⚠️ January 2025 HIPAA Security Rule Updates Now in Effect

Telehealth & HIPAA Compliance

Essential requirements for delivering compliant virtual care, securing video platforms, and protecting patient information in remote healthcare settings.

The rapid expansion of telehealth services has transformed healthcare delivery, but it also introduces significant HIPAA compliance challenges. Virtual care requires the same level of privacy and security protection as in-person visits, with additional considerations for technology platforms, remote communications, and home-based care environments.

Many healthcare organizations rushed to implement telehealth during the COVID-19 pandemic using consumer video platforms. While enforcement discretion temporarily allowed this, those flexibilities have ended. Organizations must now ensure full HIPAA compliance for all telehealth operations.

Important: Enforcement Discretion Has Ended

OCR's pandemic-era enforcement discretion for telehealth platforms ended in 2023. Using non-compliant consumer platforms (standard Zoom, Skype, FaceTime, Google Meet) for telehealth visits now constitutes a HIPAA violation subject to penalties.

Core Telehealth Platform Requirements

Your telehealth platform must meet these minimum HIPAA requirements before transmitting any patient health information.

End-to-End Encryption

Video, audio, and chat communications must be encrypted in transit using TLS 1.2 or higher. Note that transport encryption alone is not true end-to-end encryption: the platform vendor can still decrypt traffic on its own servers, which is one reason a signed BAA is required alongside it.

Access Controls

Implement unique user authentication, automatic session timeouts, and role-based permissions.

Business Associate Agreement

Obtain a signed BAA from your telehealth platform vendor before transmitting any PHI.

Audit Logging

Platform must maintain detailed logs of who accessed patient information and when.

Telehealth HIPAA Compliance Checklist

Obtain signed Business Associate Agreement from telehealth platform provider
Verify end-to-end encryption for all video, audio, and messaging
Implement multi-factor authentication for provider access
Configure automatic session timeouts (15 minutes of inactivity)
Enable audit logging and review access logs regularly
Train staff on telehealth privacy and security procedures
Develop policies for virtual waiting rooms and patient identification
Ensure screen sharing controls prevent unauthorized PHI disclosure
Implement secure patient registration and intake processes
Create incident response procedures for telehealth security events
Document risk analysis specific to telehealth operations
Establish procedures for emergency access to patient records
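As an added example (not part of the original checklist or any vendor's product), the following Python script automates two of the items above over constructed platform audit-log records: it flags session idle gaps longer than the 15-minute timeout that the platform did not close, lists PHI views made in sessions whose login lacked MFA, and produces the who-accessed-what-and-when report the audit-logging requirement calls for. The record field names (`ts`, `user`, `session`, `event`, `mfa`, `patient`) are assumed, since real platforms each use their own export format.

```python
from datetime import datetime, timedelta

IDLE_TIMEOUT = timedelta(minutes=15)  # the session-timeout value from the checklist

# Constructed sample audit-log records (not from any real platform). Field names
# are assumed; map your vendor's export onto them before running the checks.
SAMPLE_LOG = [
    {"ts": "2025-03-03T09:00:00", "user": "dr.lee", "session": "s1", "event": "login", "mfa": True},
    {"ts": "2025-03-03T09:05:00", "user": "dr.lee", "session": "s1", "event": "view_record", "patient": "P-1001"},
    {"ts": "2025-03-03T09:40:00", "user": "dr.lee", "session": "s1", "event": "view_record", "patient": "P-1002"},
    {"ts": "2025-03-03T09:41:00", "user": "dr.lee", "session": "s1", "event": "logout"},
    {"ts": "2025-03-03T10:00:00", "user": "rn.kim", "session": "s2", "event": "login", "mfa": False},
    {"ts": "2025-03-03T10:02:00", "user": "rn.kim", "session": "s2", "event": "view_record", "patient": "P-1003"},
    {"ts": "2025-03-03T10:12:00", "user": "rn.kim", "session": "s2", "event": "session_timeout"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def idle_timeout_violations(log, limit=IDLE_TIMEOUT):
    """Return (session, user, idle_minutes) for each gap between consecutive events
    in one session that exceeds the limit and was NOT closed by an automatic
    'session_timeout' event; such a gap means the timeout was not enforced."""
    by_session = {}
    for rec in log:
        by_session.setdefault(rec["session"], []).append(rec)
    violations = []
    for sid, events in by_session.items():
        events.sort(key=lambda r: r["ts"])  # ISO-8601 strings sort chronologically
        for prev, cur in zip(events, events[1:]):
            gap = _parse(cur["ts"]) - _parse(prev["ts"])
            if gap > limit and cur["event"] != "session_timeout":
                violations.append((sid, cur["user"], int(gap.total_seconds() // 60)))
    return violations


def phi_access_without_mfa(log):
    """Return (user, patient) pairs for PHI views in sessions whose login had no MFA."""
    mfa_ok = {r["session"]: r.get("mfa", False) for r in log if r["event"] == "login"}
    return [(r["user"], r["patient"]) for r in log
            if r["event"] == "view_record" and not mfa_ok.get(r["session"], False)]


def access_report(log):
    """Who accessed which patient's record, and when: the audit-logging requirement."""
    return [(r["ts"], r["user"], r["patient"]) for r in log if r["event"] == "view_record"]
```

Run against a real export, the first two functions give you the exceptions to investigate during the regular log review, and the third gives the access record to retain with your compliance documentation.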

Telehealth Platform Comparison

Not all video platforms are HIPAA compliant. Here's what you need to know about common options.

Platform                     | BAA Available | Encryption             | Notes
-----------------------------|---------------|------------------------|--------------------------------------------------------
Zoom for Healthcare          | Yes           | End-to-end available   | Separate healthcare product required, not standard Zoom
Doxy.me                      | Yes           | AES-256 encryption     | Purpose-built for telehealth, simple setup
VSee                         | Yes           | AES-256 encryption     | Enterprise telehealth platform with full EMR integration
Microsoft Teams (Healthcare) | Yes           | End-to-end encryption  | Requires healthcare-specific configuration and licensing
Standard Zoom/Skype/FaceTime | No            | Varies                 | NOT compliant - consumer versions cannot be used for PHI

Common Telehealth Compliance Pitfalls

Using Consumer Video Platforms

The Issue:

Zoom, Skype, FaceTime, and Google Meet consumer versions are NOT HIPAA compliant without a BAA.

The Solution:

Use healthcare-specific versions with signed BAAs (e.g., Zoom for Healthcare, Doxy.me, VSee).

Unsecured Patient Communications

The Issue:

Sending appointment links, instructions, or PHI via regular SMS or email exposes data.

The Solution:

Use patient portals or encrypted messaging systems for all communications containing PHI.

Inadequate Patient Identity Verification

The Issue:

Failing to properly verify patient identity before virtual visits creates privacy risks.

The Solution:

Implement multi-factor identity verification using birthdates, unique PINs, or photo ID checks.

Recording Without Consent

The Issue:

Recording telehealth sessions without explicit patient consent violates the HIPAA Privacy Rule.

The Solution:

Obtain documented consent before recording, store recordings securely, and apply retention policies.

Unsecured Home Networks

The Issue:

Providers accessing ePHI over public or unsecured Wi-Fi networks risk data interception.

The Solution:

Require VPN use for remote access, implement endpoint security, and train on safe network practices.

Remote Patient Monitoring (RPM) Considerations

Remote patient monitoring devices and applications introduce additional HIPAA compliance requirements beyond basic telehealth visits.

Device Security
  • Ensure all RPM devices encrypt data in transit and at rest
  • Obtain BAAs from device manufacturers and app developers
  • Implement secure device pairing and authentication mechanisms
  • Establish procedures for device loss, theft, or disposal
Mobile App Requirements
  • Verify app uses secure API connections (HTTPS/TLS 1.2+)
  • Ensure patient authentication before accessing PHI
  • Implement automatic logout after period of inactivity
  • Prevent data caching on patient devices or use encrypted local storage

Provider Best Practices for Secure Telehealth

Network Security
  • Use VPN when accessing ePHI remotely
  • Avoid public Wi-Fi networks for telehealth
  • Secure home networks with WPA3 encryption
  • Update router firmware regularly
Device Security
  • Enable full-disk encryption on all devices
  • Use strong passwords and biometric authentication
  • Install endpoint protection software
  • Keep operating systems and apps updated
Physical Environment
  • Conduct visits in private, secure locations
  • Position screens away from windows/doorways
  • Use privacy screens on monitors
  • Lock devices when stepping away
Patient Privacy
  • Verify patient identity at start of each visit
  • Confirm patient is in private setting
  • Obtain consent before recording sessions
  • Close all unnecessary applications before visits

Key Takeaways

  • Consumer video platforms are not compliant. Standard Zoom, Skype, FaceTime, and Google Meet cannot be used for telehealth without healthcare-specific versions and signed BAAs.
  • End-to-end encryption is not enough by itself. You also need access controls, audit logging, BAAs, and proper security policies.
  • Remote patient monitoring creates additional obligations. RPM devices, apps, and data transmission require separate risk analysis and security measures.
  • Provider education is critical for compliance. Train all telehealth providers on network security, device security, and privacy best practices.
  • Document everything. Maintain records of platform selection, risk analysis, BAAs, policies, training, and security configurations.
