California Remote Work Compliance Checklist for Therapists

By Julia W.

Staying compliant as a remote therapist in California involves navigating telehealth, employment, and privacy regulations. Here’s what you need to know:

  • Telehealth Rules: Obtain informed consent, use HIPAA-compliant platforms, and ensure proper supervision for pre-licensees.
  • Employment Laws: Follow AB 5 for worker classification and comply with wage and hour laws.
  • AI in Hiring: Starting October 2025, audit any AI tools used in employment decisions to avoid discrimination.
  • Workspace Standards: Maintain a secure, professional environment with privacy safeguards.
  • Documentation: Keep detailed records of consent, supervision, and compliance practices.
  • Technology: Use encrypted devices, secure networks, and HIPAA-compliant tools.

California Telehealth and Remote Work Laws

Remote Supervision Rules for Pre‑Licensees

Associate Professional Clinical Counselors (APCCs) can count unlimited telehealth hours toward the required 3,000 hours for licensure, as long as supervision happens through live, two-way videoconferencing. However, supervision via phone alone doesn’t meet California’s requirements, which mandate a face-to-face component. Supervisors must evaluate whether remote supervision is appropriate and ensure client confidentiality is upheld. Additionally, all supervision sessions must be properly documented according to state rules.

A Supervision Agreement and a corresponding Supervisory Plan must be signed within 60 days of starting supervision. Keep these documents on file for licensure purposes. If the supervisor isn’t employed by the same organization as the supervisee, a Written Oversight Agreement between the supervisor and the employer must be completed before supervision begins.

Each week, pre-licensees need to complete at least one hour of individual or triadic supervision, or two hours of group supervision. For those providing more than 10 hours of direct clinical counseling in a week, an additional hour of supervision is required. Group supervision sessions are capped at a maximum of eight participants.

For registered associates working in private practices or professional corporations, the supervisor must be directly affiliated with the practice – either as an employee, contractor, or owner. They must also provide psychotherapeutic services or have a written agreement granting them access to clinical records.

To meet licensure requirements, pre-licensees must complete 3,000 hours over a minimum of 104 weeks. This includes at least 1,750 hours of direct counseling and up to 1,250 hours of non-clinical work. Weekly limits are set at 40 total experience hours and 6 supervision hours. Importantly, any experience gained more than six years before the application date will not count.

Before starting telehealth sessions, it’s essential to obtain and document either verbal or written informed consent from clients. During this process, you should explain potential risks, such as technical glitches or the challenges of handling emergencies remotely. Be sure to provide your license type and number, and document your efforts to identify local emergency services and resources for the client. Additionally, discuss the technology platform being used, backup communication methods in case of technical issues, and emergency protocols. Keeping this documentation secure ensures you meet both legal and recordkeeping standards.

Keeping Secure Client Records

It’s crucial to maintain secure records that detail the consent process, including the date it was obtained. This not only safeguards client information but also demonstrates compliance with professional requirements.

Telehealth Training and Certification

Beyond securing informed consent and proper recordkeeping, formal training is a key component of compliant telehealth practice. Starting July 1, 2023, all new applicants for LMFT, LPCC, and LCSW licensure in California are required to complete 3 hours of telehealth training before obtaining their license. This requirement, introduced through Assembly Bill 1759, also applies to practitioners licensed before that date at their first license renewal on or after July 1, 2023.

The training must address practical, clinical, legal, and ethical aspects of telehealth, with an emphasis on California state law. Topics include legal and ethical requirements, current telehealth research, security and confidentiality measures, strategies for engaging clients, and procedures for communication between sessions.

Specialized 3-hour courses designed to meet California’s Board of Behavioral Sciences standards are available for $39. When choosing a course, make sure it specifically covers California’s regulations rather than providing only a general overview of telehealth practices.

Employment Law and Workplace Compliance for Remote Therapists

New AI Regulations in Employment Practices

Starting October 1, 2025, California’s updated Fair Employment and Housing Act (FEHA) will expand to include all employers – remote therapists included – using AI tools for hiring, promotions, or terminations. These rules apply to any automated decision system (ADS), which refers to algorithms that influence employment decisions. The goal? Ensuring fairness and compliance in every aspect of employment practices.

Employers must ensure their AI tools do not discriminate based on gender, race, age, or disability. This includes accountability for both direct and unintended biases, even when the tools are provided by third-party vendors. To meet compliance standards, audits of these tools should align with the broader workplace protocols already in place.

For remote therapists, this means carefully reviewing and auditing AI tools while thoroughly vetting vendors to avoid unlawful practices. For instance, AI systems that analyze disability-related data could lead to illegal inquiries. Additionally, such tools cannot replace the individualized assessments required for evaluations, such as those involving criminal history.

Legislation like SB 7, also known as the "No Robo Bosses" bill, may soon require human oversight for decisions involving AI in disciplinary actions or terminations.

Technology, Security, and Confidentiality Standards

This section highlights key technology and data security practices essential for maintaining compliance in remote therapy settings.

Using HIPAA-Compliant Technology

As of August 2023, telehealth services must fully comply with HIPAA regulations. This means all technology used during remote sessions must be properly configured and meet specific security standards.

The HIPAA Security Rule applies to telehealth activities involving electronic media, such as internet connections, cellular networks, and Wi-Fi. This includes platforms like VoIP services, mobile apps, and desktop applications. However, audio-only sessions conducted through traditional landlines are not subject to this rule.

When choosing telehealth platforms, ensure you obtain Business Associate Agreements (BAAs) from vendors. These contracts legally bind the vendor to protect patient health information under HIPAA guidelines. Platforms like Zoom for Healthcare, SimplePractice, and TherapyNotes often provide BAAs, but you must request and sign these agreements to ensure compliance.

Your Electronic Health Records (EHR) system must also align with HIPAA standards. Look for features like automatic session timeouts, audit logs that track access details, and role-based access controls to limit staff access to essential patient data.

Communication tools require special attention. Standard email, text messaging, and common file-sharing services typically do not meet HIPAA standards. Instead, use encrypted platforms designed for healthcare communications to ensure secure exchanges outside of scheduled sessions. These measures, combined with strong technology protocols, are critical for safeguarding patient information.

Protecting Client Data and Privacy

Device security is the foundation of protecting remote therapy data. Encrypt all devices – laptops, tablets, and smartphones – that store or access patient information. Set devices to auto-lock using passwords or biometrics after a brief period of inactivity.

Network security is equally important. Avoid public Wi-Fi for therapy sessions or accessing patient records. If working outside a secure environment, use a Virtual Private Network (VPN). Many therapists also rely on secured mobile hotspots to ensure a private and stable connection when working from flexible locations.

Data storage should follow strict protocols. Avoid storing patient information on local hard drives unless they are encrypted and regularly backed up to a HIPAA-compliant cloud service. Limit staff access to patient information based on necessity.

Physical workspace security is another critical factor. Position screens to prevent unauthorized viewing from windows, doorways, or other exposed areas. Use privacy screens on devices, and take steps to ensure family members or housemates cannot accidentally view or overhear sensitive information during sessions.

Keeping software up to date is non-negotiable. Enable automatic updates for operating systems, antivirus software, and any applications used in your practice to close security gaps that could expose patient data.

Conducting Risk Assessments and Bias Audits

Technical safeguards alone aren’t enough – regular evaluations are key to maintaining data security. Annual risk assessments help identify vulnerabilities in your remote practice setup. Document all devices, software, and network connections used to access patient data, and evaluate each for risks such as outdated encryption or unsecured data transmissions.

Create a detailed risk assessment checklist that addresses physical security (e.g., workspace privacy and secure device storage), technical security (e.g., encryption, access controls, and backup procedures), and administrative security (e.g., staff training and incident response plans). Update this checklist whenever new technology is introduced or your practice setup changes.

Keep thorough documentation of technology reviews, security updates, and compliance checks. This not only reinforces your commitment to security but also serves as proof of compliance if requested by regulatory bodies or insurance providers.

Consider bringing in third-party security consultants for annual penetration testing and vulnerability assessments. These experts can identify risks that might go unnoticed during internal reviews and provide actionable recommendations to strengthen your security practices.

Finally, have an incident response plan in place. Develop clear procedures for containing breaches, notifying affected patients, and reporting incidents to the appropriate authorities. Regularly test and update these procedures to ensure they remain effective as your technology evolves.

Practice Setting and Workspace Solutions for Remote Therapists

Running a remote therapy practice comes with unique challenges, especially when it comes to meeting regulatory requirements and maintaining a professional work environment. Choosing the right workspace is a key step in ensuring compliance and building trust with clients.

Physical and Virtual Practice Address Requirements

In California, therapists must adhere to specific rules regarding client safety and address verification. For every session, you’re required to verbally confirm and document your client’s full name and current address. Keep in mind that any temporary regulatory relaxations in place will expire after 2024.

While meeting these address requirements is essential, creating a professional workspace also plays a significant role in compliance and fostering client confidence.

Exploring Flexible Workspace Solutions like Humanly

If your home office doesn’t meet professional or regulatory standards, it might be time to explore other options. Dedicated workspaces can provide the professional setting you need to elevate your practice.

Humanly, for example, offers flexible solutions such as virtual memberships and on-demand rentals. These services include features like a professional business address, mail handling, and secure therapy spaces equipped with the necessary amenities.

What sets these spaces apart isn’t just the physical setup – they also create opportunities for connection. Many flexible workspaces cultivate a sense of community by offering networking events, peer support, and even in-house referral systems. Plus, these environments are designed with privacy, security, and compliance in mind, meeting the high standards required in healthcare.

When selecting a workspace, think about how it aligns with your telehealth tools, client scheduling needs, and compliance obligations. A well-chosen workspace can help streamline the administrative side of your practice, allowing you to focus on what matters most – your clients.

Conclusion: Staying Compliant and Professional in Remote Practice

Practicing therapy remotely in California involves navigating a maze of evolving regulations. From telehealth protocols to employment laws, technology standards, and workspace requirements, there’s a lot to keep up with. Staying compliant means keeping a close eye on these layers and adapting as things change.

At the heart of compliance are two key elements: accurate documentation and secure technology. Maintaining detailed records, safeguarding client information, and ensuring data accuracy are non-negotiable. On the technology front, your tools must meet HIPAA standards to protect privacy and maintain a professional image.

For therapists struggling with workspace challenges, modern solutions can make all the difference. For example, Humanly offers flexible workspace options tailored to remote practitioners. Their services include professional business addresses, secure therapy spaces, and opportunities to connect with other wellness professionals. A virtual membership costs $50 per month and includes address services and mail handling, while hourly spaces range from $2.50 to $20.50 depending on your membership and location needs.

Beyond secure workspaces, aligning every part of your practice with compliance requirements ensures long-term success. Compliance isn’t a one-time task – it’s an ongoing process. Regular risk assessments, staying updated on training, and engaging with professional networks can help you stay ahead of regulatory changes. By investing in the right tools and workspaces, therapists can build a sustainable practice that meets California’s evolving standards while continuing to provide excellent care.

FAQs

What are the key compliance requirements for therapists providing telehealth services in California, and how can they ensure their technology is HIPAA-compliant?

Therapists providing telehealth services in California are required to meet certain legal standards, including securing either verbal or written informed consent from clients before starting sessions. Additionally, they must keep accurate records and comply with state-specific telehealth regulations.

To stay compliant with HIPAA, therapists should utilize secure, encrypted telehealth platforms designed to protect client confidentiality. Another key step is establishing Business Associate Agreements (BAAs) with technology providers to ensure data security aligns with HIPAA requirements.

What does California’s AB 5 law mean for remote therapists, and how can they ensure compliance?

California’s AB 5 law relies on the ABC test to decide whether a worker is classified as an employee or an independent contractor. For remote therapists, this means they are considered employees by default unless all three of the following conditions are met:

  • Freedom from control: They operate independently of the hiring entity’s control and direction.
  • Work outside the hiring entity’s business: Their services are not part of the core business of the hiring entity.
  • Independent trade or business: They are engaged in an established trade, occupation, or business of their own.

Remote therapists should take a close look at their work arrangements to see if they align with these criteria. If even one condition isn’t satisfied, they must be classified as employees, granting them rights like benefits and protections under California labor laws. Consulting a legal professional to review contracts and ensure compliance with AB 5 is a smart move.

What steps should therapists working remotely in California take to assess risks and protect client data?

Therapists offering remote services in California need to focus on thorough risk assessment. This starts with collecting detailed client information during the intake process and keeping a close watch for any changes over time. Working together with clients to create tailored safety plans can also help address potential risks effectively.

When it comes to data security, using HIPAA-compliant telehealth platforms is non-negotiable. Therapists must adhere to California’s confidentiality laws and guide clients on maintaining their privacy. Regular cybersecurity practices – like relying on encrypted communication tools and secure devices – are critical to safeguarding sensitive client information.
