The Definitive Guide to HIPAA Compliant Telehealth Platforms for Therapists (2026)
If you're a therapist, LPC, LCSW, LMFT, or psychiatrist running a telehealth practice — or even just adding virtual sessions to your in-person caseload — you already know the stakes are high. One wrong platform choice and you're looking at potential HIPAA violations, payer audit exposure, and client trust issues that can take years to rebuild.
But here's the thing: finding a truly HIPAA compliant telehealth platform isn't as simple as Googling "HIPAA video chat." Lots of platforms slap the word "HIPAA" on their marketing. Fewer actually deliver the Business Associate Agreements (BAAs), encryption standards, access controls, and audit logs that regulators and payers actually look for.
This guide cuts through the noise. We'll cover what HIPAA compliance actually requires for telehealth, what features to demand from any platform, how major payers like Aetna, UnitedHealthcare, BCBS, and Medicaid treat telehealth documentation, and how to protect yourself when things go sideways.
Why HIPAA Compliance in Telehealth Is Non-Negotiable (Not Just a Checkbox)
Let's get real about the risk. The HHS Office for Civil Rights (OCR) resolved over 800 HIPAA cases in 2023 alone, and telehealth-related breaches have grown steadily since 2020. The average cost of a HIPAA breach settlement? $1.2 million — and that's before you factor in reputational damage and potential state licensing board consequences.
The COVID-19 public health emergency created an enforcement discretion period where HHS temporarily relaxed some telehealth platform requirements. That period ended. As of May 2023, full HIPAA compliance standards are back in effect. If you're still using FaceTime, Zoom's free tier, or Skype for therapy sessions, you need to stop — today.
Under HIPAA's Security Rule, any platform transmitting or storing Protected Health Information (PHI) must meet these minimum standards:
- End-to-end encryption (AES-256 is the gold standard)
- Signed Business Associate Agreement (BAA) with your practice
- Access controls — unique logins, role-based permissions
- Audit logs — who accessed what, when
- Data backup and disaster recovery protocols
- Breach notification procedures within 60 days of discovery
No BAA = No HIPAA compliance. Period.
What Payers Actually Want to See for Telehealth Claims
HIPAA compliance isn't just about protecting client data — it directly affects whether you get paid. Here's what the major payers require when you bill telehealth CPT codes:
Common Telehealth CPT Codes for Behavioral Health:
- 90837 (60-min psychotherapy) with modifier 95 for synchronous telehealth
- 90834 (45-min psychotherapy) with modifier 95
- 90791 (psychiatric diagnostic evaluation) via telehealth
- 99213–99215 (E/M codes for psychiatrists) with modifier 95 or GT
- G2012 (virtual check-in, Medicare) — 5–10 min synchronous communication
- G0071 (audio-only communication technology, Medicare Advantage plans)
What Aetna requires: Aetna mandates real-time, two-way audio-visual communication for most behavioral health telehealth codes. Audio-only is covered only for specific diagnoses and only when the member lacks video capability.
What UnitedHealthcare requires: UHC follows CMS guidelines closely and requires that your documentation explicitly state the session was conducted via interactive audio-video technology. Missing that one line? Claim denied.
What BCBS requires: Varies significantly by state plan, but most BCBS plans require the POS code 02 (telehealth provided other than in patient's home) or 10 (telehealth in patient's home) on your claim — a detail that trips up a surprising number of therapists.
Medicaid: Each state has its own rules. Some state Medicaid programs still require a specific telehealth consent form to be on file before the first session and periodically renewed.
The bottom line: your telehealth platform needs to support the kind of documentation that satisfies these payer requirements — not just connect you to clients.
The 6 Features Every HIPAA Compliant Telehealth Platform Must Have
Before we get to the comparison table, here's your non-negotiable checklist:
1. Business Associate Agreement (BAA)
Every platform must provide a signed BAA. This is a legal document making the platform vendor a "business associate" under HIPAA and holding them accountable for safeguarding PHI. If a vendor won't sign a BAA, walk away.
2. End-to-End Encryption
Look for AES-256 encryption at rest and TLS 1.2 or higher in transit. Some platforms encrypt data in transit but not at rest — that's a compliance gap.
3. Waiting Rooms
Virtual waiting rooms prevent clients from entering sessions accidentally or early, maintaining confidentiality between sessions.
4. Session Recording Controls
If the platform allows recording, you need the ability to control, restrict, and securely store recordings. Uncontrolled recording of therapy sessions creates massive PHI exposure.
5. Audit Logs
Regulators love audit trails. Your platform should log session initiation times, participants, and any data access events.
6. Multi-Factor Authentication (MFA)
With credential stuffing attacks on the rise, MFA on clinician accounts is essential — and increasingly expected by payers during audits.
HIPAA Compliant Telehealth Platforms: Head-to-Head Comparison
| Platform | BAA Available | Encryption | Waiting Room | EHR Integration | Behavioral Health Focus | Approx. Monthly Cost |
|---|---|---|---|---|---|---|
| Doxy.me | ✅ Yes | AES-256 / TLS | ✅ Yes | Limited | Partial | Free–$35/mo |
| SimplePractice | ✅ Yes | AES-256 / TLS | ✅ Yes | Built-in EHR | ✅ Strong | $69–$149/mo |
| TherapyNotes | ✅ Yes | AES-256 / TLS | ✅ Yes | Built-in EHR | ✅ Strong | $49–$149/mo |
| Zoom for Healthcare | ✅ Yes | AES-256 / TLS | ✅ Yes | API-based | ❌ General use | $200+/mo |
| Spruce Health | ✅ Yes | AES-256 / TLS | ✅ Yes | Limited | Partial | $24–$149/mo |
| VSee Clinic | ✅ Yes | AES-256 / TLS | ✅ Yes | Limited | Partial | Free–$49/mo |
| Theranest | ✅ Yes | AES-256 / TLS | ✅ Yes | Built-in EHR | ✅ Strong | $39–$114/mo |
| Google Meet (HIPAA) | ✅ (Workspace) | AES-256 / TLS | ❌ No | Manual | ❌ General use | $6–$18/user/mo |
Note: Prices as of early 2026. Always verify BAA availability directly with the vendor before signing up. "Free" tiers almost never include a BAA.
Our Take on Each:
Doxy.me is the go-to for solo therapists who want a simple, browser-based video tool with no downloads required for clients. The free tier doesn't include a BAA — you need the paid "Professional" or "Clinic" plan. It lacks robust EHR integration, so you'll need to document elsewhere.
SimplePractice is probably the most popular all-in-one for private practice therapists. Telehealth is built in, documentation lives in the same system, and billing is integrated. The learning curve is manageable and the BAA is standard.
TherapyNotes is the preferred platform for therapists who want rock-solid clinical notes and billing in one place with telehealth as an add-on. It's particularly strong for group practices.
Zoom for Healthcare is enterprise-grade but not behavioral-health-specific. You'll pay a premium and still need to handle clinical documentation and billing separately. It makes more sense for large health systems than solo or small-group practices.
Theranest is worth considering for practices that do a lot of Medicaid billing — it has some state-specific Medicaid EDI billing support that competitors lack.
Common HIPAA Telehealth Mistakes That Get Therapists in Trouble
Even therapists using the "right" platform make compliance errors. Here are the ones we see most often:
1. No written telehealth consent in the client file
Most state licensing boards AND payers require documented informed consent for telehealth services. This should be in your chart before session one — not assumed from a verbal agreement.
2. Conducting sessions from unsecured locations
Your platform can be fully HIPAA compliant, but if you're running sessions from a coffee shop on public Wi-Fi, you've created a breach risk. Use a VPN or a dedicated, secured network.
3. Documenting the wrong Place of Service (POS) code
Using POS 11 (office) instead of POS 02 or 10 for telehealth sessions is one of the fastest ways to trigger a payer audit. Medicare and most commercial payers consider this a billing error at minimum and fraud at worst.
4. Not specifying telehealth modality in progress notes
Your notes need to explicitly state: "Session conducted via synchronous audio-visual telehealth platform." If you're billing audio-only codes like G0071, your note needs to reflect why video wasn't available.
5. Forgetting state-specific requirements
Some states require therapists to be licensed in the state where the client is located at the time of the session — not just where you're licensed. The Psychology Interjurisdictional Compact (PSYPACT) and the Counseling Compact help with this for some disciplines, but coverage is still incomplete.
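Mistakes 1, 3 and 4 above are the kind of thing a practice can catch before a claim leaves the building. The Python below is an added example, not code from this article or from any platform it names: a small pre-submission check that applies those three rules to a batch of claims. The claim fields, the exact modality phrase it searches for, and the sample claims are assumptions constructed for the example; real payer edits differ by plan and state, so treat it as a pattern rather than a payer rule set.

```python
"""Pre-submission consistency checks for telehealth claims.

Added example (not from the original article). Field names, the
modality phrase and the sample claims are constructed assumptions;
payer edits differ by plan and state.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Values taken from the article: modifiers 95/GT mark synchronous telehealth,
# POS 02/10 are the telehealth place-of-service codes, and G0071 is the
# Medicare Advantage audio-only code.
TELEHEALTH_MODIFIERS = {"95", "GT"}
TELEHEALTH_POS = {"02", "10"}
AUDIO_ONLY_CODES = {"G0071"}
# Phrase a video-session note must contain (assumed wording, matched case-insensitively).
MODALITY_PHRASE = "synchronous audio-visual telehealth"


@dataclass
class Claim:
    claim_id: str
    cpt: str
    pos: str
    note: str
    consent_on_file: bool
    modifiers: set[str] = field(default_factory=set)


def is_telehealth(claim: Claim) -> bool:
    """A claim is telehealth if it carries a telehealth modifier or an audio-only code."""
    return bool(claim.modifiers & TELEHEALTH_MODIFIERS) or claim.cpt in AUDIO_ONLY_CODES


def check_claim(claim: Claim) -> list[str]:
    """Return the rule violations for one claim; an empty list means it passed."""
    findings: list[str] = []
    note = claim.note.lower()
    telehealth = is_telehealth(claim)

    # Mistake 1: consent must be documented before the first telehealth session.
    if telehealth and not claim.consent_on_file:
        findings.append("no written telehealth consent on file")

    # Mistake 3: telehealth claims need POS 02 or 10, never an office POS.
    if telehealth and claim.pos not in TELEHEALTH_POS:
        findings.append(f"POS {claim.pos} on a telehealth claim; expected 02 or 10")
    # The reverse inconsistency: a telehealth POS with no telehealth modifier.
    if not telehealth and claim.pos in TELEHEALTH_POS:
        findings.append(f"POS {claim.pos} but no telehealth modifier on {claim.cpt}")

    # Mistake 4: video sessions must state the modality in the note ...
    if telehealth and claim.cpt not in AUDIO_ONLY_CODES and MODALITY_PHRASE not in note:
        findings.append("progress note does not state the synchronous audio-visual modality")
    # ... and audio-only codes must explain why video was unavailable.
    if claim.cpt in AUDIO_ONLY_CODES and "video" not in note:
        findings.append(f"{claim.cpt} billed but note does not say why video was unavailable")

    return findings


def run_checks(claims: list[Claim]) -> dict[str, list[str]]:
    """Map claim id -> findings for every claim that failed at least one rule."""
    flagged: dict[str, list[str]] = {}
    for claim in claims:
        findings = check_claim(claim)
        if findings:
            flagged[claim.claim_id] = findings
    return flagged


# Constructed sample claims (not real client or claim data).
SAMPLE_CLAIMS = [
    Claim("C-001", "90837", "10",
          "Session conducted via synchronous audio-visual telehealth platform. Client at home.",
          True, {"95"}),
    Claim("C-002", "90834", "11",  # office POS on a video session
          "Session conducted via synchronous audio-visual telehealth platform.",
          True, {"95"}),
    Claim("C-003", "G0071", "10",
          "Audio-only check-in; client had no video-capable device available today.",
          True),
    Claim("C-004", "90791", "02",  # note silent on modality, consent missing
          "Diagnostic evaluation completed; treatment plan discussed.",
          False, {"95"}),
]

if __name__ == "__main__":
    for claim_id, findings in run_checks(SAMPLE_CLAIMS).items():
        print(claim_id)
        for finding in findings:
            print("  -", finding)
```

Run as a script, it reports C-002 (POS 11 with modifier 95) and C-004 (no consent on file, no modality statement) and stays silent on the two clean claims. The useful property is that the rules are data-driven: when a payer publishes different modifier or POS expectations, only the constants at the top change, and the same batch can be re-checked before resubmission.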
How AI-Powered Documentation Closes the Telehealth Compliance Gap
Here's a reality check most telehealth guides skip: your telehealth platform handles the video. Your documentation platform determines whether you get paid and stay compliant.
Think about what happens after every telehealth session:
- You need a compliant progress note that reflects the telehealth modality
- You need the right CPT code and modifiers applied to your claim
- You need documentation that would survive a payer audit
- You need all of this done efficiently so you're not charting until midnight
This is exactly where AI-powered clinical documentation tools have changed the game for telehealth practices. Instead of staring at a blank SOAP note template after your eighth session of the day, AI-assisted documentation can help you generate clinically accurate, payer-compliant notes in a fraction of the time — with built-in prompts to ensure telehealth-specific documentation requirements are met every time.
For group practices especially, the consistency and audit-readiness of AI-generated documentation is a significant compliance advantage. When BCBS or UHC sends a records request for 50 claims, you want every note to reflect the same standard of care — not 12 different interpretations of what a telehealth progress note should look like.
FAQ: HIPAA Compliant Telehealth for Therapists
Q1: Can I use regular Zoom for telehealth with therapy clients?
No. The free version of Zoom does not provide a BAA and is not HIPAA compliant. Zoom for Healthcare (a separate, paid product) does offer a BAA and can be HIPAA compliant, but it's expensive and lacks behavioral health-specific features. Most therapists are better served by a behavioral-health-specific platform.
Q2: Is FaceTime HIPAA compliant for therapy?
No. Apple does not provide a BAA for FaceTime. Despite the end-to-end encryption, without a BAA you cannot legally use FaceTime for telehealth sessions involving PHI.
Q3: What's the difference between POS 02 and POS 10 for telehealth billing?
POS 02 (Telehealth Provided Other Than in Patient's Home) is used when the client is at a location other than their home — like a clinic or employer site. POS 10 (Telehealth Provided in Patient's Home) is used when the client is receiving services from their residence. Using the wrong code can result in claim denials, especially for Medicare.
Q4: Do I need a separate telehealth consent form even if clients signed a general consent?
Yes, in most cases. The American Counseling Association, APA, and most state licensing boards recommend — and many require — a separate informed consent specifically addressing telehealth: its limitations, privacy risks, what happens if technology fails, and emergency protocols. This should be documented in the client's record.
Q5: Can I provide telehealth to a client who moves to another state temporarily?
This is one of the trickiest areas in telehealth law. Generally, you must be licensed in the state where the client is physically located at the time of service. Some compacts (PSYPACT for psychologists, Counseling Compact for LPCs) allow multi-state practice for participating disciplines and states. Always verify before the session, not after.
Q6: How long do I need to retain telehealth session records?
HIPAA requires a minimum of 6 years from the date of creation or last effective date. Many states require longer retention periods — some up to 10 years. For minors, many states require records to be retained until the client reaches adulthood plus the standard retention period. Always follow the more stringent requirement (federal vs. state).
Q7: What should I do if my telehealth platform experiences a data breach?
Under HIPAA's Breach Notification Rule, your Business Associate (the platform) must notify you within 60 days of discovering a breach. You then have obligations to notify affected clients and potentially HHS OCR. This is why the BAA isn't just a formality — it defines breach notification responsibilities. Review your BAA carefully so you know what to expect from your vendor.
Choosing the Right Platform: A Decision Framework
Solo private pay practice with few clients: Doxy.me Pro or SimplePractice. Low overhead, easy client experience, solid HIPAA compliance.
Solo practice billing insurance: SimplePractice or TherapyNotes. You need integrated billing with clearinghouse connections and modifier support baked in.
Group practice (5+ clinicians): TherapyNotes, SimplePractice for Groups, or Theranest. Look for user permission controls, group billing dashboards, and multi-clinician audit trail support.
Psychiatric practice billing E/M codes: Look for platforms that support both telehealth AND the complexity of E/M documentation requirements. Most behavioral health EHRs have room to improve here — which is where an AI documentation layer becomes especially valuable.
High Medicaid volume: Theranest or a state-specific solution. Medicaid billing rules vary enormously — you need a platform that can handle state-specific EDI requirements.
The Bottom Line
Your telehealth platform is the foundation, but it's only one piece of a compliant, profitable behavioral health practice. The platforms in this guide all provide solid HIPAA compliance fundamentals — BAAs, encryption, audit logs, waiting rooms. Where they differ is in how well they integrate documentation, billing, and clinical workflow.
The therapists and group practices that thrive in 2026's telehealth environment aren't just picking the right video platform. They're building systems where every session generates compliant documentation, every claim has the right codes and modifiers, and every audit response is backed by airtight records.
That's exactly what Mozu Health is built to do.
Start Documenting Smarter with Mozu Health
Mozu Health is an AI-powered clinical documentation platform purpose-built for behavioral health — therapists, psychiatrists, LPCs, LCSWs, LMFTs, and group practices.
Here's what Mozu Health does that your telehealth platform doesn't:
- ✅ AI-assisted progress notes that are payer-compliant and telehealth-specific
- ✅ Built-in CPT code and modifier guidance (including modifier 95, GT, POS 02/10)
- ✅ Audit defense documentation — every note is structured to survive a records request
- ✅ HIPAA-compliant infrastructure with BAA, AES-256 encryption, and full audit logs
- ✅ Billing accuracy checks that flag missing telehealth documentation before claims go out
- ✅ Group practice support with role-based access and supervisor review workflows
Stop losing revenue to preventable claim denials. Stop dreading audit letters. Stop spending your evenings writing notes that should take minutes.
Try Mozu Health free at mozuhealth.com →
Your clients deserve your full attention during sessions. Mozu Health handles the rest.
