For about three years, telehealth providers operated under an unofficial safety net. In March 2020, the Office for Civil Rights announced it would exercise “enforcement discretion” for telehealth — meaning providers could use platforms like FaceTime, Skype, and consumer Zoom without fear of HIPAA penalties. The pandemic demanded rapid adoption, and OCR wasn’t going to stand in the way.
That discretion has ended: first temporarily in May 2023, and then permanently, as OCR made clear that all telehealth services must fully comply with the HIPAA Privacy, Security, and Breach Notification Rules. If your practice adopted telehealth during the pandemic and never upgraded your setup, you are now operating out of compliance.
This isn’t theoretical. OCR is actively investigating telehealth-related complaints, and the proposed 2026 Security Rule changes will tighten requirements further. Here’s what you need to know.
The Enforcement Discretion Is Over — What That Actually Means
During the enforcement discretion period, OCR said it would not impose penalties for good-faith use of non-public-facing communication platforms for telehealth. Providers could use Apple FaceTime, Facebook Messenger video, Google Hangouts, Zoom (consumer version), and Skype. The only platforms explicitly excluded were public-facing ones like TikTok Live or Facebook Live.
That was always a temporary measure. Now, the standard HIPAA requirements apply to telehealth exactly as they apply to any other method of creating, receiving, maintaining, or transmitting electronic protected health information (ePHI).
That means:
- Every platform that handles ePHI needs a Business Associate Agreement (BAA)
- Every telehealth session must occur over an encrypted, access-controlled connection
- Every provider must include telehealth in their risk assessment
- Every recording, message, and file shared during a telehealth visit is ePHI and must be protected accordingly
If your practice stood up telehealth quickly in 2020 and hasn’t revisited it since, now is the time. OCR has made clear that the pandemic grace period is behind us.
Which Video Platforms Are HIPAA Compliant (and Which Are Not)
This is the question providers ask most often, and the answer depends on more than just the platform itself. A platform is HIPAA compliant only if (1) it offers the necessary security features and (2) the vendor will sign a BAA with you.
Platforms That Can Be HIPAA Compliant
These platforms offer HIPAA-eligible configurations and will sign a BAA:
- Doxy.me — Purpose-built for telehealth. Offers a free tier that is HIPAA compliant with a signed BAA. No downloads required for patients. This is the most straightforward option for small practices.
- Zoom for Healthcare — This is not the same as regular Zoom. Zoom for Healthcare is a separate product with a BAA, end-to-end encryption options, and compliance features like waiting rooms, session locking, and audit logs. You must be on the Zoom for Healthcare plan specifically.
- Microsoft Teams with BAA — Available through Microsoft 365 business and enterprise plans. Microsoft will sign a BAA, but you must configure Teams correctly — disable cloud recording unless storage meets HIPAA requirements, manage retention policies, and restrict external sharing.
- Google Meet with BAA — Available through Google Workspace (formerly G Suite) business and enterprise tiers. Google will sign a BAA covering Meet, but again, the configuration matters. Consumer Gmail accounts with Google Meet do not qualify.
Platforms That Are NOT HIPAA Compliant
These platforms do not offer BAAs and cannot be used for telehealth under current HIPAA requirements:
- Regular Zoom (free or Pro plans without the Healthcare add-on) — No BAA available. This is the number one mistake providers make. If you signed up for Zoom during the pandemic and never upgraded to the Healthcare plan, you are using the wrong product.
- Apple FaceTime — Apple does not sign BAAs. Period. FaceTime is end-to-end encrypted, but encryption alone does not equal HIPAA compliance. Without a BAA, you have no contractual assurance about how Apple handles ePHI, no breach notification obligations, and no audit controls.
- Skype — Microsoft does not offer a BAA for Skype (consumer). It is a separate product from Microsoft Teams.
- WhatsApp — Meta does not sign BAAs for WhatsApp. Despite its encryption, it cannot be used for clinical telehealth.
- Facebook Messenger — Same issue. No BAA, no HIPAA compliance.
- Google Duo / Consumer Google Meet — The consumer versions of Google’s video tools are not covered under any BAA.
The key distinction: the platform’s security features are only half the equation. Without a signed BAA, even an encrypted, secure platform is not HIPAA compliant for telehealth use.
The BAA Requirement: What It Actually Covers
A Business Associate Agreement is a contract between your practice (the covered entity) and the technology vendor (the business associate) that establishes:
- What ePHI the vendor will handle — video streams, chat messages, recordings, metadata
- How the vendor will protect that ePHI — encryption standards, access controls, employee training
- What happens in a breach — notification timelines, cooperation with investigations, liability
- Permitted uses and disclosures — the vendor can only use the ePHI for the purposes you’ve agreed to
- Subcontractor obligations — if the vendor uses third parties (cloud hosting, for example), those subcontractors must also comply
A BAA is not optional. Under the HIPAA Privacy Rule, you may not disclose ePHI to a business associate without a BAA in place. And a telehealth video session absolutely involves the disclosure of ePHI to the platform vendor — patient faces, clinical conversations, potentially screen-shared medical records.
If a vendor refuses to sign a BAA, you cannot use their product for telehealth. Full stop.
One common mistake: assuming that a BAA exists because you’re paying for a business account. Payment does not equal a BAA. You need an actual signed agreement. Most compliant vendors make this available through their admin portal or during enterprise onboarding — but you need to verify it exists in writing.
Home Office Requirements for Telehealth Providers
The shift to telehealth also meant a shift to home offices, and this is where HIPAA compliance gets personal. Your living room is not automatically a compliant clinical environment.
OCR has not issued specific “home office” rules, but the HIPAA Security Rule’s administrative, physical, and technical safeguard requirements apply regardless of where you deliver care. In practical terms, this means:
Screen Visibility
Your screen must not be visible to unauthorized individuals during a telehealth session. If your spouse, children, roommates, or anyone else can see your screen while you’re treating a patient, that’s a potential unauthorized disclosure. Position your monitor so it faces a wall or use a privacy screen filter.
Shared Computers
If you use a shared family computer for telehealth, you have a problem. HIPAA requires unique user identification and access controls. Your teenager logging into the same computer and potentially accessing your telehealth platform, browser history, or saved credentials is a compliance violation. Use a dedicated device for clinical work, or at minimum, use separate user accounts with strong passwords and automatic session lockout.
Audio Privacy
Family members or roommates overhearing a telehealth session constitutes an unauthorized disclosure of PHI. Conduct sessions in a private room with the door closed. Use headphones. If you can’t guarantee audio privacy, you can’t conduct telehealth from that location.
Network Security
Your home Wi-Fi network should be encrypted (WPA2 or WPA3), password-protected, and ideally segmented so your clinical device is on a separate network from your family’s devices. Public Wi-Fi at a coffee shop is never acceptable for telehealth.
Physical Security
If your home office computer stores any ePHI (session recordings, notes, downloaded files), it must be physically secured when unattended. That means locking the room or locking the device — not leaving a laptop open on the kitchen table.
These are not hypothetical concerns. OCR investigators will ask about your physical environment when investigating a complaint, and “I was working from home” is not a defense for inadequate safeguards.
Patient Consent for Telehealth
HIPAA itself does not require specific written consent for telehealth. The HIPAA Privacy Rule’s consent provisions (which are optional for treatment, payment, and healthcare operations) don’t change based on the delivery method.
However, there are layers of consent that may apply:
Informed Consent for Telehealth
Most states require providers to obtain informed consent before delivering care via telehealth. This is a state requirement, not a HIPAA requirement, but it’s essential. The consent should cover:
- The nature and limitations of telehealth
- The technology being used
- Privacy and security risks specific to telehealth
- The patient’s right to refuse telehealth and seek in-person care
- How ePHI generated during the session will be stored and protected
Notice of Privacy Practices
Your Notice of Privacy Practices (NPP) should address telehealth. If your NPP was written before you offered telehealth, it likely doesn’t mention video sessions, chat-based communication, or remote monitoring. Update it to reflect how ePHI is created and handled during telehealth encounters.
State-Specific Requirements
State requirements vary significantly. Some states require verbal consent documented in the chart. Others require signed written consent. Some require consent to be renewed periodically. Check your state medical board’s telehealth guidelines — this is an area where state law frequently exceeds HIPAA’s requirements.
Recording Telehealth Sessions
Recording a telehealth session creates an ePHI-rich digital asset that must be managed under the HIPAA Security Rule. If you record sessions, you must address:
- Consent for recording — Many states require all-party consent for recording. Even where not legally required, best practice is to inform the patient and document their agreement.
- Encryption — Recordings must be encrypted both in transit and at rest. If your platform stores recordings in the cloud, that cloud storage must be covered under your BAA.
- Access controls — Who can access the recording? Only authorized workforce members with a need to know should be able to view it. Implement role-based access.
- Retention and disposal — How long will you keep the recording? Your retention policy should address telehealth recordings specifically. When it’s time to delete them, use secure deletion methods.
- Storage location — If recordings are stored on the provider’s local device, that device must meet all HIPAA Security Rule requirements. Cloud storage is often more manageable, but only if the cloud provider has a BAA in place.
The safest approach for most small practices: do not record telehealth sessions unless there’s a specific clinical need. The less ePHI you create, the less you have to protect.
Chat and Messaging Within Telehealth Platforms
The chat function in your telehealth platform — yes, it generates ePHI. If a patient types their symptoms, medication list, or any health information into the chat window, that’s protected health information.
This means:
- Chat logs must be stored with the same protections as any other ePHI
- Chat messages transmitted between your device and the platform’s servers must be encrypted in transit
- Retention policies must cover chat logs — they can’t persist indefinitely without security controls
- Patient access — if a patient requests their records, chat logs from telehealth sessions may be part of the designated record set and subject to Right of Access requirements
Check your telehealth platform’s settings. Some platforms retain chat logs by default. Others delete them after the session. Know what your platform does, and make sure it aligns with your policies.
Similarly, if you use a separate messaging platform to communicate with patients outside of scheduled visits (appointment reminders, follow-up questions, prescription notifications), that platform also needs a BAA and must comply with the Security Rule.
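The retention points above can be turned into a small, auditable routine. The following is an added example written for this page, not code from ComplyMD or from any telehealth vendor: it models chat logs as records with an end-of-session timestamp, applies a platform retention window (the 30-day default is an assumption), and refuses to dispose of any log that has been filed into the chart, because those logs are part of the designated record set and follow the medical-record retention schedule instead. The record fields, the sample data and the audit-entry shape are all constructed for illustration.

```python
"""Retention enforcement for telehealth chat logs.

Added example, not the page's or any vendor's code. Field names, the
30-day platform window and the sample records below are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ChatRecord:
    record_id: str
    patient_id: str
    session_end: datetime   # when the telehealth visit ended (UTC)
    filed_to_chart: bool    # True once the log is part of the designated record set


# Constructed sample data: a fixed "now" keeps the example reproducible.
NOW = datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)

SAMPLE_RECORDS = [
    ChatRecord("c1", "p-100", NOW - timedelta(days=5), False),   # recent, keep
    ChatRecord("c2", "p-100", NOW - timedelta(days=45), False),  # stale, dispose
    ChatRecord("c3", "p-200", NOW - timedelta(days=45), True),   # stale but in chart, keep
    ChatRecord("c4", "p-300", NOW - timedelta(days=31), False),  # just past window, dispose
]


def select_for_disposal(records, now, retention_days=30):
    """Logs older than the platform window that were never filed to the chart.

    Logs filed to the chart are deliberately excluded: the medical-record
    retention policy governs them, not the platform's transient window.
    """
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records
            if not r.filed_to_chart and r.session_end < cutoff]


def dispose(records, now, retention_days=30, actor="retention-job"):
    """Apply the policy and return (remaining_records, audit_entries).

    The audit trail records which record was disposed, when and by whom,
    without copying any chat content into the log. Physical overwrite or
    crypto-shredding of the stored bytes is the storage layer's job and is
    out of scope here.
    """
    doomed = {r.record_id for r in select_for_disposal(records, now, retention_days)}
    audit = [
        {"action": "dispose", "record_id": rid, "at": now.isoformat(), "by": actor}
        for rid in sorted(doomed)
    ]
    remaining = [r for r in records if r.record_id not in doomed]
    return remaining, audit


def designated_record_set(records, patient_id):
    """Chat logs filed to the chart belong to the patient's record and are
    in scope for a Right of Access request."""
    return [r for r in records if r.patient_id == patient_id and r.filed_to_chart]


if __name__ == "__main__":
    remaining, audit = dispose(SAMPLE_RECORDS, NOW)
    print("kept:", [r.record_id for r in remaining])
    print("audit:", audit)
```

Run the retention job on a schedule and keep its audit entries with the rest of your Security Rule audit logs; when you change the platform retention window, change the one `retention_days` value rather than editing queries in several places.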
Telehealth Across State Lines
Telehealth frequently crosses state lines, and this creates compliance complexity. HIPAA is federal and applies uniformly, but state privacy and telehealth laws vary.
The general rule: the state where the patient is physically located at the time of the visit governs the encounter. This means:
- You may need licensure in the patient’s state (a licensing issue, not HIPAA per se, but practically intertwined)
- The patient’s state’s consent requirements apply
- The patient’s state’s privacy protections apply — and some states (like California and Texas) have privacy laws that exceed HIPAA
- If a breach occurs, you may need to comply with the breach notification requirements of both your state and the patient’s state
For practices that serve patients across multiple states, this requires maintaining awareness of each state’s telehealth and privacy regulations. Multi-state telehealth compacts have simplified licensure in some cases, but they don’t override state-specific privacy requirements.
Mobile Apps and Patient-Facing Telehealth Portals
If your practice uses a patient-facing mobile app or portal for telehealth — whether it’s a dedicated app from your telehealth vendor, a patient portal through your EHR, or a custom solution — HIPAA applies to the ePHI handled by that app.
Key considerations:
- The app vendor must sign a BAA if it handles ePHI on your behalf
- Authentication must be robust — multi-factor authentication is strongly recommended and may become mandatory under the proposed 2026 Security Rule changes
- Data at rest on patient devices — once ePHI is downloaded to a patient’s phone (appointment summaries, visit notes, images), HIPAA’s protections on the covered entity’s side are met, but you should still minimize what’s stored locally on patient devices
- Push notifications — be careful about what information appears in push notifications. A notification that says “Your lab results are ready” is different from one that says “Your HIV test results are ready.” Configure notifications to be generic.
- App permissions — ensure the app doesn’t request unnecessary device permissions (camera roll access, contact list, location) beyond what’s needed for the telehealth function
If you’ve developed or commissioned a custom app, it must undergo a security assessment. Off-the-shelf solutions from reputable vendors are generally safer, but you’re still responsible for verifying their compliance.
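The push-notification point above is easiest to enforce in code rather than by reviewing every template by hand. The following is an added example, not code from ComplyMD or from any app vendor: it builds a push payload that carries only a generic, fixed sentence per event type plus an opaque reference the app resolves after the patient authenticates, and it runs a guard that refuses to send if any value from the event's sensitive fields would appear in the payload. The event types, template wording, the list of sensitive fields and the sample event are assumptions made for illustration; the "HIV test results" wording is the page's own example of what must not appear.

```python
"""Push-notification payload minimization for a patient-facing app.

Added example, not the page's or any vendor's code. Event types, template
wording, the SENSITIVE_FIELDS list and the sample event are assumptions.
"""
import json

# One fixed, content-free sentence per event type (assumed templates).
GENERIC_TEMPLATES = {
    "lab_result_ready": "You have a new result in your patient portal.",
    "message_from_provider": "You have a new secure message.",
    "appointment_reminder": "You have an upcoming appointment. Open the app for details.",
}

# Event fields whose values must never be copied into a push payload (assumed list).
SENSITIVE_FIELDS = {"test_name", "diagnosis", "provider_name", "message_body", "medication"}


class NotificationPolicyError(ValueError):
    """Raised when a payload would violate the generic-notification policy."""


def assert_no_phi(payload, event):
    """Defence in depth: compare every sensitive field value against the
    serialized payload and refuse to send on any match."""
    serialized = json.dumps(payload)
    for field in SENSITIVE_FIELDS:
        value = event.get(field)
        if value and str(value) in serialized:
            raise NotificationPolicyError(f"field {field!r} would leak into the push payload")


def build_push_payload(event):
    """Turn an internal event into a push payload that carries only a generic
    body and an opaque reference; the app fetches the real content in-app."""
    kind = event["type"]
    if kind not in GENERIC_TEMPLATES:
        raise NotificationPolicyError(f"no generic template for event type {kind!r}")
    payload = {
        "title": "Patient Portal",
        "body": GENERIC_TEMPLATES[kind],
        "data": {"ref": event["ref"]},   # opaque id, resolved only after login
    }
    assert_no_phi(payload, event)
    return payload


def build_push_payload_unsafe(event):
    """The pattern the text warns against: interpolating event content into
    the notification. Kept only so the guard can be exercised against it."""
    body = f"Your {event.get('test_name', 'lab')} results are ready"
    payload = {"title": "Patient Portal", "body": body, "data": {"ref": event["ref"]}}
    assert_no_phi(payload, event)
    return payload


def leak_blocked(event):
    """True if the guard stops the unsafe builder from sending for this event."""
    try:
        build_push_payload_unsafe(event)
    except NotificationPolicyError:
        return True
    return False


# Constructed sample event: the only content that should reach the device
# is the generic sentence and the opaque reference.
SAMPLE_EVENT = {
    "type": "lab_result_ready",
    "ref": "n-7f3a9c",
    "patient_id": "p-100",
    "test_name": "HIV antibody",
}

if __name__ == "__main__":
    print(json.dumps(build_push_payload(SAMPLE_EVENT)))
    print("unsafe builder blocked:", leak_blocked(SAMPLE_EVENT))
```

The `ref` value should be a random token mapped server-side to the underlying record, never the medical record number or the result ID itself; anything in the payload may sit on a lock screen or pass through the platform's push service outside your BAA.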
The Proposed 2026 Security Rule Changes and Telehealth
The proposed HIPAA Security Rule update published in early 2026 has significant implications for telehealth. While the rule is not yet final, practices should begin preparing now. Key proposed changes affecting telehealth include:
- Mandatory encryption — The proposed rule would eliminate the “addressable” designation for encryption. Encryption of ePHI in transit and at rest would become required, not optional. For telehealth, this means every video stream, chat message, and recording must be encrypted. Most reputable telehealth platforms already do this, but if yours doesn’t, you’ll need to switch.
- Multi-factor authentication — MFA would become mandatory for all systems accessing ePHI. Logging into your telehealth platform with just a password would no longer be sufficient.
- Technology asset inventory — The proposed rule would require a comprehensive inventory of all technology assets that handle ePHI, including telehealth platforms, mobile apps, and the devices used to access them.
- Vulnerability scanning and penetration testing — These would become explicit requirements, not just best practices. Your telehealth infrastructure would need to be included in regular security testing.
- 72-hour restoration requirement — If your telehealth platform goes down, you’d need the ability to restore it within 72 hours.
For a deeper look at the proposed rule changes, see our full analysis in What the 2026 HIPAA Security Rule Changes Mean for Your Practice.
These changes aren’t final, but they signal OCR’s direction. Practices that start implementing these measures now will avoid a scramble when the final rule is published. Our HIPAA compliance assessment can help you identify where your current telehealth setup falls short.
Real Enforcement: What OCR Has Done
OCR enforcement actions related to telehealth and electronic communications provide concrete examples of what goes wrong:
- Lafourche Medical Group — $480,000 settlement in 2023 after a phishing attack compromised a system used for electronic communications with patients. OCR found the practice had failed to conduct a risk assessment — the same risk assessment that should have identified vulnerabilities in their telehealth and messaging systems.
- Banner Health — $1.25 million settlement for a breach that affected nearly 3 million records. Among the findings: inadequate access controls and audit controls on electronic systems, including those used for patient communication.
- Right of Access Initiative cases — While not telehealth-specific, several of these cases involved providers who failed to provide patients with records generated during telehealth visits, including session recordings and chat logs. Penalties ranged from $3,500 to $240,000.
The pattern across enforcement actions is consistent: the violations are rarely about the telehealth platform itself failing. They’re about the practice failing to assess risks, implement safeguards, and maintain policies that account for telehealth.
Telehealth HIPAA Compliance Checklist
Use this checklist to evaluate your telehealth setup. If you can’t check every box, you have work to do.
Platform and BAA
- Your telehealth platform offers end-to-end encryption for video and audio
- You have a signed BAA with your telehealth platform vendor
- You have verified the BAA covers video, chat, file sharing, and recordings (if applicable)
- You are using the HIPAA-compliant version of your platform (not the consumer version)
Access Controls
- Providers log in with unique credentials (no shared accounts)
- Multi-factor authentication is enabled on your telehealth platform
- Automatic session timeout is configured
- Waiting room or equivalent access control is enabled for patient sessions
Physical Environment
- Telehealth sessions are conducted in a private space where others cannot see the screen
- Audio cannot be overheard by unauthorized individuals
- Devices used for telehealth are not shared with non-workforce members (or have separate secured accounts)
- Home Wi-Fi is encrypted (WPA2/WPA3) and password-protected
Documentation and Policies
- Your risk assessment includes telehealth technology and processes
- Telehealth-specific policies exist (acceptable platforms, home office requirements, recording rules)
- Your Notice of Privacy Practices addresses telehealth
- Staff have received training on telehealth-specific HIPAA requirements
Patient-Facing Requirements
- Informed consent for telehealth is obtained and documented per your state’s requirements
- Patients are informed about the privacy risks of telehealth
- Patient-facing apps and portals are covered under a BAA
- Push notifications do not display ePHI content
Recordings and Communications
- If sessions are recorded, patient consent is obtained
- Recordings are encrypted at rest and in transit
- Chat logs are managed under your retention and disposal policies
- Secure messaging with patients uses a platform with a BAA
For a complete, downloadable compliance checklist covering all HIPAA requirements (not just telehealth), visit our HIPAA compliance checklist.
How ComplyMD Helps With Telehealth Compliance
Telehealth compliance isn’t a separate category — it’s an extension of your overall HIPAA program. But it introduces specific technology, physical environment, and documentation requirements that many practices haven’t addressed.
ComplyMD is built to handle this. Our platform walks you through:
- Risk assessment that specifically addresses telehealth platforms, home office environments, and patient-facing technology
- Policy generation that produces telehealth-specific policies tailored to your practice’s setup — not generic templates
- BAA tracking so you know exactly which vendors have signed agreements and when they need renewal
- Staff training that covers telehealth-specific scenarios, including home office requirements and secure communication
- Compliance monitoring that alerts you when requirements change — including state-specific telehealth rules and the evolving federal Security Rule
The proposed 2026 Security Rule changes are going to raise the bar for every practice offering telehealth. The time to prepare is now, not when the final rule drops.
Start your free compliance assessment to see where your telehealth setup stands, or join our early access list to be first in line when ComplyMD launches.