are encrypted end-to-end, which sounds reassuring, but without a BAA it doesn't meet HIPAA's requirements for a covered telehealth tool. Treat FaceTime as not compliant for sessions.
Google Meet
Google will sign a BAA, but only under Google Workspace plans and only for the services it lists as covered. A personal/free Google account does not get a BAA. So Meet can be compliant if you're on an eligible Workspace plan with a signed BAA and you've enabled it correctly — otherwise not.
Doxy.me and purpose-built telehealth tools
Tools built specifically for healthcare (Doxy.me is a common one) are designed around HIPAA from the start and will sign a BAA — often even on free tiers. Because they're purpose-built, there are fewer ways to accidentally misconfigure them. This is why many solo therapists default to a dedicated telehealth tool rather than repurposing a general video app.
"But the call is encrypted" — why that isn't enough
Encryption protects the data in transit, and it matters — but HIPAA compliance is broader than encryption. It also covers the legal accountability (the BAA), access controls, where recordings and metadata are stored, and how the vendor handles breaches. A tool can have excellent encryption and still leave you non-compliant because there's no BAA and no contractual responsibility on the vendor's side. Encryption is necessary, not sufficient.
Other things therapists overlook
- Recording. Recording a session adds storage, consent, and retention obligations. If you don't have a clear reason, the simplest compliant choice is not to record.
- What's in your reminders. The appointment email or text should carry only a join link and a time — never a diagnosis, note, or anything clinical.
- Your own environment. A private, secure space on your end (and encouraging the client to find one on theirs) is part of protecting the session.
- Telehealth consent. Capture the client's consent to meet by video, ideally at intake.
The simpler path: keep telehealth inside your practice software
Juggling a separate video tool alongside your scheduling, notes, and billing means more places to slip up — and more BAAs to track. An all-in-one practice platform keeps the telehealth link tied to the appointment, the notes attached to the client, PHI out of reminders, and everything under one agreement. Fewer moving parts usually means fewer compliance mistakes.
Theraflow is built HIPAA-conscious from the ground up — encryption in transit and at rest, a private per-practice database, audit logging, and a BAA included at no extra cost. Telehealth links attach to each appointment, intake captures telehealth consent, and reminders are deliberately PHI-minimized. It's all part of the flat $29.99/month plan. (For the deeper dive on what to look for, see our HIPAA-compliant telehealth guide.)
Bottom line
Is Zoom HIPAA-compliant for therapy? Only on its healthcare plan with a signed BAA — not the version most people already have. FaceTime: no. Google Meet: only on an eligible Workspace plan with a BAA. Dedicated telehealth tools: usually yes, by design. When in doubt, ask the one question that settles it: "Will you sign a BAA, and does it cover the exact plan I'm using?"