OCR's COVID-era telehealth enforcement discretion expired with the public health emergency on May 11, 2023, and the 90-day transition period OCR granted ran out on August 9, 2023. Many healthcare organizations realized only then that they had been operating virtual care programs on borrowed time. The relaxed posture OCR adopted during the pandemic, declining to impose penalties for good-faith use of non-compliant platforms, has given way to full enforcement expectations. If your organization delivers care through video, audio, or messaging platforms, telehealth compliance is no longer optional or aspirational. It is an active enforcement priority.

Why the End of Enforcement Discretion Changes Everything for Telehealth Compliance

During the public health emergency, OCR exercised enforcement discretion under its March 17, 2020 Notification, allowing providers to use non-public-facing consumer platforms such as FaceTime and Skype without facing penalties (public-facing services such as Facebook Live and TikTok were never covered). That discretion was always temporary. OCR Director Melanie Fontes Rainer has repeatedly signaled that covered entities must now meet every requirement of the HIPAA Privacy Rule and Security Rule when delivering telehealth services.

This means that every virtual encounter involving protected health information (PHI) must occur on platforms that satisfy the administrative, physical, and technical safeguards of the Security Rule (45 CFR Part 164, Subpart C). Organizations still using non-compliant tools face the same penalty structure as any other HIPAA violation: up to $2,067,813 per violation category per calendar year under the inflation-adjusted penalty tiers. That cap is adjusted annually, so check the current figure in 45 CFR § 102.3 rather than relying on a number from a prior year.

The Business Associate Agreement Gap That Exposes Your Organization

One of the most common telehealth compliance failures I see in my work with covered entities is the absence of a valid business associate agreement (BAA) with the technology vendor. Under the HIPAA Omnibus Rule, any vendor that creates, receives, maintains, or transmits PHI on your behalf is a business associate. A video, messaging, or scheduling platform that hosts your sessions or stores recordings, transcripts, or chat history does not fit the narrow conduit exception, which is reserved for entities such as ISPs that merely carry traffic and have only transient access to it. No BAA means no legal authorization for that vendor to handle PHI, and it means your organization is in violation before a single appointment starts.

Zoom for Healthcare, Doxy.me, and other HIPAA-eligible platforms will sign BAAs. Consumer versions of those same products typically will not. The distinction matters. Before your next telehealth session goes live, confirm that a signed BAA is on file for every platform touching patient data, including scheduling tools, chat interfaces, transcription or AI note-taking add-ons, and cloud storage services integrated into the workflow. Keep in mind that a BAA authorizes the vendor but does not configure the product: the HIPAA-eligible tier still has to be set up according to the vendor's guidance, and settings that were acceptable under enforcement discretion need to be reviewed.

Conducting a Risk Analysis That Covers Virtual Care Environments

OCR's enforcement actions consistently cite the failure to perform a comprehensive risk analysis as the root cause of violations. Under 45 CFR § 164.308(a)(1)(ii)(A), your organization must identify and evaluate risks to the confidentiality, integrity, and availability of all ePHI it creates, receives, maintains, or transmits, and telehealth platforms introduce risks that did not exist in traditional settings.

Your risk analysis must address:

  • Transmission security: Is ePHI encrypted in transit during live sessions, and are recordings, transcripts, and chat logs encrypted at rest wherever the platform stores them?
  • Access controls: Who can join or observe a virtual session? How are clinicians and patients authenticated, and can an uninvited party enter a session simply by obtaining or reusing the meeting link?
  • Device security: Are clinicians conducting sessions from personal devices? If so, are those devices managed under your organization's mobile device policy (screen lock, encryption, remote wipe, supported operating system)?
  • Audit logging: Does your platform generate audit logs that record who accessed ePHI and when, and do you actually review them?
  • Data retention: Are telehealth session recordings or transcripts stored, and if so, where, for how long, and who can retrieve or delete them?

If your last risk analysis was conducted before your organization launched telehealth services, it is already outdated. Risk analysis is not a one-time event. Under 45 CFR § 164.306(e), security measures must be reviewed and updated as needed in response to environmental or operational changes, and telehealth adoption is exactly that kind of change.

The Minimum Necessary Standard in a Virtual Care Setting

The minimum necessary standard under the Privacy Rule requires your organization to limit uses, disclosures, and requests of PHI to what is reasonably needed for the purpose. Disclosures to the patient and disclosures to a provider for treatment are exempt from it (45 CFR § 164.502(b)(2)), but telehealth still creates practical challenges. A clinician conducting a video session from a shared office may inadvertently expose PHI to unauthorized individuals, which implicates the reasonable safeguards requirement of 45 CFR § 164.530(c). A screen share that displays a patient's full medical record when only a lab result is needed is a minimum necessary problem whenever anyone other than the patient or a treating provider, such as a family member, interpreter, or caregiver, is on the call.

Establish clear protocols: clinicians should conduct telehealth sessions in private spaces, use headphones, confirm who else is in the room on the patient's end, limit on-screen data to what the encounter requires, and avoid recording sessions unless clinically necessary and permitted under your policies.

Workforce Training Specific to Telehealth Workflows

General HIPAA training does not adequately prepare your workforce for telehealth-specific risks. Under 45 CFR § 164.530(b), covered entities must train all workforce members on policies and procedures relevant to their job functions, and the Security Rule separately requires a security awareness and training program under 45 CFR § 164.308(a)(5). A billing specialist and a telehealth clinician face fundamentally different risk profiles.

Your telehealth training should cover secure platform use, patient identity verification before each session, handling of session recordings, and incident reporting procedures when a virtual session is compromised (for example, an uninvited participant joining, a recording stored in the wrong location, or a session conducted on a non-approved tool). Investing in a structured HIPAA training and certification program ensures that your workforce understands both the general regulatory framework and the specific safeguards telehealth demands.

Patient-Facing Obligations: Notice of Privacy Practices Updates

If your organization has added telehealth services since your Notice of Privacy Practices (NPP) was last revised, the NPP likely needs updating. Patients have the right to understand how their PHI will be used and disclosed, and for virtual encounters that should cover whether sessions may be recorded, what kinds of platforms and vendors are involved, and how session data is stored and retained.

OCR has not issued telehealth-specific NPP guidance, but the existing requirements under 45 CFR § 164.520 apply fully, including the obligation to revise the notice whenever there is a material change in your privacy practices. A clear, updated NPP reduces complaint risk and demonstrates good-faith compliance.

Building a Sustainable Telehealth Compliance Program

Telehealth compliance is not a single checklist item. It requires integrating virtual care safeguards into your organization's broader HIPAA compliance program: updated policies, vendor management, ongoing risk analysis, and workforce training that evolves as your technology stack changes.

Healthcare organizations that treat telehealth as a permanent part of care delivery, not a pandemic workaround, are the ones best positioned to withstand OCR scrutiny. The organizations that will struggle are those still relying on informal practices adopted under enforcement discretion.

Start by auditing your current telehealth environment against the Security Rule's full safeguard requirements. Close your BAA gaps. Update your risk analysis. Train your workforce on telehealth-specific protocols through a credible workforce HIPAA compliance platform. The enforcement landscape has shifted, and your telehealth compliance program must shift with it.