Mental health data is among the most sensitive information that exists. Diagnoses, session notes, medication records, trauma histories — this is information that patients share in the deepest confidence. It is also, increasingly, data that flows across the internet every time a therapist conducts a telehealth session, accesses their EHR from home, or sends a clinical note from a coffee shop.

According to Statista, in 2025 the US healthcare sector experienced 710 large-scale data breaches, exposing hundreds of millions of patient records. Healthcare is the most targeted industry for ransomware, accounting for 17% of all ransomware attacks globally. And mental health data carries a specific additional risk: in one of the most high-profile incidents, telehealth provider Cerebral exposed the data of over 3.1 million mental health patients to Google, Meta, and TikTok through tracking pixels embedded in its platform — including names, IP addresses, insurance details, and mental health assessment responses.

For therapists who conduct sessions remotely, the question is not whether patient data can be exposed. The question is whether you have taken reasonable steps to prevent it.

What HIPAA Requires for Telehealth in 2026

The COVID-19 emergency enforcement discretion that temporarily relaxed HIPAA requirements for telehealth platforms ended in May 2023. Since that date, every telehealth therapy session must comply with the full HIPAA Security Rule. That means:

  • Your video platform vendor must have a signed Business Associate Agreement (BAA) with your practice
  • Session data must be encrypted in transit and at rest
  • Your device must be encrypted, password-protected, and updated
  • Remote access to any system containing Protected Health Information (PHI) must use secure, encrypted connections
  • Chat messages, file sharing, and billing data during telehealth sessions are all considered ePHI and must be treated accordingly

That last point is where many therapists have a gap. The video platform may be compliant. But the network connection from your home office, hotel room, or coffee shop — the channel through which all that ePHI travels — may not be encrypted end-to-end at the network level.

HIPAA-compliant telehealth guidance published in 2026 explicitly lists VPN use as a required security measure for remote access: "Secure Wi-Fi (no public Wi-Fi) — VPN use if required — Device encryption." If your practice's security risk analysis identifies remote connections as a threat vector — and it should — VPN use is the standard control for that risk.

What a VPN Protects in Your Telehealth Practice

A VPN creates an encrypted tunnel from your device to the VPN provider's server. Every session you conduct, every document you access, every message you send travels through that tunnel — encrypted with AES-256-GCM before it ever leaves your device. Between the VPN server and your telehealth platform or EHR, the traffic is protected by that service's own encryption (typically TLS); the VPN adds a network layer of protection on top of it rather than replacing it.

Here is what that protects in practice:

  • Telehealth sessions from home networks: Home Wi-Fi routers can be misconfigured, compromised, or accessed by others on your network. A VPN encrypts your session traffic independently of your router's security settings.
  • EHR access from any location: Platforms like SimplePractice, TherapyNotes, and Therapy Brands contain complete patient records. Accessing them without a VPN on any network outside your office leaves that connection unencrypted at the network layer.
  • Secure messaging and notes: Clinical notes, intake forms, and session summaries are ePHI. A VPN encrypts the connection over which they are transmitted.
  • DNS privacy: Without a VPN, your internet provider sees every domain you access — which EHR platform you use, which billing service, which patient portal. With a VPN routing your DNS through encrypted resolvers, your ISP sees only an encrypted stream to the VPN server and has no visibility into which clinical services you use.
  • Public Wi-Fi sessions: Conducting telehealth from a coworking space, hotel, or any shared network without a VPN violates your HIPAA security obligations. A VPN makes those connections HIPAA-appropriate.

HIPAA-Grade Encryption for Your Practice

CyberFence uses AES-256-GCM encryption — the same standard cited in HIPAA technical safeguard requirements — and a strict zero-logs policy. No records of your sessions, your patients' domains, or your clinical workflow. Ever.

The Cerebral Case: Why Mental Health Data Needs Extra Protection

The Cerebral breach illustrates exactly why behavioral health providers face heightened privacy obligations. Cerebral, a mental health telehealth platform, used tracking pixels from advertising platforms — standard analytics tools used across the commercial internet — that captured and transmitted patient data including mental health assessment responses, appointment details, and insurance information to Google, Meta, and TikTok.

This was not a hack. It was not ransomware. It was a compliance failure: the assumption that tools acceptable for general commercial use were acceptable for handling mental health ePHI. They are not.

Behavioral health providers, telepsychiatrists, and psychologists face higher privacy expectations than general medical providers because session content is so sensitive. Notes, diagnoses, medications, and session discussions all fall under PHI — and the consequences of a breach for a patient extend far beyond inconvenience. Mental health records can affect employment, insurance, custody proceedings, and security clearances.

The appropriate standard for any data flowing through your practice is: assume it is the most sensitive information you hold, and protect it accordingly.

Does a VPN Make You HIPAA Compliant?

No single tool makes you HIPAA compliant. HIPAA compliance is a risk management framework that requires administrative, physical, and technical safeguards working together. A VPN addresses specific technical safeguards — specifically, encryption of data in transit and network-level access control.

What a VPN does in the context of a HIPAA security risk analysis:

  • Addresses the threat of network interception on uncontrolled Wi-Fi
  • Encrypts the connection layer independently of your telehealth platform's own encryption
  • Prevents DNS-level visibility by your ISP into your clinical workflow
  • Provides a documentable security control that demonstrates reasonable effort to prevent unauthorized disclosure

What it does not replace:

  • A HIPAA-compliant telehealth platform with a signed BAA
  • Encrypted device storage
  • Multi-factor authentication on your EHR and practice management systems
  • A written security risk analysis updated annually
  • Staff HIPAA training

VPN use is one layer in your security posture. For therapists conducting any remote work — which in 2026 means nearly all therapists — it is a required layer.

What to Look for in a HIPAA-Appropriate VPN

Not all VPNs meet the standard for clinical use. These are the features that matter for behavioral health providers:

  • AES-256-GCM encryption: This is the encryption standard cited in HIPAA technical safeguard guidance. It is the same standard used by the US government for classified data. Anything weaker is inadequate for ePHI.
  • Zero-logs policy: If your VPN provider stores logs of your connections, those logs may contain metadata about your clinical sessions. A verified zero-logs policy means no records exist to be breached, subpoenaed, or sold.
  • Kill switch: A kill switch cuts your internet access if the VPN connection drops unexpectedly. Without it, a momentary disconnection can expose your traffic on an unencrypted connection — during a live session, that is unacceptable.
  • Encrypted DNS: Your DNS queries — which domains you look up — should route through the VPN's encrypted resolver, not your ISP's servers. This prevents your clinical workflow from being visible at the network level.
  • US-based operations: For HIPAA-regulated practices, using a VPN vendor operating under US law and US data jurisdiction — not foreign privacy regimes — is the appropriate choice. Understand where your vendor is incorporated and what legal framework governs their operations.

CyberFence meets all of these requirements: AES-256-GCM encryption, a verified zero-logs policy, a kill switch on all platforms, encrypted DNS through Web Shield, and US-based operations. It is built for exactly the kind of professional use case that behavioral health providers need.

Protect Every Session, Every Patient

One subscription covers all your devices — laptop, tablet, and phone. AES-256-GCM encryption and zero logs from the first connection. Starting at $7.99/month.

Practical Setup for Therapists

Getting started takes less than five minutes:

  • Install on every device used for clinical work — your laptop, tablet, and phone. Therapists frequently access EHRs and patient communications from all three.
  • Enable the kill switch before your first session. This ensures that if your connection drops during a live session, your traffic does not revert to an unencrypted channel.
  • Connect before opening any clinical application. The VPN should be up before you launch your EHR, your video platform, or your email, so that no clinical traffic is sent outside the tunnel.
  • Use it on home Wi-Fi too. Home networks are not inherently secure. Your ISP still has full network-level visibility without a VPN.
  • Document VPN use in your security risk analysis. Your annual HIPAA security risk analysis should note that remote access is conducted over a VPN as a technical safeguard. This is the documentation that demonstrates reasonable effort if your practice is ever audited.

For more on the compliance landscape that frames these requirements, see our guides on HIPAA-compliant VPN use and what a zero-logs policy actually means for regulated industries.

The Bottom Line

Telehealth is now a permanent part of behavioral health practice. The regulatory grace period ended in 2023. The attack statistics are clear: healthcare is the most targeted sector, mental health data is uniquely sensitive, and the compliance standard for remote access to ePHI requires encrypted connections.

A VPN is not optional for therapists who conduct any remote clinical work. It is the network-layer encryption control that HIPAA requires for remote access to ePHI, the tool that protects your patients' most sensitive disclosures from network-level interception, and the documented safeguard that demonstrates your practice takes its obligations seriously.

CyberFence offers a Free Trial — no commitment required. Start it before your next telehealth session, and your connection will be encrypted from the first call.