
Telehealth HIPAA Compliance Checklist for 2026


The pandemic-era HIPAA enforcement discretion for telehealth ended long ago. As of 2026, the HHS Office for Civil Rights (OCR) holds telehealth to the same HIPAA standard as in-person care. If you provide any virtual sessions, your telehealth setup must fully comply with the HIPAA Security Rule.

This checklist covers everything you need — from platform selection to documentation — organised by priority. Work through it top to bottom, and you'll have a telehealth setup that meets OCR's expectations.

Platform Requirements

Checklist: Your telehealth platform

  • [ ] Uses a HIPAA-compliant platform (not regular Zoom, FaceTime, Google Meet, or Skype)
  • [ ] Signed BAA with the platform vendor (check your account settings — most require explicit acceptance)
  • [ ] End-to-end encryption enabled (verify in your platform's security settings; some platforms encrypt only in transit by default, so confirm what your vendor actually provides and that it is switched on for your account)
  • [ ] Recording disabled by default (if recording is available, it should be off unless clinically necessary and consented to)
  • [ ] Waiting room enabled (patients shouldn't enter the session until you admit them)
  • [ ] Screen sharing restricted (only you should be able to share, not the patient, unless explicitly enabled)

HIPAA-compliant telehealth platforms for therapists

These platforms offer BAAs and meet HIPAA security requirements:

  • Doxy.me — Free and paid plans, both HIPAA compliant with BAA. Purpose-built for telehealth. No downloads required for patients.
  • Zoom for Healthcare — Separate from regular Zoom. Requires the Healthcare plan specifically. BAA available.
  • SimplePractice Telehealth — Built into SimplePractice. BAA covered under the main SimplePractice agreement.
  • TherapyNotes Telehealth — Built into TherapyNotes. Same BAA.
  • VSee — HIPAA-compliant video platform with signed BAA.

For a detailed comparison, see our guide to HIPAA-compliant telehealth platforms.

Platforms that are NOT HIPAA compliant

  • Regular Zoom (Pro, Business) — only the Healthcare plan is compliant
  • FaceTime — Apple does not sign BAAs
  • Google Meet — covered only when used under a Google Workspace account with a signed BAA, and whether that is adequate for clinical sessions is still debated
  • Skype — Microsoft does not position Skype as HIPAA compliant
  • WhatsApp — no BAA available
  • Facebook Messenger — no BAA available

Your Physical Environment

Checklist: Your telehealth workspace

  • [ ] Private room — sessions conducted in a space where others cannot overhear
  • [ ] Locked door (or a "Do Not Disturb" indicator visible to household members)
  • [ ] No smart speakers or voice assistants active (Alexa, Google Home, Siri) in the room during sessions
  • [ ] Screen positioned away from windows and doorways
  • [ ] Headphones used (prevents session audio from being overheard)

These seem obvious, but they're part of the physical safeguard requirements. If you conduct telehealth from home, your home office is your clinical space during sessions — treat it accordingly.

Network and Device Security

Checklist: Your technical setup

  • [ ] Secure internet connection — use your home/office network, not public Wi-Fi
  • [ ] Wi-Fi network encrypted (WPA3 or WPA2, never an open or WEP network — check your router settings)
  • [ ] Device encrypted — full-disk encryption on your laptop/computer (FileVault on Mac, BitLocker on Windows)
  • [ ] Operating system up to date — automatic updates enabled
  • [ ] Antivirus/security software active and up to date
  • [ ] Strong, unique password on your telehealth account
  • [ ] Multi-factor authentication (MFA) enabled on your telehealth platform
  • [ ] Automatic screen lock set to 5 minutes or less
  • [ ] VPN considered if you ever work from locations outside your primary office

Patient Consent and Communication

Checklist: Patient-facing requirements

  • [ ] Informed consent for telehealth — documented consent from each patient for virtual sessions, including acknowledgment of risks specific to telehealth
  • [ ] Technology instructions provided — patients know how to access the session, test their setup, and troubleshoot common issues
  • [ ] Emergency protocols documented — what happens if the connection drops? How does the patient reach you? What's the plan for a clinical emergency during a virtual session?
  • [ ] Patient's physical location confirmed at the start of each session (for licensing and emergency response purposes)
  • [ ] Backup communication method established (phone number to call if video fails)

Documentation

Checklist: Your compliance records

  • [ ] Telehealth mentioned in your Security Risk Analysis — your SRA should specifically address telehealth risks and mitigations
  • [ ] Telehealth policies in your Policies and Procedures Manual — who can use telehealth, what platform, security requirements, consent procedures
  • [ ] BAA signed with telehealth platform and recorded in your BAA tracker
  • [ ] Telehealth covered in your HIPAA training — documented training on telehealth security procedures
  • [ ] Telehealth consent form template available and used consistently

State-Specific Requirements

Beyond HIPAA (which is federal), your state may have additional telehealth requirements:

  • State licensing laws — many states require you to be licensed in the state where the patient is physically located during the session
  • Interstate compacts — the PSYPACT (for psychologists) and ASWB mobility (for social workers) may allow cross-state practice
  • State privacy laws — some states (California, New York, Texas) have privacy requirements that exceed HIPAA
  • Telehealth-specific regulations — some states require specific consent language or platform features

Check your state licensing board's telehealth guidance for the most current requirements.

Common Telehealth HIPAA Mistakes

Using regular Zoom. "Zoom" is not the same as "Zoom for Healthcare." The standard Zoom product does not include a BAA or HIPAA-specific security configurations.

No BAA signed. You're using a compliant platform but never actually signed the BAA in your account settings. Having the option isn't the same as having the agreement.

Sessions in shared spaces. Conducting therapy sessions in an open living room, a shared office, or a coffee shop violates physical safeguard requirements.

No telehealth consent. HIPAA doesn't specifically require telehealth consent, but best practices (and most state laws) do. It's also a risk management essential — patients should understand the limitations and risks of virtual care.

Not documenting the modality. Your session notes should indicate whether the session was conducted via telehealth, including the platform used. This matters for both billing and compliance.

The Quick Self-Check

Answer these five questions:

  1. Is your telehealth platform on the "compliant" list above? → If no, switch.
  2. Do you have a signed BAA with them? → If no, sign it today.
  3. Do you conduct sessions in a private space with the door closed? → If no, fix your setup.
  4. Is your device encrypted with MFA enabled? → If no, enable both.
  5. Do your patients sign a telehealth consent form? → If no, create one.

If you answered "no" to any of these, you have a compliance gap. Take the free assessment to check this and 35 other HIPAA compliance areas in 25 minutes.
