Setting Up Telehealth for a Private Therapy Practice

Telehealth is now a standard component of private therapy practice, not a temporary accommodation. Setting it up correctly means resolving three distinct layers: the technology and HIPAA compliance, the documents clients must sign before the first virtual session, and the billing and licensing rules that govern where and how you can practice remotely. Getting any of these wrong creates real exposure — HIPAA enforcement, licensing board complaints, or unpaid insurance claims. This guide works through each layer in order.

---

HIPAA Rules for Telehealth: What You Are Required to Do Now

The COVID-era enforcement discretion that allowed providers to use non-compliant video platforms expired on August 9, 2023. Since then, the standard HIPAA Rules apply in full. The HHS Office for Civil Rights addresses this directly in its current telehealth guidance.

The operative requirement is the Business Associate Agreement (BAA). Any technology vendor that creates, receives, transmits, or stores protected health information (PHI) on your behalf is a Business Associate. You must have a signed BAA with that vendor before using the service for telehealth sessions.

One narrow exception: A phone carrier acting as a “mere conduit” for a live audio-only call — where the carrier doesn’t store or process the call content — does not require a BAA. HHS published specific guidance on audio-only telehealth clarifying this distinction. A standard phone call to a client does not require a BAA with your carrier. A video app that stores session recordings or transcripts in the vendor’s cloud does.

---

Choosing a Telehealth Platform

The determining factor is whether the vendor will sign a BAA. Consumer tiers of common apps — standard Zoom, Google Meet (personal), FaceTime, Skype — do not offer BAAs and cannot legally be used for sessions that transmit PHI.

Platforms that do offer BAAs for healthcare providers include:

• Doxy.me — free tier available with a BAA for solo practitioners
• Zoom for Healthcare — paid, HIPAA-enabled tier separate from standard Zoom
• VSee — built specifically for healthcare telehealth
• SimplePractice, TherapyNotes, Jane App — integrated EHRs with built-in telehealth and BAAs already included

The simplest path: if you already use an EHR that includes video sessions, your BAA with that vendor almost certainly covers the telehealth function. Verify this explicitly in the contract — do not assume a BAA covers video if it doesn’t say so.

When evaluating any platform, check two things: whether end-to-end encryption is on by default for sessions, and whether session recordings or AI-generated transcripts are stored in the vendor’s infrastructure. If recordings are stored, your BAA must explicitly cover that data.

---

The Telehealth Informed Consent Document

A standard Informed Consent for Treatment covers in-office services. Telehealth requires either a standalone Telehealth Consent form or a clear addendum to your existing consent — signed before the first virtual session.

A compliant telehealth consent must address:

Technology and confidentiality risks. The client acknowledges that internet transmission carries an inherent (though unlikely) risk of interception and that neither party can guarantee the security of a third-party platform.

Emergency protocols. What happens if a client is in crisis during a remote session. You need a specific plan documented in the consent: a local emergency contact for the client, confirmation of their physical address at the time of each session, and the phone number for local emergency services in their location. A vague statement that “you will call 911” is not sufficient when the client is in another city.

Right to refuse telehealth. Clients can choose in-person sessions instead, at any point. This must be stated explicitly.

Client’s responsibility for privacy. The client is responsible for being in a private, unobserved location during sessions.

Jurisdictional acknowledgment. The client understands that services are provided under the laws and licensing rules of the relevant state(s).

Some state licensing boards require specific language beyond these basics. Check your state board’s website before finalizing the form. For context on where telehealth consent fits within the broader document stack, see The Documents Every New Therapy Practice Needs and the paperless intake guide.

---

State Licensing and the Cross-State Jurisdiction Problem

Your license is issued by a state. In telehealth, the relevant jurisdiction is where the client is physically located at the time of service — not where you are. A therapist licensed in New York who sees a client temporarily staying in Florida is practicing in Florida and needs a Florida license (or compact authorization) to do so legally.

Two interstate compacts provide the primary path to multi-state authorization:

Counseling Compact (adopted by 32+ states as of 2026): Allows licensed professional counselors who meet compact requirements to obtain a practice privilege in other member states without a full license application. Verify the current member state list on the compact’s website before assuming your client’s state is covered.

Psychology Interjurisdictional Compact (PSYPACT) (26+ states as of 2026): Same structure for licensed psychologists. Requires obtaining an Authority to Practice Interjurisdictional Telepsychology (APIT) through the compact.

LCSWs and MFTs do not yet have a widely adopted compact. If you see clients who travel or relocate, you will either need individual state licenses or must pause telehealth services while those clients are outside your licensed jurisdiction.

Practical rule: Include a question about the client’s physical location in your intake paperwork. Ask again at the start of each telehealth session if the client travels. Document the location in every session note. If a client’s state changes, verify your licensing status before the next session rather than after.

---

Medicare Telehealth Coverage for Mental Health: 2026 Rules

Behavioral health telehealth under Medicare was made permanent by the Consolidated Appropriations Act, 2021 — removing the geographic restrictions that previously limited telehealth reimbursement. Mental health providers can now see Medicare beneficiaries via telehealth regardless of whether the patient lives in a rural area or is at home. The CMS Medicare Mental Health Coverage guide (March 2026) covers the current rules in full.

Key rules for 2026:

Audio-video is the standard; audio-only is permitted as an exception. The default requirement is two-way, real-time audio-video technology. Audio-only (phone-only) sessions are allowed when a specific patient has technological limitations, accessibility needs, or a preference that makes video impractical. Document the reason in the session note when using audio-only.

In-person visit requirement (effective January 30, 2026). For new Medicare patients, you must conduct an in-person, non-telehealth visit within six months before the first mental health telehealth service. Patients who were already in treatment as of January 30, 2026 are considered established and instead need at least one in-person visit every 12 months going forward.

Billing. Use standard mental health CPT codes (90837, 90834, 90832, etc.) with Place of Service code 02 (telehealth, patient not at home) or 10 (telehealth, patient at home). Confirm the correct modifier with your billing software — requirements vary by payer for non-Medicare claims.

For private insurance, telehealth parity laws in most states require reimbursement at in-person rates, but parity laws vary by state and plan type. Verify rates and modifier requirements directly with each contracted payer.

---

Physical Setup and Technical Environment

The HIPAA Security Rule requires “reasonable safeguards” for electronic PHI. For telehealth that means:

• A private room with a closed door. If you work from home or a shared office, add a white noise machine outside the door.
• Headphones. Reduces the chance of audio traveling beyond the room.
• Encrypted, password-protected devices. Your computer screen should auto-lock when unattended.
• A stable internet connection. Wired ethernet is preferable for video reliability — an unstable connection disrupts sessions clinically, not just technically.
• A documented backup plan. If the platform fails mid-session, you need a pre-agreed fallback — typically a direct phone call. State this in your telehealth consent form so clients know the plan before it’s needed.

Test audio and video before every session. A technical failure during a difficult clinical moment is more than inconvenient.

---

What Session Notes Must Document for Telehealth

Telehealth sessions require the same documentation as in-person sessions, with a few additional elements. For each telehealth note, include:

• The modality used (video or audio-only, and the platform)
• The client’s physical location at the time of service (city and state at minimum)
• If audio-only: the clinical or patient-preference reason
• The Place of Service code used for billing

These details matter during audits. A claim billed with POS 10 (patient at home) that lacks any documentation of the client’s location can be recouped. For the complete documentation standard that applies to both in-person and telehealth sessions, see How to Write Audit-Proof Therapy Progress Notes.

The APA Guidelines for the Practice of Telepsychology (updated August 2024) cover competency, informed consent, confidentiality, and cross-jurisdiction practice in detail — worth reading before launching a telehealth practice regardless of your license type.

For the full practice setup context — credentialing, HIPAA, billing, and document system — see the private practice setup guide.

---

Frequently Asked Questions

Can I see a client who moves to another state?

Only if you hold an active license or compact privilege in the state where the client is physically located at the time of each session. Verify this before the first session in their new state, not after. The Counseling Compact and PSYPACT provide the main multi-state paths for counselors and psychologists respectively; LCSWs and MFTs typically need individual state licenses.

Does my malpractice insurance cover telehealth sessions?

Most professional liability policies now cover telehealth, but coverage terms vary — especially for sessions with out-of-state clients. Verify with your carrier before offering telehealth to clients in compact-privilege states, and get the confirmation in writing.

Can I record telehealth sessions for supervisory or training purposes?

Recording requires explicit, written client consent and must comply with your state’s recording laws (some states require all-party consent). Session recordings that are stored are PHI and subject to all HIPAA requirements: secure storage, access controls, and retention per your state’s record retention schedule. Most solo practitioners choose not to record sessions to avoid the additional compliance overhead.