In early 2024, OCR settled with a telehealth provider for $950,000 after an investigation revealed that the organization had deployed a cloud-based therapy platform without encrypting protected health information at rest or executing a compliant business associate agreement with its cloud vendor. The case is far from isolated. As behavioral health practices rapidly adopt cloud-based therapy applications, the gap between technology adoption and the security measures protecting PHI on those platforms continues to widen — and OCR is paying attention.

Why Cloud-Based Therapy Platforms Create Unique PHI Risks

Cloud-based therapy applications handle some of the most sensitive categories of protected health information: psychotherapy notes, substance abuse treatment records, and mental health diagnoses. A breach involving this data doesn't just trigger regulatory penalties — it causes measurable harm to patients who trusted your organization with their most private disclosures.

Unlike on-premises systems, where your IT team controls the physical environment, cloud platforms distribute PHI across infrastructure you don't own. Under that shared responsibility model, your covered entity must understand exactly where PHI resides, how it moves, and who can access it at every layer of the stack.

Healthcare organizations consistently struggle with this distinction. The cloud vendor secures the infrastructure. You secure the data, the configurations, and the access controls. Failing to own your side of that equation is where most HIPAA violations in cloud environments originate.

The Business Associate Agreement: Your First Security Measure

Before a single byte of PHI enters a cloud-based therapy application, 45 CFR §164.502(e) requires your organization to execute a business associate agreement (BAA) with the cloud service provider. This isn't optional and it isn't a formality. The BAA must specify how the business associate will safeguard PHI, report breaches, and limit uses and disclosures to only what's permitted.

In my work with covered entities, I've seen organizations assume that using a well-known cloud platform like AWS or Azure automatically means HIPAA compliance. It doesn't. These providers offer HIPAA-eligible services and will sign BAAs — but only for specific services. If your therapy application stores PHI in a service not covered by the BAA, you have an unprotected exposure that no amount of encryption can fix.

Review your BAA annually. Confirm it covers every cloud service touching PHI in your therapy workflow, including databases, storage buckets, messaging queues, and backup systems.

Essential Security Measures for PHI in Cloud-Based Therapy Applications

The HIPAA Security Rule at 45 CFR Part 164, Subpart C, organizes safeguards into administrative, physical, and technical categories. Here's how those translate to cloud-based therapy environments:

Encryption in Transit and at Rest

OCR has made clear through enforcement actions and guidance that encryption is an addressable implementation specification under the Security Rule — but "addressable" doesn't mean optional. For cloud-based therapy applications handling sensitive behavioral health PHI, encryption using AES-256 at rest and TLS 1.2 or higher in transit is the expected standard. If you choose not to encrypt, you must document an equivalent alternative measure, and in practice no equivalent exists for cloud environments.
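The BAA coverage check from the previous section and the encryption expectations above are easy to state and easy to lose track of across dozens of cloud resources. The following is an added example, not code from the article or from any cloud provider: a small inventory audit that flags any PHI-holding resource that sits in a service outside the BAA, is not encrypted at rest with AES-256, or accepts a TLS version below 1.2. The service names, the BAA-covered list and the inventory are constructed for illustration; in practice the inventory would be pulled from your provider's configuration API.

```python
"""Hypothetical inventory audit for the three controls discussed above:
BAA coverage, AES-256 at rest, TLS 1.2+ in transit.  Added example; every
service name and resource below is constructed, not from a real deployment."""
from dataclasses import dataclass
from typing import List

# Services the (hypothetical) provider's BAA actually covers.  Anything
# holding PHI that is not in this set is an unprotected exposure.
BAA_COVERED_SERVICES = {"object-storage", "managed-database",
                        "message-queue", "backup-vault"}

# Ordering so "at least TLS 1.2" can be checked; unknown strings fail closed.
TLS_ORDER = {"TLSv1.0": 0, "TLSv1.1": 1, "TLSv1.2": 2, "TLSv1.3": 3}


@dataclass
class Resource:
    name: str
    service: str
    holds_phi: bool
    encryption_at_rest: str   # e.g. "AES-256", "AES-128", "none"
    min_tls: str              # lowest TLS version the endpoint still accepts


def check_resource(r: Resource) -> List[str]:
    """Return the findings for one resource; an empty list means compliant."""
    findings: List[str] = []
    if not r.holds_phi:
        return findings       # these controls apply only where PHI resides
    if r.service not in BAA_COVERED_SERVICES:
        findings.append(f"{r.name}: service '{r.service}' is not covered by the BAA")
    if r.encryption_at_rest != "AES-256":
        findings.append(f"{r.name}: at-rest encryption is '{r.encryption_at_rest}', "
                        "expected AES-256")
    if TLS_ORDER.get(r.min_tls, -1) < TLS_ORDER["TLSv1.2"]:
        findings.append(f"{r.name}: accepts {r.min_tls}; minimum must be TLSv1.2")
    return findings


def audit(inventory: List[Resource]) -> List[str]:
    """Run check_resource over the whole inventory and collect findings."""
    findings: List[str] = []
    for r in inventory:
        findings.extend(check_resource(r))
    return findings


# Constructed sample inventory: two compliant PHI stores, one scratch
# environment someone copied PHI into, and a public site holding no PHI.
SAMPLE_INVENTORY = [
    Resource("session-recordings", "object-storage", True, "AES-256", "TLSv1.2"),
    Resource("patient-db", "managed-database", True, "AES-256", "TLSv1.3"),
    Resource("analytics-scratch", "serverless-notebook", True, "none", "TLSv1.0"),
    Resource("marketing-site", "static-hosting", False, "none", "TLSv1.0"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(finding)
```

The check fails closed on purpose: a resource whose TLS setting is unrecognized is reported rather than silently passed, which is the behaviour you want when the inventory data itself may be incomplete.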

Access Controls and Authentication

Implement role-based access controls so that therapists, administrative staff, and billing personnel only access the minimum necessary PHI for their job functions. The minimum necessary standard under the Privacy Rule applies directly here. Multi-factor authentication (MFA) should be mandatory for every user accessing the cloud therapy platform — not just administrators.

Audit Logging and Monitoring

Your cloud-based therapy application must generate and retain audit logs that track who accessed PHI, when, and what actions they performed. Configure real-time alerting for anomalous access patterns. OCR investigators routinely request audit logs during breach investigations, and the absence of logging has been cited as a Security Rule violation in multiple enforcement actions.
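Retaining logs is the first half; the second half is actually looking at them. As an added example (not code from the article or from any therapy platform vendor), the detector below parses constructed audit lines in a simple key=value format and raises the kinds of alerts the paragraph above calls for: access outside clinic hours, one user opening many distinct patient records in a short window, and repeated denied requests. The line format, the thresholds and the business-hours window are all assumptions chosen for the example; a real deployment would set them from its own risk analysis.

```python
"""Hypothetical anomalous-access detector over audit log lines.
Added example; the log format, thresholds and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Assumed audit line format produced by the (hypothetical) platform.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\S+) "
    r"role=(?P<role>\S+) action=(?P<action>\S+) patient=(?P<patient>\S+) "
    r"result=(?P<result>allow|deny)$"
)

# Assumed policy values, not regulatory requirements.
BULK_DISTINCT_PATIENTS = 5      # distinct records by one user within the window
WINDOW_SECONDS = 10 * 60
DENY_THRESHOLD = 3              # repeated denials: probing or a misassigned role
BUSINESS_HOURS = range(7, 20)   # clinic hours, UTC, for this constructed example


def parse_line(line: str) -> Optional[Dict]:
    """Parse one audit line; return None (and let the caller skip it) if malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def detect(lines: List[str]) -> List[str]:
    """Return a list of alert strings for the anomalies found in the lines."""
    events = [ev for ev in map(parse_line, lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    alerts: List[str] = []
    recent: Dict[str, List[Dict]] = defaultdict(list)  # per-user sliding window
    bulk_alerted = set()                                # fire bulk alert once per user
    denials: Dict[str, int] = defaultdict(int)
    for ev in events:
        user, t = ev["user"], ev["ts"]
        if t.hour not in BUSINESS_HOURS:
            alerts.append(f"after_hours_access user={user} patient={ev['patient']} "
                          f"at={t.strftime('%Y-%m-%dT%H:%M:%SZ')}")
        if ev["result"] == "deny":
            denials[user] += 1
            if denials[user] == DENY_THRESHOLD:
                alerts.append(f"repeated_denials user={user} count={DENY_THRESHOLD}")
            continue
        cutoff = t.timestamp() - WINDOW_SECONDS
        recent[user] = [h for h in recent[user] if h["ts"].timestamp() >= cutoff] + [ev]
        distinct = {h["patient"] for h in recent[user]}
        if len(distinct) >= BULK_DISTINCT_PATIENTS and user not in bulk_alerted:
            bulk_alerted.add(user)
            alerts.append(f"bulk_access user={user} distinct_patients={len(distinct)} "
                          f"window_s={WINDOW_SECONDS}")
    return alerts


# Constructed sample log: a normal therapist session, one 02:13 access,
# a billing user paging through six records, a front-desk user denied
# three times, and one malformed line that the parser must skip.
SAMPLE_LOG = [
    "2024-03-04T09:00:10Z user=asmith role=therapist action=read patient=P100 result=allow",
    "2024-03-04T09:02:40Z user=asmith role=therapist action=write patient=P100 result=allow",
    "2024-03-04T02:13:07Z user=jdoe role=therapist action=read patient=P221 result=allow",
    "2024-03-04T14:00:01Z user=bkhan role=billing action=read patient=P300 result=allow",
    "2024-03-04T14:00:05Z user=bkhan role=billing action=read patient=P301 result=allow",
    "2024-03-04T14:00:09Z user=bkhan role=billing action=read patient=P302 result=allow",
    "2024-03-04T14:00:12Z user=bkhan role=billing action=read patient=P303 result=allow",
    "2024-03-04T14:00:15Z user=bkhan role=billing action=read patient=P304 result=allow",
    "2024-03-04T14:00:18Z user=bkhan role=billing action=read patient=P305 result=allow",
    "2024-03-04T16:20:00Z user=tlee role=front_desk action=read patient=P410 result=deny",
    "2024-03-04T16:20:30Z user=tlee role=front_desk action=read patient=P411 result=deny",
    "2024-03-04T16:21:00Z user=tlee role=front_desk action=read patient=P412 result=deny",
    "this line is not an audit record",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Note that the bulk-access rule fires once per user as the threshold is crossed rather than on every subsequent read, so an investigator gets one ticket per episode instead of a flood; the after-hours rule intentionally does not exempt denied requests, since an off-hours attempt is worth seeing whether or not it succeeded.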

Automatic Session Timeouts and Device Controls

Therapists frequently access cloud platforms from laptops, tablets, and personal devices. Configure automatic session timeouts after periods of inactivity. Enforce device-level security policies including screen locks, remote wipe capabilities, and endpoint encryption. These technical safeguards directly address 45 CFR §164.312(a)(2)(iii).
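The "Access Controls and Authentication" and "Automatic Session Timeouts" sections above describe three controls that belong in one enforcement point, because a request should pass all of them or none. The following is an added example, not code from the article or from any therapy platform: a single access-decision function that requires verified MFA, rejects requests on idle sessions, applies a role-to-field minimum-necessary policy, and writes an audit record for every decision. The role names, PHI field names, timeout value and sample sessions are constructed for illustration.

```python
"""Hypothetical access-decision function combining mandatory MFA, an idle
timeout (45 CFR 164.312(a)(2)(iii) automatic logoff) and a minimum-necessary
role policy.  Added example; roles, fields and the timeout are assumptions."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

IDLE_TIMEOUT_SECONDS = 15 * 60   # assumed policy value; set it from your risk analysis

# Minimum-necessary policy: which PHI fields each role may read or write.
# Anything not listed is denied, so adding a role means adding an entry here.
ROLE_POLICY: Dict[str, Dict[str, FrozenSet[str]]] = {
    "therapist":  {"read":  frozenset({"demographics", "diagnosis", "psychotherapy_notes"}),
                   "write": frozenset({"psychotherapy_notes"})},
    "billing":    {"read":  frozenset({"demographics", "billing_codes"}),
                   "write": frozenset({"billing_codes"})},
    "front_desk": {"read":  frozenset({"demographics", "appointments"}),
                   "write": frozenset({"appointments"})},
}

AUDIT_LOG: List[str] = []        # every decision, allowed or denied, is recorded


@dataclass
class Session:
    user: str
    role: str
    mfa_verified: bool
    last_activity: int           # unix time of the previous successful request


def authorize(session: Session, action: str, field: str, patient: str, now: int) -> Optional[str]:
    """Return None if the request is allowed, otherwise a short denial reason.
    All checks fail closed: unknown roles, actions and fields are denied."""
    reason: Optional[str] = None
    if not session.mfa_verified:
        reason = "mfa_required"
    elif now - session.last_activity > IDLE_TIMEOUT_SECONDS:
        reason = "session_expired"
    else:
        allowed = ROLE_POLICY.get(session.role, {}).get(action, frozenset())
        if field not in allowed:
            reason = f"minimum_necessary_violation:{action}:{field}"
    result = "allow" if reason is None else f"deny:{reason}"
    AUDIT_LOG.append(f"ts={now} user={session.user} role={session.role} "
                     f"action={action} field={field} patient={patient} result={result}")
    if reason is None:
        session.last_activity = now   # only a successful request extends the session
    return reason


if __name__ == "__main__":
    s = Session("asmith", "therapist", True, last_activity=1_000_000)
    print(authorize(s, "read", "psychotherapy_notes", "P100", now=1_000_060))   # None
    b = Session("bkhan", "billing", True, last_activity=1_000_000)
    print(authorize(b, "read", "psychotherapy_notes", "P100", now=1_000_060))   # denied
    for line in AUDIT_LOG:
        print(line)
```

Two design points matter here: the MFA and timeout checks run before the role lookup, so a stale or unauthenticated session is never told which fields it would otherwise have been allowed to see, and a denied request does not refresh `last_activity`, so a client cannot keep an idle session alive by issuing requests it knows will fail.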

Conduct a Risk Analysis Specific to Your Cloud Therapy Environment

The single most cited deficiency in OCR enforcement actions isn't a missing firewall or an unencrypted laptop. It's the failure to conduct an adequate and accurate risk analysis as required by 45 CFR §164.308(a)(1)(ii)(A). Your risk analysis must account for every threat and vulnerability specific to your cloud-based therapy application.

This means evaluating your cloud provider's shared responsibility model, assessing API security for integrations between your therapy app and EHR systems, and identifying risks introduced by patient-facing features like secure messaging and video sessions. Document everything. A risk analysis that lives only in someone's memory doesn't exist in the eyes of OCR.

Update your risk analysis whenever you change cloud providers, add new application features, or modify how PHI flows through the system. Annual reviews are a minimum — not a best practice ceiling.

The Workforce Training Requirement Most Organizations Underestimate

Technical safeguards protect PHI from external threats. Workforce training protects PHI from the people inside your organization who handle it every day. Under 45 CFR §164.530(b), your covered entity must train every workforce member on policies and procedures related to PHI — and that training must address the specific tools they use, including your cloud-based therapy application.

Generic annual training that covers HIPAA basics but ignores the actual platforms your therapists use daily leaves a dangerous gap. Your workforce needs to understand how to use the therapy application securely: how to verify encryption indicators, how to avoid sharing login credentials, what to do if they suspect unauthorized access, and how to handle PHI when using personal devices.

Investing in comprehensive HIPAA training and certification ensures your team doesn't just know HIPAA rules in the abstract — they know how to apply those rules to the cloud-based tools they interact with every session.

Breach Notification Preparedness for Cloud Therapy Platforms

Despite strong security measures for PHI in cloud-based therapy applications, breaches can still occur. The Breach Notification Rule at 45 CFR §§164.400-414 requires your organization to notify affected individuals within 60 days of discovering a breach, notify HHS, and for breaches affecting 500 or more individuals, notify prominent media outlets in the affected jurisdiction.

Your incident response plan must account for cloud-specific scenarios: a misconfigured storage bucket exposing session recordings, a compromised API key granting unauthorized access to patient records, or a cloud provider experiencing a security incident affecting your PHI. Coordinate with your business associate in advance so that breach detection and notification timelines are clearly defined in your BAA.

Build a Compliance Foundation That Matches Your Technology

Cloud-based therapy applications offer tremendous clinical value — expanded access, flexible scheduling, and continuity of care that was unimaginable a decade ago. But the speed at which behavioral health has adopted these tools has outpaced the compliance infrastructure at many organizations.

Closing that gap requires more than purchasing a HIPAA-compliant platform. It demands a comprehensive approach: executed BAAs, thorough risk analyses, layered technical safeguards, and a workforce that understands how to protect PHI in every interaction with the technology. Organizations looking to build that foundation across their entire team should explore HIPAA Certify's workforce compliance programs designed specifically for healthcare environments navigating modern technology challenges.

OCR's enforcement priorities make the expectation clear: if your organization uses cloud-based therapy applications, you own the responsibility of securing the PHI those applications process. The tools exist. The regulations are defined. The only variable is whether your organization acts before — or after — an investigation begins.