Secure Messaging and Telehealth Platforms for Therapists

Overview
Telehealth has transformed from a pandemic necessity to an essential component of mental health care. Over 60% of therapy sessions now include some telehealth component, and secure client communication has become standard practice.
Details
This guide helps you navigate the landscape of HIPAA-compliant telehealth and secure messaging platforms, comparing features, costs, and implementation considerations.
Understanding HIPAA Requirements
What HIPAA Requires for Telehealth
Before evaluating platforms, understand the HIPAA requirements that govern telehealth and electronic communication.
Technical safeguards required:
- End-to-end encryption for video and messaging
- Secure transmission (TLS 1.2 or higher)
- Unique user identification and authentication
- Automatic session termination
- Audit controls and access logs
- Data integrity controls
Administrative requirements:
- Business Associate Agreement (BAA) with vendor
- Documented security policies
- Staff training on secure platform use
- Risk assessment including telehealth
Key point: The platform must sign a BAA. Without a BAA, even a technically secure platform doesn't meet HIPAA requirements for PHI.
What Platforms Are NOT HIPAA-Compliant
Do NOT use for therapy sessions:
- Regular Zoom (non-healthcare version)
- Skype (consumer version)
- FaceTime
- Google Meet (non-Workspace version)
- WhatsApp, iMessage, or SMS
- Standard email
These platforms may be secure in some ways but don't meet healthcare requirements or won't sign a BAA.
The Post-COVID Enforcement Landscape
During the pandemic, HHS exercised enforcement discretion allowing non-compliant platforms. That period has ended. The Office for Civil Rights now expects full compliance.
Current requirements:
- Must use HIPAA-compliant platforms
- BAAs required from all vendors
- Same security standards as in-person care
- State licensing laws apply (practice where patient is located)
For state-specific telehealth regulations, see our California telehealth guide.
Telehealth Platform Features
Essential Features
Every telehealth platform for therapy should include:
Video quality:
- HD video capability
- Stable connection management
- Bandwidth optimization
- Mobile device support
Session management:
- Virtual waiting room
- Session scheduling integration
- One-click join for clients
- Recording capability (with consent)
Security:
- End-to-end encryption
- No data storage on client devices
- Secure session links
- Authentication options
Usability:
- No client download required
- Browser-based access option
- Mobile app availability
- Easy connectivity from any device
Advanced Features
Features that enhance the telehealth therapy experience:
Clinical tools:
- Screen sharing for worksheets
- Virtual whiteboard
- Document sharing during session
- Assessment integration
Administrative:
- EHR integration
- Appointment reminders
- Automated documentation
- Analytics and reporting
Specialized capabilities:
- Group therapy support
- Couples therapy (split screen)
- Interpreter/support person access
- Breakout rooms for family therapy
Client Experience Considerations
The best platform is one clients will actually use.
Client-friendly features:
- Simple joining process (click link, join session)
- No app installation required
- Mobile-friendly interface
- Clear audio/video controls
- Waiting room experience
- Technical support available
Accessibility:
- Closed captioning options
- Screen reader compatibility
- Adjustable interface
- Low-bandwidth mode
Platform Categories
Integrated EHR Telehealth
What it is: Telehealth built into your practice management system.
Examples: Most modern mental health EHRs include telehealth.
Pros:
- Seamless scheduling integration
- One system for all functions
- Simplified client experience (one portal)
- Automatic documentation linking
- Single vendor relationship
Cons:
- May have fewer features than standalone
- Video quality varies
- Switching EHR means switching telehealth
Best for: Practices wanting simplicity and integration over advanced features.
For EHR selection guidance, see our EHR buyer's guide.
Standalone Telehealth Platforms
What it is: Dedicated telehealth platform used alongside your EHR.
Examples: Purpose-built healthcare video platforms.
Pros:
- Often superior video quality
- More advanced features
- Specialized for healthcare
- Can keep if you change EHR
Cons:
- Additional cost
- Integration requirements
- Multiple systems to manage
- Potential client confusion
Best for: Practices prioritizing video quality and advanced features.
General Healthcare Video Platforms
What it is: Video platforms designed for healthcare broadly, adaptable for therapy.
Examples: Healthcare versions of mainstream video platforms.
Pros:
- Familiar interface for clients
- Robust infrastructure
- Competitive pricing
- Broad integration options
Cons:
- Not therapy-specific
- May lack clinical features
- Could be overkill for small practices
Best for: Practices comfortable with technology wanting flexibility.
Secure Messaging Platforms
Why Secure Messaging Matters
Client communication between sessions is routine. Standard email and text don't meet HIPAA requirements.
Common uses for secure messaging:
- Appointment logistics
- Insurance/billing questions
- Brief clinical check-ins
- Resource sharing
- Coordination of care
Secure Messaging Options
Option 1: Client portal messaging
Most EHR systems include secure messaging within the client portal.
Pros: Integrated, no extra cost, all communication in one place
Cons: Clients must log into portal, may be less convenient
Option 2: Standalone secure messaging apps
Dedicated HIPAA-compliant messaging platforms.
Pros: App-like experience, convenient for clients, text-message feel
Cons: Additional cost, another system to manage
Option 3: Encrypted email services
HIPAA-compliant email platforms.
Pros: Email interface clients know, professional appearance
Cons: Email can feel formal, less immediate
Secure Messaging Best Practices
Regardless of platform:
Set expectations:
- Response time (e.g., within 24 hours)
- What's appropriate for messaging vs. session
- Emergency protocols
- Boundaries around availability
Sample messaging policy language:
"Secure messaging is available for non-urgent communication like scheduling changes, brief questions, and resource sharing. Messages are typically responded to within one business day. For clinical emergencies, please call 988 or go to your nearest emergency room. Secure messages are part of your clinical record."
Documentation: Include significant messages in clinical documentation as appropriate.
Implementation Guide
Step 1: Assess Your Needs
Questions to answer:
- What percentage of sessions will be telehealth?
- Do you need an integrated or a standalone platform?
- What features are essential vs. nice-to-have?
- What's your budget?
- How tech-savvy are your clients?
- Do you provide group therapy?
- What EHR are you using?
Step 2: Evaluate Platforms
Evaluation criteria:
| Category | Weight | Questions |
|---|---|---|
| HIPAA compliance | Required | BAA available? Encryption? Security certifications? |
| Video quality | High | HD support? Stability? Bandwidth management? |
| Client experience | High | Easy to join? Mobile-friendly? No download? |
| Integration | Medium-High | Works with your EHR? Calendar sync? |
| Features | Medium | Screen share? Recording? Waiting room? |
| Support | Medium | Help available? Training provided? |
| Price | Medium | Monthly cost? Per-provider or flat fee? |
Demo checklist:
- Test video quality in your environment
- Try the client experience (join as a client would)
- Test mobile experience
- Review security documentation
- Confirm BAA process
- Understand pricing and terms
Step 3: Legal and Administrative Setup
Before launching telehealth:
Sign BAA with telehealth vendor (required for HIPAA)
Update informed consent to include telehealth:
- Risks and limitations of telehealth
- Confidentiality protections
- Emergency protocols
- Recording policies (if applicable)
- Client responsibilities (private space, technology)
Verify licensing and insurance:
- Licensed in state where client is located during session
- Malpractice insurance covers telehealth
- Understand state-specific telehealth requirements
Establish policies:
- Telehealth eligibility criteria
- Technical requirements for clients
- Backup procedures if technology fails
- Documentation requirements
Reference: APA Telepsychology Guidelines
Step 4: Technical Setup
Your environment:
- Reliable internet (minimum 5 Mbps up/down, 10+ recommended)
- Quality webcam (720p minimum, 1080p preferred)
- Good microphone (USB microphone or quality headset)
- Adequate lighting (face well-lit, no backlighting)
- Professional, private background
- Backup internet option (mobile hotspot)
Test thoroughly:
- Run test sessions with colleagues
- Test from different devices
- Verify audio and video quality
- Practice troubleshooting common issues
Step 5: Client Preparation
Client setup instructions should include:
- How to access/join sessions
- Technical requirements (browser, app, internet)
- Creating private, confidential space
- Backup plan if technology fails
- How to contact you if issues arise
Sample client instructions:
"To join your telehealth session:
- Click the link in your appointment reminder email
- Allow camera and microphone access when prompted
- Ensure you're in a private space where you won't be overheard
- Have a phone nearby in case we need a backup connection
Technical requirements: A device with a camera and microphone, stable internet, and a current web browser. If you have trouble connecting, call [phone number]."
Step 6: Go-Live and Optimize
First week checklist:
- Monitor connection quality
- Gather client feedback
- Document any technical issues
- Adjust settings as needed
- Refine client instructions
Ongoing optimization:
- Review telehealth quality periodically
- Stay current with platform updates
- Refresh training as features change
- Monitor client satisfaction
Telehealth Best Practices for Therapy
Creating a Professional Telehealth Environment
Visual setup:
- Clean, professional background
- Face well-centered in frame
- Camera at eye level
- Minimal visual distractions
- Consistent environment session to session
Audio considerations:
- Quiet environment (no background noise)
- Good microphone positioning
- Consider noise-canceling features
- Test audio before sessions
Lighting:
- Light source in front of you (not behind)
- Soft, even lighting
- Avoid harsh shadows
- Natural light works well
Clinical Adaptations for Telehealth
Engagement techniques:
- More explicit verbal acknowledgment (nodding less visible)
- Direct eye contact (look at camera, not screen)
- Check in about what client sees/hears
- Address tech issues promptly
- Build in more pauses
Safety protocols:
- Verify client location each session
- Have emergency contacts on file
- Know local emergency resources for client's location
- Discuss safety plan in first session
- Have clear protocol for crisis during telehealth
Documentation:
- Note that session was via telehealth
- Document client location (state/jurisdiction)
- Record any technology issues
- Apply appropriate modifiers for billing (see our CPT codes guide)
Managing Technical Issues
Prevention:
- Test equipment regularly
- Keep backup options ready
- Advise clients on requirements
- Have pre-session connection check option
During session issues:
- Have phone backup ready
- Clear protocol for reconnection
- Don't let tech consume the session
- Document issues that occur
Common issues and solutions:
| Issue | Solution |
|---|---|
| Poor video quality | Turn off video; audio only |
| Audio echo | One person mute; use headphones |
| Connection drops | Reconnect; switch to phone if persistent |
| Client can't join | Send new link; provide phone support |
| Background noise | Mute when not speaking; suggest client adjustments |
Group Therapy Telehealth
Platform Requirements for Groups
Group telehealth has additional requirements:
Essential features:
- Support for enough participants (most therapy groups 6-12)
- Gallery view (see all participants)
- Mute controls (host can mute participants)
- Waiting room (control entry)
- Raise hand or reactions (facilitate participation)
Helpful features:
- Breakout rooms (for subgroups)
- Recording with consent
- Chat function (text support)
- Co-host capability
Group-Specific Best Practices
Structure:
- Clear participation guidelines
- Explicit turn-taking protocols
- Visual cues for wanting to speak
- Chat for non-urgent comments
- Muting guidelines
Confidentiality:
- Remind participants of confidentiality
- Require headphones in shared spaces
- Discuss recording prohibitions
- Address screenshots/recordings
Technical considerations:
- More bandwidth needed
- Longer connection time for all to join
- More troubleshooting required
- Consider co-facilitator for tech support
Billing for Telehealth Services
Telehealth Modifiers and Place of Service
Modifiers:
- 95: Synchronous audio-video telehealth
- 93: Audio-only (telephone) services where permitted
Place of Service codes:
- 02: Telehealth (patient at distant site)
- 10: Telehealth provided to patient at home
Payer-Specific Considerations
Medicare:
- CMS telehealth guidelines govern coverage
- Specific place of service and modifier requirements apply
- Audio-only expanded in recent years
Medicaid:
- State-specific rules
- California: See our Medi-Cal billing guide
Commercial payers:
- Policies vary by payer
- Most cover telehealth at parity with in-person
- Verify specific requirements
For complete billing guidance, see our CPT codes guide.
Cost Comparison
Pricing Models
Per-provider monthly:
- Range: $20-75/provider/month
- Most common model
- Usually includes unlimited sessions
Per-session pricing:
- Range: $1-5 per session
- Good for low-volume telehealth
- Costs scale with usage
Included with EHR:
- Range: $0 additional (part of EHR cost)
- Simplest option
- Features may be limited
Flat monthly fee:
- Range: $100-500/month regardless of providers
- Better value for larger practices
- Includes all features
Total Cost Considerations
Beyond subscription:
- Implementation/setup fees
- Training costs
- Integration costs
- Equipment (webcam, microphone, lighting)
- Internet upgrade if needed
ROI Calculation
Revenue impact of telehealth:
- Reduced no-shows (easier for clients to attend)
- Additional appointment capacity (no travel between locations)
- Extended service area (clients beyond driving distance)
- Weather-proof scheduling
- Filled schedule gaps with telehealth-only clients
Example:
- 20% no-show reduction = 2-3 recovered sessions/week
- At $150/session = $1,200-1,800/month additional revenue
- Platform cost of $50/month = excellent ROI
Security Incident Response
If Something Goes Wrong
Have a plan for security incidents:
Potential incidents:
- Unauthorized person joins session
- Recording discovered without consent
- Platform data breach
- Session credentials compromised
Response steps:
- End session immediately if active breach
- Document what occurred
- Contact platform security team
- Assess HIPAA breach notification requirements
- Notify affected clients if required
- Implement preventive measures
HIPAA breach assessment (reference: HHS Breach Notification Rule)
Factors determining whether breach notification is required:
- Was PHI actually accessed?
- What type of PHI was involved?
- Who accessed the information?
- Was the PHI actually acquired/viewed?
Frequently Asked Questions
Can I use Zoom for therapy?
Yes, but only Zoom for Healthcare (Zoom One for Healthcare), which includes a BAA and HIPAA-compliant features. The free consumer version of Zoom is not HIPAA-compliant.
What if my client has a crisis during a telehealth session?
Know the client's location and have emergency contacts on file. If there's immediate danger, contact local emergency services where the client is located. Consider having a protocol established from the first session.
Do I need separate consent for telehealth?
Yes. Your informed consent should specifically address telehealth, including risks, limitations, confidentiality considerations, and emergency protocols. Many state licensing boards require telehealth-specific consent.
Can I provide telehealth to clients in other states?
Only if you're licensed in the state where the client is located during the session. Some states have licensure compacts or temporary practice provisions, but most require full licensure. Check PSYPACT for psychologists or state-specific requirements for your license type.
Is audio-only (phone) therapy considered telehealth?
Yes, and most payers now cover it, though reimbursement may differ from video sessions. Use modifier 93 for audio-only services. Verify payer-specific coverage.
How do I handle couples therapy via telehealth when partners are in different locations?
Most platforms support this. Each partner joins from their location. Address confidentiality considerations (who might overhear at each location). Some platforms have split-screen features designed for this.
What if my client's video quality is poor?
Have a protocol: try audio-only, suggest they move closer to their router, or offer to continue by phone. Don't let technical issues dominate the session. Document issues that occur.
Looking for seamless telehealth integration? Ease Health includes HIPAA-compliant video therapy and secure messaging built directly into our EHR. No extra software, no additional cost. Schedule a demo to see how easy telehealth can be.


