When OCR's COVID-era telehealth enforcement discretion ended with the public health emergency on May 11, 2023 (followed by a 90-day transition period that ran through August 9, 2023), many healthcare organizations realized they had been operating telemedicine platforms for years without fully addressing their underlying HIPAA obligations. The temporary flexibility that began in March 2020, which allowed providers to use non-public-facing consumer tools such as FaceTime and Skype without a business associate agreement, masked a deeper problem. Telemedicine and HIPAA compliance were always intertwined, and organizations that treated the pandemic notification as permanent policy now face real regulatory exposure.

Why Telemedicine and HIPAA Compliance Gaps Persist Post-Pandemic

During the public health emergency, OCR exercised enforcement discretion and declined to impose penalties for good faith use of non-public-facing communication technologies. Many providers interpreted this as a blanket exemption from the Security Rule. It was not.

The discretion covered only the good faith provision of telehealth during the emergency, and it did not change the rules themselves: it never suspended the Privacy Rule, the Breach Notification Rule, or the Security Rule's requirement to conduct an accurate and thorough risk analysis under 45 CFR §164.308(a)(1)(ii)(A). Organizations that migrated to platforms such as Zoom for Healthcare, Doxy.me, or Microsoft Teams with BAAs in place were ahead. Those still using consumer-grade tools without a business associate agreement carry a compliance debt that must be addressed immediately.

In my work with covered entities transitioning back to standard enforcement, I consistently see the same three failures: no BAA with the telehealth vendor, no updated risk analysis reflecting virtual care workflows, and workforce members who were never trained on telehealth-specific PHI handling.

Business Associate Agreements: The Non-Negotiable Foundation

Every telehealth platform that creates, receives, maintains, or transmits protected health information on behalf of your organization is a business associate (45 CFR §160.103), and the Omnibus Rule made business associates directly liable for Security Rule compliance. A signed business associate agreement is therefore required before the vendor receives a single patient's PHI. The only carve-out is the conduit exception, which HHS reads narrowly: it covers services that merely transport PHI without routinely accessing it, such as an internet service provider, and it does not cover a platform that hosts sessions or stores recordings or chat transcripts, even if the vendor cannot decrypt them.

The BAA must, at a minimum, set out the permitted uses and disclosures of PHI, require the vendor to apply appropriate safeguards and comply with the Security Rule, require reporting of breaches and security incidents, flow the same obligations down to any subcontractors, and address return or destruction of PHI when the relationship ends (45 CFR §164.504(e)). The minimum necessary standard still governs what you disclose to the vendor in the first place. If your telemedicine vendor refuses to sign a BAA, that vendor cannot be used for clinical care involving PHI. Period.

OCR enforcement actions have repeatedly cited the absence of a business associate agreement as a contributing factor in settlements. Your organization should inventory every telehealth tool in use, including messaging apps, remote patient monitoring platforms, and patient intake forms, and confirm BAA coverage for each. The inventory should also capture tools that individual clinicians or departments adopted on their own during the emergency, since those are the ones most likely to have no agreement at all.

Conducting a Risk Analysis That Accounts for Virtual Care

The Security Rule requires covered entities to perform a comprehensive risk analysis that identifies threats to the confidentiality, integrity, and availability of electronic PHI. When your organization added telemedicine, the threat landscape changed fundamentally. If your risk analysis has not been updated to reflect telehealth workflows, you are out of compliance with 45 CFR §164.308(a)(1)(ii)(A).

A telehealth-specific risk analysis should address:

  • Transmission security: Are video, audio, and chat encrypted in transit (at minimum TLS for signaling and SRTP for media), and is that encryption end-to-end, or can the vendor decrypt the session? Know which, because a platform that can decrypt media (for example, to record or transcribe it) has access to PHI that your BAA and risk analysis must account for.
  • Access controls: How do clinicians authenticate before accessing the telehealth platform? Is multi-factor authentication enforced?
  • Device security: Are workforce members conducting virtual visits from personal devices? If so, what mobile device management policies apply?
  • Recording and storage: Are telehealth sessions recorded? Where are recordings stored, and who has access?
  • Patient environment: How does your organization handle situations where a patient's surroundings may compromise the privacy of the encounter?

Risk analysis is not a one-time checkbox. It must be reviewed and updated whenever you adopt new telehealth technologies, change vendors, or modify clinical workflows, and each risk it identifies must be carried through the risk management process required by 45 CFR §164.308(a)(1)(ii)(B) until it is reduced to a reasonable and appropriate level, with that decision documented.

The Workforce Training Requirement Most Telehealth Programs Miss

Under the Privacy Rule at 45 CFR §164.530(b), covered entities must train all workforce members on policies and procedures related to PHI, and the Security Rule's security awareness and training standard at 45 CFR §164.308(a)(5) imposes the same obligation for ePHI. When telemedicine became a primary delivery channel, most organizations failed to update their training programs to address the unique risks of virtual care.

Your workforce needs to understand how to verify patient identity before a telehealth session, how to handle PHI displayed on screen during a virtual visit, what to do if a session is inadvertently recorded, and how to manage technical failures that could expose PHI. These are not abstract concerns — they are daily operational realities in telehealth.

Investing in a structured HIPAA training and certification program that includes telehealth-specific modules ensures your clinicians, administrative staff, and IT teams understand their responsibilities. Generic annual training that never mentions telemedicine is insufficient under current OCR expectations.

Technical Safeguards Your Telehealth Platform Must Support

The Security Rule's technical safeguard standards under 45 CFR §164.312 apply directly to telemedicine platforms. Some of their implementation specifications are "required" and others "addressable", but addressable does not mean optional: you must either implement the specification or document why an alternative measure is reasonable and appropriate. At minimum, your telehealth solution must support:

  • Encryption in transit and at rest for all ePHI, including video streams, chat logs, and shared documents (addressable under §164.312(a)(2)(iv) and §164.312(e)(2)(ii), but there is rarely a defensible alternative for telehealth traffic crossing the public internet)
  • Unique user identification so every workforce member accessing the platform has individual credentials (required under §164.312(a)(2)(i)), together with person or entity authentication before access is granted (§164.312(d))
  • Automatic logoff to terminate sessions after a defined period of inactivity (addressable under §164.312(a)(2)(iii))
  • Audit controls that log who accessed the system, when, and what actions they took (§164.312(b)), with those logs retained and reviewed as part of the information system activity review required by §164.308(a)(1)(ii)(D)

If your platform cannot demonstrate these capabilities, it likely does not meet Security Rule requirements, regardless of what the vendor's marketing materials claim. Request documentation. Review independent security assessments such as a SOC 2 Type II report or HITRUST certification, and read the scope and exceptions rather than the cover letter, because an assessment that excludes the video service you actually use tells you nothing about it. Verify compliance before relying on vendor promises.

Patient Rights and the Notice of Privacy Practices

Telemedicine doesn't change your obligations under the Privacy Rule regarding patient rights. Your Notice of Privacy Practices should be updated to reflect how PHI is collected, used, and disclosed during virtual visits. Patients must still be able to request access to their records, request amendments, and receive an accounting of disclosures — even when care is delivered through a screen.

If your organization collects new categories of information through telehealth — such as screenshots, chat transcripts, or remote monitoring data — your NPP must reflect those practices. Failing to update this document is a commonly overlooked HIPAA violation that OCR has flagged in compliance reviews.

Building a Sustainable Telehealth Compliance Program

Telemedicine is not a temporary workaround. It is a permanent feature of healthcare delivery, and your compliance infrastructure must treat it that way. That means ongoing risk analysis updates, current BAAs with every telehealth vendor, documented policies that address virtual care scenarios, and regular workforce training refreshers.

Organizations that build compliance into their telehealth programs from the ground up avoid the costly remediation that follows an OCR investigation. The most effective approach is to integrate telemedicine and HIPAA compliance requirements into your existing compliance framework rather than treating them as separate initiatives.

A comprehensive workforce HIPAA compliance program that covers telehealth-specific risks, updated policies, and role-based training is the most reliable way to protect your organization and your patients. OCR's enforcement posture has returned to pre-pandemic standards. The time to close your telehealth compliance gaps is now, not after a breach investigation begins.