Empower Your Practice

Journal for Practice Managers

Navigating HIPAA Compliance in Telemedicine: A Guide

Kate Pope
Written by
Kate Pope
Vlad Kovalskiy
Reviewed by
Vlad Kovalskiy
Last updated:
Expert Verified

The rise of telemedicine during the COVID-19 era has elevated the accessibility of medical services to a whole new level. Today, patients can receive assistance regardless of their location or time zone. All they need is an internet connection.

However, with increased accessibility of medical services comes the need for safeguarding patient data and protection against unauthorized access. That's where HIPAA, the Health Insurance Portability and Accountability Act, steps in. Understanding HIPAA and telemedicine together is essential for any provider delivering virtual care in 2026, especially following the public health emergency expiration telehealth rules that took effect in 2023.

In our guide, we delve into essential topics related to HIPAA compliance for healthcare professionals:

  • What is HIPAA?
  • How do I choose the right telemedicine platform?
  • What practices are included in HIPAA compliance?
  • What measures are taken for violations?
  • How does secure messaging between patient and physician occur?

Stay tuned.

Learn how to simplify your practice workflow and free up more time for patients with Medesk.

Open the detailed description >>

Key Aspects of HIPAA: What You Need to Know

HIPAA is a federal law designed to safeguard protected health information. The United States Department of Health and Human Services (HHS) has established a set of rules regulating the confidentiality of patients' medical records. Unauthorized disclosure of private medical information is illegal.

This applies to:

  • Healthcare service Providers
  • Insurance companies
  • Information platforms
  • Cloud services.

In other words, to all companies and individuals with access to medical information.

The End of COVID-19 PHE Enforcement Discretion

During the pandemic, the HHS Office for Civil Rights (OCR) exercised enforcement discretion, relaxing certain HIPAA requirements to make telemedicine more accessible. Those flexibilities are no longer in effect. On April 12, 2023, OCR announced that its COVID-19 Notifications of Enforcement Discretion would expire on May 11, 2023, when the Public Health Emergency officially ended. OCR provided a 90-day transition period running from May 12, 2023 through August 9, 2023, during which covered providers were not penalized for good-faith telehealth noncompliance. That transition period has now fully expired. As of August 9, 2023, all covered entities must comply with HIPAA Rules in full when providing telehealth services.

A key practical consequence is that platforms previously permitted under enforcement discretion, such as standard consumer versions of Skype or FaceTime, are no longer acceptable for telehealth visits. Providers must use only HIPAA-compliant platforms and must have a valid Business Associate Agreement (BAA) in place. Organizations like AAAAI explicitly identify tools such as Zoom for Healthcare and Doxy.me as examples of compliant options.

When it comes to telemedicine, HIPAA ensures that healthcare providers, referred to as covered entities, and their service providers, known as business associates, adhere to strict guidelines. These guidelines are detailed in the HIPAA Privacy, Security, and Breach Notification Rules.

The HIPAA Privacy Rule establishes national standards for protecting medical records and applies to health plans, clearinghouses, and certain electronic healthcare transactions dealing with PHI.

The HIPAA Security Rule ensures the safety of electronic Protected Health Information (ePHI), which includes any PHI created, stored, transmitted, or received electronically.

Medesk helps automate scheduling and record-keeping, allowing you to recreate an individual approach to each patient, providing them with maximum attention.

Learn more >>

The Importance of Telehealth Risk Assessments

Before adopting any virtual care platform, providers must conduct a telehealth risk assessment. This is a core requirement of the HIPAA Security Rule. It involves identifying where ePHI is created, received, maintained, or transmitted across your telehealth workflow. A thorough assessment evaluates potential vulnerabilities, from software gaps to the physical environment where calls take place.

Healthcare organizations must perform this analysis regularly. It should be updated whenever new telehealth technologies are introduced. Documenting your risk assessment helps outline targeted security measures to reduce identified threats. Skipping this critical first step leaves the practice exposed to data breaches and immediate OCR penalties.

How to Choose a HIPAA-Compliant Telehealth Platform

Since the PHE transition period ended on August 9, 2023, providers can no longer rely on enforcement discretion to justify using non-compliant tools. Even if a BAA is signed, the underlying platform must itself meet HIPAA technical safeguard requirements. Before launching virtual services, the critical first step providers must take is a comprehensive telehealth risk assessment to identify how ePHI will be handled in their specific workflow. A platform that securely guards your data should have:

  • Secure messaging system
  • Data encryption
  • Staff training
  • BAA (Business associate agreement)
  • Integrations
  • Security audits

Approved HIPAA-Compliant Telehealth Platforms

The following platforms are widely recognized as HIPAA-compliant and suitable for telehealth use in 2026. Each offers BAA execution and meets the technical safeguard requirements under the HIPAA Security Rule:

  • Zoom for Healthcare. A healthcare-specific configuration of Zoom with encryption, access controls, and BAA availability. Providers must configure it correctly to maintain compliance.
  • Doxy.me. A browser-based platform designed specifically for healthcare, requiring no app download from the patient. BAAs are available on paid tiers.
  • Teladoc Health. An enterprise telehealth platform with built-in HIPAA compliance and EHR integration capabilities.
  • Updox. Offers HIPAA-compliant video visits alongside secure messaging and patient communication tools.
  • Vsee. A clinical-grade video platform with end-to-end encryption and BAA support.

Standard consumer tools, including the non-healthcare version of Skype and personal Zoom accounts, do not qualify, regardless of whether a BAA is attempted.

Secure Messaging

Secure messaging pertains to ePHI (electronic Protected Health Information). According to HIPAA guidelines, both covered entities and their business associates must implement measures to protect messages and use various tools for this purpose. OCR also emphasizes that providers must educate patients about privacy risks when communicating remotely, ensuring they understand how to use the platform securely.

Encryption

Messages containing ePHI must be encrypted to prevent unauthorized access during transmission. Encryption ensures that the data remains secure and unreadable to anyone except the intended recipient.

Access control

Secure messaging systems should implement access controls, such as usernames and passwords, to verify the identities of users. Access should be limited to authorized individuals, and each user should have a unique identifier to track their activities within the system.

access-permissions-png

Discover more about the essential features of Medesk and claim your free access today!

Explore now >>

Authentication and authorization

Authentication ensures that the sender and receiver of the messages are who they claim to be. Authorization mechanisms define what actions users are allowed to perform within the messaging system, ensuring that only authorized personnel can access ePHI.

Message retention and disposal policies

HIPAA mandates the implementation of retention and disposal policies for electronic messages containing ePHI. Secure messaging systems should have mechanisms to automatically delete messages after a specified retention period to prevent unauthorized access after the information is no longer needed.

Secure file transfer

In healthcare, files such as medical images or documents often need to be shared securely. Secure messaging systems should allow the secure transfer of files, ensuring that attachments containing ePHI are encrypted and protected during transmission.

Secure messaging policies

Organizations should establish clear policies and procedures governing the use of secure messaging systems. These policies should cover topics such as acceptable use, password management, reporting security incidents, and consequences for violating security protocols.

Staff Training

Staff training ensures that every healthcare professional understands their responsibilities and the unique challenges that arise in virtual care settings. Telehealth introduces risks that do not exist in a clinic setting. Staff must be trained to conduct sessions from a private, secure location where conversations cannot be overheard. Providers must also understand the rules around bystander consent. If a colleague, student, or family member is present on either side of the call, informed consent must be obtained from the patient and documented.

Employees should be trained to recognize potential risks and take necessary precautions to prevent breaches, such as using a VPN when working remotely. Regular refreshers keep employees up-to-date with the latest requirements for handling electronic devices and reporting security incidents promptly.

Business Associate Agreement

The telehealth services provider should be willing to sign a business associate agreement with covered entities, outlining their responsibilities regarding the protection of patient data. This legal contract ensures that the platform provider shares the responsibility for HIPAA compliance.

Integration capabilities

The platform should be able to integrate with Electronic Health Records (EHR) systems securely. It ensures that medical history is accurately recorded and securely shared between healthcare providers. Seamless integration enhances the overall quality of care you give.

patient-record-1png

Regular security audits

The platform provider should conduct regular security audits and assessments to identify and address vulnerabilities, ensuring continuous HIPAA compliance and a high level of security.

Obtaining informed consent before a virtual visit is both an ethical obligation and, in many states, a legal requirement. Requirements vary by state, so providers must verify what their jurisdiction mandates. Some states require written consent specifically for telehealth, while others accept verbal consent documented in the medical record.

State laws governing telehealth informed consent vary significantly. Some states mandate explicit written or verbal consent specifically for virtual visits. Others integrate telehealth consent into general medical consent statutes. Organizations like AAAAI recommend verifying these regulations through resources like the Center for Connected Health Policy.

Practices operating across multiple states must track differing requirements. Failing to adhere to state-specific mandates is a common compliance gap. Providers should verify what their jurisdiction mandates. Keep a log of state consent requirements. Update this annually, as telehealth laws continue to evolve.

Best practices for obtaining informed consent prior to a virtual visit include:

  • Disclose the telehealth format. Inform the patient that the visit will be conducted via video or phone, and explain the technology being used.
  • Explain privacy limitations. Patients should understand that no digital platform is entirely without risk and that they should take steps to protect their own privacy (see the patient section below).
  • Address recording. Clarify whether the session will be recorded and obtain explicit consent if so.
  • Document consent. Record that consent was obtained in the patient's chart before the session begins, noting the date, method, and scope.
  • Obtain fresh consent when needed. If the patient changes, the technology changes, or a new clinician joins the care team, re-consent may be required.

Providers operating across multiple states should review state telehealth consent laws annually, as these requirements continue to evolve.

Guidance on HIPAA and Audio-Only Telehealth

Audio-only telehealth, meaning visits conducted by telephone without video, presents a distinct set of HIPAA considerations. HHS OCR has issued specific guidance on this topic, recognizing that audio-only services are essential for patients who lack access to video-capable devices or reliable internet connections.

What the OCR Guidance Covers

Under the HIPAA Privacy Rule, covered entities may use the telephone to provide telehealth services without violating HIPAA, provided appropriate safeguards are in place. Key points from the OCR guidance include:

  • Verification of patient identity. Before discussing PHI, providers should verify that they are speaking with the correct patient using established identification protocols.
  • Minimum necessary standard. Only the PHI required for the specific encounter should be discussed during an audio-only visit.
  • BAA requirements for third-party platforms. If a third-party telephony platform or call routing service is used, a BAA is required unless the vendor qualifies as a conduit (a basic transmission-only service such as a standard telephone company).
  • No recording without consent. Recording a telephone visit creates a new record containing PHI. Explicit patient consent is required, and the recording must be stored securely in compliance with the Security Rule.

Audio-only telehealth can be a fully compliant and valuable service modality when these safeguards are applied consistently.

Patient Privacy Risks and How to Educate Your Patients

Providers are not the only ones responsible for maintaining privacy during a telehealth encounter. Patients introduce their own risks based on their physical location and environment. OCR has published resources specifically to help providers educate patients on secure practices.

Providers must verify the patient's location and environment at the start of the call. If a patient is calling from a public space, such as a gym or a ski lift, sensitive information could easily be overheard. In these cases, providers should ask the patient to move to a private area before proceeding with the visit.

Key guidance to share with patients includes:

  • Avoid public Wi-Fi. Unsecured networks expose health information to interception. Patients should use a private, password-protected connection for all telehealth visits.
  • Use a private room. Patients should conduct visits from a location where they cannot be overheard by family members, roommates, or bystanders who have not been included in the consent process.
  • Use personal devices. Shared or work-owned devices may have monitoring software or shared access. A personal device with an updated operating system is preferable.
  • Log out after visits. Patients should close the telehealth app or browser tab immediately after a session ends and log out of any patient portal.

Providers can distribute these tips through pre-visit reminder messages, patient portal notifications, or a brief verbal prompt at the start of each session. OCR's published "Privacy and Security Tips for Patients" document is a free resource that can be linked or printed for distribution.

HIPAA Compliance Penalties and What Happens During a Violation

HIPAA compliance penalties play a crucial role in ensuring that healthcare organizations adhere to the regulations. The penalties for non-compliance depend on the severity of the violation and whether the entity knew or should have known about the violation. Here are some examples of HIPAA violations and the corresponding punishments:

Unintentional Violations

  • Fine: up to $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: accidental disclosure of patient information due to a misaddressed email. If multiple patients' information is disclosed in a single incident, each patient's record may be considered a separate violation.

Reasonable Cause

  • Fine: up to $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: failure to conduct a thorough risk assessment to identify vulnerabilities in the handling of electronic patient data.

Willful Neglect (Corrected)

  • Fine: minimum of $10,000 per violation, with an annual maximum of $1.5 million.
  • Example: not having proper technical safeguards in place despite awareness of the risk, but correcting the issue promptly after the violation is discovered.

Willful Neglect (Not Corrected)

  • Fine: minimum of $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: not addressing a known vulnerability or ignoring a breach in patient privacy, leading to further unauthorized access or disclosure of patient information.

Criminal Violations

  • Fine: up to $250,000 and imprisonment for up to 10 years for intentional wrongful disclosure or obtaining patient information under false pretenses.
  • Example: deliberate theft or sale of patient records for personal gain.

Individual Penalties

  • Fine: individuals who knowingly obtain or disclose PHI without authorization can face fines of $50,000 and imprisonment for up to one year.
  • Example: an employee accessing patient records without a valid reason, such as curiosity or personal vendetta.

State Attorney General Enforcement

  • Fine: state attorneys general can also bring civil actions against entities for HIPAA violations, resulting in monetary penalties.
  • Example: a healthcare organization suffering a data breach and not promptly notifying affected patients, as required by state laws, leading to legal action by the state attorney general.

It's important to note that the penalties can also include corrective action plans, increased oversight by the U.S. Department of Health and Human Services, and reputational damage, which can have long-lasting consequences for healthcare organizations and individuals involved.

Frequently Asked Questions

  1. Can I still use standard Skype for telehealth visits if I sign a BAA?

No. Since the COVID-19 PHE transition period ended on August 9, 2023, enforcement discretion no longer applies. Standard consumer Skype does not meet HIPAA technical safeguard requirements, and a BAA alone cannot make a non-compliant platform compliant. Providers must use a platform that is purpose-built or configured for HIPAA compliance, such as Zoom for Healthcare or Doxy.me.

  1. What happened to the HIPAA telehealth flexibilities from the COVID-19 pandemic?

The HHS OCR Notifications of Enforcement Discretion expired when the COVID-19 Public Health Emergency ended on May 11, 2023. OCR provided a 90-day transition period that ran through August 9, 2023. After that date, full HIPAA compliance was required for all telehealth services without exception.

  1. Are standard phone calls HIPAA compliant for telehealth post-PHE?

Yes, standard audio-only telehealth HIPAA compliance is achievable using regular telephone lines, because standard telephone networks act as conduits and do not require a BAA. However, if you use a third-party app or software to route the call, a BAA is required. Providers must still verify patient identity, apply minimum necessary standards, and obtain consent before recording.

  1. Do I need a separate BAA for every telehealth platform I use?

Yes. Any vendor that creates, receives, maintains, or transmits ePHI on your behalf qualifies as a business associate and requires a BAA. This includes video platforms, secure messaging tools, scheduling software, and any cloud-based storage used in connection with patient care.

  1. What are the most important steps a small practice should take to become HIPAA-compliant for telehealth?

Start with a formal risk analysis to identify where ePHI is created and transmitted in your workflow. Then ensure every technology vendor has signed a BAA, implement platform-level encryption and access controls, train all staff on telehealth-specific privacy requirements, and document your policies in writing. Review your compliance posture at least annually or whenever you adopt a new platform.

Final Thoughts

In the growing realm of telehealth technology, following HIPAA rules isn't just a legal necessity; it's a promise to patient safety. Understanding the rules, picking the right platforms, and using good practices benefits both healthcare providers and patients. Staying aware and taking action is vital to making the most of telemedicine while keeping patient data private and secure.

EHR vs EMR: Key Differences & Advantages

EHR vs EMR: Key Differences & Advantages

EHR vs EMR: how are they different? How are they similar? Most importantly, which one does your practice need? Read our article to find out!
How to Start a Physical Therapy Clinic in 2025

How to Start a Physical Therapy Clinic in 2025

Discover how to start a successful physical therapy clinic with our comprehensive 10-step guide. Learn about business plans, financing, and more.
Top 5 Medical Dictation Software for Your Private Practice in 2025

Top 5 Medical Dictation Software for Your Private Practice in 2025

Confused by medical speech recognition software? We break down 5 top options to help you pick the perfect tool for faster, more accurate documentation.