Can Therapists Use a Virtual Assistant? The HIPAA Rules You Need to Know
You've been thinking about it for months. The admin is eating your evenings, your inbox is a low-grade panic attack, and someone in a therapist Facebook group just raved about the virtual assistant who handles all their scheduling and billing follow-ups for a few hundred dollars a month. It sounds like the answer. It sounds like getting your life back.
And then a quieter voice in the back of your head goes: wait — is that even allowed? They'd be seeing my clients' names. Is there a HIPAA thing here?
There is. But the good news is that it's completely workable, and once you understand the rules, hiring a VA stops feeling like a gamble and starts feeling like the smart business move it actually is.
Let's walk through exactly when you're fine, when you need to be careful, and how to set it up so you can hand off the admin without lying awake about it.
Why VAs are everywhere in solo practice right now
It's not a fad. A virtual assistant solves the exact problem most solo therapists are drowning in: there's too much non-clinical work for one person, and hiring a full employee is overkill.
A good VA can take over:
- Booking, rescheduling, and no-show follow-ups
- Insurance claim follow-up and billing chases
- Inbox triage and routine client emails
- Intake coordination and paperwork wrangling
- Calendar management and reminders
Any one of those gives you back real hours. The catch is that almost all of them involve your VA touching information about real, identifiable clients — and that's where HIPAA quietly enters the room.
The line that changes everything: does the VA touch PHI?
Here's the single question that determines everything else: does your VA have access to protected health information?
Protected health information (PHI) is, broadly, any information that identifies one of your clients and relates to their physical or mental health, the care they receive, or payment for that care. Crucially, the fact that someone is your client at all is itself PHI: being in therapy is health information, so even a bare list of names on your calendar counts. (HIPAA binds you as a covered entity if you submit claims or otherwise send health information electronically in standard transactions, which includes any practice that bills insurance. If you are strictly private pay, your state confidentiality law and licensing board expect the same care anyway, so the steps below still apply.)
So let's make this concrete.
When a VA counts as a business associate (you need a BAA)
If your VA handles tasks like these, they are creating, receiving, maintaining, or transmitting PHI on your behalf, which makes them a business associate under HIPAA:
- Scheduling appointments. A name attached to a therapy appointment is PHI. This alone puts you over the line.
- Billing and insurance follow-up. Client names, dates of service, diagnoses, insurance details — all PHI.
- Managing your client email inbox. Even reading and sorting messages from clients means handling PHI.
- Coordinating intakes. Names, contact details, and the fact of seeking treatment.
In all of these cases, you must have a signed business associate agreement (BAA) in place before they start. No exceptions, no "we'll sort the paperwork later."
When a VA is not a business associate (no BAA needed)
If the work genuinely never touches PHI, a BAA isn't required. For example:
- Designing or posting marketing graphics that contain no client information.
- Writing blog content or general practice descriptions with no real client data.
- Building a website that doesn't connect to any system holding PHI.
- Generic research — finding a good bookkeeping tool, comparing telehealth platforms — with no client data involved.
The principle: it's not the job title that matters, it's the access. A "social media VA" who only ever sees public-facing content is not a business associate. The moment that same person is asked to "just quickly confirm Tuesday with the client who emailed," they are. Watch the direct messages, too: if clients can message your practice account and the VA reads or answers those, that's PHI.
When in doubt, assume PHI is involved and get the BAA. It costs you little to be covered and a great deal to be wrong.
How to set up a BAA with your VA
A BAA is a contract that obligates your VA to safeguard PHI and to use it only for the purposes you specify. It's required under the HIPAA Privacy and Security Rules whenever you share PHI with a business associate.
A solid BAA should:
- Spell out the permitted uses and disclosures of PHI
- Require the VA to implement appropriate safeguards
- Require them to report any security incident or breach to you within a set number of days, not just "promptly" (HIPAA gives business associates up to 60 days after discovery to report a breach; your agreement can and should demand faster)
- Address what happens to PHI when the engagement ends (return or destruction)
- Bind any subcontractors they use to the same obligations
Some professional VA companies that work with healthcare clients will already have a BAA template ready to sign. That's a good sign, but read it, because their template is written to protect them, not you. If you're hiring an independent VA who's never heard of a BAA, HHS publishes sample business associate agreement provisions you can build from, but you'll need to walk them through what it means and confirm they can actually meet the obligations.
Get it signed and stored before you grant any access. Keep it where you can find it, and keep it for at least six years after the engagement ends (HIPAA's documentation retention requirement), because a BAA you can't locate during an audit might as well not exist.
Give the least access that gets the job done
HIPAA's minimum necessary standard is your best friend here, and it's also just good security hygiene. The rule is simple: a business associate should only have access to the minimum PHI needed to do their specific job.
Your VA almost certainly does not need:
- Access to your full clinical notes or treatment records
- Diagnoses, when their job is just calendar management
- Your entire historical client database
Your VA probably does need a narrow slice — upcoming appointments, contact details for the clients they're coordinating, billing status. Modern EHR and scheduling systems often let you create restricted, role-based logins precisely for this. Use them. Give the scheduling VA a scheduling view, not the keys to everything.
Practical safeguards to put in place:
- Individual login credentials, never shared passwords and never your own EHR login. HIPAA's Security Rule requires unique user identification, and you want an audit trail showing who did what.
- Role-based permissions that limit them to the relevant module.
- Multi-factor authentication on every account they touch.
- Prompt access removal the moment the engagement ends, plus a periodic check that the access they still hold matches the work they still do.
Training is part of the deal
A BAA on paper doesn't protect anyone if your VA doesn't know how to handle PHI in practice. Before they start, make sure they understand:
- What counts as PHI and why even a client's name is sensitive
- To keep PHI inside the systems you designate: no forwarding to personal email, no screenshots or client lists in personal spreadsheets, no discussing clients over personal text or random chat apps
- How to recognize and report a potential breach to you immediately
- Your specific rules — which systems to use, how to store anything, what's off-limits
You don't need to run a formal seminar. But you should be able to document that they were trained on your expectations. A short written acknowledgment goes a long way if anyone ever asks how you safeguarded PHI.
The offshore VA question
A lot of the most affordable VAs are based outside the US, and this comes up constantly in therapist groups. Can you use them?
There's no rule in HIPAA that flatly bans offshore business associates. But there are real, practical complications you need to weigh honestly:
- Enforceability. A BAA is only as useful as your ability to enforce it. If your VA is in another country, pursuing a breach of contract becomes far harder and far more expensive, so the legal protection is partly theoretical. And if a breach happens, the obligation to notify your clients and HHS is yours regardless of where the VA sits.
- Data leaving the US. Once PHI sits on devices or services in another jurisdiction, you have less visibility and less control over how it's protected and who can access it.
- Payer and state rules. Some insurance contracts and some state Medicaid programs restrict or prohibit offshore handling of PHI, so check your payer agreements before you decide. Either way, it's worth knowing exactly where your data lives and who can see it.
None of this makes offshore VAs automatically off-limits. It does mean the bar for vetting them — their security practices, their willingness to sign and honor a real BAA, the systems they'll work within — should be higher, and you should be clear-eyed about the residual risk.
How to vet a VA who actually gets healthcare
The single best move is to hire someone — or a company — that already understands therapy practices and HIPAA. It changes the entire dynamic. Look for:
- They bring up the BAA before you do. This is the green flag.
- Experience with mental health or healthcare clients specifically.
- Familiarity with the EHR or scheduling tools you actually use.
- Clear answers about their security: where they store data, whether their devices are encrypted and used only for work, whether they use MFA and screen locks, and what happens to your data when the engagement ends.
- A professional setup — not "I'll do your billing from a shared family laptop."
A VA who can speak fluently about minimum necessary access and breach reporting is worth more than a cheaper one you have to train from zero on why a client list is sensitive.
The bottom line
Yes — you can absolutely use a virtual assistant, and for most overwhelmed solo therapists, you probably should. It's one of the highest-leverage ways to get your evenings back.
You just have to do it deliberately: figure out whether they'll touch PHI (they usually will), get a signed BAA in place first, limit their access to the minimum necessary, confirm they're trained, and vet them like the trusted insider they're about to become. Do that, and a VA becomes one of the safest, smartest investments in your practice — not a liability.
Not sure if your practice is covered?
Situations like these are exactly why having documented HIPAA policies matters. Yundra's free risk assessment identifies the specific gaps in your compliance — so you're prepared before something unexpected happens.