Is Online Therapy Secure? Privacy, HIPAA, and What to Know
A practical guide to online therapy security, covering HIPAA compliance, platform safety, encryption, red flags, and what you can do to protect your privacy.
The Honest Answer: It Depends on the Platform and the Practices
Online therapy can be very secure — but it is not automatically secure. The level of privacy protection you get depends on what platform your therapist uses, how their practice handles data, and what steps you take on your end. Understanding what "HIPAA compliant" actually means, and what it does not, will help you make informed decisions about your care.
What HIPAA Actually Requires for Online Therapy
HIPAA — the Health Insurance Portability and Accountability Act — sets the baseline for health data privacy in the United States. For online therapy, HIPAA requires:
- Encryption in transit. Video and audio streams must be encrypted so that no one can intercept the content of your session as it travels between your device and your therapist's device.
- Encryption at rest. If any session data is stored (such as chat messages or session notes), it must be encrypted on the server.
- Business Associate Agreements (BAAs). Your therapist's practice must have a signed BAA with any technology vendor that handles your protected health information (PHI). This means the platform vendor is legally obligated to protect your data under HIPAA.
- Access controls. Only authorized people — your therapist and relevant clinical staff — should be able to access your records.
- Audit trails. The system should log who accesses your information and when.
- Breach notification. If your data is compromised, your provider is required to notify you.
Common Platforms and Their Security Features
Most therapists in private practice use one of a handful of platforms for telehealth. Here is how the major ones compare:
Telehealth Platform Security Comparison
| Platform | HIPAA Compliant | BAA Available | End-to-End Encryption | Notes |
|---|---|---|---|---|
| SimplePractice | Yes | Yes | Yes (video) | All-in-one EHR with built-in telehealth |
| Doxy.me | Yes | Yes | Yes | Free tier available; no downloads required |
| Zoom for Healthcare | Yes | Yes | Optional (must enable) | Different from regular Zoom — requires healthcare plan |
| Google Meet (Workspace) | Yes (with BAA) | Yes (paid plans) | In transit only | Requires Google Workspace with BAA signed |
| TherapyNotes | Yes | Yes | Yes (video) | EHR with integrated telehealth |
| VSee | Yes | Yes | Yes | Designed for healthcare; low bandwidth |
| Regular Zoom (free) | No | No | Yes | Not HIPAA compliant — no BAA |
| FaceTime | No | No | Yes | Apple does not sign BAAs |
| Skype | No | No | Yes | Microsoft does not offer a BAA for Skype |
| WhatsApp | No | No | Yes | End-to-end encrypted but not HIPAA compliant |
An important distinction: a platform can have strong encryption but still not be HIPAA compliant if the vendor does not sign a BAA. FaceTime and WhatsApp are both end-to-end encrypted, but Apple and Meta do not sign business associate agreements, which means they are not legally bound to HIPAA requirements for your therapy data.
Red Flags: When to Be Concerned
Not every therapist offering online sessions is using appropriate security practices. Watch for these warning signs:
- Your therapist asks you to use regular Zoom, Skype, FaceTime, or WhatsApp. While these tools may have encryption, they are not HIPAA compliant for healthcare use without a BAA.
- No mention of privacy practices. Your therapist should be able to tell you what platform they use and confirm it is HIPAA compliant. If they cannot answer basic questions about their technology, that is a concern.
- Sessions are recorded without your knowledge or consent. Your therapist should never record a session without discussing it with you first. Most therapists do not record sessions at all.
- Unencrypted email communication about clinical details. Standard email (Gmail, Yahoo, Outlook) is not HIPAA compliant for sharing therapy notes, diagnoses, or detailed clinical information. Secure patient portals should be used instead.
- Pressure to communicate via text message. Standard SMS texts are not encrypted or HIPAA compliant. If your therapist communicates clinical information via text, that is a privacy risk.
What Your Therapist Should Be Doing
A responsible online therapist will have these practices in place:
- Using a HIPAA-compliant video platform with a signed BAA from the vendor.
- Providing you with a Notice of Privacy Practices that explains how your information is collected, used, and protected — including specifics about telehealth. The APA telepsychology guidelines outline best practices for providers delivering therapy online.
- Conducting sessions from a private location where they cannot be overheard. Your therapist should not be taking your session from a coffee shop or open office.
- Using secure messaging through a patient portal (like SimplePractice or TherapyNotes) rather than standard email or text for clinical communication.
- Having a plan for technology failures. If the video connection drops, your therapist should have a protocol — such as switching to a phone call — rather than texting you clinical information to troubleshoot.
What You Can Do to Protect Your Privacy
Security is a two-way responsibility. Here is what you can do on your end:
- Use a private space. Find a room where you will not be overheard. If you live with others, consider using a white noise machine or fan outside your door. Sitting in your car in a quiet parking area is another option some people use.
- Use headphones. This prevents anyone nearby from hearing your therapist's side of the conversation.
- Avoid public Wi-Fi. Coffee shop and airport Wi-Fi networks are less secure. Use your home network or your phone's cellular data instead.
- Keep your device updated. Software updates patch security vulnerabilities. An outdated operating system is more susceptible to exploits.
- Use a strong password on your patient portal and do not reuse passwords from other accounts.
- Know who can see your screen. Close unnecessary browser tabs and applications before your session. Make sure no one can see your screen from behind you.
- Ask about session recordings. If your therapist records sessions (some do for training or supervision purposes), they should obtain your written consent first. You have the right to decline.
Therapy Apps and Data Privacy: A Different Conversation
Therapy platforms like BetterHelp and Talkspace are HIPAA-compliant healthcare providers, but they have faced scrutiny over data practices. In 2023, the FTC fined BetterHelp $7.8 million for sharing user data with third parties for advertising purposes. While BetterHelp has since changed its practices, this case illustrates that HIPAA compliance and corporate data practices are not always the same thing.
If you use a therapy app or platform, review their privacy policy carefully. Look for:
- Whether they share data with third parties
- What data they collect beyond session content (app usage, browsing behavior, etc.)
- Whether they use your data for advertising or product development
- How long they retain your data after you stop using the service
This is not a reason to avoid these platforms, but it is a reason to read the fine print.
Comparing Online vs. In-Person Privacy
It is worth noting that in-person therapy has its own privacy limitations. Someone could see you walking into a therapist's office. Thin walls in a building could allow conversations to be overheard. Paper records can be lost or stolen. Insurance claims reveal that you are receiving treatment regardless of whether it is in-person or online.
Online therapy introduces different risks (data breaches, unsecured platforms) but also offers some privacy advantages — nobody sees you enter a building, and you control your physical environment. For general guidance on telehealth privacy and security, see the HHS telehealth resource center.
If you are using a work computer or work Wi-Fi, your employer could potentially see that you accessed a telehealth platform, though they would not be able to see the content of your encrypted session. To avoid this, use a personal device and your own internet connection for therapy sessions. If you use a personal phone on cellular data, your employer has no visibility into your activity.
With a properly configured HIPAA-compliant platform using end-to-end encryption, intercepting a live therapy session is extremely difficult. The more realistic risks are someone in your physical environment overhearing your session, or a data breach at the platform level that exposes stored information. Using headphones and a private space addresses the first risk, and choosing a reputable platform with a strong security track record addresses the second.
Most therapists store their notes in an electronic health record (EHR) system, whether they see you in-person or online. These systems are HIPAA compliant and use encryption. The risk of a data breach exists with any digital system, but HIPAA-compliant EHRs are held to specific security standards. Your session itself is not typically recorded or stored — only your therapist's clinical notes are saved.
Standard phone calls over cellular networks have basic encryption but are not as strongly encrypted as HIPAA-compliant video platforms. However, intercepting a phone call is still very difficult in practice. If security is a top concern, using a HIPAA-compliant platform's audio feature (which routes through their encrypted system) is more secure than a regular phone call.
The Bottom Line
Online therapy is secure when your therapist uses a HIPAA-compliant platform with a signed BAA, and when both you and your therapist take reasonable precautions. The key factors are the platform's encryption and compliance status, your therapist's data handling practices, and your own environment and device security. If you are uncertain about your therapist's setup, ask them directly — a good therapist will welcome the question and be transparent about their security practices.