This is engineering guidance, not legal advice. Confirm specifics with qualified counsel.

Why this matters

If you are scoping a teletherapy app, a digital addiction-treatment service, an employer mental-health benefit, or a psychiatry platform that prescribes, you are building in the vertical where the rules are strictest and the stakes are highest. The audience for this article is the founder, product manager, or clinical lead who needs to understand those rules well enough to make build-versus-buy decisions, write a sane scope, and ask an engineer or a compliance officer the right questions. Mental health data is protected health information with extra layers on top, and the people who use these products are, by definition, sometimes in crisis. This is the playbook for building a product that is safe, compliant, and one a patient will actually keep using.

The vertical in one paragraph

Behavioral health telemedicine covers a wide range of products that share one trait: the clinical work is mostly talk, so video and messaging are the treatment, not an add-on. That range runs from one-on-one teletherapy and psychiatry, through group therapy delivered to many patients at once, to medication-assisted treatment for opioid and other substance use disorders, to app-based programs for anxiety, depression, ADHD, and more. The market is large and growing — the global mental health apps market sits around USD 9–10 billion in 2026 and is growing at roughly 15–17% a year, with the US digital mental health market near USD 9 billion (2026 analyst estimates). The clinical case is settled enough to build on: across depression, anxiety, and PTSD, video therapy produces outcomes comparable to in-person care, and remote delivery often improves attendance and retention because patients do not have to travel or sit in a waiting room.

The first thing to understand: this data is more protected than ordinary PHI

Most telemedicine articles start with HIPAA. For behavioral health you have to start one level deeper, because two extra protections sit on top of ordinary health data.

First, a definition we will reuse. Protected Health Information — PHI — is any health data that can be tied to an identifiable person: a name with a diagnosis, an appointment time linked to an account, a recording of a session. HIPAA, the Health Insurance Portability and Accountability Act of 1996, sets the federal floor for protecting PHI through its Privacy Rule (who may see and share PHI) and its Security Rule (the technical and physical safeguards required, at 45 CFR §164.312 and the surrounding sections). That floor applies to everything in a behavioral health product.

On top of that floor, behavioral health adds two layers.

Layer one: psychotherapy notes get their own lock. HIPAA singles out a specific kind of record. Psychotherapy notes — a therapist's private notes analyzing a counseling session, kept separate from the rest of the chart — are defined at 45 CFR §164.501 and given special protection at §164.508(a)(2). In plain terms: most PHI can be shared for treatment, payment, and routine operations without asking the patient each time, but psychotherapy notes generally require the patient's specific written authorization before they go anywhere — even to the patient's own insurer. The product consequence is concrete. If your platform lets clinicians keep private session notes, those notes must live in a separate store with their own access controls, and they must not be swept into the same export, analytics, or insurance feed as the rest of the record.

Layer two: addiction records have their own federal law. Substance use disorder treatment records created by federally assisted programs are governed not just by HIPAA but by a separate regulation, 42 CFR Part 2, administered by the Substance Abuse and Mental Health Services Administration (SAMHSA). Part 2 exists because a leaked addiction record can cost someone a job, custody of a child, or their freedom, so it has historically been stricter than HIPAA about disclosure. A 2024 final rule (89 FR, published February 16, 2024, effective April 16, 2024) aligned Part 2 more closely with HIPAA — most importantly, it now lets a patient give a single consent covering all future disclosures for treatment, payment, and operations, rather than re-consenting for each one. Compliance with the updated rule became mandatory on February 16, 2026. If your product touches addiction treatment, Part 2 is not optional and not the same as HIPAA — it is an additional layer, with its own consent model and its own penalties.

The takeaway for a builder: in behavioral health, "we're HIPAA compliant" is the starting line, not the finish. You also need a separate-and-locked path for therapy notes and, if you serve addiction treatment, a Part 2 consent and disclosure model.

Figure 1. Behavioral health data sits in nested protection layers. Each inner layer adds a rule the outer layer does not have — and a separate store or consent your product must build. (Diagram: three protection layers, PHI under HIPAA, psychotherapy notes locked separately, substance-use records under 42 CFR Part 2.)

The hardest part is not the video — it is the crisis path

A normal telehealth product can treat a dropped call as an inconvenience. A behavioral health product cannot, because some fraction of its sessions involve a patient who is a danger to themselves or someone else. The single most important thing this vertical builds that others do not is a crisis-escalation path: what the product and the clinician do when risk appears during or around a session.

Two clinical-legal facts shape that path. The first is the duty to warn or protect, which comes from the 1976 Tarasoff v. Regents of the University of California line of cases. When a clinician believes a patient poses a serious, imminent danger to an identifiable person, the duty can require breaking confidentiality to warn the potential victim and law enforcement. The exact rule varies by state — some impose a duty, some permit it, a few are silent — so the product cannot hard-code one national behavior. The second is the existence of the 988 Suicide and Crisis Lifeline, the national crisis line run under SAMHSA, which handles de-escalation and, when someone has a specific plan and the means to carry it out, can escalate to 911 emergency services.

What this means for the product is a designed flow, not a phone number in a footer. A workable crisis path has a few moving parts:

  • A way for the clinician to flag risk and reach the patient's physical location fast. Because telehealth patients are not in your building, you need to know where they are when a session starts — at minimum the address on file, ideally confirmed at check-in — so that if a clinician must call for a welfare check, dispatch goes to the right place. This is also why behavioral health platforms confirm location at the start of each session, not just at signup.
  • A one-tap path to the 988 Lifeline and to local emergency services from inside the consult, for both patient and clinician.
  • A documented escalation runbook the clinician follows, with the steps and contacts recorded in the chart, because the decision to break confidentiality has to be defensible later.
  • A break-the-glass access model so that, in a genuine emergency, a supervisor or on-call clinician can reach the information needed to help — with every such access logged, because emergency access is exactly the kind of event an audit will examine.

Build the crisis path before you polish the video. It is the feature that, when it works, no one notices, and when it is missing, becomes the worst day of the company's life.
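One way to wire the three data layers from the previous section together with the break-the-glass item in the list above, as an added example written for this article (not Fora Soft's code): the roles, record layers, sample patient and the conservative defaults (no private notes or Part 2 records to analytics feeds) are constructed design choices, not quotations from the rules.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum

class Layer(Enum):
    PHI = "phi"               # ordinary PHI: the HIPAA floor
    PSY_NOTE = "psy_note"     # psychotherapy notes: separate store, separate lock
    PART2_SUD = "part2_sud"   # substance-use records under 42 CFR Part 2

class Purpose(Enum):
    TREATMENT = "treatment"
    PAYMENT = "payment"
    OPERATIONS = "operations"
    ANALYTICS = "analytics"   # exports, analytics SDKs, AI features, insurer feeds
    EMERGENCY = "emergency"   # break-the-glass

TPO = {Purpose.TREATMENT, Purpose.PAYMENT, Purpose.OPERATIONS}

@dataclass
class Record:
    record_id: str
    patient_id: str
    layer: Layer
    author_id: str = ""       # clinician who wrote a private note

@dataclass
class Patient:
    patient_id: str
    # user ids named in the patient's specific written authorization for their notes
    psy_note_authorized: set = field(default_factory=set)
    part2_consent: bool = False  # the single TPO consent the 2024 Part 2 rule allows

@dataclass
class Request:
    user_id: str
    role: str                 # "clinician", "billing", "supervisor", "vendor"
    purpose: Purpose
    vendor_has_baa: bool = False
    justification: str = ""   # free-text reason, required for break-the-glass

AUDIT_LOG = []                # every decision, allowed or denied, is appended here

def authorize(req: Request, rec: Record, pt: Patient) -> bool:
    """Decide one access, log it, and return True only if it is allowed."""
    if req.purpose is Purpose.EMERGENCY:
        # Break-the-glass: on-call clinician or supervisor with a written reason. It
        # bypasses the layer rules below, which is exactly why the entry is logged.
        allowed = req.role in {"clinician", "supervisor"} and bool(req.justification.strip())
        reason = "break-the-glass"
    elif rec.layer is Layer.PSY_NOTE:
        # Private notes never join analytics or exports; the author may read their own
        # note for treatment; anyone else needs the patient's specific authorization.
        if req.purpose is Purpose.ANALYTICS:
            allowed, reason = False, "psychotherapy notes excluded from analytics/export"
        elif req.user_id == rec.author_id and req.purpose is Purpose.TREATMENT:
            allowed, reason = True, "author reading own note"
        else:
            allowed = req.user_id in pt.psy_note_authorized
            reason = "specific written authorization " + ("on file" if allowed else "missing")
    elif rec.layer is Layer.PART2_SUD:
        # Part 2: treatment, payment and operations only with consent on file; nothing to analytics.
        allowed = req.purpose in TPO and pt.part2_consent
        reason = ("part 2 consent missing" if not pt.part2_consent
                  else "part 2 tpo with consent" if allowed else "part 2: purpose is not tpo")
    else:
        # Ordinary PHI: TPO needs no per-use consent; analytics only behind a signed BAA.
        allowed = req.purpose in TPO or (req.purpose is Purpose.ANALYTICS and req.vendor_has_baa)
        reason = "hipaa tpo" if req.purpose in TPO else ("baa on file" if allowed else "no baa")
    AUDIT_LOG.append({
        "at": datetime.now(timezone.utc).isoformat(),
        "user": req.user_id, "role": req.role, "purpose": req.purpose.value,
        "record": rec.record_id, "layer": rec.layer.value,
        "allowed": allowed, "reason": reason, "justification": req.justification,
    })
    return allowed
```

Because denials are logged alongside grants, the audit trail shows who tried to reach a private note or an addiction record, not only who succeeded.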

Figure 2. The crisis-escalation flow. Every branch is logged, and the duty-to-warn branch follows the patient's state law, which is why the rule cannot be hard-coded once. (Diagram: decision flow from risk detected through assessment to de-escalation, 988, 911, or duty-to-warn, with logging at each step.)

Remote prescribing: the rule that changes every year

Many behavioral health products prescribe. Psychiatry platforms prescribe antidepressants and stimulants; addiction-treatment services prescribe buprenorphine for opioid use disorder. The moment a controlled substance is involved, a special and frequently changing federal regime applies, and a builder needs to understand its shape even though the dates move.

The base law is the Ryan Haight Online Pharmacy Consumer Protection Act of 2008, which generally requires at least one in-person medical evaluation before a controlled substance can be prescribed over the internet (codified at 21 U.S.C. §829(e)). During the COVID-19 public health emergency, the Drug Enforcement Administration (DEA) waived that in-person requirement, and removing the waiver abruptly would create what regulators call the "telemedicine cliff." To avoid it, the DEA and HHS have repeatedly extended the flexibilities. The current extension — the Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities (Federal Register 2025-24123) — keeps remote prescribing of controlled substances broadly available from January 1, 2026 through December 31, 2026, with permanent rules expected before that window closes.

One piece is now permanent and specific to addiction treatment. The "Expansion of Buprenorphine Treatment via Telemedicine Encounter" final rule (Federal Register 2025-01049, published January 17, 2025, effective December 31, 2025) created a lasting pathway to start buprenorphine — the standard medication for opioid use disorder — over telemedicine without a prior in-person visit. The rule has conditions a product must enforce: the prescriber may use audio-only or audio-visual telemedicine; they must check the state Prescription Drug Monitoring Program (PDMP) where the patient is located and record the date and time of that check; and this method covers up to a single six-month supply per patient who has never been seen in person. After six months, the patient needs an in-person evaluation or another qualifying telemedicine pathway to continue.

The product lesson is not to memorize the dates — they will change — but to build the prescribing flow as configurable rules, not hard-coded logic: a PDMP check step that can be required per state, a documentation capture for the check, a counter that tracks the six-month window, and an in-person-evaluation gate that can be turned on or off as the federal rule moves. A platform that bakes today's flexibility into its code will break the day the rule expires.
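The configurable prescribing gate the paragraph above describes, as an added example written for this article (not Fora Soft's code): the rule set, state entries, timestamps and patients are constructed, and the dates in the config are there only to show that they are data the product reads, not logic it compiles in.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date

# Constructed rule set. The dates and toggles are the parts that move, so they live in
# configuration that is re-verified against the Federal Register, not in code.
RULES = {
    "federal": {
        "remote_controlled_flexibility_until": date(2026, 12, 31),  # current extension window
        "in_person_required_for_controlled": False,  # Ryan Haight default once the flexibility lapses
        "bup_tele_initiation": {          # buprenorphine telemedicine initiation pathway (permanent)
            "enabled": True,
            "max_supply_days": 180,       # a single six-month supply per never-seen-in-person patient
            "pdmp_check_required": True,  # PDMP of the state where the patient is located
            "audio_only_allowed": True,
        },
    },
    # Per-state toggles (constructed values); a state with no entry is a config gap, not a permission.
    "states": {"CA": {"pdmp_check_required": True}, "NV": {"pdmp_check_required": True}},
}

@dataclass
class PatientRx:
    patient_id: str
    state: str                        # where the patient is located for this encounter
    ever_seen_in_person: bool
    bup_tele_days_dispensed: int = 0  # counter for the six-month telemedicine-only window

@dataclass
class Encounter:
    on: date
    drug: str
    controlled: bool
    modality: str                     # "video" | "audio" | "in_person"
    supply_days: int = 30
    pdmp_checked_at: str | None = None  # ISO timestamp the product captured for the PDMP check

def evaluate(enc: Encounter, pt: PatientRx, rules: dict = RULES) -> tuple[bool, list[str]]:
    """Return (may_prescribe, reasons). Reasons name the block or the steps that were satisfied."""
    if not enc.controlled or enc.modality == "in_person":
        return True, ["remote controlled-substance gate does not apply"]
    fed = rules["federal"]
    state = rules["states"].get(pt.state)
    if state is None:
        return False, [f"no prescribing rules configured for state {pt.state}"]
    reasons = []
    bup = fed["bup_tele_initiation"]
    if enc.drug == "buprenorphine" and bup["enabled"]:
        if bup["pdmp_check_required"] or state["pdmp_check_required"]:
            if not enc.pdmp_checked_at:
                return False, ["PDMP check for the patient's state not recorded"]
            reasons.append(f"PDMP checked at {enc.pdmp_checked_at}")
        if enc.modality == "audio" and not bup["audio_only_allowed"]:
            return False, ["audio-only not permitted for buprenorphine initiation"]
        if not pt.ever_seen_in_person:
            used = pt.bup_tele_days_dispensed
            if used + enc.supply_days > bup["max_supply_days"]:
                return False, [f"telemedicine-only supply cap reached ({used}/{bup['max_supply_days']} days); "
                               "in-person evaluation or another qualifying pathway needed"]
            reasons.append(f"telemedicine-only supply {used + enc.supply_days}/{bup['max_supply_days']} days")
        return True, reasons
    # Every other controlled substance rides on the dated federal flexibility.
    flexibility_active = enc.on <= fed["remote_controlled_flexibility_until"]
    if (fed["in_person_required_for_controlled"] or not flexibility_active) and not pt.ever_seen_in_person:
        return False, ["in-person evaluation required: Ryan Haight applies, no flexibility in effect"]
    if state["pdmp_check_required"] and not enc.pdmp_checked_at:
        return False, ["state PDMP check not recorded"]
    return True, reasons + ["remote prescribing allowed under the configured flexibility"]

def record_dispense(enc: Encounter, pt: PatientRx) -> int:
    """Advance the six-month counter after a telemedicine-only buprenorphine supply is issued."""
    if enc.drug == "buprenorphine" and not pt.ever_seen_in_person:
        pt.bup_tele_days_dispensed += enc.supply_days
    return pt.bup_tele_days_dispensed
```

When the federal window closes, only the `remote_controlled_flexibility_until` date changes; the code path that enforces the in-person gate is already there.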

Figure 3. The remote-prescribing decision tree. The dated boxes move; the structure does not. Build the flow as configurable rules so a date change is a config edit, not a code rewrite. (Diagram: decision tree for remote prescribing, covering Ryan Haight, the 2026 DEA flexibility, and the buprenorphine six-month pathway.)

Where the patient sits decides who can treat them

A clinician is licensed by a state, and in US telehealth the rule of thumb is that care happens where the patient is located, not where the clinician is. For a behavioral health platform that wants to match a patient in one state with the best available clinician in another, cross-state licensing is a core product constraint, not a back-office detail.

Behavioral health is, fortunately, ahead of most specialties here, because of interstate compacts — agreements that let a clinician licensed in one member state practice in others without collecting a separate license for each. The Psychology Interjurisdictional Compact (PSYPACT) is the most mature: as of early 2026, roughly 43 states and territories participate, and a psychologist with PSYPACT authorization can deliver telepsychology across all member states. Parallel compacts exist for counselors (the Counseling Compact) and social workers (the Social Work Compact), expanding the pool further. The practical consequence: your scheduling and matching logic has to know each clinician's licenses and compact authorizations and each patient's location, and only offer matches that are legal. This is also why behavioral health platforms re-confirm patient location at every visit — a patient who travels can move out of the zone where their clinician may treat them.

Coverage and payment follow the same where-the-patient-sits logic. Medicare has made several behavioral-health telehealth flexibilities permanent: the patient's home counts as a valid location, the old rural-only geographic limits do not apply to mental health, and audio-only sessions are permanently allowed for mental health when the patient cannot or will not use video. But not everything is permanent — a requirement for an in-person visit within six months before the first Medicare mental-health telehealth service is set to return after January 30, 2026 (with an exception for patients already established before that date), per Section 1834(m) of the Social Security Act and CMS's 2026 telehealth guidance. On the commercial side, the 2024 Mental Health Parity and Addiction Equity Act final rule (Federal Register 2024-20612, effective November 22, 2024) pushes plans to make mental-health access genuinely comparable to medical access, and explicitly names expanding telehealth as one way to do it. As with prescribing, treat these as dated, jurisdictional facts to re-verify — not constants.

A worked example: the cost of a wrong location field

To make the location point concrete, walk the arithmetic of a single bad design choice. Suppose a platform captures the patient's location only once, at signup, and never re-confirms it. A patient signs up in a PSYPACT state, is matched with a psychologist practicing under PSYPACT authorization, and then moves to a non-member state for a new job. Every subsequent session is now, on paper, the clinician practicing in a state where they are not authorized.

Count the exposure. If that patient has a weekly session, that is roughly 4 sessions a month, about 48 a year, each one a potential licensing violation. Multiply across even 1% of a 10,000-patient panel that relocates in a year — 100 patients × 48 sessions = 4,800 non-compliant encounters generated by one missing re-confirmation step. The fix costs almost nothing: a single "Where are you located today?" prompt at session start, checked against the clinician's authorizations. The omission costs a regulatory mess and possibly the clinician's license. In behavioral health, the cheap input field is the compliance control.
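The license-and-compact matching logic from the previous section and the relocation arithmetic of this worked example, as one added example written for this article (not Fora Soft's code): the compact membership sets, the clinicians and the panel numbers are constructed, not the real compact maps.

```python
from dataclasses import dataclass, field

# Constructed compact membership for illustration only; the real maps change, so the
# product should load them from configuration that is re-verified against each compact.
COMPACTS = {
    "PSYPACT": {"profession": "psychologist", "members": {"CO", "GA", "OH", "PA", "TX", "VA"}},
    "COUNSELING": {"profession": "counselor", "members": {"GA", "OH", "TN"}},
    "SOCIAL_WORK": {"profession": "social_worker", "members": {"MO", "OH"}},
}

@dataclass
class Clinician:
    clinician_id: str
    profession: str                   # "psychologist" | "counselor" | "social_worker"
    state_licenses: set = field(default_factory=set)
    compact_authorizations: set = field(default_factory=set)  # e.g. {"PSYPACT"}

def may_treat(clin: Clinician, patient_state: str, compacts: dict = COMPACTS) -> bool:
    """True if the clinician holds a license or a matching compact authorization for that state."""
    if patient_state in clin.state_licenses:
        return True
    for name in clin.compact_authorizations:
        comp = compacts.get(name)
        # A compact covers only its own profession; a social worker flagged PSYPACT is a data error.
        if comp and comp["profession"] == clin.profession and patient_state in comp["members"]:
            return True
    return False

def eligible_clinicians(clinicians: list, patient_state: str) -> list:
    """Matching step: offer only clinicians who may legally treat where the patient is today."""
    return [c.clinician_id for c in clinicians if may_treat(c, patient_state)]

@dataclass
class Session:
    patient_id: str
    clinician_id: str
    signup_state: str    # the location captured once at signup
    state_today: str     # the answer to "Where are you located today?"

def check_in(sess: Session, clin: Clinician, reconfirm: bool) -> str:
    """Gate at session start: "ok", "rematch" (blocked before it starts) or "violation"."""
    believed = sess.state_today if reconfirm else sess.signup_state
    if not may_treat(clin, believed):
        return "rematch"
    # The product believes the session is legal; it actually is only if today's location is covered.
    return "ok" if may_treat(clin, sess.state_today) else "violation"

def exposure(panel_size: int, relocate_fraction: float, sessions_per_year: int,
             reconfirm: bool, clin: Clinician, home: str = "TX", moved_to: str = "FL") -> dict:
    """Walk the article's arithmetic: a year of sessions for a panel where some patients relocate."""
    movers = int(panel_size * relocate_fraction)
    counts = {"ok": 0, "rematch": 0, "violation": 0}
    for i in range(panel_size):
        today = moved_to if i < movers else home
        sess = Session(f"p{i}", clin.clinician_id, home, today)
        # every session in the patient's year has the same outcome, so score once and weight
        counts[check_in(sess, clin, reconfirm)] += sessions_per_year
    return counts
```

With `reconfirm=False` the 100 relocated patients produce the 4,800 out-of-jurisdiction encounters counted above; with `reconfirm=True` the same 4,800 sessions are stopped at check-in and routed to rematching instead.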

Group therapy changes the architecture

One-on-one teletherapy is, technically, an ordinary two-person video call wrapped in the compliance layers above. Group therapy is different, and it is a large part of behavioral health — addiction recovery groups, DBT skills groups, support groups. Putting several patients and a facilitator on a call at once changes the media architecture and adds privacy problems that one-on-one care does not have.

On the media side, a multi-party clinical call should run through a Selective Forwarding Unit (SFU) — a media server that receives each participant's video and selectively forwards the streams to everyone else, rather than forcing every device to send a copy to every other device. The SFU is the right topology because it scales to a group without melting a patient's phone or home connection, and because it gives you a single, controllable point where recording, captioning, and access control can be enforced. (The protocol internals of SFUs versus peer-to-peer and the rest of the WebRTC stack are covered in our Video Streaming section; this playbook is about the clinical wiring, so we link rather than re-derive.)

The privacy problems are specific to group care. Patients in a group can see and hear each other, so the platform has to manage what each participant reveals — display names rather than full legal names, the ability to keep video off, and clear consent that other patients are present. Recording a group multiplies the consent problem, because a recording captures every patient at once, and one participant cannot consent for the others. And if the group is an addiction group, 42 CFR Part 2 applies to the fact of attendance itself, because being in the group reveals that the person is in substance-use treatment. Group care is where the compliance layers stop being abstract and start dictating concrete UI: name display, consent screens, recording defaults, and who can join.

Figure 4. Group therapy runs through an SFU so it scales and so recording, captions, and access have one enforcement point. The privacy boundary and per-participant consent are clinical requirements, not nice-to-haves. (Diagram: group therapy on an SFU, showing the media server, participant streams, the privacy boundary, and consent and recording controls.)

Consent, recording, and retention — the behavioral-health version

Every telemedicine product handles consent and recording. Behavioral health handles them under tighter constraints, and the defaults should be more conservative.

Recording a therapy session is clinically and legally fraught in a way that recording, say, a dermatology photo review is not. A recorded session is a permanent, highly stigmatizing artifact, and many therapists and patients do not want one to exist. The safe default for behavioral health is not to record unless there is a specific clinical or training reason and explicit, revocable consent from everyone on the call. When recordings do exist, they are PHI of the most sensitive kind: encrypt them at rest, store them inside the compliance boundary with a vendor that has signed a Business Associate Agreement — the contract, called a BAA, that legally binds any vendor handling PHI to protect it — and apply a deliberate retention period rather than keeping them forever. Remember the layer rules: a session that is a therapy session may also produce psychotherapy notes that must be locked separately, and a session that is an addiction-treatment session falls under Part 2.

Consent in behavioral health also has to handle people the ordinary model ignores. Minors are the clearest case: under the HIPAA Privacy Rule (45 CFR §164.502(g)) a parent is usually the personal representative of a minor and can access the child's records — but the rule defers to state law, and many states let an adolescent consent to mental-health or substance-use treatment on their own, in which case the teenager, not the parent, controls those records. A behavioral health platform that serves anyone under 18 needs a consent and access model that can represent "the parent sees the chart, except the parts the state says the teen controls." That is genuinely hard to build, and it is a place where you involve counsel early rather than guessing.

Common mistakes in behavioral health builds

A few failure patterns show up again and again. Each one is avoidable.

  • Treating mental-health PHI as ordinary PHI. The most common mistake is building a competent HIPAA stack and stopping there — no separate store for psychotherapy notes, no Part 2 consent model for addiction records. The extra layers are not optional polish.
  • Putting the crisis path in the backlog. Teams ship the happy-path video and plan to "add safety features later." There is no later; the first at-risk patient arrives on day one.
  • Recording by default. Turning recording on for "quality" or "training" without per-call, all-party consent creates a library of the most sensitive recordings imaginable and a breach waiting to happen. Default off.
  • Hard-coding the prescribing and licensing rules. Baking the 2026 DEA flexibility or today's compact map into application logic guarantees a break when the rule changes — and these rules change yearly. Build them as configuration.
  • Capturing location once. A signup-only location field quietly turns legal sessions into out-of-jurisdiction ones the moment a patient travels or moves. Re-confirm at every visit.
  • Un-BAA'd analytics and AI. Dropping a consumer analytics SDK or an AI feature into a behavioral health app sends the most stigmatizing data to a vendor with no BAA. Encrypted is not the same as compliant; every vendor that can see PHI needs a signed BAA.

Engagement is a clinical outcome, not a growth metric

One feature of this vertical deserves a non-compliance word: engagement. In most software, retention is a business number. In behavioral health, it is closer to a clinical one, because treatment only works if the patient comes back, and the evidence that teletherapy improves attendance is one of its strongest selling points. That changes how you design. Frictionless rejoining after a dropped call, reminders that respect privacy (a notification that does not reveal a diagnosis on a lock screen), a waiting-room experience that is calming rather than clinical, and progress that the patient can see — these are not engagement hacks, they are part of making the treatment effective. The design goal is a product a person in distress will actually open again next week. That goal sits comfortably next to the compliance goal: a platform that is safe and private is also one a patient can trust enough to keep using.

Where Fora Soft fits in

Fora Soft has built real-time video, conferencing, and WebRTC products since 2005, including telemedicine platforms where the video is the care. In behavioral health the requirement comes first: the data carries extra federal protections, the crisis path has to exist before launch, and the prescribing and licensing rules have to be built as configuration because they move every year. We build the video core — one-on-one and group on an SFU, recording controls, captioning — inside that compliance boundary, with the separate stores and consent models the vertical demands. The capability follows the requirement, which is the only order that works in healthcare.

References

  1. SAMHSA / HHS, "Confidentiality of Substance Use Disorder (SUD) Patient Records," 42 CFR Part 2, Final Rule, Federal Register 2024-02544 (published Feb 16, 2024; effective Apr 16, 2024; compliance Feb 16, 2026). https://www.federalregister.gov/documents/2024/02/16/2024-02544/confidentiality-of-substance-use-disorder-sud-patient-records (Tier 1: primary rule).
  2. eCFR, "42 CFR Part 2 — Confidentiality of Substance Use Disorder Patient Records" (current). https://www.ecfr.gov/current/title-42/chapter-I/subchapter-A/part-2 (Tier 1: primary rule text).
  3. HHS, "HIPAA Privacy Rule and Sharing Information Related to Mental Health" (psychotherapy notes, 45 CFR §164.501 / §164.508(a)(2)). https://www.hhs.gov/sites/default/files/hipaa-privacy-rule-and-sharing-info-related-to-mental-health.pdf (Tier 1: agency guidance on primary rule).
  4. HHS Office for Civil Rights, "Mental Health" FAQs, including minors and personal representatives (45 CFR §164.502(g)). https://www.hhs.gov/hipaa/for-professionals/faq/mental-health/index.html (Tier 1: agency guidance).
  5. DEA / HHS, "Fourth Temporary Extension of COVID-19 Telemedicine Flexibilities for Prescription of Controlled Medications," Federal Register 2025-24123 (effective Jan 1, 2026 – Dec 31, 2026). https://www.federalregister.gov/documents/2025/12/31/2025-24123/fourth-temporary-extension-of-covid-19-telemedicine-flexibilities-for-prescription-of-controlled (Tier 1: primary rule).
  6. DEA / HHS, "Expansion of Buprenorphine Treatment via Telemedicine Encounter," Final Rule, Federal Register 2025-01049 (published Jan 17, 2025; effective Dec 31, 2025). https://www.federalregister.gov/documents/2025/01/17/2025-01049/expansion-of-buprenorphine-treatment-via-telemedicine-encounter (Tier 1: primary rule).
  7. SAMHSA, "Buprenorphine Telemedicine Prescribing: Questions and Answers" (PDMP check, six-month pathway). https://www.samhsa.gov/substance-use/treatment/statutes-regulations-guidelines/buprenorphine-telemedicine-prescribing (Tier 1: agency guidance).
  8. CMS, "Telehealth FAQ — Calendar Year 2026" (Medicare behavioral-health telehealth, in-person requirement after Jan 30, 2026; audio-only). https://www.cms.gov/files/document/telehealth-faq-updated-11-20-2025.pdf (Tier 1: agency guidance).
  9. Departments of Labor, HHS, and Treasury, "Requirements Related to the Mental Health Parity and Addiction Equity Act," Final Rule, Federal Register 2024-20612 (effective Nov 22, 2024). https://www.federalregister.gov/documents/2024/09/23/2024-20612/requirements-related-to-the-mental-health-parity-and-addiction-equity-act (Tier 1: primary rule).
  10. SAMHSA, "988 Suicide & Crisis Lifeline" — overview and escalation. https://www.samhsa.gov/mental-health/988 (Tier 1: agency program).
  11. PSYPACT (Psychology Interjurisdictional Compact), official site and participating-states map (≈43 states/territories, early 2026). https://psypact.gov/ (Tier 3: governing body).
  12. Tarasoff v. Regents of the University of California (1976), duty to warn/protect; see overview. https://en.wikipedia.org/wiki/Duty_to_warn (Tier 6: orientation only; confirm the controlling rule in each state with counsel).
  13. Psychiatric Services (APA), "Patient Experiences With Group Teletherapy for the Treatment of Mental Illness: A Qualitative Study" (2024). https://psychiatryonline.org/doi/10.1176/appi.ps.20240058 (Tier 5: peer-reviewed).
  14. Precedence Research / The Business Research Company, mental-health and digital-mental-health market sizing (2026 estimates). https://www.precedenceresearch.com/mental-health-apps-market (Tier 7: market estimate; figures vary by firm).

Where lower-tier sources (e.g., the duty-to-warn overview, market sizes) touched a regulatory point, the article followed the primary rule and flagged the lower-tier source as orientation only.