If you know your obligations as a healthcare provider, choosing online therapy platforms that comply with HIPAA and other regulations isn’t difficult.
We’ve had the technology to operate online therapy platforms for at least a decade. However, the concept only took off in earnest after the initial years of the coronavirus pandemic, when everyone had to adapt to social distancing norms.
Since then, the popularity of online therapy has skyrocketed. Everyone has become more comfortable with online sessions but with one caveat: platforms must do everything possible to protect patient privacy.
So, what are online therapy platforms’ legal obligations regarding privacy concerns? That varies depending on your location, but in most places, they primarily need to respect the Health Insurance Portability and Accountability Act (HIPAA) and the General Data Protection Regulation (GDPR) of the European Union.
Let’s explore what this means in practice.
Online Therapy Platforms: Balancing Mental Health Needs with Privacy
Group therapy conducted on online platforms introduces unique challenges to patient privacy, as sensitive mental health discussions are shared in a virtual group setting. Therapists and platform providers must comply with legal standards like HIPAA to protect participants’ confidentiality through encrypted communications, secure data storage, and clearly defined consent protocols.
Adhering to comprehensive online group therapy guidelines helps ensure that patient trust is maintained, legal obligations are met, and group members feel safe sharing their experiences without fear of a data breach or misuse of their personal information.
Now that we understand the importance of protecting patient privacy, let’s examine the legal aspect of this process. Specifically, which laws must online therapy platforms comply with to ensure their safe and legal operation?
Legal Framework For Patient Privacy
In theory, each country can define its own patient privacy laws. Those laws apply to websites hosted in that country and to websites operated by its citizens.
In practice, however, most therapy platforms in the developed world follow the guidelines of a few key regulations. These are laws formed in influential jurisdictions like the EU, the United States, and Canada. Most online therapy platforms target citizens of these countries and want to appear on search engines and social media platforms that comply with these laws.
That’s why a few key pieces of legislation matter most for patient privacy, including:
- General Data Protection Regulation (GDPR)
- Personal Information Protection and Electronic Documents Act (PIPEDA)
- Health Insurance Portability and Accountability Act (HIPAA)
This article will primarily focus on HIPAA because the other two pieces of legislation contain broadly similar clauses.
Health Insurance Portability and Accountability Act (HIPAA)
All online therapists have to comply with HIPAA privacy standards while providing care. While this piece of legislation contains many provisions, in this context, therapy providers must not disclose private information about clients to third parties without the client’s knowledge and consent.
Note that this isn’t limited to intentional disclosure. Therapists are liable even if they leak patient information accidentally, for example through hijacked calls, data breaches, or other online attacks. As a result, choosing the right online therapy platform is essential to avoiding uncomfortable legal proceedings later.
This matters because patients share private information with their healthcare providers, including information about their psychological and other health issues. Attackers who obtain this data could use it to blackmail and extort patients, who may prefer to pay rather than suffer the embarrassment of their medical information being made public.
To avoid this, as a therapist, you must use HIPAA-compliant online therapy platforms.
These platforms are designed to ensure:
- Only authorized users, meaning therapists and patients, can access them,
- Client information is encrypted and protected,
- Constant monitoring for security breaches is in effect.
Online therapists can ensure that their tech vendors provide HIPAA-compliant platforms by signing a business associate agreement (BAA) with each vendor. This legal document is required because technology vendors inevitably have access to patient information.
Which Technologies Can You Use?
Considering the rules above, you’d be right to ask which software you can use as a therapist to communicate with your clients.
It’s important to note that there’s an exception to the BAA rule mentioned above. You can use certain software without signing a BAA with their providers if the software:
- Doesn’t make copies of protected patient data,
- Doesn’t have access to the data itself.
That means you don’t have to sign a BAA for pure transmission software, such as Zoom, Skype, or FaceTime, because, unlike email providers and instant messaging apps, this software doesn’t store any client data.
However, this also means that iMessage, SMS, and instant messaging apps do require a BAA. Therapists must, therefore, use only software from vendors that specifically offer secure messaging features for online therapy.
As a result, you’re not allowed to communicate client information via ordinary email. Clients can send an email to you as a therapist because they aren’t the ones who have to comply with HIPAA. However, you can only respond via HIPAA-compliant platforms.
Some rudimentary communication can be performed via email, but a therapist can never use it to transmit personal patient information. However, there are end-to-end encrypted email services that are considered HIPAA compliant.
Can You Use Video Chat?
Using online video platforms is fine as long as their vendors comply with basic HIPAA rules. The platform must encrypt the video call and never record videos of the online therapy session, which would mean they’re keeping client data.
Nowadays, the most popular video chat platforms for business meetings are HIPAA-compliant and ready to sign a BAA if you want to use them as online therapy platforms.
Wrapping Up
If you know your obligations as a healthcare provider, choosing online therapy platforms that comply with HIPAA and other regulations isn’t difficult. Just bear in mind that these laws extend beyond your preferred digital platform. While performing video calls, you must also ensure you’re in a safe environment where you won’t be interrupted by anyone.