
HIPAA Compliance Checklist for Remote Therapists

Use this HIPAA checklist for remote therapists to review video platforms, BAAs, messaging, storage, devices, workspace privacy, and key risks.

May 29, 2026 | 12 min read | By Content Team

A HIPAA checklist for remote therapists should cover more than the video platform. Remote therapy can involve video, audio, messaging, intake forms, clinical notes, billing details, cloud storage, devices, home Wi-Fi, and a private workspace. Each of those areas can affect privacy and security.

This guide is a practical starting point for licensed clinicians comparing remote therapy jobs or preparing a private telehealth workflow. It is not a substitute for legal or compliance advice, and it does not certify that any platform or practice is HIPAA compliant.

Quick Answer: HIPAA Checklist for Remote Therapists

Remote therapists should review:

Checklist area | What to verify
Role and responsibility | Are you an employee, contractor, private-practice owner, covered entity, or workforce member?
Approved platforms | Are video, messaging, phone, forms, and EHR tools approved for clinical use?
Business associate agreements | Are BAAs in place where required for vendors handling PHI?
Device security | Are devices password-protected, updated, encrypted where appropriate, and access-controlled?
Workspace privacy | Can others hear, see, record, or interrupt sessions?
Records and storage | Are notes and files stored only in approved systems?
Risk analysis | Has the practice or organization reviewed privacy and security risks?
Training and policies | Do you know your employer’s HIPAA, documentation, messaging, and incident-reporting procedures?

For job seekers, the key question is not simply “Is this platform HIPAA compliant?” A better question is: “What complete privacy and security workflow does this employer or practice require?”

1. Confirm Your HIPAA Role

Remote therapists work in different arrangements, and responsibilities can differ.

Work arrangement | Practical HIPAA question
Employee at a telehealth company | What policies, platforms, training, and reporting procedures does the employer require?
Contractor for a group practice | Which systems are approved, and what does the contract require?
Solo private-practice owner | Are you responsible for vendor selection, BAAs, policies, risk analysis, and staff training?
Supervised associate clinician | What can you access, document, message, and store under the supervising organization’s workflow?

Do not assume your role is the same in every job. HHS explains that HIPAA obligations differ for covered entities, business associates, and workforce members. A clinician using an employer-provided EHR may have different responsibilities than a solo clinician buying software directly. Confirm your status and obligations with your employer, practice, or qualified compliance counsel.

2. Verify Approved Telehealth Platforms

A remote therapy platform should be reviewed for privacy, security, workflow, and contract fit. HHS telehealth technology guidance explains that covered health care providers and health plans must use technology vendors that comply with HIPAA rules and enter into HIPAA business associate agreements when vendors provide video communication products or other remote communication technologies for telehealth.

Ask:

  • Is this platform approved by the employer or practice?
  • Does the vendor offer a business associate agreement when required?
  • Are the correct account type and settings being used?
  • Does the platform support secure waiting rooms, access controls, and session privacy?
  • Are recording features disabled unless specifically needed and approved?
  • Are chat, file sharing, and screen sharing configured appropriately?
  • Where are session data, transcripts, recordings, or messages stored?

Avoid using casual personal accounts for therapy sessions unless your organization has specifically approved the arrangement. A familiar app is not automatically appropriate for clinical care.

3. Check Business Associate Agreements

A business associate agreement, or BAA, is an important HIPAA contract concept. HHS explains that a covered entity may disclose protected health information to a business associate only if it obtains satisfactory assurances—usually in a written contract or other written agreement—that the associate will appropriately safeguard the information. If a vendor creates, receives, maintains, or transmits protected health information on behalf of a covered entity, a BAA may be required.

Common vendor categories to review:

Vendor type | Examples to check
Video platform | Telehealth video, waiting room, group session tools
EHR or practice management | Notes, scheduling, billing, client portal
Cloud storage | Documents, forms, recordings, exported reports
Email or messaging | Client communication, reminders, clinical messages
Phone/VoIP | Calls, voicemail, call logs, recordings
AI/transcription/scribing | Any tool that receives, stores, or processes PHI
Billing or payment | Claims, invoices, payment details

A BAA does not make every use automatically compliant. It is one part of a broader privacy and security program.

4. Review Video, Audio, and Messaging Rules

Remote therapists often use more than video. HIPAA risk can also appear in texts, voicemails, emails, reminders, and portal messages.

Checklist:

  • I use only approved video platforms for clinical sessions.
  • I do not send PHI through personal text, personal email, or unapproved messaging apps.
  • I understand what may be sent through appointment reminders.
  • I know whether voicemail messages are allowed and what they may include.
  • I know whether audio-only sessions are permitted by my employer, payer, and state rules.
  • I do not record sessions unless there is a documented, approved reason and consent process.
  • I know how to document failed connections or platform problems.

For remote jobs, ask whether the employer provides the platform or expects you to supply your own technology.

5. Secure Devices Used for Remote Therapy

Your device is part of your clinical environment. HHS describes the HIPAA Security Rule as requiring regulated entities to implement reasonable and appropriate administrative, physical, and technical safeguards to protect electronic protected health information.

Consider practices such as:

  • Strong password or passcode
  • Auto-lock after inactivity
  • Current operating system and browser updates
  • Security software where applicable
  • Separate user profile if others use the device
  • No shared family device for clinical work when avoidable
  • No saving PHI to desktop folders, downloads, or personal drives
  • Multi-factor authentication when required
  • Secure disposal or transfer process for old devices

If you use a personal device for employer work, follow the employer’s bring-your-own-device policy. Do not assume personal convenience is acceptable for clinical data.

6. Protect Your Home Office

HIPAA privacy is not only digital. Remote therapy also creates physical privacy risks.

Home-office checklist:

  • Sessions happen in a private room.
  • Others cannot hear the client.
  • Headphones are used if privacy is uncertain.
  • Doors and windows are managed for sound and visibility.
  • Smart speakers, home assistants, and unnecessary recording devices are off or away.
  • Client names and notes are not visible on paper or screens.
  • Printed materials are stored securely.
  • Family members, roommates, and visitors know not to interrupt.
  • The camera background does not show private information.

A quiet room is not enough if someone can overhear through a door or see your screen from behind you.

7. Handle Records, Notes, and Downloads Carefully

Remote therapists may be tempted to use personal tools to stay organized. That can create avoidable risk.

Avoid:

  • Drafting notes in personal documents
  • Saving screenshots of client information
  • Downloading reports to an unmanaged personal computer
  • Storing intake forms in personal cloud drives
  • Copying client details into unapproved calendars or task apps
  • Using personal AI tools for clinical notes
  • Leaving printed notes in a home workspace

Use the approved EHR or record system. If you need a temporary workflow, get approval from your employer, supervisor, or compliance contact first.

8. Review Cloud Storage and AI Tools

Cloud storage, transcription, and AI tools deserve special attention because they can receive, maintain, or process PHI. Treat vendor review, access controls, retention, and risk analysis as part of a broader security workflow, not as a one-time software choice.

Before using any tool with clinical information, ask:

Question | Why it matters
Does the vendor handle PHI? | Determines whether HIPAA vendor obligations may apply
Is there a BAA if required? | Required in many covered-entity/vendor relationships
Where is data stored? | Relevant to security, access, and retention
Does the tool train models on submitted content? | Important for AI and transcription tools
Can data be deleted or exported? | Relevant to record retention and incident response
Is the tool approved by the employer? | Personal tool choices may violate policy

Do not paste client information into consumer AI, note-taking, transcription, or productivity tools unless the organization has specifically approved that workflow and addressed privacy and security requirements.

9. Create an Incident-Response Habit

Every remote therapist should know what to do if something goes wrong.

Examples:

  • You send a message to the wrong client.
  • A family member overhears part of a session.
  • Your laptop is lost or stolen.
  • A session recording is accidentally saved.
  • A client uploads documents to the wrong place.
  • You realize an unapproved app stored PHI.
  • Your account is accessed unexpectedly.

Checklist:

  • I know who to notify.
  • I know the required timeline or urgency.
  • I do not try to hide or quietly fix potential incidents.
  • I preserve relevant details.
  • I follow employer or practice policy.
  • I avoid making promises to clients before the situation is reviewed.

Fast internal reporting matters. The right response depends on the facts, policy, and legal requirements. Follow your organization’s incident-response procedures and consult the responsible privacy, security, or compliance contact rather than trying to resolve potential PHI incidents informally.

10. Printable HIPAA Checklist for Remote Therapists

Use this checklist as a starting point. Adapt it to your employer, practice, state, and compliance policies.

Platform and vendor checklist

  • Video platform approved for clinical use
  • EHR or practice-management system approved
  • Messaging tools approved
  • Email process approved
  • Phone or VoIP process approved
  • Cloud storage approved
  • AI, transcription, or scribing tools reviewed before use
  • BAAs confirmed where required
  • Vendor settings reviewed periodically

Session privacy checklist

  • Private room
  • Headphones available
  • Screen not visible to others
  • Notifications silenced
  • Client identity and location workflow followed
  • Other people in the room addressed when clinically appropriate
  • Recording disabled unless approved
  • Disconnection plan ready

Device checklist

  • Password or passcode enabled
  • Auto-lock enabled
  • Software updated
  • MFA enabled where required
  • No PHI stored in personal notes apps
  • No PHI downloaded to unapproved folders
  • Device backup and disposal policies understood
  • Work account separated from personal use where possible

Documentation checklist

  • Notes entered in approved record system
  • Intake and consent stored appropriately
  • Emergency plan documented
  • Telehealth consent documented when required
  • Messages and attachments filed according to policy
  • Corrections and late entries handled according to policy

Training and policy checklist

  • HIPAA training completed
  • Telehealth policy reviewed
  • Incident-reporting process understood
  • Employer or practice contact identified
  • State privacy requirements reviewed where relevant
  • Risk analysis or security review completed or reviewed by the responsible party

Platform Examples: What to Verify

Clinicians often ask whether tools like SimplePractice, Doxy.me, or Zoom for Healthcare are “HIPAA compliant.” A safer way to evaluate them is to verify the details.

Platform example | What to verify
SimplePractice | Current BAA terms, account settings, telehealth configuration, data workflows
Doxy.me | Current HIPAA statements, BAA availability, plan features, waiting-room settings
Zoom for Healthcare | Correct healthcare/BAA arrangement, admin settings, recording controls, user permissions
Employer-provided platform | Required training, documentation rules, support process, permitted features

The same product name can have different plans, settings, or contract terms. Always verify the current arrangement.

How to Use This Checklist Before Applying

If you are applying for remote therapist jobs, use this checklist to prepare for interviews.

Ask employers:

  • What telehealth platform do you use?
  • Is the platform provided by the employer?
  • Do clinicians use personal devices or employer-issued devices?
  • What HIPAA training is required?
  • How are BAAs and vendor reviews handled?
  • How are client messages documented?
  • What is the process for disconnections or emergencies?
  • Are sessions recorded?
  • What support is available during technical or privacy issues?

Then compare roles on ClinicianRemote’s therapy jobs page or search all remote clinician jobs. If you are still building your remote career plan, review licensure guides and subscribe to the Weekly Digest.

HIPAA Checklist FAQs

Is Zoom HIPAA compliant for therapy?

Do not evaluate Zoom only by product name. For clinical use, verify the account type, BAA arrangement, administrative settings, recording controls, and employer or practice policies. Many organizations use healthcare-specific Zoom arrangements, but casual personal use is not the same thing.

Do therapists need a BAA for telehealth software?

A BAA may be required when a vendor creates, receives, maintains, or transmits PHI on behalf of a HIPAA covered entity. HHS states that the satisfactory assurances from a business associate must be in writing, whether as a contract or other agreement. Confirm with official guidance, the vendor, your organization, and qualified compliance counsel.

Is a HIPAA-compliant video platform enough?

No. A platform is only one part of a HIPAA workflow. You also need appropriate policies, training, device security, workspace privacy, secure records, incident reporting, and risk review.

Can I text clients from my personal phone?

Do not use personal texting for clinical information unless your employer or practice has clearly approved the process and addressed privacy, security, documentation, and consent requirements.

Can remote therapists use AI note-taking tools?

Only if the tool and workflow have been reviewed and approved for PHI use by the responsible organization. Do not put client information into consumer AI tools without approval and appropriate safeguards.

What is the most common HIPAA risk for remote therapists?

Common risks include unapproved messaging, weak device security, overheard sessions, accidental downloads, unclear BAA status, and personal tools used for clinical information.

Disclaimer

This guide is general educational information for US mental-health clinicians. It is not legal advice, compliance advice, clinical advice, or a HIPAA certification checklist. HIPAA obligations depend on your role, organization, vendors, contracts, state laws, and facts. Confirm requirements with official HHS/OCR guidance, your employer or practice, and qualified legal or compliance counsel.

Browse Remote Therapist Jobs

Looking for roles with clear telehealth workflows and employer-provided systems? Browse remote therapist jobs, search all remote clinician jobs, or join the Weekly Digest for new remote clinician listings.
