HIPAA telehealth compliance was effectively unenforced for three years. Beginning March 17, 2020, during the COVID-19 public health emergency, OCR exercised enforcement discretion, announcing that it would not impose penalties on providers who delivered telehealth in good faith over non-public-facing consumer platforms such as FaceTime, Skype, and standard Zoom. Public-facing services such as Facebook Live or TikTok were never covered. The reasoning was sound: the healthcare system needed to pivot to remote care immediately, and requiring providers to vet and implement compliant platforms in the middle of a pandemic would have delayed access to care for millions of patients.
That enforcement discretion ended on May 11, 2023. A 90-day transition period followed, expiring on August 9, 2023. Since that date, every telehealth session conducted by a covered entity must comply with the full requirements of the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule. No exceptions. No grace period. Full enforcement.
The problem is that many providers never made the transition. They adopted consumer video platforms in 2020, continued using them through 2023, and are still using them today. These providers are not in a gray area. They are in violation of HIPAA with every session they conduct. In this article, we’ll examine what HIPAA telehealth compliance requires in the current regulatory environment, where the most common gaps exist, and how practices can bring their telehealth operations into compliance before OCR comes looking.
The Platform Is the First Problem
The foundational requirement for HIPAA-compliant telehealth is a platform that supports the technical safeguards HIPAA mandates and whose vendor has signed a Business Associate Agreement (BAA) with your practice. A BAA is not optional. Any vendor that transmits, processes, or stores ePHI on your behalf is a business associate under HIPAA, and a signed BAA must be in place before any clinical sessions are conducted. The narrow "conduit" exception covers carriers that only pass traffic through without the ability to access it; it does not cover a video platform that hosts, decrypts, or records sessions.
Consumer video platforms, including FaceTime, Google Meet on a personal account, free or standard Zoom, Skype, and WhatsApp, do not come with a BAA. (Paid Google Workspace and paid Zoom plans can be covered by a BAA, but only when the practice has actually executed one and clinicians use the covered accounts, not their personal logins.) Some of these apps encrypt calls end to end, so transport encryption is not the core problem. The problem is that they provide no BAA, no administrator-visible audit trail of who joined which session, and no practice-controlled user and access management. Using them for clinical telehealth violates the HIPAA Rules' business associate requirements and leaves the Security Rule's audit and access control standards unmet.
HIPAA-compliant alternatives exist across a range of price points. Platforms like Zoom for Healthcare, Doxy.me, SimplePractice Telehealth, and others offer signed BAAs, encrypted transmission, audit logging, and access controls that support HIPAA requirements. Many EHR systems now include integrated telehealth functionality with a BAA already built into the existing vendor agreement. For practices already using a cloud-hosted EHR, checking whether the vendor offers compliant telehealth may be the fastest path to compliance. Note that a BAA makes a platform eligible, not automatically compliant: the practice still has to configure it (enforce MFA, control where recordings are stored and for how long, restrict who can join or export sessions) and verify that every clinician is on the BAA-covered account rather than a free personal one.
Encryption, Authentication, and Access Controls
Beyond the platform itself, HIPAA telehealth compliance requires the same technical safeguards that apply to any system handling ePHI. Video and audio transmitted during a telehealth session must be encrypted in transit. Any data generated or stored during the session, including session recordings, clinical notes, and chat transcripts, must be encrypted at rest. Under the Security Rule update proposed by HHS in its January 2025 notice of proposed rulemaking, encryption at rest and in transit would become mandatory, with only limited exceptions, removing the "addressable" flexibility that some organizations previously relied on.
Access to the telehealth platform must be controlled through unique user credentials. Each clinician must have their own login. Unique user identification is already a required implementation specification of the Security Rule, so shared accounts are a violation regardless of whether the system is used for telehealth or any other purpose. Under the proposed Security Rule, multi-factor authentication would be required, with limited exceptions, for access to systems containing ePHI, which includes telehealth platforms. Practices that have not yet implemented MFA for their telehealth tools should begin planning for that transition now.
Audit logging is also required. The platform should record who accessed the system, from where, when sessions occurred, and what actions were taken, including recording exports and downloads. These logs serve as both a compliance safeguard and a forensic tool in the event of a breach investigation, and the Security Rule separately requires that system activity records actually be reviewed, so a log nobody looks at satisfies neither purpose. If your current telehealth platform does not support audit logging, it does not meet HIPAA requirements.
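As an added example (not code from the article or from any telehealth vendor), the script below shows what two of the gaps just described look like in an audit export: a shared clinician credential surfaces as one account active from two networks at the same time, and a missing second factor surfaces as a login event without MFA. The JSON-lines format, the field names (ts, event, user, src_ip, mfa, session) and the sample lines are all constructed assumptions; a real platform's export will use its own schema and needs to be mapped onto these fields first.

```python
from __future__ import annotations

import json
from collections import defaultdict
from datetime import datetime

# Constructed sample export (not real data). dr.lee is logged in from two
# networks at once (s1 overlaps s2), frontdesk logs in without MFA and pulls a
# recording, and dr.patel changes networks between sessions (travel, not sharing).
SAMPLE_AUDIT_LOG = """\
{"ts": "2024-03-04T09:00:12Z", "event": "login", "user": "dr.lee", "src_ip": "203.0.113.10", "mfa": true, "session": "s1"}
{"ts": "2024-03-04T09:20:41Z", "event": "login", "user": "dr.lee", "src_ip": "198.51.100.7", "mfa": true, "session": "s2"}
{"ts": "2024-03-04T09:50:00Z", "event": "logout", "user": "dr.lee", "session": "s1"}
{"ts": "2024-03-04T10:00:00Z", "event": "login", "user": "frontdesk", "src_ip": "203.0.113.10", "mfa": false, "session": "s3"}
{"ts": "2024-03-04T10:02:00Z", "event": "recording_download", "user": "frontdesk", "session": "s3", "patient_id": "p-1001"}
{"ts": "2024-03-04T10:05:00Z", "event": "logout", "user": "dr.lee", "session": "s2"}
{"ts": "2024-03-04T10:10:00Z", "event": "logout", "user": "frontdesk", "session": "s3"}
{"ts": "2024-03-04T11:00:00Z", "event": "login", "user": "dr.patel", "src_ip": "203.0.113.10", "mfa": true, "session": "s4"}
{"ts": "2024-03-04T11:25:00Z", "event": "logout", "user": "dr.patel", "session": "s4"}
{"ts": "2024-03-04T11:30:00Z", "event": "login", "user": "dr.patel", "src_ip": "192.0.2.55", "mfa": true, "session": "s5"}
"""


def parse_audit_log(text: str) -> list[dict]:
    """Parse one JSON object per line and return the events sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def _window(login: dict, end: datetime) -> dict:
    return {
        "session": login["session"],
        "user": login["user"],
        "src_ip": login["src_ip"],
        "mfa": bool(login.get("mfa", False)),
        "start": login["ts"],
        "end": end,
    }


def authenticated_sessions(events: list[dict]) -> list[dict]:
    """Pair each login with its logout to get one time window per session.

    A session still open at the end of the export is closed at the last
    timestamp seen so it is reviewed rather than silently dropped. Other
    events (e.g. recording_download) are kept in the timeline but not used here.
    """
    open_sessions: dict[str, dict] = {}
    windows = []
    for event in events:
        if event["event"] == "login":
            open_sessions[event["session"]] = event
        elif event["event"] == "logout" and event["session"] in open_sessions:
            windows.append(_window(open_sessions.pop(event["session"]), event["ts"]))
    last_ts = events[-1]["ts"] if events else None
    for login in open_sessions.values():
        windows.append(_window(login, last_ts))
    return windows


def find_concurrent_logins(windows: list[dict]) -> list[tuple[str, str, str]]:
    """Flag one account active from two different source IPs at the same time.

    Sequential logins from different networks are normal (clinic, then home);
    only overlapping windows with differing IPs are reported.
    """
    by_user: dict[str, list[dict]] = defaultdict(list)
    for window in windows:
        by_user[window["user"]].append(window)
    findings = []
    for user, user_windows in sorted(by_user.items()):
        user_windows.sort(key=lambda w: w["start"])
        for i, earlier in enumerate(user_windows):
            for later in user_windows[i + 1:]:
                if later["start"] < earlier["end"] and earlier["src_ip"] != later["src_ip"]:
                    findings.append((user, earlier["session"], later["session"]))
    return findings


def find_users_without_mfa(windows: list[dict]) -> list[str]:
    """List accounts that completed at least one login without a second factor."""
    return sorted({w["user"] for w in windows if not w["mfa"]})


def review(text: str) -> dict:
    """Run both checks over an audit export and return the findings."""
    windows = authenticated_sessions(parse_audit_log(text))
    return {
        "concurrent_logins": find_concurrent_logins(windows),
        "users_without_mfa": find_users_without_mfa(windows),
    }


if __name__ == "__main__":
    for check, result in review(SAMPLE_AUDIT_LOG).items():
        print(f"{check}: {result}")
```

On the constructed sample this reports dr.lee's overlapping sessions s1 and s2 as a shared-credential indicator and frontdesk as an account that logged in without MFA, while dr.patel's network change between two non-overlapping sessions is correctly left alone. A practice running something like this monthly against its vendor's export has evidence that the information system activity review actually happened.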
The Home Office Is Part of Your Compliance Perimeter
When a clinician conducts a telehealth session from their home, the home office becomes part of the practice’s compliance environment. The same safeguards that apply in the clinic apply in the spare bedroom. This is where many practices fail to extend their compliance thinking.
The telehealth device must be secured. If a clinician is using a personal laptop, it must have full-disk encryption enabled, a lock screen that requires authentication, a current and patched operating system, and, ideally, be enrolled under the practice's BYOD policy so those settings can be verified rather than assumed. If the laptop is shared with family members, the risk of unauthorized access to ePHI increases significantly. A child opening the laptop and viewing a patient session recording stored on the desktop is a potential breach.
The physical environment matters as well. Telehealth sessions should be conducted in a private setting where conversations cannot be overheard by unauthorized individuals. A clinician conducting a therapy session from a coffee shop or a shared living space where family members can hear the conversation is violating the Privacy Rule’s requirement for reasonable safeguards against unauthorized disclosure. The practice should establish clear expectations for where and how telehealth sessions are conducted from remote locations.
Patient Communication Before and After the Visit
The compliance obligations surrounding telehealth extend beyond the video session itself. Appointment reminders, pre-visit instructions, post-visit summaries, prescription communications, and follow-up messages all involve PHI and must be transmitted through compliant channels.
Standard SMS, consumer email, and messaging apps like iMessage or WhatsApp are not appropriate default channels for PHI. If a practice sends a patient a text message containing clinical information, that message is unencrypted in transit on the carrier network, stored on the patient's device indefinitely, and potentially backed up to a cloud account the practice has no control over. One caveat practitioners should know: OCR has said that a provider may communicate with a patient over unencrypted email or text if the patient has been warned of the risk and still prefers that channel, so the violation lies in using consumer channels by default and without that documented choice, not in honoring an informed patient preference. Secure patient communication platforms, patient portals integrated with the EHR, and HIPAA-compliant messaging tools should replace consumer channels for any routine communication involving PHI.
Patient consent for telehealth should also be documented. While HIPAA does not prescribe a specific consent form for telehealth, obtaining and documenting the patient’s informed consent for receiving care via a remote platform is both a best practice and, in many states, a legal requirement. The consent process should explain how the session will be conducted, what technology will be used, and how the patient’s information will be protected.
Session Recordings and Documentation
If your practice records telehealth sessions, those recordings are PHI and must be treated with the same protections as any other patient record. Recordings must be stored in a HIPAA-compliant system with encryption at rest and access controls that limit who can view them. Storing session recordings on a clinician’s personal device, in a consumer cloud storage account, or on a local hard drive without encryption is a violation.
Explicit patient consent should be obtained before recording any telehealth session. HIPAA itself does not impose a separate consent requirement for recording; the requirement comes from state recording and wiretap laws, many of which require all-party consent, and from professional licensing boards. The consent should specify that the session will be recorded, the purpose of the recording, and how it will be stored and protected. Practices should verify their state's requirements and build them into their consent process.
Risk Assessments Must Include Telehealth
If your practice offers telehealth and your most recent risk assessment does not address the specific risks associated with remote care delivery, it is incomplete. Telehealth introduces risks that do not exist in a traditional in-office setting: data transmitted over the internet, clinicians accessing ePHI from remote locations and personal devices, third-party platforms processing session data, and patients connecting from unsecured environments.
Each of these risk factors should be evaluated, documented, and addressed through appropriate safeguards in the practice’s policies and procedures. The risk assessment should identify which telehealth platforms are in use, whether BAAs are in place, how devices used for remote sessions are secured, and what controls are in place to protect ePHI throughout the telehealth workflow. Under the proposed Security Rule, the annual technology asset inventory and network mapping requirements will further formalize this obligation by requiring practices to document every system involved in telehealth delivery.
The Waiver Era Is Over
The COVID-era enforcement discretion served its purpose. It allowed healthcare to continue when in-person care was impossible. But that window closed in August 2023, and the regulatory landscape has only tightened since. Providers who adopted consumer platforms in 2020 and never transitioned are carrying compliance risk with every session they conduct. If finalized as proposed, the Security Rule update would add mandatory encryption, MFA, asset inventories, and annual compliance audits on top of the requirements that are already in effect. The time to bring telehealth operations into full HIPAA compliance is not when the new rule is finalized. It was three years ago.
At Axeleos, we help healthcare practices build telehealth compliance programs that satisfy current HIPAA requirements and prepare for the proposed Security Rule changes. Sentraeus360 provides the tools to conduct risk assessments that account for telehealth workflows, document vendor BAAs, manage device security policies, and maintain the evidence trail that regulators expect. Contact us today to close the gap between how your practice delivers telehealth and how HIPAA says you should.
