The HIPAA Telehealth Waivers Are Gone: What Every Therapist Practicing Remotely Must Now Do Differently
When the COVID-19 public health emergency ended in May 2023, it took with it a set of HIPAA enforcement flexibilities that had fundamentally changed how therapists could deliver remote care. The transition period extended into 2025, but as of April 2025, the last remaining telehealth HIPAA accommodations have expired. Therapists who built their remote practice during the pandemic under emergency rules are now operating in an entirely different regulatory environment — and many do not know it.
What the Waivers Allowed
Between March 2020 and the emergency's end, HHS's Office for Civil Rights (OCR) announced enforcement discretion across several dimensions:
- Platform flexibility: Providers could use "non-public facing" video communication platforms — including FaceTime, Zoom's standard (non-HIPAA) version, Skype, and Google Meet — for telehealth without a Business Associate Agreement (BAA). This is the waiver most therapists relied on. It is now gone.
- Audio-only flexibility: Therapists could conduct audio-only telehealth even where state licensure required synchronous video, provided the patient consented and the clinical context justified it.
- Cross-state practice: Many states temporarily suspended enforcement of out-of-state licensure requirements for telehealth. These state-level accommodations varied and most have been rescinded.
What Is Now Required
HIPAA-compliant platform: Any video platform used for therapy sessions must have a signed Business Associate Agreement with the provider. This means the free tier of Zoom does not qualify; Zoom for Healthcare (with BAA) does. Similar requirements apply to all platforms. Non-compliant platforms create exposure to HIPAA penalties, which range from $100 to $50,000 per violation depending on culpability.
Business Associate Agreements: Anywhere ePHI (electronic protected health information) — session notes, scheduling data, billing records, therapy portal communications — is handled by a third party, a BAA is required. Cloud storage, EHR systems, scheduling platforms, and note-keeping apps all potentially require BAAs if they touch patient data.
State licensure compliance: The patient's state of location at the time of the session governs licensure requirements in most jurisdictions. Temporary interstate practice accommodations from the pandemic period have largely expired. Practicing teletherapy across state lines without appropriate licensure is a disciplinary risk.
The Ethics Dimension
HIPAA compliance is not only a legal obligation — it is an ethical one. APA Ethics Code Standard 4.01 (Maintaining Confidentiality) and Standard 4.02 (Discussing the Limits of Confidentiality) require psychologists to take reasonable precautions to protect confidential information. Using a non-HIPAA-compliant platform for therapy sessions after the waivers expired is not merely a technical compliance failure — it is a potential ethics violation under codes that require taking "reasonable precautions."
The informed consent dimension is distinct: clients who were told their sessions were conducted on a compliant platform during the pandemic may not know whether their current platform meets post-waiver standards. Updating informed consent documentation to accurately reflect current platform use and its compliance status is ethically required.
Practical Steps
- Audit your platform: Does it have a BAA? Check your current Zoom, Teams, or video plan tier.
- Audit your storage: EHR, cloud storage, scheduling platform — all require BAAs if they handle PHI.
- Update informed consent: Reflect the current platform and its compliance status.
- Review interstate clients: Where are they located? Does your licensure cover that state?
- Consult your malpractice carrier: Many carriers have updated telehealth guidance post-PHE.
The HIPAA telehealth waivers that permitted platforms like standard Zoom for therapy sessions expired with the COVID public health emergency. Therapists who haven't updated their platform, signed BAAs, and revised informed consent documentation since May 2023 are operating outside HIPAA compliance — and potentially outside their ethics code.