Telehealth has become a permanent fixture in behavioral health care. According to the American Psychological Association, more than 60% of mental health providers now offer some form of virtual services—and that number continues to climb. But with expanded access comes expanded responsibility. Navigating HIPAA compliance in a telehealth environment is more nuanced than many practice owners realize, and the regulatory landscape has continued to evolve heading into 2026. Whether you're building your telehealth program from scratch or auditing your current setup, this guide covers what you need to know.
Why HIPAA Compliance Looks Different in Telehealth
Traditional HIPAA compliance was designed around physical environments—locked file cabinets, private waiting rooms, secure fax machines. Telehealth introduces a new category of risk. Protected Health Information (PHI) now travels across internet connections, sits on video platforms, and gets accessed from clinicians' home offices and patients' kitchen tables. The same core HIPAA rules apply—the Privacy Rule, the Security Rule, and the Breach Notification Rule—but the technical and administrative safeguards required to uphold them look very different in a virtual setting.
The Current Regulatory Landscape in 2026
The COVID-19 public health emergency introduced a series of telehealth flexibilities that temporarily relaxed certain HIPAA enforcement priorities. Many of those temporary measures have since been codified, modified, or allowed to expire. Here is where things stand as of 2026.
What Stayed After the PHE Ended
Several telehealth expansions were made permanent or extended through Congressional action. Notably, the ability to prescribe controlled substances via telehealth without an in-person evaluation—a critical issue for behavioral health practices prescribing medications like buprenorphine—has been extended under ongoing DEA rulemaking. However, requirements vary by substance and state, so practices should verify current rules with their state licensing board and legal counsel.
What Changed for HIPAA Enforcement
The HHS Office for Civil Rights (OCR) has returned to standard enforcement posture. This means the enforcement discretion that allowed providers to use non-HIPAA-compliant consumer video platforms like FaceTime or Zoom's standard consumer tier has ended. Using platforms that are not covered by a signed Business Associate Agreement (BAA) now carries real enforcement risk. In 2023 and 2024, OCR demonstrated a renewed focus on telehealth-related breaches, with several settlements involving improper use of tracking technologies on patient-facing portals and scheduling tools.
Core Requirements for HIPAA-Compliant Telehealth
Meeting HIPAA requirements in a telehealth context requires action across three domains: your technology stack, your administrative policies, and your staff training. Neglecting any one of these creates vulnerabilities even if the other two are airtight.
Technology Requirements
- Use a HIPAA-compliant video platform with a signed BAA. Healthcare-specific options include Doxy.me, Zoom for Healthcare, and telehealth tools built into compliant EHR platforms.
- Ensure end-to-end encryption for all video sessions. Verify this is enabled by default, not just available as a setting.
- Store session notes, recordings, and clinical documentation only on HIPAA-compliant systems. Avoid saving anything to personal devices or unsecured cloud storage.
- Use multi-factor authentication (MFA) on all systems that access PHI. This is one of the most effective and underutilized safeguards available.
- Conduct regular security risk assessments as required by the HIPAA Security Rule. This is not optional—it is a specific, auditable requirement.
Administrative and Policy Requirements
- Maintain signed BAAs with every vendor that handles PHI on your behalf—this includes your EHR, telehealth platform, billing software, and any scheduling tools.
- Update your Notice of Privacy Practices to reflect how PHI is used and shared in a telehealth context.
- Establish a written telehealth-specific policy covering session conduct, technical failures, patient location documentation, and emergency protocols.
- Document your security risk assessment and any remediation steps taken. OCR will request this documentation in the event of a complaint or audit.
- Create and test an incident response plan so your team knows exactly what to do if a breach occurs.
Staff Training Requirements
- Train all staff on HIPAA basics at onboarding and at least annually thereafter. Document completion.
- Provide telehealth-specific training covering secure login practices, session environment expectations, and how to handle technical issues without compromising PHI.
- Educate clinicians on conducting sessions from compliant environments—meaning private spaces, secured Wi-Fi, and no unauthorized individuals present.
- Cover phishing awareness and social engineering, which remain the leading causes of healthcare data breaches.
Common Compliance Pitfalls for Behavioral Health Practices
Behavioral health practices face some compliance risks that are distinct from other healthcare settings. The sensitivity of mental health records—including psychotherapy notes, which carry additional protections under HIPAA—makes any breach particularly serious for patients. Here are the mistakes we see most often.
- Using consumer-grade video tools without a BAA, often because they are free or familiar to clients.
- Collecting client contact information through standard web forms that are not covered by a BAA or encrypted in transit.
- Embedding third-party tracking pixels or analytics tools on patient portals without proper disclosure or authorization—an area OCR has investigated aggressively.
- Failing to document that a security risk assessment was completed, even when the underlying security practices are sound.
- Assuming that a telehealth platform being marketed as 'HIPAA-compliant' means compliance is automatic. Compliance is always a shared responsibility between the vendor and the provider.
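The second and third pitfalls above (web forms not encrypted in transit, third-party tracking pixels and analytics on patient-facing pages) can be spot-checked mechanically. The following is an added example, not code from the original article or from any vendor it names: it parses a portal page and flags resources loaded from hosts the practice does not own and forms that post over plain HTTP or to an outside host. The first-party hostnames and the sample page are constructed for the example.

```python
# Added example: audit a patient-portal page for third-party resources and
# insecure form targets. FIRST_PARTY_HOSTS and SAMPLE_PAGE are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the practice controls (assumed for this example).
FIRST_PARTY_HOSTS = {"portal.example-practice.com", "www.example-practice.com"}


class PortalAuditor(HTMLParser):
    """Collects script/img/iframe sources and form actions that need review."""

    def __init__(self):
        super().__init__()
        self.findings = []  # (finding_type, tag, url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            # Relative URLs have no hostname and are treated as first-party.
            host = urlparse(a["src"]).hostname
            if host and host not in FIRST_PARTY_HOSTS:
                self.findings.append(("third_party_resource", tag, a["src"]))
        elif tag == "form":
            action = a.get("action", "")
            parsed = urlparse(action)
            if parsed.scheme == "http":
                self.findings.append(("form_not_encrypted", tag, action))
            elif parsed.hostname and parsed.hostname not in FIRST_PARTY_HOSTS:
                self.findings.append(("form_posts_to_third_party", tag, action))


def audit_portal_html(html: str) -> list:
    """Return the list of findings for one page of HTML."""
    auditor = PortalAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample page: one first-party script, one analytics tag,
# one tracking pixel, one plain-HTTP intake form, one outsourced form.
SAMPLE_PAGE = """<html><body>
<script src="/static/app.js"></script>
<script src="https://analytics.example.net/tag.js"></script>
<img src="https://pixel.example.org/p.gif" width="1" height="1">
<form action="http://forms.example-practice.com/intake" method="post"></form>
<form action="https://thirdparty-forms.example.com/submit" method="post"></form>
<form action="/contact" method="post"></form>
</body></html>"""

if __name__ == "__main__":
    for kind, tag, url in audit_portal_html(SAMPLE_PAGE):
        print(f"{kind:28} <{tag}> {url}")
```

Each third-party hit should map to a vendor with a signed BAA or be removed; inline scripts (no `src`) are not inspected here and still need manual review.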
How Your EHR Can Simplify Telehealth Compliance
One of the most practical steps a behavioral health practice can take is consolidating its telehealth workflow inside a purpose-built EHR platform. When your video sessions, clinical notes, treatment plans, and billing all live in one HIPAA-compliant environment, you eliminate a significant category of risk that comes from stitching together multiple disconnected tools. Platforms like MindWise Health are built specifically for behavioral health workflows, meaning features like integrated telehealth, secure messaging, and documentation are designed to work together under a single compliance framework rather than requiring separate BAAs and separate security configurations for each tool.
A Practical Compliance Checklist for 2026
Use this checklist to audit your current telehealth setup. If you cannot confidently check off every item, that is a good indicator of where to focus your attention.
- All video platforms used for clinical sessions have a signed BAA on file.
- All other vendors with access to PHI have a signed BAA on file.
- A current security risk assessment has been completed and documented.
- Multi-factor authentication is enabled on all systems accessing PHI.
- Staff have completed HIPAA training within the past 12 months with documentation.
- A written telehealth policy exists and has been reviewed within the past year.
- Your Notice of Privacy Practices reflects your current telehealth practices.
- No consumer-grade or non-BAA-covered tools are being used to transmit or store PHI.
- An incident response plan exists and staff know how to use it.
- Psychotherapy notes are stored separately from the general medical record and access is appropriately restricted.
Final Thoughts
HIPAA compliance in a telehealth environment is not a one-time project—it is an ongoing operational commitment. The practices that handle it best treat compliance not as a box to check but as a standard of care, recognizing that protecting patient information is inseparable from providing quality treatment. With the right technology, clear policies, and trained staff, running a fully compliant telehealth program is entirely achievable for practices of any size. If you are unsure where your practice stands today, start with the checklist above and consider a formal security risk assessment as your next step.
