Telemedicine Compliance: HIPAA Considerations

Telemedicine HIPAA compliance is now a top priority for every practice. Virtual care has grown fast, pushed forward by COVID-19. Millions of patients now expect virtual visits as a permanent option.

But telehealth brings real privacy and security risks. Every video call and message sends health data (PHI) over digital channels. Your practice must meet HIPAA rules while keeping virtual care easy for patients.

Telehealth Growth and the Compliance Imperative

The New Normal of Virtual Care

Telehealth use is now far above pre-pandemic levels. Behavioral health, primary care, and specialist visits now happen by video and audio. Remote monitoring devices send clinical data non-stop, creating new streams of ePHI to protect.

This growth exposes more vulnerabilities to cyber threats. Telehealth platforms, patient portals, apps, and connected devices are all possible targets. Practices that ignore these risks face fines and the damage of a data breach.

Post-PHE Compliance Rules

During COVID-19, OCR chose not to fine providers who used non-compliant platforms in good faith. That grace period has ended. All telehealth tools must now meet full HIPAA rules.

Key post-PHE changes include:

  • No more enforcement discretion for non-compliant platforms like FaceTime, Skype, or standard Zoom.
  • Full BAA rules apply to all telehealth technology vendors.
  • Risk analysis duties must include telehealth systems.
  • Standard HIPAA security safeguards must be set up for all telehealth communications.
  • Documentation rules apply to all telemedicine visits, including consent and access rights.

If you used temporary flexibilities during the PHE, audit your telehealth tools now. Bring every part into full HIPAA compliance.

Platform Requirements for HIPAA-Compliant Telehealth

Essential Technical Safeguards

A HIPAA-compliant telehealth platform must have strong technical safeguards. These protect ePHI during every virtual visit. Required and recommended features include:

Encryption:

  • End-to-end encryption for all video, audio, and messaging.
  • AES-256 encryption (or equivalent) for data in transit and at rest.
  • TLS 1.2 or higher for all network communications.
  • Encrypted storage for any recorded sessions or session data.

Access Controls:

  • Unique user IDs for all providers and patients on the platform.
  • Strong authentication, including multi-factor authentication (MFA), for provider accounts.
  • Role-based access controls limiting PHI access by job function.
  • Automatic session timeout after inactivity.
  • Emergency access procedures for urgent clinical situations.

Audit Controls:

  • Full audit logs of all PHI access within the platform.
  • Session logs showing who accessed what and when.
  • Regular log reviews to catch unauthorized access.
  • Tamper-proof log storage to keep the audit trail intact.
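One way to make an audit trail tamper-evident, as an added example that is not from the original article or any telehealth vendor: each log entry's hash covers the previous entry's hash, so an edited or deleted entry breaks every hash after it, and a periodic check flags the first bad entry. The user, patient and session ids are constructed sample values.

```python
# Added example (not from the original article): a tamper-evident audit log
# for telehealth PHI access. Each entry's hash covers the previous entry's
# hash, so editing or deleting an earlier entry breaks every hash after it.
import hashlib
import json

GENESIS_HASH = "0" * 64  # anchor for the first entry
# Constructed sample events (hypothetical user, patient and session ids).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T14:00:03Z", "user": "dr_example", "role": "provider",
     "action": "session_join", "patient": "PT-0001", "session": "S-123"},
    {"ts": "2024-03-01T14:02:10Z", "user": "dr_example", "role": "provider",
     "action": "record_view", "patient": "PT-0001", "session": "S-123"},
    {"ts": "2024-03-01T14:25:41Z", "user": "dr_example", "role": "provider",
     "action": "session_end", "patient": "PT-0001", "session": "S-123"},
]

def entry_hash(prev_hash: str, record: dict) -> str:
    """SHA-256 over the previous hash plus a canonical JSON form of the record."""
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(f"{prev_hash}|{payload}".encode()).hexdigest()

def append_entry(log: list, record: dict) -> dict:
    """Append a copy of the record, chained to the current head of the log."""
    prev_hash = log[-1]["hash"] if log else GENESIS_HASH
    entry = {"record": dict(record), "prev": prev_hash,
             "hash": entry_hash(prev_hash, record)}
    log.append(entry)
    return entry

def verify_chain(log: list) -> tuple:
    """Return (True, None) if intact, else (False, index of the first bad entry)."""
    # Catches edited, inserted or removed entries anywhere except a deleted tail;
    # protect the tail by anchoring the latest hash in write-once storage.
    prev_hash = GENESIS_HASH
    for i, entry in enumerate(log):
        if (entry["prev"] != prev_hash
                or entry["hash"] != entry_hash(prev_hash, entry["record"])):
            return False, i
        prev_hash = entry["hash"]
    return True, None

def build_sample_log() -> list:
    log = []
    for event in SAMPLE_EVENTS:
        append_entry(log, event)
    return log

if __name__ == "__main__":
    log = build_sample_log()
    log[1]["record"]["action"] = "record_export"  # simulate an after-the-fact edit
    print(verify_chain(log))  # (False, 1)
```

The chain alone cannot detect removal of the newest entry, so the latest hash should also be recorded in write-once or external storage and compared during each log review.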

Integrity Controls:

  • Data integrity checks to ensure PHI is not changed in transit.
  • Error correction for communication reliability.
  • Backup and recovery for all platform data.

Evaluating Telehealth Vendors

When picking a telehealth platform, ask these questions:

  • Does the vendor sign a Business Associate Agreement?
  • Does the platform offer end-to-end encryption for all communications?
  • Does the vendor hold SOC 2 Type II certification or equivalent?
  • Does the platform have configurable access controls and audit logs?
  • Does the vendor run regular penetration tests and vulnerability assessments?
  • Where is PHI stored, and does that location meet compliance requirements?
  • Does the vendor have a documented incident response plan?
  • Does the platform support patient identity verification before sessions begin?

Need guidance on cloud telehealth tools? See our article on cloud storage compliance for healthcare data.

Business Associate Agreements for Telehealth Vendors

BAA Requirements

Any telehealth vendor that handles PHI for your practice is a business associate under HIPAA. You must sign a Business Associate Agreement before services start. This rule applies to:

  • Video conferencing platform providers (e.g., telehealth-specific platforms).
  • Cloud hosting providers that store session data or recordings.
  • Remote patient monitoring (RPM) vendors that collect and send clinical data.
  • Scheduling and patient portal providers that handle PHI and appointments.
  • Transcription and documentation services that process visit notes.

The BAA must spell out:

  • The allowed uses and shares of PHI by the vendor.
  • The vendor's duty to use proper protections.
  • Breach notification requirements, including timelines and reporting steps.
  • The vendor's duty to ensure subcontractors also follow HIPAA.
  • End-of-contract steps including return or destruction of PHI.

Common BAA Pitfalls

Practices often run into these BAA problems:

  • Using consumer-grade platforms that do not offer BAAs (e.g., standard Zoom, FaceTime, WhatsApp).
  • Failing to update BAAs when vendors change their terms or tools.
  • Not checking subcontractor compliance when the vendor uses third-party systems.
  • Missing recording and storage terms that control who owns session recordings.

Telehealth Consent Requirements

HIPAA does not require a separate consent just for telehealth. But many states require specific informed consent for telemedicine visits. Best practices include:

  • Document patient consent for telehealth care, including known risks and limits.
  • Explain privacy and security steps in plain words so patients understand protection.
  • Address recording policies clearly, telling patients if sessions may be recorded and why.
  • Get consent before each session or keep a standing consent the patient can revoke.
  • Respect patient preferences for how they communicate (video, audio, messaging).

Recording Policies

Recording telehealth sessions adds compliance obligations:

  • Recordings are part of the medical record and fall under HIPAA's Privacy and Security Rules.
  • State law may require two-party consent for recording, including telehealth sessions.
  • Stored recordings must meet HIPAA security rules, including encryption and access controls.
  • Retention and destruction policies must match relevant medical record laws.
  • Patient access rights apply to telehealth recordings as part of the record set.

Set clear policies on when sessions are recorded. Make sure patients are informed and give proper consent.

Interstate Licensing and Regulatory Considerations

Multi-State Telehealth Operations

Telehealth often means treating patients in other states. This raises licensing and regulatory questions that affect HIPAA compliance:

  • State licensing rules usually require a license in the state where the patient is during the visit.
  • Interstate medical licensure compacts help with multi-state practice but do not cover all states.
  • Prescribing rules vary by state, with specific laws for telehealth and controlled substances.
  • State privacy laws in the patient's state may add rules beyond HIPAA, including telehealth consent terms.

Practices offering telemedicine across state lines must track many state-specific rules. Learn how state privacy laws interact with HIPAA for multi-state telehealth programs.

Technical Safeguards for Video and Remote Monitoring

Securing the Telehealth Environment

Beyond platform security, your practice must protect the setting where telehealth visits happen. That means both the provider side and the patient side.

Provider-Side Safeguards:

  • Private consultation spaces where conversations cannot be overheard.
  • Screen privacy filters to block visual access to PHI.
  • Secure network connections; avoid public Wi-Fi for telehealth sessions.
  • Device security including encryption, current software, and endpoint protection.
  • Background checks for telehealth support staff.

Patient-Side Guidance:

  • Teach patients to join telehealth from a private location.
  • Give instructions for checking that connections are encrypted.
  • Offer backup access methods for patients without secure technology.
  • Document patient-side risks that are outside your control.

Remote Patient Monitoring (RPM):

  • Encrypt all data sent from monitoring devices to provider systems.
  • Authenticate devices to block unauthorized connections.
  • Secure data storage for continuous monitoring data streams.
  • Set up alert systems for device tampering or unauthorized access.
  • Keep a device inventory and track all deployed monitoring equipment.

Telemedicine HIPAA FAQ

Can we use FaceTime or standard Zoom for telehealth?

No. Standard consumer video platforms do not offer BAAs. They also lack the security controls HIPAA requires. OCR's COVID-19 enforcement grace period has ended. Use HIPAA-compliant platforms that offer BAAs, end-to-end encryption, and proper access controls.

Do we need a separate BAA for our telehealth platform?

Yes. If your telehealth vendor handles PHI, you must sign a BAA with them. This covers the platform provider itself. It may also cover subcontractors like cloud hosts that the vendor uses.

What if a patient requests a non-compliant communication method?

Offer compliant options and explain why you cannot use tools that expose PHI. Document the patient's request and your response. If a patient insists, record the conversation and the risks you explained.

How do we handle telehealth for patients in other states?

Make sure your providers hold valid licenses in the patient's state. Follow that state's telehealth rules and any privacy rules that go beyond HIPAA. Keep a current list of state-specific telehealth rules and update it as laws change.

Are telehealth encounters subject to the same documentation rules as in-person visits?

Yes. Document telehealth visits in the medical record just like in-person visits. Also note the telehealth method used (video, audio, messaging) and patient consent. Patient rights under HIPAA, including the right to access records, apply equally to telehealth visit documentation.

Telemedicine Compliance Takeaways

Telemedicine compliance means extending your HIPAA program into digital care. You must pick compliant platforms, sign BAAs, set up technical safeguards, and track multi-state rules. These duties are real, but manageable with a clear plan.

One Guy Consulting helps practices build HIPAA-compliant telemedicine programs from the ground up. We cover new launches and audits of existing programs. Contact us today to make sure your telemedicine program meets every relevant rule.