The Zoom Call That Cost a Psychiatrist Everything
A solo psychiatrist in New England conducted therapy sessions over a consumer-grade video app for two years. No business associate agreement. No encryption audit. No risk analysis. When a patient filed a complaint with OCR after discovering session recordings were stored on an unencrypted cloud server, the investigation didn't just find one violation — it found a pattern of neglect. The practice shuttered within eight months.
I share this because it's not hypothetical. It's the kind of scenario I've watched play out repeatedly since telehealth exploded during the pandemic and never retreated. If you're delivering care remotely in 2026, understanding HIPAA compliance requirements for telehealth isn't optional — it's the difference between a thriving practice and a federal investigation.
The COVID-era enforcement discretion from HHS is gone. OCR has made it abundantly clear: telehealth providers are held to the same Security Rule, Privacy Rule, and Breach Notification Rule standards as every other covered entity. This post walks you through exactly what that means for your organization right now.
What HIPAA Compliance Requirements for Telehealth Actually Look Like
Let's cut through the noise. HIPAA doesn't have a separate "telehealth rule." Instead, the existing framework — the Privacy Rule, the Security Rule, and the Breach Notification Rule — applies fully to any electronic transmission of protected health information (PHI). Telehealth simply creates more transmission points, more devices, and more attack surfaces.
Here's what OCR expects from every covered entity and business associate offering telehealth services:
- A thorough, documented risk analysis covering every telehealth platform, device, and workflow your organization uses.
- Encryption for all ePHI, both in transit (end-to-end for the session itself) and at rest. Consumer apps without encryption don't cut it.
- A signed Business Associate Agreement (BAA) with every telehealth technology vendor that touches PHI.
- Access controls and audit logs on every platform used for virtual visits.
- Workforce training specific to telehealth risks — not just generic annual training.
- A breach notification process that accounts for telehealth-specific incidents like unauthorized recording or screen sharing.
Miss any one of these, and you've given OCR a thread to pull.
The BAA Trap: Where Most Telehealth Providers Fail First
In my experience, the number one gap I find during telehealth compliance audits is the missing or incomplete business associate agreement. Providers assume that because a vendor markets itself as "HIPAA compliant," a BAA must already be in place. That assumption is dangerous.
A vendor's marketing claim means nothing to OCR. What matters is a signed, executed BAA that specifies how the vendor will safeguard ePHI, report breaches, and limit use of your patients' data. If you're using a telehealth platform without one, you're in violation of 45 CFR § 164.502(e) — period.
I've seen organizations using three or four different platforms across departments — one for behavioral health, one for primary care, one for follow-ups — each with a different compliance posture. You need a BAA for every single one. And you need to verify those agreements annually, not just sign them once and forget.
What Should a Telehealth BAA Include?
- Specific obligations regarding encryption, access controls, and data retention
- Breach notification timelines (must align with the 60-day federal requirement)
- Terms for return or destruction of PHI upon contract termination
- Restrictions on subcontractors and downstream access to ePHI
HHS provides direct guidance on business associate requirements at hhs.gov/hipaa/for-professionals/privacy/guidance/business-associates. Bookmark it.
Encryption Isn't Optional — OCR Has Proven That With Seven-Figure Penalties
The Security Rule requires covered entities to implement technical safeguards to protect ePHI. For telehealth, encryption is the most critical of those safeguards. Yet I still walk into practices where clinicians are conducting video visits over platforms that offer no end-to-end encryption or where recordings are saved to local, unencrypted hard drives.
Consider the enforcement record. In 2018, OCR settled with Fresenius Medical Care North America for $3.5 million after breaches involving unencrypted devices across multiple locations. While that case wasn't telehealth-specific, the principle is identical: unencrypted ePHI is a compliance failure waiting to become a headline. You can review OCR's enforcement actions directly at hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements.
For telehealth in 2026, encryption means:
- AES-256 or equivalent for data at rest
- TLS 1.2 or higher for data in transit
- Encrypted storage for any session recordings, chat transcripts, or shared files
If your vendor can't demonstrate these standards in writing, find another vendor.
The Risk Analysis Nobody Wants to Do (But OCR Always Asks For)
Here's what happens in almost every OCR investigation: the agency asks for documentation of your most recent risk analysis. If you can't produce one, the investigation escalates immediately. It's the first domino.
A risk analysis under the Security Rule (45 CFR § 164.308(a)(1)) must identify every reasonably anticipated threat to ePHI. For telehealth, that means evaluating:
- The security posture of each telehealth platform
- Clinician home networks and personal devices used for virtual visits
- Patient-side risks (screen sharing in public, unsecured Wi-Fi)
- Recording and storage policies for telehealth sessions
- Integration points between your telehealth platform and your EHR
This isn't a one-time exercise. Your risk analysis must be reviewed and updated whenever you adopt a new platform, change a workflow, or experience a security incident. I recommend conducting a full review at least annually — and documenting every step. HHS offers detailed guidance on risk analysis methodology at hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis.
Workforce Training: The Gap OCR Exploits Most Often
You can have the most secure platform in the world, and a single untrained staff member can unravel it. I've seen it happen with a medical assistant who emailed a session recording to the wrong patient. I've seen it happen with a receptionist who shared login credentials across three clinicians.
HIPAA requires workforce training under 45 CFR § 164.530(b). For telehealth, that training must go beyond the basics. Your staff needs to understand:
- How to verify patient identity before a virtual visit
- Proper procedures for screen sharing and session recording
- What to do if a session is accidentally joined by an unauthorized person
- How to recognize phishing attempts targeting telehealth credentials
If your team hasn't completed training tailored to current telehealth risks, the Annual HIPAA Refresher course covers these scenarios in a practical, scenario-based format. For staff who are new to HIPAA entirely, start with the HIPAA Introduction Training for 2026 before layering on telehealth-specific policies.
What About Dental Practices Offering Virtual Consultations?
Dental telehealth has grown significantly, especially for initial consultations, orthodontic check-ins, and post-operative follow-ups. The same HIPAA compliance requirements for telehealth apply to dental practices without exception. If your dental office is exploring virtual visits, the HIPAA Training for Dental Offices course addresses these workflows directly.
Quick-Answer: What Are the Core HIPAA Requirements for Telehealth?
If you're scanning for a direct answer, here it is. HIPAA compliance requirements for telehealth include: (1) conducting a documented risk analysis covering all telehealth platforms and workflows; (2) using only platforms that offer end-to-end encryption and will sign a BAA; (3) implementing access controls, unique user IDs, and audit logging; (4) training all workforce members on telehealth-specific privacy and security risks; and (5) maintaining a breach notification process that covers telehealth incidents. No separate telehealth rule exists — the standard Privacy, Security, and Breach Notification Rules apply in full.
The Enforcement Discretion Era Is Over — Act Accordingly
During the COVID-19 public health emergency, OCR announced it would exercise enforcement discretion for good-faith use of non-compliant telehealth platforms. That discretion ended. HHS has not renewed it, and OCR leadership has repeatedly signaled that telehealth enforcement is a priority.
What that means for your organization is simple: every telehealth session you conduct must meet the same compliance standard as an in-person visit. The platform must be secure. The BAA must be signed. The training must be current. The risk analysis must be documented.
I've audited practices that assumed the pandemic exceptions would quietly persist. They didn't. And when OCR comes knocking — usually triggered by a patient complaint or a breach report — "we didn't know the rules changed" has never once worked as a defense.
Your Telehealth Compliance Checklist for 2026
Before your next virtual visit, confirm these items are in place:
- Signed BAAs with every telehealth platform vendor
- Documented risk analysis updated within the last 12 months
- End-to-end encryption verified for video, audio, chat, and file sharing
- Unique user credentials for every clinician — no shared logins
- Audit logs enabled and reviewed regularly
- Workforce training completed and documented for all staff involved in telehealth
- Breach notification procedures that specifically address telehealth scenarios
- Patient-facing privacy notices updated to reflect telehealth data practices
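As an added illustration of what "audit logs reviewed regularly" looks like in practice (this is example code, not from this post or any telehealth vendor), the Python below reviews a constructed, hypothetical audit-log export for two of the failure modes described earlier: one clinician's login in use from two devices at once, and a participant joining a session who was not on the roster. The log format, field names, user IDs and roster data are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (hypothetical format): time, event, user, source IP, session
SAMPLE_LOG = """\
2026-03-02T09:00:12Z LOGIN dr.rivera 203.0.113.10 -
2026-03-02T09:01:40Z JOIN dr.rivera 203.0.113.10 sess-4411
2026-03-02T09:02:05Z JOIN patient-7f3a 198.51.100.7 sess-4411
2026-03-02T09:03:30Z LOGIN dr.rivera 192.0.2.55 -
2026-03-02T09:04:10Z JOIN dr.rivera 192.0.2.55 sess-4420
2026-03-02T09:04:55Z JOIN guest-unknown 198.51.100.99 sess-4411
2026-03-02T09:45:00Z LOGOUT dr.rivera 203.0.113.10 -
"""

# Constructed scheduling data: who is expected in each session
ROSTER = {"sess-4411": {"dr.rivera", "patient-7f3a"},
          "sess-4420": {"dr.rivera", "patient-c21e"}}

def parse(log):
    """Turn the export into (timestamp, event, user, ip, session) tuples."""
    rows = []
    for line in log.splitlines():
        ts, event, user, ip, sess = line.split()
        rows.append((datetime.fromisoformat(ts.replace("Z", "+00:00")),
                     event, user, ip, sess))
    return rows

def shared_credential_users(rows, window=timedelta(hours=1)):
    """Users who logged in from a second source IP while an earlier login
    was still active: the pattern a shared clinician login produces."""
    active = defaultdict(dict)   # user -> {source ip: login time}
    flagged = set()
    for ts, event, user, ip, _ in rows:
        if event == "LOGIN":
            # Drop logins older than the window that never logged out
            for old_ip, seen in list(active[user].items()):
                if ts - seen > window:
                    del active[user][old_ip]
            if any(old_ip != ip for old_ip in active[user]):
                flagged.add(user)
            active[user][ip] = ts
        elif event == "LOGOUT":
            active[user].pop(ip, None)
    return flagged

def unexpected_participants(rows, roster):
    """(session, user) pairs where someone joined who was not on the roster."""
    return sorted((sess, user) for _, event, user, _, sess in rows
                  if event == "JOIN" and user not in roster.get(sess, set()))
```

Run against the sample, the first check flags dr.rivera (two active logins from different addresses three minutes apart) and the second flags guest-unknown in sess-4411; either finding is the kind of event the breach notification procedure on this checklist needs to catch.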
Telehealth is here to stay. It's expanded access, improved outcomes, and given patients options they never had before. But the compliance obligations that come with it are non-negotiable. Get ahead of them now, or let OCR find the gaps for you. I know which outcome I'd choose.