The telehealth expansion since 2020 brought a wave of platforms claiming HIPAA compliance — and a corresponding wave of therapists discovering that "we take security seriously" does not mean the same thing as a signed Business Associate Agreement. The distinction matters more than most practitioners realize until a compliance review lands in their inbox.
This guide covers six platforms that regularly appear in therapist evaluations: Doxy.me, SimplePractice Telehealth, TherapyNotes, Zoom for Healthcare, VSee, and MindDesk. For each: what HIPAA compliance actually means for that platform, what it costs, what the workflow experience looks like, and who it's best suited for.
If you need a compliance foundation first, our HIPAA compliance checklist for therapy practice technology covers the full requirements — BAA, data storage, access controls, and breach notification — before you evaluate any specific platform.
What HIPAA Compliance Actually Requires for Telehealth
HIPAA compliance for a telehealth platform has three non-negotiable elements:
- Signed Business Associate Agreement (BAA). Any platform that receives, stores, or transmits protected health information (PHI) on your behalf is a "business associate" under HIPAA. Before you use it for patient sessions, it must sign a BAA. This is not optional, not implied by a terms-of-service checkbox, and not substituted by the platform's general privacy policy.
- End-to-end encryption. Video and audio data must be encrypted in transit — standard is AES-256 or TLS 1.2+. Some platforms encrypt in transit but not at rest; for clinical platforms that record or store session data, both matter.
- Access controls and audit logging. Only authorized users should be able to access sessions or session records, and access events should be logged for audit purposes.
The BAA is where most therapist compliance gaps occur. Standard Zoom does not offer BAAs on consumer plans. Google Meet does not offer BAAs outside of Google Workspace for Healthcare. FaceTime, WhatsApp, and standard Skype do not offer BAAs period. If you're using any of those for patient sessions, you are not in compliance — regardless of how secure the video quality feels.
A signed BAA does not make a platform HIPAA-compliant on its own — but the absence of a BAA makes any platform automatically non-compliant. Before evaluating features, confirm whether the platform offers a BAA at your pricing tier. Several platforms (including Zoom) only offer BAAs on higher-cost healthcare-specific plans.
At a Glance: HIPAA Compliance & Pricing Comparison
| Platform | HIPAA Compliant | BAA Available | Solo Price | Telehealth Cost | Standalone or Integrated |
|---|---|---|---|---|---|
| Doxy.me | ✓ Yes | ✓ All plans | Free – $35/mo | Included | Standalone only |
| SimplePractice | ✓ Yes | ✓ All plans | $69/mo (Essential) | Included Essential+ | Integrated (EHR) |
| TherapyNotes | ✓ Yes | ✓ All plans | $49/mo | +$10/mo add-on | Integrated (EHR) |
| Zoom for Healthcare | ⚠ Healthcare plan only | ⚠ Healthcare plan only | $200+/mo | Included | Standalone only |
| VSee | ✓ Yes | ✓ All plans | Free – $49/mo | Included | Standalone only |
| MindDesk | ✓ Yes | ✓ All plans | $49/mo | Included (no add-on) | Integrated (full practice management) |
Prices as of May 2026. Verify on each platform's pricing page — telehealth pricing has shifted frequently in the past 12 months.
The 6 Platforms in Detail
Doxy.me
Doxy.me is the default answer when a therapist asks "what's the simplest HIPAA-compliant video tool?" It does one thing: browser-based video sessions with a waiting room. No download required for patients. BAA included on the free tier. For a therapist who already has a practice management system and just needs a compliant video layer, Doxy.me's free plan is the most frictionless starting point in this comparison.
The free plan is genuinely functional — unlimited sessions, a customizable waiting room link, and HD video. The paid tiers ($35/mo Professional) add session notes within the platform, group sessions, and basic analytics. What Doxy.me doesn't do: scheduling, intake forms, billing, or any EHR functionality. It's video and nothing else. Every other workflow lives in a separate system.
- Free plan with full HIPAA compliance and BAA
- No patient download required — browser-based
- Extremely simple setup — under 5 minutes
- Customizable waiting room with your branding
- Widely recognized — patients familiar with it
- Video only — no scheduling, intake, or billing
- Requires separate systems for all other workflows
- No integration with most EHRs out of the box
- Free tier: limited waiting room customization
- No mobile app (browser-only on all tiers)
Therapists who already have a practice management system and need only a compliant video layer. Solo practitioners wanting the lowest-cost entry point for telehealth without replacing their existing workflow.
SimplePractice Telehealth
SimplePractice's telehealth is integrated directly into its EHR — sessions launch from the appointment record, session notes attach to the video event, and billing is pre-populated from the session. For therapists already using SimplePractice for their full practice management stack, the telehealth experience is seamless: one platform, one workflow, no external tools.
The integration quality is the strongest argument for SimplePractice Telehealth over a standalone tool. Patients receive their telehealth link in the automated reminder, click to join from their mobile or desktop without any download, and the session populates directly into the clinical workflow. The trade-off is cost: you need the Essential plan at minimum ($69/mo), which is meaningfully more expensive than Doxy.me or VSee if telehealth is your only need. And SimplePractice's broader per-claim and per-SMS fees apply on top — see our practice management software comparison for the all-in cost analysis.
- Fully integrated — telehealth lives inside the EHR
- Session links auto-sent in appointment reminders
- No patient download required
- Notes and billing flow directly from session
- Mature, stable platform used by 250,000+ clinicians
- Requires $69/mo Essential plan minimum
- Per-claim and per-SMS fees on top of base price
- Not available as standalone — must use full platform
- Locked into SimplePractice ecosystem
- Group sessions limited on lower tiers
Therapists already using SimplePractice who want integrated telehealth without managing a separate tool. Not the right choice if you only need video — the base platform cost is too high for that use case alone.
TherapyNotes
TherapyNotes offers telehealth as an add-on to its core EHR at $10/mo — one of the more affordable integrated telehealth options in this comparison. The video is powered by a proprietary solution built into the TherapyNotes platform. Like SimplePractice, sessions launch from the appointment record and connect directly to the clinical workflow.
Where TherapyNotes shines is in its billing layer — insurance billing, ERA processing, and claim management are best-in-class for a mid-market platform. Telehealth sessions feed into that billing workflow cleanly. For insurance-heavy practices where billing accuracy is the primary driver and telehealth is a secondary need, the $59/mo total (base + telehealth add-on) is a strong value point. The UI is more functional than polished — it gets the job done without the design investment you see in SimplePractice or newer entrants.
- Best-in-class insurance billing integration
- No per-claim fees — strong value for high-volume billing
- $59/mo all-in for solo with telehealth
- Integrated with scheduling and clinical notes
- Solid support reputation
- Telehealth is not included — $10/mo add-on required
- Dated UI compared to newer platforms
- Per-clinician fees compound for group practices
- Limited mobile functionality
- No AI intake or automation features
Insurance-heavy practices where billing workflow matters most and telehealth is a secondary requirement. Therapists who submit high claim volumes and want integrated video without paying SimplePractice-level base costs.
Zoom for Healthcare
Zoom is the most widely recognized video platform in existence — and one of the most common sources of accidental HIPAA violations for therapists. The standard Zoom plans (Free, Pro, Business) do not include a BAA and are explicitly not HIPAA-compliant. Zoom for Healthcare is a separate enterprise product with dedicated infrastructure, additional security controls, and a BAA — but it starts at pricing designed for hospital systems, not individual therapists or small practices.
For the vast majority of solo therapists and small practices, Zoom for Healthcare is not a realistic option. The pricing ($200+/mo) is structured for enterprise healthcare organizations with multiple practitioners and IT support. If you are currently using standard Zoom for therapy sessions, you need to switch — not upgrade. Doxy.me, VSee, or any of the integrated EHR options in this comparison are more appropriate alternatives at a fraction of the cost.
Many therapists believe their standard Zoom Pro account is HIPAA-compliant because "Zoom is secure." It is not. The BAA is only available on the Healthcare enterprise plan. If you're using standard Zoom for patient sessions, switch before your next telehealth appointment.
- Familiar interface — patients already know Zoom
- Enterprise-grade security and uptime SLA
- Large meeting capacity for group sessions
- Advanced waiting room and host controls
- Broad device compatibility
- $200+/mo — priced for enterprise, not solo practices
- Standalone only — no EHR integration
- Standard Zoom is NOT HIPAA-compliant (common error)
- No scheduling, billing, or intake integration
- Overkill for solo therapist or small group needs
Large healthcare organizations and group practices with enterprise IT support — not individual therapists or small practices. For solo and small-group practices, the cost and complexity are not justified.
VSee
VSee is the closest competitor to Doxy.me in the standalone HIPAA-compliant video segment. Its free plan includes BAA, unlimited sessions, and a waiting room — functionally similar to Doxy.me Free. Where VSee differs: it offers a native mobile app for both therapist and patient, which Doxy.me lacks. For therapists who conduct mobile sessions or have patients who prefer a dedicated app experience, VSee's native mobile support is a genuine differentiator.
The paid tier ($49/mo Clinic) adds session scheduling within the platform, custom intake forms (basic), group video sessions, and messaging. This makes VSee Clinic a limited practice management option — more complete than Doxy.me, but still not at the level of a full EHR like SimplePractice or TherapyNotes. Video quality on VSee is strong; the platform was purpose-built for healthcare video from the start rather than adapted from a consumer product.
- Free plan with BAA and full HIPAA compliance
- Native mobile app for therapist and patient
- Strong video quality — purpose-built for healthcare
- Paid tier adds scheduling and basic intake
- Group session support on Clinic plan
- No billing or clinical documentation features
- Less widely known than Doxy.me — some patient friction
- Patient requires app download for best mobile experience
- Paid tier limited compared to full EHR platforms
- Smaller support ecosystem
Therapists who prioritize mobile telehealth and want a native app experience for both sides of the session. Strong alternative to Doxy.me for practices where mobile access matters more than browser-only convenience.
MindDesk
MindDesk includes telehealth as a core feature of a full practice management platform — alongside intake automation, scheduling, billing, and SMS reminders. Where standalone tools like Doxy.me and VSee handle video in isolation, MindDesk integrates the telehealth session into the entire patient workflow: the appointment reminder includes the session link, intake forms are completed before the session, notes attach directly to the visit record, and billing triggers on session completion.
The HIPAA compliance architecture covers the entire stack — not just video. A single BAA covers telehealth, intake data, appointment records, billing information, and patient communications. For therapists concerned about maintaining compliance across multiple systems (a standing risk when you use one tool for video, another for intake, a third for billing), the unified stack eliminates most of that surface area. MindDesk's AI-powered intake processing also automatically routes and flags submissions before the telehealth session begins, so the clinical picture is already populated when the session starts.
At $49/mo for solo practitioners with telehealth included — versus $69–79/mo for SimplePractice or $59/mo for TherapyNotes + telehealth add-on — the pricing is competitive even before you factor in the automation value. For group practices, the $99/mo flat rate with unlimited clinicians is significantly more favorable than per-seat pricing from incumbents. See how this compares in our full practice management software review.
- Telehealth integrated with full practice management stack
- Single BAA covers entire platform — not just video
- AI intake automation before each telehealth session
- $49/mo flat — no telehealth add-on fees
- Group: $99/mo flat, unlimited clinicians
- Session link delivered in automated reminders
- Newer platform — less documentation template depth
- Smaller user community than SimplePractice
- All-in-one means switching cost if you leave
Therapists who want telehealth as part of a complete, HIPAA-compliant practice management platform without separate tools for scheduling, intake, and billing. Solo practitioners looking for the best all-in value. Group practices where per-seat pricing from incumbents has become a cost problem.
How to Choose: A Decision Framework
The right telehealth platform depends on one question first: do you need video only, or do you need video as part of a broader practice management stack? Everything else flows from that.
Do you already have a HIPAA-compliant practice management system?
If yes, and it doesn't include telehealth, add Doxy.me (free) or VSee (free). Don't replace a working stack just for video. If you're on TherapyNotes, add the $10/mo telehealth add-on — it's integrated. If you're re-evaluating your full stack, continue to step 2.
Is insurance billing your primary complexity driver?
If high insurance volume is the core problem — claim management, ERA processing, denial tracking — TherapyNotes at $59/mo all-in (base + telehealth add-on) delivers the best billing workflow in this price range. SimplePractice is the alternative if you also need deep clinical documentation and are comfortable with per-claim fees.
Is admin automation your primary pain point?
If the core problem is the time you spend on intake, scheduling coordination, reminders, and billing follow-up — not the billing complexity itself — MindDesk at $49/mo delivers automation depth that standalone tools and billing-focused EHRs don't approach. Intake is automated, reminders are pre-configured, billing fires on session completion.
Do you need mobile-first video sessions?
If therapist or patient mobile experience is a priority and you want a native app, VSee Clinic ($49/mo) is the strongest standalone option. Doxy.me is browser-only — it works on mobile but without the native app experience.
Are you currently using standard Zoom?
Switch immediately. Standard Zoom is not HIPAA-compliant. Zoom for Healthcare is priced for enterprise organizations. The fastest compliant alternative is Doxy.me Free — set up in under 5 minutes, no cost, BAA included. More sustainable: migrate to an integrated platform that handles video alongside the rest of your workflow.
Video only, lowest cost: Doxy.me Free. Video only, need mobile app: VSee Free. Insurance-heavy billing focus: TherapyNotes. Deep clinical documentation: SimplePractice Essential. Full admin automation + telehealth included: MindDesk. Currently on standard Zoom: Switch to any of the above immediately.
The Compliance Risk No One Talks About
Most telehealth compliance discussions focus on the video platform. The bigger risk is actually the adjacent systems.
A therapist who uses Doxy.me (HIPAA-compliant) for video but collects intake through Google Forms (no BAA), schedules through a consumer Calendly account (no BAA), and sends follow-up through Gmail (no BAA) has a compliance gap across 3 out of 4 systems. The video is compliant. Everything else is not. A single PHI transmission through a non-covered platform is a reportable breach — the compliant video layer doesn't offset it.
This is the practical case for integrated platforms over standalone video tools: when one BAA covers the entire workflow — intake, scheduling, telehealth, clinical notes, billing communications — the surface area for compliance gaps drops to near zero. Standalone video tools are appropriate only when the rest of your stack is already fully covered.
For a complete inventory of what your practice technology stack needs to be compliant, the HIPAA compliance checklist for therapy practice technology covers every layer — intake, scheduling, telehealth, clinical documentation, billing, and patient communications — with the specific requirements for each.
Telehealth vs. In-Person: What Changes for HIPAA
Telehealth doesn't create new HIPAA obligations — it surfaces existing ones in a new context. The same rules that govern how you store paper records govern how you store video session recordings. The same rules that govern patient communications by phone govern patient communications via encrypted messaging in a telehealth platform.
What telehealth adds is a new technical surface: the video platform itself, the session link delivery mechanism, and any recordings. Each of those is PHI transmission and requires the same BAA and security controls as any other PHI workflow. The mistake most therapists make is applying HIPAA rules strictly to their clinical record-keeping while treating telehealth video as a different category. It is not. A session conducted over video is subject to the same rules as a session conducted in person — with additional technical requirements for the platform transmitting it.
The practical implication: evaluate your telehealth platform with the same scrutiny you'd apply to choosing an EHR. The BAA, encryption standards, access controls, and breach notification procedures are not marketing features — they are the baseline requirements for legal operation. If a platform doesn't offer them clearly and contractually, it doesn't belong in your stack. See our guide on automating your mental health practice for how telehealth fits into a fully automated, compliant workflow.
Telehealth included. BAA included. $49/mo.
MindDesk covers telehealth, intake, scheduling, billing, and reminders in one HIPAA-compliant platform. No telehealth add-on fees. No per-claim fees. Group practices: $99/mo flat, unlimited clinicians.
Request a Demo →30-minute demo. See the full telehealth and intake workflow live.
Frequently Asked Questions
Is Zoom HIPAA-compliant for therapists?
Standard Zoom (Free, Pro, Business plans) is NOT HIPAA-compliant for therapy sessions. A Business Associate Agreement is only available on the Zoom for Healthcare enterprise plan, which starts at $200+/mo and is priced for hospital systems. If you're using standard Zoom for patient sessions, you need to switch to a compliant platform. Doxy.me offers a free HIPAA-compliant alternative with a BAA on the free tier.
What makes a telehealth platform HIPAA-compliant?
Three requirements: (1) a signed Business Associate Agreement (BAA) — mandatory before transmitting any PHI, (2) end-to-end encryption of video and audio data in transit and at rest, and (3) access controls and audit logging. The BAA is the non-negotiable baseline — without a signed BAA, no technical security measure makes a platform compliant. All platforms in this guide (except standard Zoom) offer BAAs on at least their paid tiers; Doxy.me and VSee offer BAAs on free plans.
What is the best free HIPAA-compliant telehealth platform for therapists?
Doxy.me is the most widely used free option — unlimited sessions, browser-based (no patient download), customizable waiting room, and a signed BAA on the free tier. VSee is a strong alternative if you need a native mobile app experience. Both are video-only tools; you'll need separate systems for scheduling, intake, and billing. For a complete integrated stack, MindDesk at $49/mo includes telehealth alongside full practice management.
Do I need a separate telehealth platform or is it included in practice management software?
It depends on your current stack. TherapyNotes charges a $10/mo telehealth add-on. TheraNest also charges separately. SimplePractice includes telehealth on Essential ($69/mo) and Plus plans. Jane App includes telehealth on all plans. MindDesk includes telehealth on all plans at no extra cost. If you're on a platform without built-in telehealth, Doxy.me is the standard add-on choice. Avoid consumer video tools (standard Zoom, FaceTime, Google Meet) regardless of workarounds — none are HIPAA-compliant without a BAA.
What happens if I use a non-HIPAA-compliant video platform for therapy?
Using a non-compliant platform for telehealth is a HIPAA violation. Civil penalties range from $100 to $50,000 per violation (with annual maximums up to $1.9 million per category). A breach also triggers mandatory patient notification, which damages the therapeutic relationship. The cost of a compliant platform — $0 for Doxy.me free tier — is trivially small compared to the liability. Switching takes under 10 minutes.