For most therapy and counseling practices, telehealth is no longer a backup option. It is how a large share of sessions now happen, and that convenience carries a compliance obligation many small practices have not caught up with. The pandemic-era rules that let providers use almost any video app expired in 2023, and a major update to substance use disorder record rules reached its compliance date in February 2026. If your practice handles mental health or addiction records, the bar for protecting that data is now higher, and clearer, than ever.
Behavioral health data is a high-value target
Mental health and substance use records are among the most sensitive information a person can share. That makes them valuable to criminals and damaging when exposed. In 2025, healthcare organizations reported a record 772 large data breaches to federal regulators, exposing the protected health information of roughly 140 million people, according to the HIPAA Journal’s analysis of the HHS breach portal. Most of those incidents traced back to compromised network servers and email accounts, not exotic attacks. Small practices are not too small to be noticed, because those attacks are automated and scan for weak defenses regardless of practice size.
The telehealth rules tightened in 2023
During the COVID-19 public health emergency, the HHS Office for Civil Rights used enforcement discretion so providers could deliver telehealth over consumer apps that were not fully HIPAA compliant. That flexibility ended. After a short transition period, OCR’s enforcement discretion expired at 11:59 p.m. on August 9, 2023.
Since then, every behavioral health provider offering telehealth is expected to use platforms that meet HIPAA requirements. In practice, that means two things. First, the video or messaging vendor must be willing to sign a business associate agreement, because the platform creates, receives, or stores protected health information on your behalf. Second, the tool itself needs appropriate safeguards such as encryption and access controls.
A compliant telehealth setup generally needs:
- A signed business associate agreement with every platform that touches patient information
- Encryption of video, audio, and messaging while data is in transit
- Individual logins and strong authentication, not one shared account
- Session and access logging so you can see who connected to what
- Clear policies for recording, storage, and verifying patient identity
Free consumer versions of popular video apps usually will not sign a business associate agreement, which is why a paid healthcare-grade plan or a purpose-built behavioral health platform is the safer route.
42 CFR Part 2 changed for substance use records
If your practice treats substance use disorders and receives federal assistance, a second rulebook applies on top of HIPAA. It is known as 42 CFR Part 2, and it has historically been stricter than HIPAA about sharing addiction treatment records.
In 2024, HHS finalized a rule that brings Part 2 into closer alignment with HIPAA, with a compliance date of February 16, 2026. Among other changes, it lets a patient give a single consent for future uses and disclosures for treatment, payment, and health care operations, and it applies the HIPAA Breach Notification Rule to breaches involving Part 2 records, according to HHS. In practice, your consent forms, record-sharing workflows, and breach response plan all need to reflect the current rule, not a version set up years ago.
The IT foundation behind a compliant practice
Telehealth and Part 2 sit on top of the HIPAA Security Rule, which still sets the baseline for protecting electronic records. The core requirements have not gone away, and they are where most practices have gaps.
- A current security risk analysis that documents where patient data lives and how it is protected
- Multi-factor authentication on email, your EHR, and remote access
- Encryption on laptops, phones, and backups
- Tested, isolated backups so a ransomware attack cannot erase your records
- Signed business associate agreements with every vendor that handles patient data, from your EHR to your telehealth tool
A documented security risk analysis is the foundation regulators look for first, and it is also the fastest way to find the gaps that lead to breaches. From there, managed IT built for healthcare and a layered cybersecurity program keep those controls working day to day. If you also send appointment reminders or messages to clients, our guide to texting patients under HIPAA covers the rules that apply there. For the full picture, our HIPAA compliance services page explains how the pieces fit together.
Frequently asked questions
Is FaceTime or free Zoom HIPAA compliant for therapy sessions?
Standard consumer FaceTime and free Zoom are not appropriate for telehealth, because the vendor will not sign a business associate agreement. You need a healthcare-grade plan or platform that offers a signed agreement and the right safeguards. The pandemic-era exception that allowed consumer apps ended on August 9, 2023.
Does my practice need a business associate agreement with its telehealth vendor?
Yes, if the platform creates, receives, or stores patient information on your behalf, which video and messaging tools do. A signed business associate agreement is required before you use the tool with patients.
What is 42 CFR Part 2 and does it apply to me?
Part 2 is a federal rule protecting the confidentiality of substance use disorder treatment records held by federally assisted programs. If you provide that kind of treatment, it applies in addition to HIPAA. The updated rule’s compliance date was February 16, 2026.
We are a small or solo practice. Are we really a target?
Yes. Most breaches come from automated attacks on email and servers, and from missing basics like multi-factor authentication, none of which depend on practice size. Smaller practices are often easier targets because they have fewer defenses in place.
Where should we start if we are not sure we are compliant?
Begin with a documented security risk analysis. It shows where your data lives, where the gaps are, and what to fix first, and it is something regulators expect every practice to have.
Get a clear answer on where your practice stands
Not sure whether your telehealth setup, consent forms, and IT controls would hold up under scrutiny? Atlantic Computer Systems helps behavioral health and medical practices across the Bay Area, New England, and nationwide close those gaps before they become breaches. Book a free IT and security consultation at https://calendly.com/glewis-acs-tech/free-it-security-assessment or call 1-650-300-7557, and we will help you build a telehealth and compliance setup you can trust.