HIPAA Compliance for Telehealth: What Providers Must Get Right in 2026

Practical guidance for healthcare teams and business associates

The pandemic-era free pass is gone. OCR’s enforcement discretion for telehealth ended on May 11, 2023, with a 90-day transition period that expired August 9, 2023. Since that date, every virtual visit your practice conducts is held to the full weight of the HIPAA Privacy, Security, and Breach Notification Rules.

If you are still running telehealth the way you did in 2020, you have a compliance problem. Here is how to fix it.

The Enforcement Landscape Has Changed

During COVID, OCR stated it would not penalize providers who used non-compliant platforms for telehealth in good faith. Many providers took that as license to run visits over FaceTime, Skype, and consumer-grade Zoom.

That era is over. In 2024 alone, OCR pursued 22 enforcement actions. Children’s Hospital Colorado paid $548,000 after a help desk technician disabled a physician’s MFA and never reactivated it, exposing records of over 3,300 children. Gulf Coast Pain Consultants paid $1.19 million for failing basic Security Rule requirements. These were not sophisticated cyberattacks. They were basic compliance failures, the exact kind telehealth providers risk when they skip security fundamentals.

Platform Requirements: Three Non-Negotiables

Meeting HIPAA telehealth requirements starts with your platform. Every telehealth tool that touches ePHI must satisfy three baseline conditions:

1. A Signed Business Associate Agreement

Your telehealth vendor creates, receives, and transmits ePHI on your behalf, which makes it a business associate. If the vendor will not sign a BAA, you cannot use it for patient care. Consumer versions of Zoom, Google Meet, Microsoft Teams, WhatsApp, and FaceTime do not come with BAAs. Using any of them creates two separate problems per session: an impermissible disclosure of PHI to a vendor with no BAA, and no contractual assurance that the platform's safeguards meet the Security Rule.

2. Encryption in Transit and at Rest

ePHI in transit must be protected per 45 CFR 164.312(e)(1), and the proposed Security Rule changes would make encryption mandatory rather than addressable. In practice that means TLS 1.2 or higher on every connection (video, audio, chat, file transfer, and the web session itself) and AES-256 for stored recordings, chat transcripts, and shared files. Note that TLS protects each hop, not the vendor's own servers: a platform marketed as "encrypted" may still decrypt media in the cloud to record, transcribe, or route it, which is exactly why the BAA matters. If the platform cannot confirm both in-transit and at-rest encryption in writing, find one that can.

3. Access Controls

Only authorized users should join a session or access recorded visit data. The access control standard at 45 CFR 164.312(a)(1) carries implementation specifications for unique user identification, emergency access, automatic logoff, and encryption and decryption. In practice: one login per staff member (never a shared "frontdesk" account), session timeouts after a defined idle period, and multi-factor authentication on every account that can reach patient data.

The Security Rule Applies to Every Virtual Visit

Telehealth is not exempt from the 45 CFR 164.312 technical safeguards. The same standards that govern your EHR govern your video visits:

  • Access controls (45 CFR 164.312(a)(1)): Unique user IDs, role-based access, automatic logoff.
  • Audit controls (45 CFR 164.312(b)): Logs showing who accessed what, when, and from where.
  • Integrity controls (45 CFR 164.312(c)(1)): Mechanisms confirming ePHI has not been altered or destroyed.
  • Transmission security (45 CFR 164.312(e)(1)): Encryption covering video, audio, chat, shared files, and recordings.

A proper risk assessment will identify where your telehealth workflows fall short.

The Privacy Rule does not disappear because a visit happens over video. Patients must understand how their information will be used during virtual visits. The minimum necessary standard applies to who is present: staff in the room on either end, anyone admitted to the session, and whatever is visible on a shared screen. Session recordings are part of the designated record set. States with stricter privacy laws (California's CMIA, for example) may require additional consent.

Document your telehealth consent process. If OCR investigates, “we told them verbally” is not a defensible answer.

Common Mistakes That Create Real Liability

After working with medical practices on HIPAA compliance, these are the mistakes we see repeatedly:

  1. Using consumer apps without BAAs. If your vendor will not sign a BAA, the platform is off limits for clinical use.
  2. No risk analysis covering telehealth. Many practices never updated their risk assessment to include telehealth workflows and vendors added during COVID.
  3. Shared login credentials. Multiple staff using one account eliminates audit trail integrity and violates access control requirements.
  4. Ignoring the waiting room. Unmonitored virtual waiting rooms let patients overhear or see other patients’ information.
  5. Recording sessions without safeguards. Visits stored on local drives, unencrypted cloud storage, or personal devices create breach exposure.
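Mistake 3 above (shared credentials) and the audit-control and automatic-logoff requirements in the previous section can be checked against the platform's own audit-log export rather than taken on faith. The following Python is an added example, not code from the original article or from any vendor: the JSON-lines format, field names (`user`, `event`, `ip`, `session`, `target`) and event names are assumptions, and the log lines are constructed. It flags a user ID active from two IP addresses at the same time, a session that stayed open across an idle gap longer than the logoff threshold, and an account whose MFA was disabled and never re-enabled (the pattern behind the Children's Hospital Colorado settlement).

```python
"""Offline audit-log checks for a telehealth platform (added example, constructed data)."""
import json
from datetime import datetime, timedelta

# Constructed sample export in JSON-lines form. Field and event names are
# assumptions for this example, not any real vendor's schema. Timestamps are UTC.
SAMPLE_LOG = """
{"ts":"2026-03-02T08:00:00Z","user":"helpdesk1","event":"mfa_disabled","target":"dr.patel","ip":"10.0.0.5"}
{"ts":"2026-03-02T08:01:00Z","user":"helpdesk1","event":"mfa_disabled","target":"dr.kim","ip":"10.0.0.5"}
{"ts":"2026-03-02T08:30:00Z","user":"helpdesk1","event":"mfa_enabled","target":"dr.kim","ip":"10.0.0.5"}
{"ts":"2026-03-02T09:00:00Z","user":"dr.lee","event":"login","ip":"203.0.113.10","session":"s1"}
{"ts":"2026-03-02T09:05:00Z","user":"dr.lee","event":"visit_start","ip":"203.0.113.10","session":"s1"}
{"ts":"2026-03-02T09:05:00Z","user":"frontdesk","event":"login","ip":"203.0.113.10","session":"s2"}
{"ts":"2026-03-02T09:06:00Z","user":"frontdesk","event":"visit_start","ip":"203.0.113.10","session":"s2"}
{"ts":"2026-03-02T09:10:00Z","user":"frontdesk","event":"login","ip":"198.51.100.7","session":"s3"}
{"ts":"2026-03-02T09:12:00Z","user":"frontdesk","event":"visit_start","ip":"198.51.100.7","session":"s3"}
{"ts":"2026-03-02T09:38:00Z","user":"frontdesk","event":"visit_end","ip":"203.0.113.10","session":"s2"}
{"ts":"2026-03-02T09:40:00Z","user":"frontdesk","event":"logout","ip":"203.0.113.10","session":"s2"}
{"ts":"2026-03-02T09:50:00Z","user":"dr.lee","event":"visit_end","ip":"203.0.113.10","session":"s1"}
{"ts":"2026-03-02T09:50:00Z","user":"frontdesk","event":"visit_end","ip":"198.51.100.7","session":"s3"}
{"ts":"2026-03-02T09:55:00Z","user":"frontdesk","event":"logout","ip":"198.51.100.7","session":"s3"}
{"ts":"2026-03-02T11:30:00Z","user":"dr.lee","event":"logout","ip":"203.0.113.10","session":"s1"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and return them sorted by timestamp."""
    events = []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    events.sort(key=lambda e: e["ts"])  # stable sort keeps same-second order
    return events


def sessions(events):
    """Group session-bearing events by session id, recording user, source IP,
    start time and end time (None if the session never logged out)."""
    out = {}
    for e in events:
        sid = e.get("session")
        if not sid:
            continue  # admin actions such as MFA changes carry no session
        s = out.setdefault(sid, {"user": e["user"], "ip": e["ip"],
                                 "start": e["ts"], "end": None, "events": []})
        s["events"].append(e)
        if e["event"] == "logout":
            s["end"] = e["ts"]
    return out


def find_shared_credentials(events):
    """One user ID with two sessions from different IPs open at the same time:
    the signature of a login shared by several staff. Returns (user, sid_a, sid_b)."""
    by_user = {}
    for sid, s in sessions(events).items():
        by_user.setdefault(s["user"], []).append((sid, s))
    findings = []
    for user, sess in by_user.items():
        for i in range(len(sess)):
            for j in range(i + 1, len(sess)):
                (sid_a, a), (sid_b, b) = sess[i], sess[j]
                if a["ip"] == b["ip"]:
                    continue  # same workstation, not evidence of sharing
                a_end = a["end"] or datetime.max  # still open: treat as unbounded
                b_end = b["end"] or datetime.max
                if a["start"] < b_end and b["start"] < a_end:  # intervals overlap
                    findings.append((user, sid_a, sid_b))
    return findings


def find_missing_auto_logoff(events, max_idle=timedelta(minutes=15)):
    """Sessions that stayed logged in across an idle gap longer than max_idle.
    Time between visit_start and visit_end is a live visit, not idleness.
    Returns (session id, user, idle minutes) for the first offending gap."""
    findings = []
    for sid, s in sessions(events).items():
        evs = s["events"]
        for prev, cur in zip(evs, evs[1:]):
            if prev["event"] == "visit_start":
                continue
            idle = cur["ts"] - prev["ts"]
            if idle > max_idle:
                findings.append((sid, s["user"], int(idle.total_seconds() // 60)))
                break
    return sorted(findings)


def find_mfa_left_disabled(events):
    """Accounts whose MFA was disabled and not re-enabled later in the log.
    Returns (target account, admin who disabled it)."""
    disabled = {}
    for e in events:
        if e["event"] == "mfa_disabled":
            disabled[e["target"]] = e["user"]
        elif e["event"] == "mfa_enabled":
            disabled.pop(e["target"], None)
    return sorted(disabled.items())


def run_checks(text):
    """Run all three checks over one log export."""
    events = parse_log(text)
    return {"shared_credentials": find_shared_credentials(events),
            "missing_auto_logoff": find_missing_auto_logoff(events),
            "mfa_left_disabled": find_mfa_left_disabled(events)}


if __name__ == "__main__":
    for name, hits in run_checks(SAMPLE_LOG).items():
        print(f"{name}: {hits}")
```

Against the constructed log this reports the `frontdesk` account open from two addresses at once, `dr.lee`'s session surviving a 100-minute idle gap after the visit ended, and `dr.patel` still without MFA; `dr.kim` is not reported because the technician re-enabled it. Point the same checks at a real export and the three lists become findings for the risk analysis, with the log lines as evidence.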

What the 2026 Proposed Security Rule Means for Telehealth

The NPRM published January 6, 2025, proposes changes that directly affect telehealth. If finalized:

  • “Addressable” goes away. Encryption, MFA, and other controls become mandatory. No more documenting why you chose not to implement them.
  • Asset inventory required. Every device and system touching ePHI, including telehealth endpoints, must be cataloged.
  • Mandatory testing. Vulnerability scanning every six months, penetration testing annually.
  • 72-hour restoration. Critical electronic information systems and data must be restored within 72 hours of a loss, and a business associate must notify the covered entity within 24 hours of activating its contingency plan.

Read our full breakdown of the proposed 2026 Security Rule changes for details on timelines and preparation steps.

Compliant Telehealth Platforms Worth Evaluating

Several platforms will sign BAAs and are built for clinical use: Doxy.me (browser-based, BAA on paid plans), Zoom for Healthcare (separate from consumer Zoom), Microsoft Teams for Healthcare (enterprise tier), and niche options like Updox, VSee, and TheraNest.

A compliant platform alone is not enough. You still need policies, training, risk analysis, and proper configuration to meet HIPAA telehealth requirements.

Get Your Telehealth Program Compliant

If your practice adopted telehealth during COVID and never formalized compliance, now is the time. OCR is actively enforcing, the proposed Security Rule will raise the bar further, and “we started during the pandemic” is not a defense.

We help practices close telehealth compliance gaps and build programs that hold up under scrutiny. Talk to our HIPAA consulting team to get started.