Telemedicine Compliance: HIPAA Considerations
Telemedicine HIPAA compliance is now a top priority for every practice. Virtual care has grown fast, pushed forward by COVID-19. Millions of patients now expect virtual visits as a permanent option.
But telehealth brings real privacy and security risks. Every video call, message, and device reading carries protected health information (PHI) over digital channels, where it becomes electronic PHI (ePHI) under the Security Rule. Your practice must meet HIPAA rules while keeping virtual care easy for patients.
Telehealth Growth and the Compliance Imperative
The New Normal of Virtual Care
Telehealth use is now far above pre-pandemic levels. Behavioral health, primary care, and specialist visits now happen by video and audio. Remote monitoring devices send clinical data non-stop, creating new streams of ePHI to protect.
This growth opens up more vulnerabilities for cyber threats. Telehealth platforms, patient portals, apps, and connected devices are all possible targets. Practices that ignore these risks face fines and the damage of a data breach.
Post-PHE Compliance Rules
During the COVID-19 public health emergency (PHE), OCR announced it would not penalize providers who used non-public-facing consumer platforms in good faith. That enforcement discretion ended with the PHE on May 11, 2023, and its 90-day transition period expired on August 9, 2023. Every telehealth tool must now meet the full HIPAA rules.
Key post-PHE changes include:
- No more enforcement discretion for consumer platforms that do not come with a BAA, such as FaceTime, Skype, or free-tier Zoom.
- A BAA is required with every telehealth technology vendor that creates, receives, maintains, or transmits PHI on your behalf.
- The required risk analysis must cover telehealth systems, including the devices and networks on both ends of a visit.
- Standard HIPAA security safeguards must be in place for all telehealth communications.
- Documentation rules apply to all telemedicine visits, including consent and patient access rights.
If you used temporary flexibilities during the PHE, audit your telehealth tools now. Bring every part into full HIPAA compliance.
Platform Rules for HIPAA-Compliant Telehealth
Essential Technical Safeguards
A HIPAA-compliant telehealth platform must have strong tech safeguards. These protect ePHI during every virtual visit. Required and recommended features include:
Encryption:
- Encryption of all video, audio, and messaging in transit. Ask the vendor whether its own servers can decrypt the media; many products advertise "end-to-end encryption" but route media through servers that hold the keys, which is transport encryption, not end-to-end. Either can be acceptable, but you need to know which you are buying.
- AES-256 (or equivalent) for data in transit and at rest.
- TLS 1.2 or higher for all network communications, with older protocol versions disabled on the server side.
- Encrypted storage for any recorded sessions or session data.
Access Controls:
- Unique user IDs for all providers and patients on the platform.
- Strong authentication, including multi-factor authentication for provider accounts.
- Role-based access controls limiting PHI access by job function.
- Automatic session timeout after inactivity.
- Emergency access procedures for urgent clinical situations.
Audit Controls:
- Full audit logs of all PHI access within the platform.
- Session logs showing who accessed what, and when.
- Regular log reviews to catch unapproved access.
- Tamper-evident log storage (write-once media or a hash-chained log) so the audit trail cannot be altered or truncated without detection.
Integrity Controls:
- Integrity checks (message authentication codes or signed payloads) so any change to PHI in transit is detected, not silently corrected.
- Error detection and correction for communication reliability.
- Backup and recovery for all platform data.
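The audit and integrity controls above map onto one concrete mechanism: a hash-chained log whose head is sealed with an HMAC, plus a review pass that flags any access outside the actor's role. The following Python is an added example written for this page, not code from any telehealth platform; the event fields, the role policy, the sample events, and the sealing key are all constructed for illustration.

```python
"""Tamper-evident audit log with a role-based access review.

Added example, not code from the original page or any vendor. The event
schema, ROLE_POLICY, SEAL_KEY and the sample events are constructed.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical role policy: which actions each role may take on PHI.
ROLE_POLICY = {
    "provider": {"view_chart", "start_session", "write_note", "view_recording"},
    "scheduler": {"view_schedule", "book_appointment"},
    "support": {"view_schedule"},
}

# Key that seals the chain head. Constructed for this example; in a real
# deployment it lives in a KMS/HSM and never in source control.
SEAL_KEY = b"example-seal-key-not-for-production"
GENESIS = "0" * 64


def _digest(body):
    """SHA-256 over a canonical JSON encoding of an entry (minus its hash)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(chain, user, role, action, patient, ts=None):
    """Append one access event; its hash covers the previous entry's hash,
    so editing or deleting any earlier entry breaks every later link."""
    event = {
        "ts": ts or datetime.now(timezone.utc).isoformat(),
        "user": user, "role": role, "action": action, "patient": patient,
        "prev_hash": chain[-1]["hash"] if chain else GENESIS,
    }
    event["hash"] = _digest(event)
    chain.append(event)
    return event


def seal(chain):
    """HMAC over the current chain head. Store it apart from the log so that
    deleting the newest entries (which leaves every link valid) is detected."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(SEAL_KEY, head.encode(), hashlib.sha256).hexdigest()


def verify_chain(chain, expected_seal):
    """Recompute every link and the seal.
    Returns (True, None) if intact; otherwise (False, index) where index is
    the first entry that fails, or len(chain) when only the seal fails
    (truncation or a wholesale rewrite of the chain)."""
    prev = GENESIS
    for i, event in enumerate(chain):
        body = {k: v for k, v in event.items() if k != "hash"}
        if event["prev_hash"] != prev or _digest(body) != event["hash"]:
            return False, i
        prev = event["hash"]
    if not hmac.compare_digest(seal(chain), expected_seal):
        return False, len(chain)
    return True, None


def review_access(chain):
    """Periodic log review: events whose action is outside the actor's role.
    Unknown roles are reported as well."""
    return [e for e in chain if e["action"] not in ROLE_POLICY.get(e["role"], set())]


def build_sample_chain():
    """Constructed sample events, with fixed timestamps so runs are repeatable."""
    chain = []
    append_event(chain, "dr.lee", "provider", "start_session", "pt-001",
                 ts="2024-01-05T14:00:00+00:00")
    append_event(chain, "j.smith", "scheduler", "view_schedule", "pt-001",
                 ts="2024-01-05T14:01:00+00:00")
    append_event(chain, "j.smith", "scheduler", "view_chart", "pt-001",
                 ts="2024-01-05T14:02:00+00:00")   # outside the scheduler role
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    stored_seal = seal(chain)
    print("intact:", verify_chain(chain, stored_seal))           # (True, None)
    print("flagged:", [(e["user"], e["action"]) for e in review_access(chain)])
    chain[2]["action"] = "view_schedule"      # an insider rewrites the entry
    print("after edit:", verify_chain(chain, stored_seal))       # (False, 2)
    chain.pop()                               # or deletes it outright
    print("after delete:", verify_chain(chain, stored_seal))     # (False, 2)
```

Editing an entry breaks its own hash, editing an earlier entry breaks the next link, and deleting the newest entries leaves every link valid but changes the head so the stored seal no longer matches. Keep the seal (or a signed copy of the head) somewhere the platform's own administrators cannot rewrite; otherwise an insider with database access can recompute the whole chain. The review function is the minimum a "regular log review" should do; in practice it runs on a schedule and its findings go to the privacy officer.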
Evaluating Telehealth Vendors
When picking a telehealth platform, ask these questions:
- Will the vendor sign a Business Associate Agreement, and on which plan tiers?
- Is media encrypted end to end, or only in transit to the vendor's servers? Either may be acceptable, but you should know which you are buying.
- Can the vendor provide a current SOC 2 Type II report or a HITRUST certification? Read the scope and any noted exceptions; a report that excludes the telehealth product tells you little.
- Does the platform have configurable access controls and exportable audit logs?
- Does the vendor run regular penetration tests and vulnerability scans, and will it share summary results?
- Where is PHI stored, and does that location meet your compliance rules?
- Does the vendor have a documented incident response plan, with a breach notification timeline written into the BAA?
- Does the platform support patient identity checks before sessions begin?
Need guidance on cloud telehealth tools? See our article on cloud storage compliance for healthcare data.
Business Associate Agreements for Telehealth Vendors
BAA Rules
Any telehealth vendor that handles PHI for your practice is a business associate under HIPAA. You must sign a Business Associate Agreement before services start. This rule applies to:
- Video conferencing providers, including telehealth-specific platforms.
- Cloud hosting providers that store session data or recordings.
- Remote patient monitoring vendors that collect and send clinical data.
- Scheduling and patient portal providers that handle PHI and appointments.
- Transcription and documentation services that process visit notes.
The BAA must spell out:
- The allowed uses and shares of PHI by the vendor.
- The vendor's duty to use proper safeguards.
- Breach notification rules, including timelines and reporting steps. HIPAA's outer limit for a business associate to notify you is 60 days from discovery of a breach; most practices negotiate a much shorter window so they can meet their own notification deadlines.
- The vendor's duty to ensure subcontractors also follow HIPAA.
- End-of-contract steps including return or destruction of PHI.
Common BAA Pitfalls
Practices often run into these BAA problems:
- Using consumer-grade platforms that do not offer BAAs (e.g., free-tier Zoom, FaceTime, WhatsApp).
- Failing to update BAAs when vendors change their terms or tools.
- Not checking subcontractor compliance when the vendor uses third-party systems.
- Missing recording and storage terms that control who owns session recordings.
Patient Consent and Recording Policies
Informed Consent for Telehealth
HIPAA does not require a separate consent just for telehealth. But many states require specific informed consent for telemedicine visits. Best practices include:
- Document patient consent for telehealth care, including known risks and limits.
- Explain privacy and security steps in plain words so patients understand protection.
- Address recording policies clearly, telling patients if sessions may be recorded and why.
- Get consent before each session or keep a standing consent the patient can revoke.
- Respect patient preferences for how they communicate (video, audio, messaging).
Recording Policies
Recording telehealth sessions adds compliance duties:
- Recordings are part of the medical record and fall under HIPAA's Privacy and Security Rules.
- State wiretap and recording laws may require all-party consent to record, and they apply to telehealth sessions just as they do to phone calls.
- Stored recordings must meet HIPAA security rules including encryption and access controls.
- Retention and destruction policies must match relevant medical record laws.
- Patient access rights apply to telehealth recordings as part of the record set.
Set clear policies on when sessions are recorded. Make sure patients are informed and give proper consent.
Interstate Licensing and Regulatory Factors
Multi-State Telehealth Operations
Telehealth often means treating patients in other states. This raises licensing and regulatory questions that touch HIPAA compliance:
- State licensing rules usually require a license in the state where the patient is during the visit.
- Interstate medical licensure compacts help with multi-state practice but do not cover all states.
- Prescribing rules vary by state, with specific laws for telehealth and controlled substances.
- State privacy laws in the patient's state may add rules beyond HIPAA, including telehealth consent terms.
Practices offering telemedicine across state lines must track many state-specific rules. Learn how state privacy laws interact with HIPAA for multi-state telehealth programs.
Technical Safeguards for Video and Remote Monitoring
Securing the Telehealth Environment
Beyond platform security, your practice must protect the setting where telehealth visits happen. That means both the provider side and the patient side.
Provider-Side Safeguards:
- Private consultation spaces where conversations cannot be overheard.
- Screen privacy filters to block visual access to PHI.
- Secure network connections — avoid public Wi-Fi for telehealth sessions.
- Device security including encryption, current software, and endpoint protection.
- Background checks for telehealth support staff.
Patient-Side Guidance:
- Teach patients to join telehealth from a private location.
- Tell patients to join only through your official app or the link your practice sends, never through a link forwarded by someone else, and to expect the browser's padlock when using a web client.
- Offer backup access methods for patients without secure technology.
- Document patient-side risks that are outside your control.
Remote Patient Monitoring (RPM):
- Encrypt all data sent from monitoring devices to provider systems.
- Authenticate every device (per-device keys or certificates provisioned at enrollment) so unapproved devices cannot submit data and a compromised device cannot impersonate another.
- Secure data storage for continuous monitoring data streams.
- Set up alerts for device tampering, failed authentication, and unapproved access.
- Keep a device inventory and track all deployed monitoring equipment, including retired units whose credentials must be revoked.
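Device authentication and tamper alerting for RPM, as an added example written for this page (Python, not any device vendor's code). It assumes a hypothetical device registry with a per-device HMAC key provisioned at enrollment and a status field; the device IDs, keys, readings, nonces, and timestamps are all constructed. Transport encryption (TLS from the device or gateway to your systems) is assumed to be in place separately; this code answers who sent a reading, whether it was altered, and whether it is being replayed.

```python
"""Authenticated RPM telemetry ingest with replay protection and alerting.

Added example, not code from the original page or any device vendor.
DEVICE_REGISTRY and every key, id and reading below are constructed.
"""
import hashlib
import hmac
import json
import secrets

# Hypothetical device registry. A real one keeps per-device keys in a
# KMS/HSM and records model, firmware, owner and enrollment/retirement dates.
DEVICE_REGISTRY = {
    "bp-cuff-0042": {"key": b"example-key-bp-cuff-0042", "status": "active"},
    "scale-0107":   {"key": b"example-key-scale-0107",   "status": "active"},
    "pulseox-0003": {"key": b"example-key-pulseox-0003", "status": "retired"},
}


def _canonical(body):
    """Stable byte encoding so device and server sign exactly the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_reading(device_id, key, ts, reading, nonce=None):
    """Device side: wrap a reading with its id, a timestamp, a one-time nonce,
    and an HMAC-SHA256 tag computed with that device's own key."""
    body = {"device_id": device_id, "ts": ts,
            "nonce": nonce or secrets.token_hex(8), "reading": reading}
    body["sig"] = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return json.dumps(body)


class TelemetryIngest:
    """Server side: accept a reading only from an enrolled, active device,
    with a valid tag, a fresh timestamp, and a nonce not seen before."""

    def __init__(self, registry, window_s=300):
        self.registry = registry
        self.window_s = window_s   # tolerated clock skew plus delivery delay
        self.seen = set()          # (device_id, nonce) pairs already accepted
        self.alerts = []           # (device_id, reason) for the on-call feed

    def accept(self, raw, now):
        """Return (True, "ok") or (False, reason); every rejection raises an alert."""
        try:
            msg = json.loads(raw)
            sig = msg.pop("sig")
            dev_id, ts, nonce = msg["device_id"], msg["ts"], msg["nonce"]
        except (ValueError, KeyError, TypeError, AttributeError):
            return self._reject("?", "malformed")
        if not (isinstance(sig, str) and isinstance(dev_id, str)
                and isinstance(nonce, str) and isinstance(ts, (int, float))):
            return self._reject(str(dev_id), "malformed")
        dev = self.registry.get(dev_id)
        if dev is None:
            return self._reject(dev_id, "unknown_device")
        if dev["status"] != "active":
            return self._reject(dev_id, "device_retired")
        # Verify authenticity before anything else: only a holder of this
        # device's key can produce a tag over these exact bytes.
        expected = hmac.new(dev["key"], _canonical(msg), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return self._reject(dev_id, "bad_signature")    # altered or forged
        if abs(now - ts) > self.window_s:
            return self._reject(dev_id, "stale_timestamp")  # old data replayed late
        if (dev_id, nonce) in self.seen:
            return self._reject(dev_id, "replay")           # same message twice
        self.seen.add((dev_id, nonce))
        return True, "ok"

    def _reject(self, dev_id, reason):
        self.alerts.append((dev_id, reason))
        return False, reason


if __name__ == "__main__":
    ingest = TelemetryIngest(DEVICE_REGISTRY)
    key = DEVICE_REGISTRY["bp-cuff-0042"]["key"]
    now = 1_700_000_000
    msg = sign_reading("bp-cuff-0042", key, now, {"sys": 128, "dia": 82})
    print(ingest.accept(msg, now))                 # (True, 'ok')
    print(ingest.accept(msg, now + 5))             # (False, 'replay')
    forged = sign_reading("bp-cuff-0042", b"guessed-key", now, {"sys": 1})
    print(ingest.accept(forged, now))              # (False, 'bad_signature')
    print(ingest.alerts)
```

Per-device keys mean a compromised cuff exposes only its own key, and flipping a device to "retired" in the registry stops its readings without touching the others. Real deployments usually use client certificates rather than shared HMAC keys, and the timestamp window has to allow for devices with poor clocks. Every rejection lands in `alerts`, which is the feed the "alert systems for device tampering" item above would consume.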
Telemedicine HIPAA FAQ
Can we use FaceTime or standard Zoom for telehealth?
No. Apple does not offer a BAA for FaceTime, and free-tier Zoom is not covered by one. Zoom does offer a BAA on its healthcare plans, so the tier matters, not the product name. Consumer tiers also lack the audit logging and administrative access controls HIPAA requires. OCR's COVID-19 enforcement discretion ended in 2023. Use a platform that comes with a BAA, encryption of all session traffic, and proper access controls.
Do we need a separate BAA for our telehealth platform?
Yes. If your telehealth vendor handles PHI, you must sign a BAA with them. This covers the platform provider itself. It may also cover subcontractors like cloud hosts that the vendor uses.
What if a patient requests a non-compliant communication method?
HIPAA lets a patient ask to be contacted by a less secure method, such as plain email or text, and you may honor that request once you have warned the patient of the risk; document the warning and the patient's choice. That right does not stretch to holding visits on a platform whose vendor will not sign a BAA, because there the vendor, not the patient, is handling PHI on your behalf. Offer compliant options, explain why you cannot use the requested tool, and document the request and your response.
How do we handle telehealth for patients in other states?
Make sure your providers hold valid licenses in the patient's state. Follow that state's telehealth rules and any privacy rules that go beyond HIPAA. Keep a current list of state-specific telehealth rules and update it as laws change.
Are telehealth encounters subject to the same documentation rules as in-person visits?
Yes. Document telehealth visits in the medical record just like in-person visits. Also note the telehealth method used (video, audio, messaging) and patient consent. Patient rights under HIPAA, including the right to access records, apply equally to telehealth visit documentation.
Telemedicine Compliance Takeaways
Telemedicine compliance means extending your HIPAA program into digital care. You must pick compliant platforms, sign BAAs, set up tech safeguards, and track multi-state rules. These duties are real, but manageable with a clear plan.
One Guy Consulting helps practices build HIPAA-compliant telemedicine programs from the ground up. We cover new launches and audits of existing programs. Contact us today to make sure your telemedicine program meets every relevant rule.
Key point: Under 45 CFR 164.312(e), ePHI transmitted during telemedicine sessions must be guarded against unauthorized access. Encryption is an addressable specification there, not a named requirement, but OCR expects it for any transmission over open networks, and a practice that skips it must document why an equivalent measure is reasonable. Consumer-grade platforms like FaceTime and free-tier Zoom do not meet HIPAA requirements without a signed Business Associate Agreement from the vendor.