OCR's pandemic-era telehealth enforcement discretion ended with the COVID-19 public health emergency on May 11, 2023, and the 90-day transition period OCR granted after that ran out on August 9, 2023. At that point, hundreds of healthcare organizations realized they had been operating virtual care programs on borrowed time. The relaxed posture that allowed providers to use consumer platforms such as FaceTime and Skype without penalty is over. HIPAA telehealth requirements are now enforced with the same rigor as any in-person care setting, and the compliance gaps are enormous.

What the End of Enforcement Discretion Means for Telehealth

In March 2020, OCR issued a Notification of Enforcement Discretion stating it would not impose penalties for good-faith use of non-public-facing communication technologies during the COVID-19 public health emergency. That discretion was always temporary.

The public health emergency declaration expired on May 11, 2023, and OCR's transition period ended on August 9, 2023. Since then, covered entities and business associates must fully comply with the HIPAA Privacy Rule, Security Rule, and Breach Notification Rule for every telehealth encounter. Organizations that built telehealth workflows during the pandemic without updating their compliance infrastructure are exposed.

OCR has not signaled any leniency. In my work with covered entities transitioning back to full enforcement standards, the most common finding is that telehealth platforms were adopted without a corresponding update to the organization's risk analysis — a direct violation of the risk analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A).

Core HIPAA Telehealth Requirements Under the Security Rule

The Security Rule doesn't include a separate "telehealth section." Instead, every administrative, physical, and technical safeguard applies wherever protected health information is created, received, maintained, or transmitted — including a video visit conducted from a clinician's home office.

Here are the specific requirements your organization must address:

  • Encryption in transit: Transmission security (45 CFR § 164.312(e)(1)) is a required standard; encrypting ePHI in transit is its addressable implementation specification at § 164.312(e)(2)(ii). Addressable does not mean optional: you must implement it or document why it is not reasonable and appropriate and what equivalent measure you use instead. For a telehealth platform, that means confirming from the vendor's documentation that audio, video, chat, and file transfer are all encrypted, not just the login page.
  • Access controls: Unique user identification (45 CFR § 164.312(a)(2)(i), required) and automatic logoff (§ 164.312(a)(2)(iii), addressable) must be configured on every account and device used for telehealth, including personal devices under BYOD policies. Shared or generic clinician logins defeat both the control and the audit trail that depends on it.
  • Audit controls: Your platform must generate audit logs that record who accessed PHI and when (45 CFR § 164.312(b)), and you must actually review them: information system activity review is a required administrative safeguard under § 164.308(a)(1)(ii)(D).
  • Business associate agreements: Every telehealth vendor that handles PHI, including the platform provider, the cloud hosting service, and any transcription or AI scribe tool, must have a signed BAA in place before the first session.

Healthcare organizations consistently struggle with that last point. A telehealth vendor that refuses to sign a BAA cannot be used to handle PHI, full stop. The narrow "conduit" exception covers only pure transmission services such as internet service providers; a video platform that routes, stores, or records sessions does not qualify. Using such a platform to transmit PHI creates direct liability for your covered entity.

Privacy Rule Obligations Specific to Virtual Care

The Privacy Rule applies to telehealth in ways that are easy to overlook. Your Notice of Privacy Practices must accurately describe how PHI is used and disclosed during telehealth encounters. If your NPP was last updated before 2020, it almost certainly doesn't reflect your current virtual care operations.

The Privacy Rule's safeguards requirement also applies. Incidental disclosures are permitted only when the covered entity has applied reasonable safeguards (45 CFR § 164.530(c)) and the minimum necessary standard (§ 164.502(b)). Clinicians conducting telehealth visits from shared spaces, such as a home office with family nearby or a coworking space, must take reasonable steps to prevent them: a closed room, headphones, and a screen that others cannot see. This isn't theoretical: § 164.530(c) sits among the Privacy Rule's administrative requirements, and OCR treats environmental safeguards as part of it.

Patient authorization requirements don't change because care is delivered virtually. If a telehealth session is recorded, decide in advance what the recording is for. A recording made and used for treatment, payment, or health care operations is a permitted use under the Privacy Rule, but any use beyond those purposes, such as marketing or external training, requires the patient's written authorization unless a specific Privacy Rule exception applies. Separately, a number of states require consent from all parties before a call is recorded, so obtain and document the patient's consent regardless.

The Risk Analysis Gap That Catches Most Organizations

The single most critical of all HIPAA telehealth requirements is conducting a thorough risk analysis that specifically addresses your virtual care environment. Under 45 CFR § 164.308(a)(1)(ii)(A), you must identify every reasonably anticipated threat to the confidentiality, integrity, and availability of ePHI — and telehealth introduces threats that didn't exist in your brick-and-mortar risk profile.

Your risk analysis must now account for:

  • Home networks used by remote clinicians
  • Personal devices accessing telehealth platforms
  • Third-party integrations (scheduling tools, chat features, AI scribes)
  • Recording and storage of telehealth sessions
  • Patient-side risks, such as screen sharing in non-private environments

If your last risk analysis was performed before you launched telehealth, it is incomplete. OCR's enforcement record makes this clear: a missing or inadequate risk analysis is among the most frequently cited findings in HIPAA settlements, with penalties ranging from $100,000 to over $5 million.

Workforce Training: The Requirement Most Organizations Underestimate

Under 45 CFR § 164.530(b), every member of your workforce must receive training on your HIPAA policies and procedures, including those specific to telehealth, and the Security Rule separately requires a security awareness and training program (§ 164.308(a)(5)). This isn't a one-time event. Training must be updated when material changes occur, and launching or modifying a telehealth program qualifies.

Your workforce training for telehealth should cover:

  • How to verify patient identity before a virtual visit
  • Approved platforms and prohibited alternatives
  • Environmental precautions to prevent incidental PHI disclosures
  • Procedures for reporting a suspected breach during or after a telehealth session
  • Proper documentation and storage of telehealth encounter records

Generic annual HIPAA training won't satisfy this requirement. Your organization needs role-specific telehealth training that reflects your actual workflows. Our HIPAA Training & Certification program includes modules built for the realities of modern virtual care delivery.

Practical Steps to Meet HIPAA Telehealth Requirements Now

If your organization offers any form of virtual care, take these steps immediately:

  • Audit your telehealth vendors. Confirm that every platform and subcontractor has a signed, current BAA. Terminate any vendor relationship where a BAA cannot be obtained.
  • Update your risk analysis. Add telehealth-specific threats, vulnerabilities, and controls. Document everything — OCR expects written evidence.
  • Revise your Notice of Privacy Practices. Ensure it accurately reflects how PHI is collected, used, and disclosed through telehealth.
  • Implement technical safeguards. Verify that ePHI is encrypted in transit on every channel the platform uses (and at rest wherever it stores recordings, chat transcripts, or files), enable automatic logoff after a defined idle period, and enforce multi-factor authentication on clinician accounts.
  • Train your workforce. Deliver targeted training that addresses telehealth-specific HIPAA obligations — not just general awareness content.
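To make the technical safeguards listed above (unique user identification, automatic logoff, audit controls, and MFA-gated access, as described under the Security Rule requirements and in the "Implement technical safeguards" step) concrete, here is an added example of what they look like as server-side logic. This is illustrative code written for this page, not code from the article, from HIPAA Certify, or from any real telehealth platform. The class and function names, the 15-minute idle policy, the user and patient identifiers, and the placeholder record are all assumptions.

```python
"""Session handling for a hypothetical telehealth web backend.

Added example, not code from the article or from any real platform. It
shows three Security Rule technical safeguards as server logic:
unique user identification (each session is bound to one workforce ID),
automatic logoff (idle sessions are destroyed, not silently refreshed),
and audit controls (every login, PHI access, and forced logoff is logged).
All identifiers, the 15-minute idle policy, and the placeholder record are
assumptions for illustration.
"""
from dataclasses import dataclass
import json
import time

IDLE_TIMEOUT_SECONDS = 15 * 60  # assumed organizational policy: 15 minutes idle


@dataclass
class Session:
    user_id: str         # unique workforce identifier, never a shared login
    created_at: float
    last_activity: float


class TelehealthSessionStore:
    def __init__(self, idle_timeout=IDLE_TIMEOUT_SECONDS, clock=time.time):
        self._sessions = {}
        self._idle_timeout = idle_timeout
        self._clock = clock          # injectable so the timeout logic can be tested
        self.audit_log = []          # in production: append-only, retained, and reviewed

    def _audit(self, event, user_id, **details):
        entry = {"ts": self._clock(), "event": event, "user_id": user_id, **details}
        self.audit_log.append(entry)
        return entry

    def login(self, user_id, session_id, mfa_verified):
        """Create a session only for an MFA-verified, individually identified user."""
        if not mfa_verified:
            self._audit("login_denied", user_id, reason="mfa_not_verified")
            raise PermissionError("multi-factor authentication required")
        now = self._clock()
        self._sessions[session_id] = Session(user_id, now, now)
        self._audit("login", user_id, session_id=session_id)

    def is_active(self, session_id):
        return session_id in self._sessions

    def access_phi(self, session_id, patient_id, action="view"):
        """Gate every PHI read behind the idle check and record the access."""
        sess = self._sessions.get(session_id)
        if sess is None:
            raise PermissionError("no active session")
        now = self._clock()
        idle = now - sess.last_activity
        if idle > self._idle_timeout:
            # Automatic logoff: destroy the stale session rather than refreshing it.
            del self._sessions[session_id]
            self._audit("auto_logoff", sess.user_id, session_id=session_id,
                        idle_seconds=round(idle))
            raise PermissionError("session expired after inactivity; re-authenticate")
        sess.last_activity = now
        self._audit("phi_access", sess.user_id, session_id=session_id,
                    patient_id=patient_id, action=action)
        return {"patient_id": patient_id, "record": "<ePHI placeholder>"}

    def export_audit_jsonl(self):
        """Serialize the audit trail as JSON lines for retention and review tooling."""
        return "\n".join(json.dumps(e, sort_keys=True) for e in self.audit_log)


if __name__ == "__main__":
    store = TelehealthSessionStore()
    store.login("dr.alice", "sess-1", mfa_verified=True)      # constructed sample user
    store.access_phi("sess-1", "pt-42")                        # constructed sample patient
    print(store.export_audit_jsonl())
```

Two design points matter for an auditor. The idle check compares against the last activity timestamp, not session creation, so an absolute expiry alone would not satisfy "automatic logoff" for a clinician who leaves a screen unattended mid-shift. And a denied login and a forced logoff are logged as first-class events, because an audit trail that records only successful PHI access cannot support the activity review that § 164.308(a)(1)(ii)(D) requires.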

HIPAA violations in telehealth carry the same penalties as any other context: up to $2,067,813 per violation category per calendar year under the 2023 inflation-adjusted penalty tiers, a cap that is revised upward each year. OCR does not distinguish between an in-person breach and a virtual one.

Telehealth Isn't Going Away — Your Compliance Must Keep Pace

Virtual care is now a permanent feature of healthcare delivery. That means HIPAA telehealth requirements are permanent compliance obligations, not temporary accommodations. The organizations that built telehealth programs during the pandemic's enforcement leniency now face a clear choice: formalize compliance or accept the risk of enforcement action.

At HIPAA Certify, we help covered entities and business associates close the gaps between how they deliver care today and what HIPAA actually requires. The enforcement landscape has shifted. Your compliance program needs to shift with it.