Why HIPAA compliance matters for teletherapy in 2026

HIPAA compliance matters in teletherapy because speech-language pathologists handle protected health information over video, messaging, and stored notes, all of which must be safeguarded under the Privacy and Security Rules. In telehealth, the key expectations are risk analysis, staff training, identity verification, consent when needed, secure documentation, and BAAs with relevant vendors.
Teletherapy has made care more convenient, but it also increases exposure to privacy risks such as unsecured connections, overheard sessions, and improper platform use. In 2026, clinics should treat compliance as part of everyday workflow, not as an optional add-on, because compliance failures can lead to privacy complaints, penalties, and loss of trust.

The complete HIPAA telehealth compliance checklist

A strong HIPAA telehealth checklist starts with identifying every place PHI is created, accessed, stored, or transmitted, then mapping the vendors and devices involved. After that, practices should document policies, train staff, sign BAAs, and verify that the video platform is configured securely.

Checklist items

  • Conduct a telehealth risk assessment.
  • Identify all PHI touchpoints, including video, chat, email, and file sharing.
  • Use only approved platforms and devices.
  • Sign BAAs with all vendors that handle PHI.
  • Require patient identity verification before discussing sensitive information.
  • Secure waiting rooms, meeting links, and session access.
  • Limit recordings and protect stored files.
  • Train staff on privacy, security, and teletherapy etiquette.
  • Document incidents, breaches, and corrective actions.
  • Review policies regularly and update them as tools or laws change.

Common HIPAA violations in teletherapy and how to avoid them

Common teletherapy violations include using non-approved platforms, failing to verify identity, exposing PHI in public settings, not signing BAAs, and leaving sessions or recordings unsecured. Another frequent issue is poor staff training, since inadequate training itself can become a HIPAA violation.

To avoid these problems, therapists should use only configured, approved systems, keep sessions private, confirm patient identity, and apply the minimum necessary rule when sharing information. It also helps to create simple internal rules for recordings, screen sharing, chat logs, and post-session storage so staff know exactly what is permitted.

How to evaluate whether your video platform is HIPAA-compliant

A platform is not automatically compliant just because it is marketed that way; it must support the safeguards your practice needs and be used correctly. The most important question is whether the vendor will sign a BAA, because vendors with persistent access to PHI are generally treated as business associates.

Questions to ask

  • Does the vendor sign a BAA?
  • Is data encrypted in transit and at rest?
  • Are meeting links protected with authentication and waiting rooms?
  • Can you control recordings, storage, and retention?
  • Are audit logs available?
  • Can user access be restricted by role?
  • Does the platform support secure file sharing and messaging?

If the answer is unclear on any of these points, the platform should not be treated as HIPAA-ready for teletherapy.

BAAs explained: what they are and why every therapist needs one

A Business Associate Agreement is a contract that explains how a vendor will protect PHI when it handles data on behalf of a covered entity. In teletherapy, BAAs matter because video platforms, cloud storage tools, transcription services, and practice management systems may all touch PHI.
Without a BAA, using a vendor that has access to PHI can create serious compliance risk. For therapists, the safest rule is simple: if a service stores, transmits, or can access PHI, confirm whether a BAA is required before using it.

How ReadySetConnect ensures HIPAA compliance by default

ReadySetConnect positions its therapy notes software around HIPAA compliance and states that its agreement is intended to satisfy HIPAA Privacy Rule and Security Rule standards, along with HITECH requirements. Its public HIPAA page also indicates that it is designed to protect the privacy and security of PHI disclosed through the platform.
ReadySetConnect helps therapists reduce compliance friction by making HIPAA considerations part of the product foundation rather than an afterthought. That makes it easier for SLPs to document sessions, manage therapy notes, and work with client data in a more secure environment.

FAQs

ReadySetConnect is HIPAA-compliant, HITRUST CSF certified, and PCI-secure. We sign a Business Associate Agreement (BAA) with every account on every plan. All client data is encrypted in transit and at rest. Your data is always yours.
