Running a safe, secure telehealth practice as a mental healthcare provider
Telehealth cybersecurity is a growing risk for therapy practices. Protect yours from NPI theft, credential fraud, deepfakes, impersonation, and more.
May 15, 2026
When telehealth went mainstream, access to mental healthcare was widely expanded. Suddenly, a therapist in a rural area could reach a client who'd been on a four-month waitlist. A parent managing a chaotic schedule could finally keep their weekly sessions. Geographic barriers, transportation hurdles, and stigma around walking into a physical office have been reduced — opening the door to care that feels more accessible to many people seeking mental healthcare.
The benefits of telehealth are real. But so is a less-discussed consequence of moving therapy online: a broader and more sophisticated risk for fraud, impersonation, and cybercrime.
This isn't a concern reserved for hospital IT departments or enterprise health systems. Solo talk therapists, group practices, and psychiatric care providers are increasingly targets — often without realizing it. If you're offering telehealth services (or thinking about it), understanding and protecting against the risks isn't just good practice. In many cases, it's a regulatory obligation under the HIPAA Security Rule.
Here are some aspects of telehealth cybersecurity that every mental healthcare provider running a telehealth practice needs to know — and concrete ways to protect yourself.
The security risks every telehealth provider faces
When you think about HIPAA compliance for therapists, the conversation often centers on patient data — and for good reason. But therapists themselves are increasingly victims of a range of cybersecurity threats that can derail their practices, damage their reputations, and expose them to serious financial and legal liability.
The most common telehealth security risks providers face include:
- Unsecured video and messaging platforms: Not all video conferencing tools are created equal. Consumer-grade platforms that aren't specifically designed for healthcare can transmit data over unencrypted channels, leave session recordings accessible to third parties, or fail to meet HIPAA's technical safeguards. If you're using a general-purpose video tool for therapy sessions, you may be putting both your clients and your practice at risk without even knowing it.
- Phishing and credential theft: Therapists receive a steady stream of emails: insurance notifications, EHR system updates, billing alerts. Cybercriminals exploit this by sending convincing fake emails designed to steal login credentials. Once inside a provider's accounts, they can access patient records, redirect payments, or impersonate the provider entirely.
- Impersonation and account takeovers: A growing category of telehealth fraud involves bad actors posing as actual licensed therapists, using stolen credentials to schedule sessions, bill insurers, or conduct unauthorized visits.
- Identity-based prescription fraud: Telehealth has also lowered some barriers for using stolen or fabricated identities to obtain prescriptions — including controlled substances — under false pretenses. This is a fraud-and-identity issue, not a clinical-complexity issue: the concern is verifying that the person on the screen is who they say they are.
- AI-powered deepfakes and synthetic identity fraud: This one is newer, but the threat is real and growing. Generative AI tools can now create convincing audio and video mimicry of real people. In a telehealth context, that means someone could impersonate a patient — or even a provider — in ways that are harder to spot in real time. And AI-powered deepfake attempts are climbing fast across healthcare. Pindrop reports an 880% surge in deepfake fraud in 2024, with cloned voices and synthetic video increasingly used to impersonate both patients and providers in real time. There's no sweeping solution for this problem yet, but strong identity verification is one of the best defenses available today.
What these risks actually look like in practice
It's easy to treat "cybersecurity risks" as an abstract concern. But the real-world consequences for mental healthcare providers are concrete, costly, and often devastating.
NPI theft and credential fraud is one of the most insidious threats. Your National Provider Identifier (NPI) is publicly accessible — by design, because it's used for billing and credentialing. But that accessibility makes it a prime target. Fraudsters use stolen NPIs to bill insurance companies for services never rendered, a practice known as “ghost billing.” The provider whose NPI is used may not discover the fraud for months — and in the meantime, fraudulent claims have accrued under their name and potentially triggered an audit or investigation.
Patient identity theft in a telehealth context often means someone using stolen or fabricated credentials to access care under another person's name or insurance. For the provider, the fallout can include regulatory scrutiny and, in some cases, professional liability.
Reputational harm from impersonation is another underappreciated risk. If someone impersonates your practice online or on a telehealth platform, clients may unknowingly share sensitive disclosures with a fraudulent "therapist." When the deception is discovered, your name is attached to it — even if you were the victim.
The financial toll is well-documented. According to the HIPAA Journal, HHS Office for Civil Rights (OCR) resolved 22 HIPAA enforcement actions in 2024 alone, and the agency launched a dedicated risk analysis enforcement initiative in 2025. Even small practices have not been spared: OCR's 2024 settlement with Manasa Health Center, a small mental health provider, totaled $30,000 — and per-violation penalties for willful neglect range from approximately $14,602 to $73,011, with most enforcement actions involving multiple violations. That's before accounting for legal fees, notification costs, and lost client trust.
How to mitigate your telehealth security risks
The good news: You don't need to become a cybersecurity expert to protect your practice. What you need is a clear, practical framework and the right tools to support it. The U.S. Department of Health and Human Services offers detailed guidance on telehealth privacy and security best practices for providers, and it's a worthwhile read. Here's a provider-friendly summary of the most critical steps, followed by ways Headway helps you complete them.
1. Conduct a HIPAA risk analysis — and document it. Under the HIPAA Security Rule, providers are required to conduct an accurate, thorough assessment of the potential risks and vulnerabilities to electronic protected health information. The absence of a documented risk analysis is the most-cited deficiency in OCR enforcement actions — and it's increasingly the trigger for penalties against small practices. If you don't have one, this is the single highest-leverage thing you can do this week.
2. Maintain written policies and procedures. The Security Rule also requires written policies and procedures that document how your practice safeguards electronic PHI, trains staff, responds to incidents, and reviews controls over time. HIPAA compliance is essential for mental healthcare providers, and technical tools alone don't satisfy it; the documentation matters, too.
3. Use a HIPAA-compliant telehealth platform — and verify what that means. A platform that supports your HIPAA compliance should offer encryption that meets the HIPAA standard, a signed Business Associate Agreement (BAA), and a secure video infrastructure. If a vendor won't provide a BAA, that's a red flag.
4. Verify patient identity before every telehealth session. Take reasonable steps to confirm the identity of patients (and any authorized third parties) before a telehealth visit. Options for verifying identity include:
- Confirming name, date of birth, address, and contact information against the patient record
- Using identity verification tools that flag suspicious or synthetic identities
Identity verification isn't only a security practice — it also strengthens the clinical alliance, supports informed consent, and ensures you're treating who you think you're treating. Modern identity verification tools also produce a secure, tamper-proof, access-controlled digital record that can be supplied in the event of an investigation or audit.
5. Enable two-factor authentication (2FA) on every account. Your EHR login, billing platform, email, scheduling software — all of it should be protected with two-factor authentication. This single step dramatically reduces the risk of credential theft or an account takeover.
6. Keep your devices updated and encrypted. The devices you use for telehealth sessions (laptop, tablet, desktop computer, and phone) should have up-to-date operating systems and security software, full-disk encryption enabled, and strong password protection.
7. Know what protected health information you're transmitting — and how. Every piece of data that travels between you and your clients during a telehealth session is potentially subject to HIPAA — including session notes, emails, chat messages, files shared during a session, and even meeting metadata.
8. Know your breach notification obligations. If a breach of unsecured PHI does occur, HIPAA's Breach Notification Rule requires you to notify affected individuals — and, in some cases, HHS and the media — within specific timeframes, using the appropriate channels. Knowing the rules before an incident is the difference between a manageable response and a regulatory escalation.
How Headway helps protect your telehealth practice
Here's the challenge with cybersecurity: it evolves faster than most clinicians have bandwidth to track. You went into this work to provide care, not to become an IT specialist. The good news is that you don't have to — if you're on the right platform.
Headway's telehealth platform is built to support your HIPAA compliance, with security baked into the infrastructure rather than piecing together a general-purpose video tool with bolt-on protections:
- Secure telehealth video and platform: Headway uses encryption at rest (AES-256) and in transit (TLS 1.2+) — the HIPAA-compliant encryption standard. Sessions on Headway's platform are not recorded by default, which reduces the surface area for unauthorized access.
- Two-factor authentication: Headway supports 2FA across provider accounts and patient accounts, adding a critical layer of protection against credential theft and unauthorized access.
- Cutting-edge identity verification: Headway is rolling out advanced patient identity verification — a feature designed to better catch fraudulent and synthetic identities before a session begins. Built directly into the Headway workflow, it's a capability that's historically been hard for solo practitioners to access on their own.
- Built-in HIPAA compliance support: Headway handles the technical safeguards required of a Business Associate, and maintains the secure data infrastructure your practice depends on for telehealth — so you can focus on your clients.
With Headway, providers get this infrastructure as part of joining the network — at no additional cost.
Protect your practice today
Telehealth has made mental healthcare more accessible — and more vulnerable to a new category of risk. Provider NPI theft, credential fraud, deepfakes, identity-based prescription fraud: these aren't distant, hypothetical threats. They're happening to clinicians like you, right now.
The answer isn't to retreat from telehealth. It's to practice it on a platform that takes security as seriously as you take your clients' care. By staying informed about the risks, implementing foundational protections, and partnering with technology built for healthcare, you can offer telehealth confidently — knowing your practice, your clients, and your reputation are supported.
Ready to build a more secure telehealth practice? Join Headway and see how our platform supports security and compliance so you don't have to do it alone.
© 2026 Therapymatch, Inc. dba Headway. All rights reserved. No part of this publication may be reproduced without permission.