Hiring a virtual assistant for your therapy practice sounds straightforward until you remember that your clients' most sensitive personal information runs through every part of your admin operation. Scheduling systems, billing platforms, intake forms, insurance records — all of it touches protected health information. The wrong hire doesn't just create administrative problems. It creates HIPAA liability.

Most general virtual assistants have no training in healthcare privacy requirements, no experience with therapy-specific platforms, and no understanding of what's actually at stake when something goes wrong with a client's protected data. Here's exactly what to look for before you hand anyone access to your practice.

Start with the BAA — before anything else

A Business Associate Agreement is a legally required contract under HIPAA between you and any vendor who handles protected health information on your behalf. It is not optional. It is not something you sort out later. If a virtual assistant has access to your EHR, your scheduling system, your billing platform, or your client emails, a signed BAA must be in place first.

If a VA hesitates when you ask about a BAA — or doesn't know what one is — that's your answer. End the conversation.

"A BAA isn't paperwork. It's the legal foundation that makes the entire working relationship compliant. It has to come first."

The full checklist before you hire

What to verify before giving anyone access to your practice
They will sign a BAANon-negotiable. Ask upfront. If they don't know what it is, stop there.
They have real experience with your platformsSimplePractice, ZocDoc, Headway — not just general admin tools. Training someone on therapy-specific software takes weeks you don't have.
They understand what PHI isAsk them directly. They should be able to define protected health information and explain how they handle it.
They communicate on HIPAA-compliant channelsStandard Gmail and consumer messaging apps are not HIPAA compliant. Ask what platforms they use for client-related communication.
They have mental health practice experience specificallyGeneral medical admin is different from therapy practice admin. The culture, the sensitivity, and the tools are not the same.
They can handle high-pace, independent workA busy practice doesn't slow down to hand-hold its admin support. The right VA is self-directed and keeps up without being managed.
They have a clear process for billing follow-upAsk specifically how they handle denied claims and overdue invoices. Vague answers here cost you money.

The agency problem

Many therapists turn to VA agencies because they seem like the safer, more professional option. In practice, agencies introduce a problem that solo admins don't: you don't know who's actually handling your client data. Agencies assign staff, rotate team members, and operate at a distance from the specific needs of your practice. Every new person assigned to your account is a new person with access to your systems — and a new training cycle you have to run.

When you hire an individual directly, you know exactly who has access, you build a real working relationship, and the person handling your practice becomes genuinely familiar with how it runs. That familiarity has real value — and it's nearly impossible to achieve through an agency.

One thing to watch for: Some VAs market themselves as "HIPAA compliant" without having a real compliance process in place. HIPAA compliance is not a certification you earn — it's a set of ongoing practices. Ask for specifics: what platforms do they use, how do they store client information, what happens in the event of a data incident? Confident, specific answers are a good sign. Vague reassurances are not.

What good looks like

A genuinely qualified virtual admin for a therapy practice brings a BAA to the table without being asked. They know SimplePractice well enough to train you on features you didn't know existed. They handle billing follow-up without being prompted — and they're persistent enough to chase overdue invoices until they're paid. They pick up the phone when clients call, handle the conversation professionally, and keep your clinical headspace protected.

That combination — compliance knowledge, platform fluency, billing tenacity, and strong client-facing communication — is specific. It's not what most general VAs offer. But it's exactly what a therapy practice needs.

Wallace Admin checks every box on this list.

BAA signed before anything begins. Years inside a real therapy practice. SimplePractice, ZocDoc, and Headway fluency from day one.

Talk to Amy →