When OCR announced in May 2023 that the COVID-era telehealth HIPAA enforcement discretion was ending, thousands of healthcare organizations realized they had been operating on borrowed time. Providers who had adopted Zoom, FaceTime, and other consumer platforms during the pandemic suddenly faced a hard deadline: get compliant or risk enforcement action. The transition period is over, and OCR expects full compliance with every provision of the HIPAA Privacy, Security, and Breach Notification Rules for virtual care delivery.

Why Telehealth HIPAA Compliance Is No Longer Optional

During the COVID-19 public health emergency, OCR issued a Notification of Enforcement Discretion that allowed covered entities to use non-public-facing communication platforms for telehealth without facing penalties for noncompliance. That discretion expired on May 11, 2023, when the public health emergency ended.

Since then, OCR has returned to full enforcement. Any covered entity or business associate transmitting protected health information (PHI) over a telehealth platform must comply with 45 CFR Part 164 — no exceptions. Organizations that haven't transitioned away from consumer-grade tools are actively exposed to HIPAA violations and potential penalties ranging from $137 to $68,928 per violation, with annual caps up to $2,067,813 per violation category under the updated penalty tiers.

Platform Selection: The Business Associate Agreement Requirement

The single most critical step in telehealth HIPAA compliance is selecting a platform vendor willing to sign a business associate agreement (BAA). Under the HIPAA Privacy Rule, any entity that creates, receives, maintains, or transmits PHI on behalf of a covered entity qualifies as a business associate and must be under a BAA before any PHI is exchanged.

Consumer platforms like standard FaceTime, Facebook Messenger, and regular Zoom accounts will not sign BAAs. HIPAA-eligible platforms — including Zoom for Healthcare, Doxy.me, Microsoft Teams with a healthcare configuration, and others — explicitly offer BAAs as part of their service agreements.

Before signing, verify that the vendor's BAA covers all services you intend to use: video, chat, file sharing, and session recording. A BAA that only covers video conferencing does not extend to a messaging feature within the same platform.

Security Rule Requirements for Virtual Care Environments

A signed BAA does not make your organization compliant on its own. The HIPAA Security Rule at 45 CFR §164.302–318 requires covered entities to implement administrative, physical, and technical safeguards for all electronic PHI (ePHI) — and telehealth introduces unique risks that your risk analysis must address.

Technical Safeguards You Must Verify

  • Encryption in transit: All telehealth sessions must use end-to-end or transport-layer encryption (TLS 1.2 or higher). Verify this with your vendor — do not assume.
  • Access controls: Unique user identification, automatic logoff, and emergency access procedures must be in place for every clinician accessing the platform.
  • Audit controls: Your platform must generate logs showing who accessed what session and when. These logs support both your compliance program and breach investigation capabilities.
  • Transmission security: Integrity controls must prevent ePHI from being improperly modified during transmission.
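The unique-user-identification, automatic-logoff and audit-control items above are easiest to evaluate against the platform's own access log. The following Python script is an added example, not code from the original article or from any telehealth vendor: it reviews a constructed JSON-lines access log for the problems an auditor looks for (blank or shared user identifiers, a clinician joining a session they are not scheduled for, and clinicians still joined well past the auto-logoff window). The log format, the `SCHEDULE` mapping, the `SHARED_ACCOUNTS` set and the 45-minute logoff limit are all assumptions made for the example; substitute your platform's export and your own policy values.

```python
"""Review a telehealth access log against HIPAA Security Rule audit-control
expectations.  Added example: the log format, schedule and account lists below
are constructed assumptions, not any vendor's real export."""
import json
from datetime import datetime, timedelta

# Constructed sample log (JSON Lines).  One record per join/leave event.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:00:12Z", "event": "join",  "session": "S-1001", "user": "dr.lee",           "role": "clinician"}
{"ts": "2024-03-04T09:00:40Z", "event": "join",  "session": "S-1001", "user": "patient-7781",     "role": "patient"}
{"ts": "2024-03-04T09:31:05Z", "event": "leave", "session": "S-1001", "user": "dr.lee",           "role": "clinician"}
{"ts": "2024-03-04T10:15:00Z", "event": "join",  "session": "S-1002", "user": "shared-frontdesk", "role": "clinician"}
{"ts": "2024-03-04T10:16:10Z", "event": "join",  "session": "S-1002", "user": "",                 "role": "patient"}
{"ts": "2024-03-04T11:00:00Z", "event": "join",  "session": "S-1003", "user": "dr.patel",         "role": "clinician"}
"""

# Assumed policy inputs.  A shared login defeats unique user identification;
# the schedule says which clinician is authorised for each session.
SHARED_ACCOUNTS = {"shared-frontdesk"}
SCHEDULE = {"S-1001": "dr.lee", "S-1002": "dr.patel", "S-1003": "dr.patel"}
AUTO_LOGOFF = timedelta(minutes=45)  # assumed policy value


def parse_log(text):
    """Parse JSON-lines records and convert the timestamp to datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def review(records, now):
    """Return a list of (session, finding) tuples for an auditor to follow up."""
    findings = []
    open_joins = {}  # (session, user) -> join time of clinicians not yet logged off
    for r in records:
        key = (r["session"], r["user"])
        # Audit controls are only useful if every record names a unique person.
        if not r["user"]:
            findings.append((r["session"], "missing user identifier"))
        elif r["user"] in SHARED_ACCOUNTS:
            findings.append((r["session"], f"shared account {r['user']}"))
        if r["event"] == "join" and r["role"] == "clinician":
            expected = SCHEDULE.get(r["session"])
            if expected and r["user"] != expected:
                findings.append((r["session"], f"unscheduled clinician {r['user']}"))
            open_joins[key] = r["ts"]
        elif r["event"] == "leave":
            open_joins.pop(key, None)
    # Anyone still joined past the logoff window suggests automatic logoff is
    # not enforced on that client or account.
    for (session, user), joined in open_joins.items():
        if now - joined > AUTO_LOGOFF:
            findings.append((session, f"{user} still joined after {AUTO_LOGOFF}"))
    return findings


def review_sample():
    """Run the review over the constructed log as of 12:00 on the same day."""
    now = datetime(2024, 3, 4, 12, 0, 0)
    return review(parse_log(SAMPLE_LOG), now)


if __name__ == "__main__":
    for session, finding in review_sample():
        print(f"{session}: {finding}")
```

Run against the constructed log, the script flags the blank patient identifier, the shared front-desk login (which is also not the scheduled clinician for S-1002), and two clinician joins with no matching leave inside the 45-minute window. Each line corresponds to a control the Security Rule names, so the output doubles as evidence for the risk analysis and for any later breach investigation.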

Administrative Safeguards That Get Overlooked

Healthcare organizations consistently struggle with the administrative side of telehealth security. Your risk analysis must specifically evaluate threats introduced by remote care delivery: clinicians conducting sessions from home networks, shared devices, and environments where family members may overhear conversations.

Document policies addressing minimum workspace requirements for telehealth sessions, including private rooms, screen positioning, and headphone use. These details matter during an OCR investigation.

The Privacy Rule Obligations Specific to Telehealth

The minimum necessary standard applies to telehealth just as it applies to in-person care. Only the minimum PHI necessary to accomplish the purpose of the session should be visible, shared, or stored. Screen sharing during a telehealth session, for example, must be limited to relevant clinical information — not an entire EHR dashboard.

Your Notice of Privacy Practices should be updated to address telehealth-specific data uses and disclosures. Patients have a right to understand how their PHI is handled during virtual visits, including whether sessions are recorded, where recordings are stored, and who has access.

Patient consent processes also need attention. While HIPAA itself does not require consent for treatment, payment, or healthcare operations, many state telehealth laws do. Your compliance program must account for both federal and state requirements.

The Workforce Training Requirement Most Organizations Underestimate

Under 45 CFR §164.530(b), covered entities must train all workforce members on HIPAA policies and procedures relevant to their job functions. For telehealth, this means every clinician, scheduler, and support staff member involved in virtual care needs training that specifically addresses telehealth privacy and security risks.

Generic annual HIPAA training is not sufficient. Your workforce needs to understand how to verify patient identity over video, how to handle a session where an unauthorized person enters the room on the patient's side, how to securely document telehealth encounters, and what to do if a platform experiences a security incident.

Investing in comprehensive HIPAA training and certification that covers telehealth-specific scenarios ensures your workforce is prepared for the realities of virtual care — not just the theory. Organizations that treat training as a checkbox exercise consistently appear in OCR enforcement actions.

Breach Notification Considerations for Telehealth Incidents

A telehealth-related breach triggers the same Breach Notification Rule requirements under 45 CFR §§164.400–414 as any other PHI breach. If a telehealth session is accessed by an unauthorized individual, if session recordings are exposed, or if a platform vendor suffers a data breach, your organization must conduct a risk assessment using the four-factor test and, if necessary, notify affected individuals within 60 days.

Work with your telehealth vendor to establish incident response protocols before a breach occurs. Know who at the vendor organization will notify you, what information they will provide, and what your internal escalation process looks like. Waiting until a breach happens to figure out your response chain is a compliance failure.

Build a Sustainable Telehealth Compliance Program

Telehealth HIPAA compliance is not a one-time project. Platforms update features, new vulnerabilities emerge, workforce members rotate, and OCR continues to refine its enforcement priorities. Your compliance program needs ongoing attention.

Start with a telehealth-specific risk analysis, ensure every vendor is under a current BAA, update your Notice of Privacy Practices, and implement role-based workforce training. Review your telehealth policies at least annually and after any significant change to your technology environment or care delivery model.

Organizations looking to strengthen their compliance posture across the board — including telehealth — can explore HIPAA Certify's workforce compliance solutions to ensure every team member meets their regulatory obligations. The enforcement discretion era is over. What remains is the expectation that your organization treats virtual care with the same rigor you apply to every other form of PHI handling.