In January 2025, HHS confirmed that the temporary telehealth enforcement discretion introduced during the COVID-19 public health emergency has ended. That means every healthcare organization using video conferencing, remote patient monitoring, or virtual care tools is now fully accountable under standard HIPAA rules. If your organization chose a telehealth vendor during the pandemic without a Business Associate Agreement or proper security vetting, you are exposed. Understanding what the regulations actually require of HIPAA telehealth platforms is no longer optional — it is an immediate compliance priority.

Why Most HIPAA Telehealth Platforms Fall Short

Healthcare organizations consistently assume that if a vendor markets itself as "HIPAA compliant," the compliance box is checked. That assumption has led to some of the costliest enforcement actions in OCR's history. No platform is inherently HIPAA compliant — compliance is a shared responsibility between the covered entity and the business associate providing the technology.

OCR has made clear that using a consumer-grade communication tool — FaceTime, standard Zoom, WhatsApp — for clinical encounters involving protected health information violates the HIPAA Security Rule under 45 CFR § 164.312. These platforms lack the administrative, technical, and physical safeguards that the Security Rule demands. The enforcement discretion that temporarily allowed their use is gone.

Even platforms specifically designed for healthcare can fall short. A telehealth vendor that offers end-to-end encryption but stores session recordings on unencrypted servers, or one that fails to implement proper access controls, creates a compliance gap that your organization — not just the vendor — will answer for.

The Business Associate Agreement Is Non-Negotiable

Under the HIPAA Privacy Rule and the Omnibus Rule, any telehealth platform vendor that creates, receives, maintains, or transmits PHI on behalf of a covered entity is a business associate. Before a single virtual visit takes place, your organization must have a signed Business Associate Agreement in place.

The BAA must specifically address how the vendor will safeguard protected health information, report breaches, and limit uses and disclosures to what the agreement permits. A generic terms-of-service page on a vendor's website does not constitute a BAA. I've reviewed agreements from major telehealth companies that omit breach notification timelines entirely — a direct violation of the Breach Notification Rule at 45 CFR §§ 164.400–414.

If your telehealth vendor refuses to sign a BAA, that is your answer. Walk away. No feature set or pricing advantage justifies the regulatory and financial exposure of operating without one.

Security Rule Requirements Every Telehealth Platform Must Meet

When evaluating HIPAA telehealth platforms, your risk analysis should verify the following safeguards required under the Security Rule:

  • Encryption in transit and at rest: All PHI transmitted during telehealth sessions must be encrypted using standards consistent with NIST guidelines. This applies to video, audio, chat, and any shared files.
  • Access controls: The platform must support unique user identification, automatic logoff, and role-based access so that only authorized workforce members can access patient sessions and records.
  • Audit controls: The system must generate and retain audit logs that track who accessed PHI, when, and what actions they performed.
  • Transmission security: Beyond encryption, the platform must protect against unauthorized access to PHI during electronic transmission — including integrity controls that verify data has not been altered.
  • Authentication: The platform must verify that the person seeking access to PHI is who they claim to be, ideally through multi-factor authentication.

These are not best practices or suggestions. They are regulatory requirements. Failure to implement them has resulted in settlements ranging from $100,000 to over $4 million in recent OCR enforcement actions.

Conduct a Telehealth-Specific Risk Analysis

The Security Rule at 45 CFR § 164.308(a)(1) requires an accurate and thorough assessment of potential risks and vulnerabilities to PHI. When your organization introduces or continues using a telehealth platform, the risk analysis must specifically account for that technology.

In my work with covered entities, I've found that many organizations perform a general risk analysis once and never revisit it when adding telehealth services. That approach leaves critical gaps. Your telehealth risk analysis should evaluate the vendor's data storage locations, the device types your workforce uses for virtual visits, the network environments patients connect from, and how session data is retained or disposed of.

Document everything. OCR investigators do not accept verbal assurances. They ask for written risk analyses, remediation plans, and evidence that policies were implemented — not just drafted.

Workforce Training Is Where Telehealth Compliance Breaks Down

Even the most secure telehealth platform cannot compensate for an untrained workforce. Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures related to PHI — and telehealth introduces scenarios that traditional in-office training does not cover.

Your staff must understand how to verify patient identity before a telehealth session, ensure they are in a private setting where conversations cannot be overheard, properly handle screen sharing to avoid exposing other patients' records, and apply the minimum necessary standard to information discussed during virtual visits.

These are not abstract risks. OCR complaints have been filed by patients who overheard another patient's information during a poorly managed telehealth session. Investing in HIPAA training and certification that specifically addresses telehealth scenarios is one of the most effective steps your organization can take to prevent violations before they occur.

The Notice of Privacy Practices Must Reflect Telehealth

If your organization has added telehealth services, your Notice of Privacy Practices likely needs updating. The Notice must inform patients about how their PHI will be used and disclosed — and virtual care introduces new categories of use, including third-party platform vendors, cloud storage of session data, and potentially AI-powered transcription services.

Patients have a right to understand that their video visit is being facilitated through a business associate's platform and what safeguards are in place. Failing to update your Notice is a Privacy Rule violation that OCR can cite independently of any breach.

Choosing the Right Platform Is Only Half the Work

Selecting a telehealth vendor with robust security features and a signed BAA is necessary — but it is not sufficient. Your organization remains responsible for configuring the platform correctly, training every workforce member who touches it, conducting ongoing risk analyses, and maintaining documentation that proves compliance.

HIPAA telehealth platforms are tools. Compliance is the discipline your organization builds around those tools. The covered entities that avoid enforcement actions are the ones that treat telehealth compliance as an ongoing operational requirement, not a one-time procurement decision.

If your workforce needs to get current on telehealth-specific HIPAA obligations, HIPAA Certify's workforce compliance program provides the structured training and documentation your organization needs to demonstrate compliance to OCR — before an investigator asks for it.