
HIPAA Compliant Telehealth Platforms for Therapists 2026

June 28, 2026
Mozu Health

The Definitive Guide to HIPAA Compliant Telehealth Platforms for Therapists (2026)

If you're a therapist, LPC, LCSW, LMFT, or psychiatrist delivering care remotely, you already know that telehealth isn't going away. What you might not fully realize is how much your choice of platform directly affects your HIPAA liability, your ability to bill major payers like Aetna, BCBS, and Cigna, and whether you'd survive a compliance audit.

This guide cuts through the noise. We'll cover exactly what makes a telehealth platform HIPAA compliant, compare the most widely used options, flag the documentation pitfalls that put behavioral health practices at risk, and show you how to pair your video platform with bulletproof clinical documentation.

Let's get into it.


Why HIPAA Compliance in Telehealth Isn't Optional — Or Simple

HIPAA's Security Rule and Privacy Rule don't just apply to your EHR. They apply to every tool that touches protected health information (PHI) — including your video conferencing platform, your patient intake forms, your scheduling software, and your billing system.

When you conduct a therapy session over video, PHI is being transmitted in real time. If your platform doesn't encrypt that data end-to-end, store session metadata securely, and sign a Business Associate Agreement (BAA) with your practice, you're technically in violation — even if nothing bad ever happens.

The stakes are real:

  • OCR (HHS Office for Civil Rights) fines range from $141 to $71,162 per violation, with annual caps up to $2.1 million per violation category
  • A single data breach involving unsecured PHI can trigger mandatory patient notification, federal investigation, and reputational damage your practice may not recover from
  • Several payers, including UnitedHealthcare and Cigna, now require documentation that telehealth services were delivered on a HIPAA-compliant platform as part of audit response

The COVID-era enforcement discretion that allowed platforms like Zoom (standard) and FaceTime is gone. The relaxation was temporary. Today, using a non-compliant platform is an active liability.


What Actually Makes a Telehealth Platform HIPAA Compliant?

Not all "HIPAA compliant" claims are equal. Here's what to look for — and verify:

1. Business Associate Agreement (BAA)

This is non-negotiable. A BAA is a legally binding contract in which the vendor agrees to safeguard PHI according to HIPAA standards. If a vendor won't sign one, walk away — no matter how good the product looks.

2. End-to-End Encryption (E2EE)

Session video and audio must be encrypted in transit and at rest. Look for AES-256 encryption as the standard. Some platforms advertise encryption but only encrypt in transit, not at rest — that's not sufficient.

3. Access Controls and Authentication

The platform should support multi-factor authentication (MFA), role-based access controls, and unique user logins. Shared logins across a group practice are a HIPAA violation.

4. Audit Logs

HIPAA requires covered entities to track who accessed PHI and when. Your platform should generate automatic access logs that you can produce in an audit.

5. Data Storage Policies

Where is session data stored? For how long? Under what conditions? Ensure the vendor's data retention and deletion policies align with your state's clinical records retention requirements (which vary — California requires 10 years post-termination for adults; many states require 7).

6. No Third-Party Data Sharing for Marketing

Some "free" platforms monetize user data. That is a direct HIPAA violation in a clinical context. Read the terms of service carefully.


HIPAA Compliant Telehealth Platforms: Head-to-Head Comparison

Here's how the most widely used telehealth platforms for behavioral health stack up:

| Platform | BAA Available | E2EE | EHR Integration | Billing Features | Best For | Monthly Cost (Solo) |
|---|---|---|---|---|---|---|
| SimplePractice | ✅ Yes | ✅ Yes | Built-in | Yes (claims, ERA) | Solo/small group practices | ~$79–$99 |
| Doxy.me | ✅ Yes | ✅ Yes | Limited | No | Therapists wanting video-only | Free–$35 |
| TherapyNotes | ✅ Yes | ✅ Yes | Built-in | Yes (claims) | Documentation-heavy practices | ~$59–$99 |
| TheraNest | ✅ Yes | ✅ Yes | Built-in | Yes | Group practices | ~$39+ |
| Zoom for Healthcare | ✅ Yes | ✅ Yes | Via API | No | Practices with existing Zoom workflows | ~$14.99+/user |
| VSee | ✅ Yes | ✅ Yes | Limited | No | High-security clinical environments | $49+ |
| Spruce Health | ✅ Yes | ✅ Yes | Partial | No | Multi-modal communication (text+video) | ~$24–$44/user |
| Telehealth by SimplePractice | ✅ Yes | ✅ Yes | Full (SP) | Yes | SP users only | Included in SP plan |

Key takeaway: If you're billing insurance, a video-only platform like Doxy.me or Zoom for Healthcare is not enough. You need documentation and billing infrastructure alongside it — and that's where most compliance failures happen.


The Billing Side of Telehealth Compliance That Most Therapists Miss

Getting your video platform right is step one. Step two — and where most compliance gaps actually live — is your clinical documentation and billing codes.

Here's what payers are auditing right now:

Telehealth CPT Codes for Behavioral Health (2026)

  • 90837 – Individual therapy, 53+ minutes (most audited code in behavioral health)
  • 90834 – Individual therapy, 38–52 minutes
  • 90832 – Individual therapy, 16–37 minutes
  • 90847 – Family therapy with patient present
  • 90846 – Family therapy without patient present
  • 99213 / 99214 – E/M visits (psychiatry, with or without psychotherapy add-ons)
  • 90833 / 90836 / 90838 – Psychotherapy add-on codes for E/M visits

For telehealth delivery, most payers require one of these place of service (POS) codes:

  • POS 02 – Telehealth provided other than in patient's home
  • POS 10 – Telehealth provided in patient's home (added in 2022; now required by Medicare and many commercial payers)

Submitting POS 11 (office) for a telehealth session is a billing error that can trigger a recoupment demand. Aetna and BCBS have both flagged this in provider audits.

Modifier Requirements Vary by Payer

  • Medicare: No longer requires the "95" modifier for most telehealth services (post-2024 rule changes), but documentation of real-time audio-visual delivery is still required
  • Medicaid: Varies by state — some still require modifier 95 or GT
  • Commercial payers: Check your individual contract; Cigna, UnitedHealthcare, and BCBS plans often have payer-specific telehealth policy pages

Failing to apply the right modifier — or applying one when not required — creates a claim error that delays payment and flags your account for closer scrutiny.


Documentation Red Flags That Get Telehealth Claims Denied or Audited

Beyond the platform and billing codes, your session notes are your primary defense in a payer audit. Here are the documentation failures that auditors target:

1. No Statement of Telehealth Modality

Your progress note must explicitly state that the session was conducted via telehealth, the platform used, and that the patient was located in a HIPAA-appropriate setting. Something like: "Session conducted via HIPAA-compliant video platform; client located at home in [state]."

2. Missing Patient Consent for Telehealth

Every payer — and HIPAA — requires documented informed consent for telehealth services. This includes risks, limitations, and the patient's right to in-person care. It should be in your chart before the first telehealth session, not retroactively.

3. Copy-Paste Notes (Clone Notes)

Using the same or nearly identical language across multiple session notes is one of the biggest audit red flags in behavioral health. Medicare Recovery Audit Contractors (RACs) specifically scan for this pattern. Each note must reflect the unique clinical content of that session.

4. Time Mismatch

If you bill 90837 (53+ minutes) but your note documents a 45-minute session, that's a billing discrepancy. Document your start and stop times and ensure they align with the billed code.

5. Lack of Medical Necessity Language

Payers — especially Cigna and Anthem — are increasingly denying claims that lack explicit medical necessity documentation. Your note should connect the diagnosis (ICD-10 code) to the intervention used and the patient's treatment goals.


State Licensing and Cross-State Telehealth: The Rule Nobody Talks About Enough

Here's a compliance issue that's separate from HIPAA but equally important: you must be licensed in the state where your patient is physically located at the time of the session — not where your practice is located.

This means:

  • A therapist in New York seeing a patient who has relocated to Florida needs a Florida license (or must comply with Florida's telehealth registration requirements)
  • The PSYPACT compact allows licensed psychologists to practice across 42+ member states with a single compact privilege
  • The Counseling Compact is expanding, currently covering LPCs in 30+ states
  • Social work and MFT compacts are in progress but not yet as widely adopted

Billing a claim for a session delivered across state lines without proper licensure is fraud, regardless of whether your video platform is HIPAA compliant.


How to Build a Fully Compliant Telehealth Practice Stack in 2026

Here's a practical framework:

Layer 1 — Video Platform: Choose a HIPAA-compliant platform with a signed BAA. Options include Doxy.me (free tier is sufficient for most solo practitioners), Zoom for Healthcare, or the telehealth module built into your EHR.

Layer 2 — EHR / Practice Management: Use a platform that handles scheduling, telehealth consent, and clinical documentation in one place (SimplePractice, TherapyNotes, TheraNest). Avoid stitching together too many disconnected tools, because every integration point is a potential PHI exposure.

Layer 3 — Clinical Documentation: This is where most practices bleed time and introduce compliance risk. Your notes need to be timely (most payers require same-day or next-day completion), clinically specific, and free of clone language. This is exactly where AI-powered documentation tools like Mozu Health can transform your practice (more on that below).

Layer 4 — Billing and Coding: Either use your EHR's billing module or a dedicated behavioral health billing service. Ensure correct POS codes, modifiers, and ICD-10 codes on every claim.

Layer 5 — Compliance Monitoring: Conduct an annual HIPAA Security Risk Assessment (SRA). The HHS provides a free SRA Tool. Document it. Update your policies when you add new vendors.


FAQ: HIPAA Compliant Telehealth for Therapists

Q1: Is Zoom HIPAA compliant for therapy sessions?

Standard Zoom (the free or business plan) is not HIPAA compliant because Zoom won't sign a BAA on those tiers. Zoom for Healthcare, however, is a separate product that includes BAA signing and enhanced security features. If you're using regular Zoom for therapy sessions, you need to either upgrade or switch platforms.

Q2: Can I use Google Meet or FaceTime for telehealth?

Google Meet (standard) and Apple FaceTime are not HIPAA compliant for ongoing clinical use. Google does offer a HIPAA-compliant tier through Google Workspace with a BAA, but FaceTime has no BAA option at all. The COVID-era HHS enforcement discretion that temporarily permitted these platforms has ended.

Q3: Does HIPAA compliance of my video platform protect me from a payer audit?

No — HIPAA compliance and payer audit readiness are two different things. A payer audit focuses on whether your documentation supports the CPT codes you billed, whether medical necessity is established, and whether your notes are specific and non-duplicative. Your video platform being HIPAA compliant doesn't address any of that. Your clinical documentation quality is what protects you in a billing audit.

Q4: What should a telehealth therapy progress note include to be audit-safe?

At minimum: (1) explicit statement that the session was via telehealth, (2) the patient's location/state, (3) start and stop times, (4) presenting concerns and patient status, (5) intervention(s) used with clinical rationale, (6) response to intervention, (7) connection to treatment goals, (8) plan/next steps, and (9) the treating provider's credentials and signature. Avoid vague language like "client discussed feelings" — be specific.

Q5: Are free telehealth platforms like Doxy.me truly HIPAA compliant?

Doxy.me's free tier does include a BAA and uses encrypted video, which meets the baseline HIPAA requirements for a video conferencing platform. It's a legitimate option for solo practitioners. However, it does not include documentation, billing, or scheduling features — you'll need to pair it with compliant tools for those functions.

Q6: What's the most common HIPAA violation in telehealth practices?

The most common violations found in OCR investigations of telehealth practices are: (1) using platforms without a signed BAA, (2) sharing login credentials across staff members, (3) failing to conduct an annual Security Risk Assessment, and (4) storing session recordings in non-encrypted locations (e.g., a personal Google Drive or Dropbox without a BAA).

Q7: Do I need separate telehealth consent for each payer?

You need one comprehensive telehealth informed consent form signed by the patient — but the content of that form may need to address payer-specific requirements. Some state Medicaid programs, for example, require specific language about the patient's right to request in-person care. One well-drafted consent form that covers all requirements is typically sufficient; consult with a healthcare attorney in your state to confirm.


The Documentation Layer Is Your Biggest Risk — And Your Biggest Opportunity

Here's the truth that most telehealth platform comparisons won't tell you: your video platform is the least of your compliance worries.

The real risk lives in your notes. Specifically:

  • Notes written hours or days after the session (memory gaps = documentation gaps)
  • Copy-pasted language across sessions (RAC audit magnet)
  • Notes that document a session length inconsistent with the billed code
  • Missing medical necessity language that payers are increasingly requiring
  • Unsigned or late-signed notes that fail state board and payer standards

For a busy therapist seeing 20–30 clients a week via telehealth, keeping up with documentation while keeping it clinically specific and audit-safe is genuinely hard. That's not a character flaw — it's a workflow problem.


Try Mozu Health: AI-Powered Documentation Built for Behavioral Health Compliance

That's exactly the problem Mozu Health was built to solve.

Mozu Health is an AI-powered clinical documentation platform designed specifically for therapists, psychiatrists, LPCs, LCSWs, LMFTs, and group practices. It doesn't just help you write notes faster — it helps you write notes that are clinically specific, billing-accurate, and audit-defensible.

Here's what that looks like in practice:

  • AI-assisted progress notes that reflect the actual clinical content of each session — no clone notes, no vague language
  • Built-in compliance checks that flag documentation gaps before you sign a note
  • Billing accuracy support that aligns your documentation with the CPT codes you're submitting — so your 90837 note actually supports a 90837
  • Audit defense documentation that gives you a clean, organized record trail if a payer or OCR comes knocking
  • HIPAA-compliant infrastructure throughout — because your documentation platform is PHI-handling software too

Whether you're a solo practitioner trying to reclaim your evenings or a group practice trying to standardize documentation quality across 15 clinicians, Mozu Health gives you a compliance foundation that your video platform alone never could.

Ready to see how it works?

👉 Try Mozu Health free at mozuhealth.com — no credit card required. See how AI-powered documentation can protect your practice, improve your billing accuracy, and give you back hours every week.

Your telehealth platform keeps your sessions secure. Mozu Health keeps your practice compliant.
