When OCR settled with a behavioral health provider in 2023 for $125,000 after a therapist conducted sessions over a consumer-grade video platform without a business associate agreement, it sent a clear signal: the enforcement discretion era for telehealth is over. If your practice delivers teletherapy, HIPAA teletherapy compliance guidelines are no longer aspirational — they are the baseline OCR expects you to meet.

Why the End of Telehealth Enforcement Discretion Changes Everything

During the COVID-19 public health emergency, OCR issued a notification of enforcement discretion allowing covered entities to use non-public-facing communication platforms for telehealth without risk of penalty. That discretion formally ended on May 11, 2023, when the public health emergency expired.

Since then, OCR has returned to full enforcement of the HIPAA Privacy Rule and Security Rule as they apply to remote care. Healthcare organizations that adopted quick-fix telehealth solutions in 2020 and never upgraded are now operating with significant compliance gaps.

In my work with covered entities — particularly small behavioral health practices — I consistently find that clinicians believe using any video platform with encryption is sufficient. It is not. Encryption is one technical safeguard among dozens of requirements under 45 CFR Part 164.

HIPAA Teletherapy Compliance Guidelines: The Five Non-Negotiables

Whether you are a solo practitioner or a multi-site behavioral health organization, these five requirements form the core of any compliant teletherapy program.

1. Execute a Business Associate Agreement Before the First Session

Every technology vendor that creates, receives, maintains, or transmits protected health information on your behalf is a business associate under the Omnibus Rule. This includes your video platform provider, your cloud storage vendor, and your scheduling software company.

Without a signed business associate agreement (BAA), using a platform to conduct teletherapy is itself a HIPAA violation — regardless of how secure the technology may be. Consumer tools like standard Zoom (non-healthcare version), FaceTime, and Google Hangouts do not offer BAAs, making them non-compliant for ongoing clinical use.

2. Conduct a Thorough Risk Analysis That Includes Telehealth

The Security Rule at 45 CFR §164.308(a)(1) requires every covered entity to conduct a comprehensive risk analysis. Your risk analysis must specifically address teletherapy workflows: where PHI is created during a session, how it is transmitted, where recordings or session notes are stored, and who has access.

OCR has cited failure to perform an adequate risk analysis as the single most common finding in enforcement actions. If your analysis does not include telehealth-specific threats — such as screen sharing of PHI, unauthorized recording, or unsecured home Wi-Fi networks — it is incomplete.

3. Apply the Minimum Necessary Standard to Every Virtual Encounter

The minimum necessary standard requires that your workforce access and disclose only the PHI needed for a specific purpose. In teletherapy, this means ensuring that screen shares do not display other patients' records, that session recordings (if permitted) capture only essential clinical content, and that intake forms collected digitally request only necessary information.

Build workflows that limit what is visible on-screen during a session. If your EHR is open in the background while you share your screen with a patient, you risk an impermissible disclosure of another individual's protected health information.

4. Implement Technical Safeguards Beyond Encryption

Encryption in transit and at rest is essential — but HIPAA teletherapy compliance guidelines demand more. Under the Security Rule, your organization must also address:

  • Access controls: Unique user IDs for every workforce member accessing the telehealth platform.
  • Audit controls: Logs that track who accessed PHI, when, and from which device.
  • Automatic session timeouts: Preventing unauthorized access if a clinician steps away mid-session.
  • Device and media controls: Policies governing the use of personal devices, removable media, and local recordings.

Many platforms market themselves as "HIPAA compliant," but compliance is never a product feature — it is a result of how your organization configures, uses, and governs the technology.
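As an added example (not code from the article or from any telehealth vendor), the short Python model below shows how the four safeguards listed above fit together at the application level: a unique workforce ID and device ID on every action (access control), an append-only audit record of who touched PHI, when and from which device (audit controls), and an idle timeout that closes the session and logs the closure (automatic session timeout). The class and field names and the 15-minute idle limit are assumptions for illustration; the timeout value should come from your own risk analysis.

```python
"""Added illustration of Security Rule technical safeguards in a telehealth session.
All names (AuditLog, TelehealthSession, IDLE_TIMEOUT_SECONDS) are assumptions; the
timestamps are plain seconds so the example runs offline with constructed values."""
from dataclasses import dataclass

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed policy value; set per your risk analysis


@dataclass(frozen=True)
class AuditEvent:
    user_id: str    # unique workforce member ID (access control)
    action: str     # e.g. "session_start", "phi_view", "session_timeout"
    device_id: str  # device the access came from (device/media control)
    at: float       # when, in seconds


class AuditLog:
    """Append-only record of PHI access. Refuses events missing who or which device."""

    def __init__(self):
        self.events = []

    def record(self, user_id, action, device_id, at):
        if not user_id or not device_id:
            raise ValueError("audit record requires both user_id and device_id")
        self.events.append(AuditEvent(user_id, action, device_id, at))

    def accesses_by(self, user_id):
        """Answer the OCR-style question: what did this user access, when, from where?"""
        return [(e.action, e.device_id, e.at) for e in self.events if e.user_id == user_id]


class TelehealthSession:
    """One clinician's virtual session, with idle-timeout enforcement on every action."""

    def __init__(self, clinician_id, device_id, log, started_at):
        self.clinician_id = clinician_id
        self.device_id = device_id
        self.log = log
        self.last_activity = started_at
        self.active = True
        log.record(clinician_id, "session_start", device_id, started_at)

    def enforce_timeout(self, now):
        """Close the session if it has been idle past the limit; log the closure."""
        if self.active and now - self.last_activity >= IDLE_TIMEOUT_SECONDS:
            self.active = False
            self.log.record(self.clinician_id, "session_timeout", self.device_id, now)
        return self.active

    def touch(self, now, action="phi_view"):
        """Attempt a PHI-touching action; returns False if the session already timed out."""
        if not self.enforce_timeout(now):
            return False
        self.last_activity = now
        self.log.record(self.clinician_id, action, self.device_id, now)
        return True


def run_demo():
    """Constructed scenario: activity at 5 min, then an attempt after 25 idle minutes."""
    log = AuditLog()
    session = TelehealthSession("clin-001", "laptop-42", log, started_at=0.0)
    first = session.touch(5 * 60)          # within the idle limit: allowed
    second = session.touch(30 * 60)        # 25 min idle: session closed, access refused
    actions = [e.action for e in log.events]
    return first, second, session.active, actions


if __name__ == "__main__":
    print(run_demo())
```

The point the model makes is the one the paragraph above makes in prose: the platform supplies the primitives, but the organisation decides the timeout value, requires the device identifier, and keeps the audit trail that an investigator will ask to see.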

5. Train Every Workforce Member on Telehealth-Specific Risks

The Privacy Rule at 45 CFR §164.530(b) requires training for every workforce member who handles PHI. Generic annual HIPAA training is not sufficient for clinicians conducting teletherapy daily. Your training must cover telehealth-specific scenarios: what to do if an unauthorized person enters the room during a session, how to verify patient identity remotely, and how to handle technical failures that may expose PHI.

Investing in structured HIPAA training and certification that includes telehealth modules ensures your clinicians understand the unique risks of virtual care — not just the general principles of HIPAA.

Update Your Notice of Privacy Practices for Teletherapy

Your Notice of Privacy Practices (NPP) must accurately reflect how your organization uses and discloses PHI. If you have added teletherapy since your NPP was last updated, it likely does not describe how PHI is collected and transmitted during virtual sessions, what third-party platforms process that data, or what additional risks telehealth introduces.

Revise your NPP to include a clear description of your telehealth practices. Distribute the updated notice to every patient before their first virtual session and make it available on your website.

Documentation That Proves Compliance During an OCR Investigation

OCR does not take your word for compliance; it asks for documentation. Maintain the following for every element of your teletherapy program:

  • Signed BAAs with every telehealth vendor, updated annually.
  • A risk analysis that specifically names telehealth assets, threats, and vulnerabilities.
  • Policies and procedures governing virtual session conduct, recording, and storage.
  • Workforce training records with dates, topics covered, and attestations.
  • Incident response documentation for any telehealth-related breaches or near-misses.

Under the Breach Notification Rule, if a teletherapy-related breach affects 500 or more individuals, you must notify OCR, affected individuals, and prominent media outlets within 60 days. Documentation of your safeguards is the difference between demonstrating a good-faith compliance effort and facing a penalty that can reach $2,067,813 per violation category per year under the updated penalty tiers.

Build a Teletherapy Compliance Program That Scales

HIPAA teletherapy compliance guidelines are not a one-time checklist. They require ongoing risk management, regular workforce retraining, and periodic reassessment of every vendor and platform in your telehealth ecosystem.

Start by benchmarking your current teletherapy operations against the requirements outlined above. Identify the gaps — missing BAAs, incomplete risk analyses, outdated training — and build a remediation timeline with assigned owners and deadlines.

If your organization needs a structured path to full workforce compliance, HIPAA Certify's workforce compliance program provides the training, documentation support, and certification your practice needs to meet OCR's expectations — before an investigation forces your hand.