HIPAA-Compliant Telehealth Platforms for Therapists in 2026

During COVID-19, HIPAA's rules for telehealth effectively went on hold. In March 2020, the Office for Civil Rights announced that it would exercise "enforcement discretion" — meaning OCR would not impose penalties against covered health care providers for HIPAA violations when they used everyday communication technologies, in good faith, to provide telehealth during the public health emergency. FaceTime, consumer Zoom, Skype, Google Hangouts, even Facebook Messenger video — all of it was tolerated. For three years, therapists could use whatever their patients already had installed, and they did.

That enforcement discretion ended in August 2023. It did not get extended. It did not get quietly renewed. It ended, and the full Security Rule requirements for telehealth came back into force the same day — with a brief 90-day transition period that also expired. In 2026, the baseline is unambiguous: any platform used for remote patient sessions must be covered by a signed Business Associate Agreement and must meet the Security Rule's transmission security requirements under 45 CFR §164.312(e).

The problem is that many solo therapists are still operating under the pandemic-era assumption that "anything goes" for telehealth. It doesn't. Some never updated their setup after the waiver expired. Some are on consumer tools they never realised required a BAA. Some switched to a platform that looks healthcare-branded but is actually still on the wrong tier.

The practical question for a solo therapist in 2026: which platforms are actually compliant, what does "compliant" specifically require, and which popular platforms should you avoid?

What "HIPAA compliant" actually means for a telehealth platform

"HIPAA compliant" isn't a single checkbox. For a telehealth platform specifically, three things have to be true:

1. The platform must offer a BAA (Business Associate Agreement). A BAA is a legally binding contract in which the vendor accepts specific responsibilities for protecting your patients' data, agrees to notify you of any breach, and promises to abide by HIPAA's safeguards. Without a signed BAA, using the platform for patient sessions is a violation regardless of how secure the technology is. This is the same principle we covered in our Gmail article — the legal relationship matters, not just the technical security. You can have perfect encryption and zero compliance.

2. End-to-end encryption for video and audio. The Security Rule under §164.312(e) requires encryption of ePHI in transit. A live telehealth video session contains ePHI by definition — the patient's face, the patient's voice, what they're saying, and the fact that they're seeing you (a mental health provider) at all. That last piece is worth pausing on: the mere fact that a person is receiving care from a therapist is itself protected health information. So even a platform with a great reputation for security is inadequate if its encryption story isn't watertight in transit.

3. Access controls and audit logging. The platform should control who can join a session — no random third parties walking into your video room through a recycled link — and should maintain logs of session activity. For a solo practice, this usually means unique meeting links, a virtual waiting room, and the ability to see a record of who connected and when.

One piece of terminology to get straight: "the platform is HIPAA compliant" is technically incorrect. Platforms aren't inherently compliant or non-compliant. Your use of them is compliant or not. The platform provides the tools (BAA, encryption, access controls); you provide the correct usage (signing the BAA, configuring settings properly, not posting session links publicly). A BAA-covered platform used carelessly is still a violation. This framing matters because it puts the responsibility where it actually lives.

Platforms that are compliant (with a signed BAA)

A tour of the major options relevant to solo therapists. Yundra has no affiliate relationships with any of these — the summaries below are factual, not promotional, and the limitations are as honest as the strengths.

SimplePractice Telehealth

Built into SimplePractice, the most popular EHR among solo mental health practitioners. The BAA is included with all paid plans. Telehealth is available on the Essential tier (about $69/month) and the Plus tier (about $99/month) — it is not included on the Starter tier (about $29/month, recently raised from $49).

Strength: it's all-in-one. EHR, telehealth, billing, client portal, secure messaging, calendar — you launch a session with one click from the calendar view, and everything stays inside a single BAA-covered system. If you're already on SimplePractice, telehealth is included and there is effectively no decision to make.

Limitation: if you're not already on SimplePractice, you're paying for the full EHR, not just telehealth. The price tag reflects that. For a therapist who wants telehealth alone and has a separate EHR workflow, this is overkill.

TherapyNotes Telehealth

Built into TherapyNotes, the other major EHR in private practice mental health. BAA included. Telehealth is bundled on all plans, which start at roughly $49/month.

Strength: stable pricing — TherapyNotes hasn't had the dramatic price increases SimplePractice pushed through in 2024 and 2025. Documentation features are strong, and the clinical workflow is well thought out.

Limitation: the interface is less polished than SimplePractice's, and the telehealth experience specifically is more utilitarian. It works, but it doesn't feel modern in the way SimplePractice's does.

Doxy.me

A standalone telehealth-only platform — not an EHR, not a billing tool, just video sessions. And unusually for healthcare software, the BAA is included on every tier, including the free tier. Doxy.me is one of the very few platforms where a solo therapist can have a legitimately BAA-covered telehealth setup at zero cost. The Professional tier (around $35/month) adds custom branding, group rooms, and a few quality-of-life features, but the free tier is genuinely usable for a small caseload.

Doxy.me is browser-based with no downloads for patients. They click a link, grant camera access, and they're in. This is a major UX advantage — downloads are the single biggest friction point in every other telehealth onboarding.

Strength: if you already have an EHR without built-in telehealth (say, an older or more specialised system), Doxy.me is the simplest compliant add-on in the market. The free tier with a BAA is a genuine outlier.

Limitation: it's telehealth only. No scheduling, no billing, no notes, no client portal, no EHR features. You still need the rest of your stack.

Zoom for Healthcare

This is not regular Zoom. Zoom for Healthcare is a separate, paid tier of Zoom specifically designed for covered entities, and the BAA is available only on that healthcare-specific plan. Consumer Zoom — whether free or on a standard paid business plan — does not come with a BAA and is not compliant for patient sessions.

Pricing for the healthcare tier varies and generally starts somewhere around $15.99 per host per month for the base plan; the specific healthcare-configured package costs more and is quoted per organisation.

Strength: most patients already know how to use Zoom. The interface is familiar, the video quality is good, and breakout rooms and recording features are robust.

Limitation: it requires patients to download the Zoom app (unlike Doxy.me). And you have to be very careful that you're actually on the healthcare plan with the BAA signed — the most common "is Zoom HIPAA compliant therapist" mistake is using ordinary Zoom and assuming the BAA is implied somewhere. It isn't. Consumer Zoom is not compliant, full stop.

Google Meet (via Google Workspace with BAA)

Compliant only if you're on a paid Google Workspace plan and have signed the BAA via the Admin Console. Not compliant on free Gmail or personal Google accounts, because Google does not sign BAAs for those accounts in the first place.

We covered Google Workspace's BAA process in detail in our guide to whether Gmail is HIPAA compliant. The short version: a super administrator signs into admin.google.com, navigates to Account Settings → Legal & Compliance, and clicks to accept the Business Associate Addendum. Once accepted, the BAA covers Meet along with Gmail, Drive, Calendar, and the other core Workspace services.

Strength: if you're already on Workspace for your email (which you should be per the Gmail article), Meet is included at no extra cost and sits inside the same BAA you already signed.

Limitation: Meet isn't designed specifically for healthcare. There's no true virtual waiting room, no clinical workflow features, no intake routing. It's a general-purpose video conferencing tool that happens to be BAA-covered. Fine for a solo therapist who wants a simple bundled setup; not ideal if you want a healthcare-specific experience.

Platforms that are NOT compliant (avoid for patient sessions)

Being direct and specific here matters more than being diplomatic:

  • Consumer Zoom (free or basic paid) — no BAA available. "I use Zoom" is not the same as "I use Zoom for Healthcare."
  • FaceTime — Apple does not offer a BAA. FaceTime is end-to-end encrypted, which is genuinely good security, but no BAA means no compliance.
  • WhatsApp video — Meta does not offer a BAA for WhatsApp. The encryption is strong; the legal relationship does not exist.
  • Skype — Microsoft does not offer a BAA for consumer Skype. (Microsoft Teams on an enterprise plan with a healthcare BAA is a different product entirely, and has its own setup requirements.)
  • Google Meet on a free Gmail account — no BAA available on free accounts, as established above.
  • Standard phone calls — phone calls themselves aren't a HIPAA violation (the telephone network is treated as a conduit under HIPAA). But if you're using a VoIP service that processes or records the call digitally, that service may need a BAA. Google Voice is covered under Workspace's BAA; many other consumer VoIP apps are not.

The framing to hold onto: these platforms may be technically secure. FaceTime in particular has excellent encryption. Security and compliance are different things. Without a BAA, your use of them for patient sessions is a violation.

How to check if your current platform is compliant

A three-step check for the reader who already has a platform in place and isn't sure about it:

1. Do they offer a BAA? Log into your platform's admin settings and look for a section labelled BAA, Legal, or Compliance. If you can't find one, contact their support and ask directly: "Do you offer a Business Associate Agreement for HIPAA compliance?" If the answer is no, or they have to ask someone else, or they send you a generic privacy policy link instead of a BAA, the answer is effectively no.

2. Have you actually signed it? Having a BAA available is different from having signed one. Most platforms make it a click-through in the admin portal — it's on you to actually click accept. Log in and verify that the BAA is not just offered but executed against your account.

3. Is it the right tier? Some platforms (Zoom most notably) only offer BAAs on specific paid tiers. Verify that your current plan level includes the BAA. A downgrade at renewal, or a trial that expired into a different tier, can quietly take you out of compliance.

If the answer to any of these three is no, you have a compliance gap that needs to be addressed immediately.

What happens if you're using a non-compliant platform right now

Practical guidance, not fear-mongering:

  1. Switch platforms. Don't wait, don't phase it in — switch completely. Every additional session on a non-compliant platform is another incident of non-compliance.
  2. If cost is the barrier, Doxy.me's free tier with a BAA is available right now, today. Sign up, accept the BAA, and you have a compliant telehealth setup in under an hour. You can always upgrade later.
  3. Notify scheduled patients of the change. A simple message works: "I'm moving our video sessions to [new platform] for security and compliance reasons. Here's how to connect: [link]." Patients don't need a long explanation — most appreciate that you're taking their privacy seriously.
  4. Document the change in your Security Risk Analysis as a "significant change." A platform swap is exactly the kind of change that should trigger a risk analysis update. If you don't have a Security Risk Analysis yet, this article walks through how to do one.
  5. Don't retroactively notify patients about the previous non-compliant platform use. This one is counterintuitive, but there is no clear regulatory guidance supporting a mass retroactive notification, and doing so opens a can of worms (worried patients, ambiguous breach reporting questions) without a clear regulatory benefit. Fix it going forward. If OCR asks, you can show the date you switched and the steps you took.

Where Yundra fits in

Telehealth platform compliance is one of 40 questions in Yundra's free HIPAA Risk Assessment. Question 33 specifically asks whether you have a signed BAA with your telehealth platform — and if you answer "no" or "not sure," the report flags it as a critical gap with specific steps to fix it, in plain English.

But telehealth is just one piece of the puzzle. Your EHR, your email, your billing service, your transcription tools, your cloud storage, any AI notes tool you've added recently — every vendor that touches patient information needs a BAA, and every one of them belongs in your risk analysis. The assessment covers all of them systematically, in the same structured format, so you come out the other side with a clear picture of where the gaps actually are.

For the broader picture of what HIPAA requires of solo practices in 2026, see our complete 2026 guide. For the detailed walkthrough of the Security Risk Analysis itself, see how to do a HIPAA Security Risk Analysis for your therapy practice. And for the companion article on email — the other vendor question most therapists get wrong — see our Gmail breakdown.

What comes next

Take the free risk assessment to see where your practice stands on HIPAA — including your telehealth setup. Yundra generates all 7 compliance documents you need, personalised to your specific telehealth platform, EHR, and email provider. The assessment takes 25 minutes, and your compliance score is instant.
