The Enforcement Hammer Dropped — and Telehealth Was in the Crosshairs

In March 2023, HHS OCR announced that the telehealth enforcement discretion period — the pandemic-era flexibility that let providers use consumer-grade apps like FaceTime and Skype without fear of penalties — was officially over. Ninety days later, every covered entity in the country was expected to be fully compliant again. Many weren't.

I've worked with clinics that were still running virtual visits on platforms with no Business Associate Agreement in place months after the deadline. If your organization delivers care via telehealth, the HIPAA telehealth guidance from HHS OCR isn't optional reading. It's the rulebook that determines whether your next audit ends with a handshake or a seven-figure settlement.

This post breaks down exactly what OCR expects from telehealth providers right now, where organizations keep stumbling, and the specific steps you can take to lock down compliance before an investigator does it for you.

What Is the HHS OCR HIPAA Telehealth Guidance?

The HIPAA telehealth guidance HHS OCR published covers how the HIPAA Privacy, Security, and Breach Notification Rules apply when protected health information (PHI) is transmitted electronically during virtual care. It's not a separate regulation — it's OCR's interpretation of how existing HIPAA requirements map onto telehealth technology and workflows.

The guidance makes clear that any platform handling ePHI during a telehealth session must meet the Security Rule's administrative, physical, and technical safeguard requirements. That includes encryption in transit and at rest, access controls, audit logging, and a signed Business Associate Agreement with every vendor whose technology touches patient data.

You can read the full guidance directly from HHS.gov's telehealth and HIPAA page.

The Enforcement Discretion Period Is Gone — Here's What That Means

During COVID-19, OCR issued a series of Notifications of Enforcement Discretion that allowed healthcare providers to use non-public-facing communication tools for telehealth without risk of HIPAA penalties. That was extraordinary. It was also temporary.

OCR formally ended that discretion effective May 11, 2023, coinciding with the end of the COVID-19 public health emergency. Since that date, every telehealth encounter is subject to full HIPAA enforcement. No exceptions, no grace periods.

I've seen organizations that treated the enforcement discretion like a permanent policy change. It wasn't. If you're still using a consumer video app without a BAA, you're operating in violation right now.

What OCR Specifically Looks For

Based on published guidance and past enforcement actions, OCR scrutinizes several areas during telehealth-related investigations:

  • Business Associate Agreements: Every telehealth vendor must have a signed BAA. No BAA means no legal basis for the vendor to handle ePHI.
  • Encryption: End-to-end encryption is the expectation. If your platform can't provide it, OCR will ask why — and "we didn't know" isn't a defense.
  • Risk Analysis: The Security Rule requires a thorough risk analysis that accounts for telehealth-specific threats. Remote endpoints, home Wi-Fi networks, shared devices — all of it.
  • Minimum Necessary Standard: Only the ePHI needed for the encounter should be accessible during a telehealth session. Broad access to full medical records through a telehealth portal is a red flag.
  • Patient Authentication: OCR expects covered entities to verify patient identity before sharing ePHI during virtual visits.

The $6.85 Million Lesson from Premera Blue Cross

While not exclusively a telehealth case, the 2020 OCR settlement with Premera Blue Cross for $6.85 million underscored a principle that applies directly to telehealth: failure to conduct an adequate, enterprise-wide risk analysis is one of the most expensive mistakes a covered entity can make. Premera's breach affected 10.4 million people, and OCR found the organization hadn't properly assessed risks to ePHI across its systems.

Now apply that to telehealth. Every virtual visit creates new attack surfaces — provider laptops, patient smartphones, third-party video platforms, cloud storage. If your risk analysis doesn't explicitly address these, you have the same gap that cost Premera millions. You can review OCR's enforcement action archive at the HHS enforcement outcomes page.

Five Things Your Telehealth Program Needs Right Now

1. A Telehealth-Specific Risk Analysis

Your organization's risk analysis must go beyond servers and on-premises workstations. It should inventory every device, connection type, and software application involved in delivering virtual care. I've reviewed risk analyses that were 40 pages long and never mentioned telehealth once. That's a compliance gap hiding in plain sight.

2. A Signed BAA with Every Telehealth Vendor

This sounds basic, but it's the single most common failure I see. Your EHR vendor has a BAA. Your billing company has one. But the video platform your providers chose because it "works well"? No BAA. That's a violation on day one.

3. Workforce Training That Covers Telehealth Scenarios

Generic HIPAA training doesn't cut it when your staff is conducting patient encounters from home offices and shared spaces. Your workforce needs training that addresses telehealth-specific risks: screen sharing mistakes, unsecured home networks, family members overhearing PHI, and the use of personal devices. Our HIPAA training catalog includes courses designed to address exactly these real-world scenarios.

4. Encryption at Every Layer

OCR's guidance emphasizes encryption as an addressable safeguard under the Security Rule — but "addressable" doesn't mean "optional." If you choose not to encrypt, you must document why an equivalent alternative is reasonable. In telehealth, there's almost never a reasonable alternative to encryption. Use it.

5. Policies That Match Your Actual Practices

I can't count how many organizations have a telehealth policy that says "all sessions must be conducted in a private location" while their providers routinely join calls from coffee shops. Policies are only worth the paper they're printed on if your workforce follows them — and if you enforce them. OCR will check both.

Does HIPAA Require Encrypted Video for Telehealth?

HIPAA doesn't mandate a specific technology, but the Security Rule requires covered entities to implement technical safeguards that protect ePHI during transmission. In practice, this means using a video platform with end-to-end encryption and a signed BAA. Consumer apps without these features — standard Zoom (non-healthcare), Google Hangouts, Facebook Messenger — do not meet the standard. HIPAA-compliant platforms like Zoom for Healthcare, Doxy.me, and others exist specifically because they offer encryption and will sign a BAA.

The Patient Side of the Equation

One thing I see organizations overlook is the patient's environment. While HIPAA obligations fall on the covered entity and its business associates — not the patient — you still have responsibilities. You need to inform patients about privacy risks on their end. OCR expects you to offer guidance on choosing a private location for visits and securing their device.

This isn't just good compliance. It's good medicine. A patient who doesn't feel their privacy is protected won't share critical information during a virtual visit. That affects outcomes.

State Laws Add Another Layer

HIPAA sets the floor, not the ceiling. Many states have enacted telehealth-specific privacy laws that impose additional requirements — consent disclosures, recording restrictions, cross-state licensing mandates. Texas, California, and New York each have rules that go beyond what HIPAA requires. Your compliance program needs to account for state law alongside the HHS OCR HIPAA telehealth guidance.

The HIPAA statute at 42 U.S.C. § 1320d-2 establishes the federal baseline, but always check your state's requirements too.

Your Compliance Checklist Starts with Training

Every enforcement action I've studied shares a common thread: the organization either failed to train its workforce or trained them on the wrong things. Telehealth has changed the threat landscape. Your training program needs to reflect that change — not with a generic slide deck from 2019, but with current, scenario-based education that prepares your staff for the way care is delivered today.

If your workforce training hasn't been updated to address telehealth risks, start with our HIPAA compliance training courses. They cover telehealth scenarios, ePHI handling, breach notification obligations, and the specific safeguards OCR expects from covered entities operating in a virtual care environment.

The Window Is Closing

OCR has made its position clear. The pandemic-era leniency is gone. Telehealth is here to stay, and so is full HIPAA enforcement. If your organization hasn't aligned its virtual care program with current HHS OCR guidance, every telehealth session you conduct is a potential violation.

The organizations that thrive in this environment aren't the ones with the fanciest technology. They're the ones with trained staff, documented risk analyses, airtight BAAs, and leadership that treats compliance as a clinical priority — not an afterthought.

Start now. Not after the breach. Not after the complaint. Now.