
Navigating HIPAA Compliance in Telemedicine: A Guide

Written by Kate Pope
Reviewed by Vlad Kovalskiy

The rise of telemedicine during the COVID-19 era has elevated the accessibility of medical services to a whole new level. Today, patients can receive assistance regardless of their location or time zone. All they need is an internet connection.

However, with increased accessibility of medical services comes the need to safeguard patient data against unauthorized access. That's where HIPAA, the Health Insurance Portability and Accountability Act, steps in. Understanding HIPAA and telemedicine together is essential for any provider delivering virtual care in 2026, especially now that the COVID-19 public health emergency flexibilities for telehealth ended in 2023 and full compliance is expected again.

In our guide, we delve into essential topics related to HIPAA compliance for healthcare professionals:

  • What is HIPAA?
  • How do I choose the right telemedicine platform?
  • What practices are included in HIPAA compliance?
  • What measures are taken for violations?
  • How does secure messaging between patient and physician occur?

Stay tuned.


Key Aspects of HIPAA: What You Need to Know

HIPAA is a federal law that protects individually identifiable health information, known as protected health information (PHI). The United States Department of Health and Human Services (HHS) issues and enforces the rules that govern how patients' medical records may be used and disclosed; using or disclosing PHI outside what those rules permit is unlawful.

This applies to:

  • Healthcare service providers (covered entities)
  • Health plans and insurance companies (covered entities)
  • Information platforms that handle PHI on a covered entity's behalf (business associates)
  • Cloud services that store or transmit PHI for a covered entity (business associates).

In other words, to the covered entities that hold medical records and to every vendor that creates, receives, maintains or transmits PHI for them. A company that holds health data without such a relationship (a consumer wellness app, for example) is outside HIPAA's scope, although other privacy laws may still apply to it.

The End of COVID-19 PHE Enforcement Discretion

During the pandemic, the HHS Office for Civil Rights (OCR) exercised enforcement discretion, relaxing certain HIPAA requirements to make telemedicine more accessible. Those flexibilities are no longer in effect. On April 12, 2023, OCR announced that its COVID-19 Notifications of Enforcement Discretion would expire on May 11, 2023, when the Public Health Emergency officially ended. OCR provided a 90-day transition period running from May 12, 2023 through August 9, 2023, during which covered providers were not penalized for good-faith telehealth noncompliance. That transition period has now fully expired. As of August 9, 2023, all covered entities must comply with HIPAA Rules in full when providing telehealth services.

A key practical consequence is that platforms previously permitted under enforcement discretion, such as standard consumer versions of Skype or FaceTime, are no longer acceptable for telehealth visits. Providers must use only HIPAA-compliant platforms and must have a valid Business Associate Agreement (BAA) in place. Organizations like AAAAI explicitly identify tools such as Zoom for Healthcare and Doxy.me as examples of compliant options.

When it comes to telemedicine, HIPAA ensures that healthcare providers, referred to as covered entities, and their service providers, known as business associates, adhere to strict guidelines. These guidelines are detailed in the HIPAA Privacy, Security, and Breach Notification Rules.

The HIPAA Privacy Rule establishes national standards for protecting medical records and other PHI in any form. It applies to health plans, health care clearinghouses, and health care providers that conduct certain health care transactions (such as claims or eligibility checks) electronically, and, through their contracts, to their business associates.

The HIPAA Security Rule protects electronic Protected Health Information (ePHI), which includes any PHI created, stored, transmitted, or received electronically. It requires administrative, physical, and technical safeguards, starting with a documented risk analysis of where ePHI lives and how it moves.


How to Choose a HIPAA-Compliant Telehealth Platform

Since the PHE transition period ended on August 9, 2023, providers can no longer rely on enforcement discretion to justify using non-compliant tools. Even if a BAA is signed, the underlying platform must itself meet HIPAA technical safeguard requirements, and it must be configured and used correctly on your side. The sections that follow cover what a compliant setup needs, from the platform and from your practice:

  • Secure messaging system
  • Data encryption
  • Staff training
  • BAA (Business associate agreement)
  • Integrations
  • Security audits

Commonly Used HIPAA-Compliant Telehealth Platforms

HHS does not certify or approve telehealth platforms, so "HIPAA-compliant" in practice means that the vendor will sign a BAA and that the product can be configured to meet the technical safeguards of the HIPAA Security Rule. The following platforms are widely used for telehealth on that basis in 2026:

  • Zoom for Healthcare. A healthcare-specific configuration of Zoom with encryption, access controls, and BAA availability. Providers must configure it correctly to maintain compliance.
  • Doxy.me. A browser-based platform designed specifically for healthcare, requiring no app download from the patient. BAAs are available on paid tiers.
  • Teladoc Health. An enterprise telehealth platform with built-in HIPAA compliance and EHR integration capabilities.
  • Updox. Offers HIPAA-compliant video visits alongside secure messaging and patient communication tools.
  • VSee. A clinical-grade video platform with end-to-end encryption and BAA support.

Standard consumer tools, including the non-healthcare version of Skype and personal Zoom accounts, do not qualify, regardless of whether a BAA is attempted.

Secure Messaging

Secure messaging concerns ePHI (electronic Protected Health Information): any chat, portal message, or attachment that identifies a patient and says something about their care. Under HIPAA, both covered entities and their business associates must protect those messages with the safeguards described below, and the platform you choose should let you verify each one.

Encryption

Messages containing ePHI must be encrypted in transit, so that anyone intercepting the traffic cannot read it, and should also be encrypted at rest on servers and devices, so that a stolen laptop or a compromised backup does not become a reportable breach. Under the Security Rule, encryption is an "addressable" specification: a covered entity that chooses not to encrypt must document why and what equivalent protection it uses instead, and OCR expects that justification to come from the risk analysis. When evaluating a platform, look for current TLS on every connection and for a vendor that states how stored data and backups are encrypted and who holds the keys.

Access control

Secure messaging systems should implement access controls that verify who is using the system and limit what they can reach. The Security Rule requires a unique identifier for every user, so that each action can be traced to one person (shared or generic logins defeat this), along with emergency-access procedures; automatic log-off and encryption are "addressable" specifications that you are expected to implement or justify. Strong authentication, ideally multi-factor, and an audit trail of who accessed which record complete the picture.



Authentication and authorization

Authentication ensures that the sender and receiver of the messages are who they claim to be. Authorization then defines what an authenticated user may do: which patients' messages a role can open, whether it can see the clinical content or only routing information such as the patient and timestamp, and whether it can export or forward. Tying permissions to roles is how the Privacy Rule's minimum-necessary standard is enforced in practice, so that a scheduler, for example, is never shown clinical notes it does not need.

Message retention and disposal policies

HIPAA does not set a retention period for clinical messages (state law and your medical-record retention policy do), but it does require documented policies for how ePHI is retained and disposed of, and the Security Rule requires that ePHI be made unreadable or irrecoverable from media before the media are reused or discarded. A secure messaging system should therefore let you set a retention period, delete messages (including attachments and backups) when it expires, and keep an audit record that the deletion happened. Messages that form part of the medical record must be exported to the chart before they expire.

Secure file transfer

In healthcare, files such as medical images or documents often need to be shared securely. Secure messaging systems should allow the secure transfer of files, ensuring that attachments containing ePHI are encrypted and protected during transmission.

Secure messaging policies

Organizations should establish clear policies and procedures governing the use of secure messaging systems. These policies should cover topics such as acceptable use, password management, reporting security incidents, and consequences for violating security protocols.
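As an added illustration of the access-control, authorization, and retention requirements described above (this is example code written for this article, not Medesk's or any vendor's implementation), the following Python sketch shows a minimal secure-message store that gives every user a unique identifier, restricts clinical message bodies to clinical roles while exposing only routing metadata to others, appends every action to an audit trail, and disposes of messages once an assumed 30-day retention period has passed. The roles, the retention period, the timestamps, and the sample message are all constructed for the demonstration.

```python
# Added example for this article: a minimal secure-messaging store that enforces
# unique user IDs, role-based authorization with a minimum-necessary view, an
# append-only audit trail, and retention-based disposal. Roles, the retention
# period and the sample data are assumptions, not any vendor's real policy.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List
import uuid

# Assumed role model: only these roles may read clinical message bodies.
ROLES_ALLOWED_TO_READ_EPHI = {"clinician", "nurse"}

@dataclass(frozen=True)
class User:
    user_id: str  # unique per person; never a shared or generic login
    role: str

@dataclass
class Message:
    msg_id: str
    patient_id: str
    sender_id: str
    body: str  # the ePHI
    sent_at: datetime

class AccessDenied(Exception):
    """Raised when a user's role does not permit the requested action."""

class SecureMessageStore:
    def __init__(self, retention_days: int) -> None:
        self.retention = timedelta(days=retention_days)
        self._messages: Dict[str, Message] = {}
        self.audit_log: List[dict] = []  # append-only; records events, never ePHI

    def _audit(self, user_id: str, action: str, msg_id: str, outcome: str, at: datetime) -> None:
        self.audit_log.append({"user_id": user_id, "action": action, "msg_id": msg_id,
                               "outcome": outcome, "at": at.isoformat()})

    def send(self, sender: User, patient_id: str, body: str, now: datetime) -> str:
        msg_id = uuid.uuid4().hex
        self._messages[msg_id] = Message(msg_id, patient_id, sender.user_id, body, now)
        self._audit(sender.user_id, "send", msg_id, "ok", now)
        return msg_id

    def read(self, user: User, msg_id: str, now: datetime) -> str:
        """Return the clinical body; the role check is made and logged first."""
        if user.role not in ROLES_ALLOWED_TO_READ_EPHI:
            self._audit(user.user_id, "read", msg_id, "denied", now)
            raise AccessDenied(f"role {user.role!r} may not read message bodies")
        msg = self._messages.get(msg_id)
        if msg is None:
            self._audit(user.user_id, "read", msg_id, "missing", now)
            raise KeyError(msg_id)
        self._audit(user.user_id, "read", msg_id, "ok", now)
        return msg.body

    def metadata(self, user: User, msg_id: str, now: datetime) -> dict:
        """Minimum-necessary view for non-clinical roles: routing fields, no body."""
        msg = self._messages[msg_id]
        self._audit(user.user_id, "metadata", msg_id, "ok", now)
        return {"msg_id": msg.msg_id, "patient_id": msg.patient_id,
                "sender_id": msg.sender_id, "sent_at": msg.sent_at.isoformat()}

    def purge_expired(self, now: datetime) -> List[str]:
        """Dispose of messages older than the retention period, logging each disposal."""
        expired = [m.msg_id for m in self._messages.values()
                   if now - m.sent_at >= self.retention]
        for msg_id in expired:
            del self._messages[msg_id]
            self._audit("system", "purge", msg_id, "ok", now)
        return expired

    def count(self) -> int:
        return len(self._messages)

def run_demo() -> dict:
    """Exercise the controls on constructed sample data and report what happened."""
    t0 = datetime(2026, 1, 5, 9, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = SecureMessageStore(retention_days=30)  # assumed retention policy
    clinician = User("u-doc-01", "clinician")
    scheduler = User("u-sched-02", "scheduling")
    msg_id = store.send(clinician, "pt-1001", "Follow-up: BP 140/90, adjust dose", t0)
    body = store.read(clinician, msg_id, t0)
    try:
        store.read(scheduler, msg_id, t0)
        scheduler_blocked = False
    except AccessDenied:
        scheduler_blocked = True
    meta = store.metadata(scheduler, msg_id, t0)
    return {
        "msg_id": msg_id,
        "body_for_clinician": body,
        "scheduler_blocked": scheduler_blocked,
        "metadata_keys": sorted(meta),
        "purged_early": store.purge_expired(t0 + timedelta(days=10)),
        "purged_late": store.purge_expired(t0 + timedelta(days=30)),
        "denied_events": [e["user_id"] for e in store.audit_log if e["outcome"] == "denied"],
        "remaining": store.count(),
    }
```

Calling `run_demo()` shows the clinician reading the message, the scheduler being refused the body but given routing metadata, the refusal recorded against the scheduler's unique ID, and the message surviving a purge at day 10 but being disposed of at day 30. In a real deployment the audit log would go to append-only storage and the purge would also cover attachments and backups, as the retention section above notes.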

Staff Training

Staff training ensures that every healthcare professional understands their responsibilities and the importance of safeguarding patient information, including the unique challenges that arise in virtual care settings.

Physical environment security

Telehealth introduces risks that do not exist in a clinic setting. Staff must be trained to conduct sessions from a private, secure location where conversations cannot be overheard. This includes using headphones, closing doors, and avoiding public spaces such as coffee shops or shared workrooms.

Providers must understand the rules around third-party presence during a virtual visit. If a colleague, student, or family member is present on either side of the call, informed consent must be obtained from the patient before the session begins. Staff should be trained to ask explicitly and document that consent.

Understanding the rules

HIPAA rules can be complex, but staff training breaks them down into simple, understandable parts. It teaches employees what they can and cannot do with patient information, ensuring they don't accidentally breach confidentiality.

Spotting risks

Training helps staff recognize potential risks and vulnerabilities in their daily tasks: a phishing email that imitates the telehealth vendor, a patient's details left visible on a shared screen, a session joined from an untrusted network. Being aware of these risks lets employees take the necessary precautions. For remote sessions, one such precaution is a practice-managed VPN (or the vendor's encrypted app) on a home or public network; it protects the traffic in transit but does nothing against phishing or a compromised device, so it complements rather than replaces the other controls.

Handling electronic devices

In the age of smartphones and tablets, it's vital to know how to handle electronic devices properly. Staff training provides guidelines on securing these devices, ensuring that patient information isn't compromised if a device is lost or stolen.

Obtaining patient consent

Understanding when and how to obtain patient consent is critical. Staff training clarifies the procedures for getting proper consent before sharing any patient information, ensuring legal compliance.


Reporting incidents

Training empowers employees to know what constitutes a security incident and how to report it promptly. Whether it's a lost file or a suspicious email, staff members should be aware of the reporting procedures to mitigate potential breaches.

Regular refreshers

HIPAA regulations evolve, and technology changes. Regular training sessions keep employees up-to-date with the latest HIPAA requirements and best practices, ensuring ongoing compliance.

Business Associate Agreement

The telehealth services provider should be willing to sign a business associate agreement with covered entities, outlining their responsibilities regarding the protection of patient data. This legal contract ensures that the platform provider shares the responsibility for HIPAA compliance.

Integration capabilities

The platform should be able to integrate with Electronic Health Records (EHR) systems securely. It ensures that medical history is accurately recorded and securely shared between healthcare providers. Seamless integration enhances the overall quality of care you give.


Regular security audits

The platform provider should conduct regular security audits and assessments to identify and address vulnerabilities, ensuring continuous HIPAA compliance and a high level of security.

Informed Consent Before a Virtual Visit

Obtaining informed consent before a virtual visit is both an ethical obligation and, in many states, a legal requirement. Requirements vary by state, so providers must verify what their jurisdiction mandates. Some states require written consent specifically for telehealth, while others accept verbal consent documented in the medical record.

Best practices for obtaining informed consent prior to a virtual visit include:

  • Disclose the telehealth format. Inform the patient that the visit will be conducted via video or phone, and explain the technology being used.
  • Explain privacy limitations. Patients should understand that no digital platform is entirely without risk and that they should take steps to protect their own privacy (see the patient section below).
  • Address recording. Clarify whether the session will be recorded and obtain explicit consent if so.
  • Document consent. Record that consent was obtained in the patient's chart before the session begins, noting the date, method, and scope.
  • Obtain fresh consent when needed. If the patient changes, the technology changes, or a new clinician joins the care team, re-consent may be required.

Providers operating across multiple states should review state telehealth consent laws annually, as these requirements continue to evolve.

Guidance on HIPAA and Audio-Only Telehealth

Audio-only telehealth, meaning visits conducted by telephone without video, presents a distinct set of HIPAA considerations. HHS OCR has issued specific guidance on this topic, recognizing that audio-only services are essential for patients who lack access to video-capable devices or reliable internet connections.

What the OCR Guidance Covers

Under the HIPAA Privacy Rule, covered entities may use the telephone to provide telehealth services without violating HIPAA, provided appropriate safeguards are in place. Key points from the OCR guidance include:

  • Verification of patient identity. Before discussing PHI, providers should verify that they are speaking with the correct patient using established identification protocols.
  • Minimum necessary standard. Only the PHI required for the specific encounter should be discussed during an audio-only visit.
  • BAA requirements for third-party platforms. If a third-party telephony platform or call routing service is used, a BAA is required unless the vendor qualifies as a conduit (a basic transmission-only service such as a standard telephone company).
  • No recording without consent. Recording a telephone visit creates a new record containing PHI. Explicit patient consent is required, and the recording must be stored securely in compliance with the Security Rule.

Audio-only telehealth can be a fully compliant and valuable service modality when these safeguards are applied consistently.

Patient Privacy Risks and How to Educate Your Patients

Providers are not the only ones responsible for maintaining privacy during a telehealth encounter. Patients introduce their own risks, and OCR has published resources specifically to help providers educate patients on secure practices.

Key guidance to share with patients includes:

  • Avoid public Wi-Fi. Unsecured networks expose health information to interception. Patients should use a private, password-protected connection for all telehealth visits.
  • Use a private room. Patients should conduct visits from a location where they cannot be overheard by family members, roommates, or bystanders who have not been included in the consent process.
  • Use personal devices. Shared or work-owned devices may have monitoring software or shared access. A personal device with an updated operating system is preferable.
  • Log out after visits. Patients should close the telehealth app or browser tab immediately after a session ends and log out of any patient portal.

Providers can distribute these tips through pre-visit reminder messages, patient portal notifications, or a brief verbal prompt at the start of each session. OCR's published "Privacy and Security Tips for Patients" document is a free resource that can be linked or printed for distribution.

HIPAA Compliance Penalties

HIPAA compliance penalties play a crucial role in ensuring that healthcare organizations adhere to the regulations. Civil penalties are tiered by culpability, according to whether the entity knew or should have known about the violation, and are assessed per violation with an annual cap for identical violations. The figures below are the statutory base amounts; HHS adjusts them for inflation every year and, since 2019, has applied lower annual caps to the three lower tiers, so check OCR's current penalty table before estimating exposure. Here are the tiers with example violations:

Unintentional Violations

  • Fine: up to $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: accidental disclosure of patient information due to a misaddressed email. If multiple patients' information is disclosed in a single incident, each patient's record may be considered a separate violation.

Reasonable Cause

  • Fine: up to $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: failure to conduct a thorough risk assessment to identify vulnerabilities in the handling of electronic patient data.

Willful Neglect (Corrected)

  • Fine: minimum of $10,000 per violation, with an annual maximum of $1.5 million.
  • Example: not having proper technical safeguards in place despite awareness of the risk, but correcting the issue promptly after the violation is discovered.

Willful Neglect (Not Corrected)

  • Fine: minimum of $50,000 per violation, with an annual maximum of $1.5 million.
  • Example: not addressing a known vulnerability or ignoring a breach in patient privacy, leading to further unauthorized access or disclosure of patient information.

Criminal Violations

  • Fine: criminal penalties (42 U.S.C. § 1320d-6) are tiered. Knowingly obtaining or disclosing PHI: up to $50,000 and one year of imprisonment. Doing so under false pretenses: up to $100,000 and five years. Doing so with intent to sell, transfer, or use the PHI for commercial advantage, personal gain, or malicious harm: up to $250,000 and ten years.
  • Example: deliberate theft or sale of patient records for personal gain, which falls in the highest tier.

Individual Penalties

  • Fine: individuals who knowingly obtain or disclose PHI without authorization can face fines of up to $50,000 and imprisonment for up to one year, in addition to disciplinary action by their employer.
  • Example: an employee accessing patient records without a valid reason, such as curiosity or personal vendetta.

State Attorney General Enforcement

  • Fine: state attorneys general can also bring civil actions against entities for HIPAA violations, resulting in monetary penalties.
  • Example: a healthcare organization suffering a data breach and not promptly notifying affected patients, as required by state laws, leading to legal action by the state attorney general.

It's important to note that the penalties can also include corrective action plans, increased oversight by the U.S. Department of Health and Human Services, and reputational damage, which can have long-lasting consequences for healthcare organizations and individuals involved.

Frequently Asked Questions

  1. Can I still use standard Skype for telehealth visits if I sign a BAA?

No. Since the COVID-19 PHE transition period ended on August 9, 2023, enforcement discretion no longer applies. Standard consumer Skype does not meet HIPAA technical safeguard requirements, and a BAA alone cannot make a non-compliant platform compliant. Providers must use a platform that is purpose-built or configured for HIPAA compliance, such as Zoom for Healthcare or Doxy.me.

  2. What happened to the HIPAA telehealth flexibilities from the COVID-19 pandemic?

The HHS OCR Notifications of Enforcement Discretion expired when the COVID-19 Public Health Emergency ended on May 11, 2023. OCR provided a 90-day transition period that ran through August 9, 2023. After that date, full HIPAA compliance was required for all telehealth services without exception.

  3. Is audio-only telehealth HIPAA compliant?

Yes, audio-only telehealth can be fully HIPAA compliant when proper safeguards are in place. Providers must verify patient identity, apply the minimum necessary standard, obtain consent before recording, and ensure any third-party telephony platforms used have signed a BAA. OCR has published specific guidance on this topic.

  4. Do I need a separate BAA for every telehealth platform I use?

Yes, with one narrow exception. Any vendor that creates, receives, maintains, or transmits ePHI on your behalf qualifies as a business associate and requires a BAA. This includes video platforms, secure messaging tools, scheduling software, and any cloud-based storage used in connection with patient care. The exception is a pure conduit, such as the telephone carrier or internet service provider that only carries traffic and does not store it, which does not need one.

  5. What are the most important steps a small practice should take to become HIPAA-compliant for telehealth?

Start with a formal risk analysis to identify where ePHI is created and transmitted in your workflow. Then ensure every technology vendor has signed a BAA, implement platform-level encryption and access controls, train all staff on telehealth-specific privacy requirements, and document your policies in writing. Review your compliance posture at least annually or whenever you adopt a new platform.

Final Thoughts

In the growing realm of telehealth technology, following HIPAA rules isn't just a legal necessity; it's a promise to patient safety. Understanding the rules, picking the right platforms, and using good practices benefits both healthcare providers and patients. Staying aware and taking action is vital to making the most of telemedicine while keeping patient data private and secure.
