Offering telehealth? Make sure your setup is HIPAA compliant.
Start Your $499 SRA →
The Telehealth HIPAA Problem in 2026
During the COVID-19 public health emergency, HHS temporarily waived enforcement of HIPAA penalties for telehealth conducted on non-compliant platforms. Providers could use FaceTime, Skype, and consumer-grade Zoom without penalty. Those waivers have expired.
In 2026, if you’re conducting telehealth on a platform without a BAA, transmitting PHI over unencrypted channels, or failing to document your telehealth compliance controls, you’re violating HIPAA. OCR is actively enforcing again, and the 2024 HIPAA Security Rule update added new requirements specifically addressing remote access and telehealth technology.
8 Telehealth HIPAA Requirements You Must Meet
- HIPAA-compliant video platform with BAA: Your telehealth platform must offer a Business Associate Agreement. Approved options: Zoom for Healthcare, Doxy.me, Teladoc, Amwell. NOT approved: consumer Zoom, FaceTime, Google Meet, Skype.
- End-to-end encryption: All video, audio, and chat during telehealth sessions must be encrypted in transit. The platform must use TLS 1.2 or later as its minimum.
- Patient identity verification: You must verify the patient’s identity at each telehealth visit. Visual confirmation, date of birth, and security questions are common methods.
- Private environment documentation: Both provider and patient should be in private settings. Document that you’ve advised patients about privacy during telehealth.
- Session recording consent: If you record telehealth sessions, you need explicit patient consent AND the recording must be stored in a HIPAA-compliant system with encryption at rest.
- Secure messaging and follow-up: Post-visit messages, prescriptions, and care instructions sent electronically must go through HIPAA-compliant channels, not regular SMS or consumer email.
- Access controls on provider devices: The laptop, tablet, or phone you use for telehealth must have screen lock, encryption, and unique login. No shared family computers.
- Remote patient monitoring (RPM) security: If you use connected devices (blood pressure monitors, glucose meters, wearables), the data transmission must be encrypted and the vendor must have a BAA.
Is your telehealth setup fully HIPAA compliant? Find out in days.
Get Your Risk Assessment →
Medcurity for Telehealth Providers
Medcurity: Complete Telehealth HIPAA Compliance
Starting at $499/year · 1,000+ healthcare organizations since 2018
Whether you’re a solo telemedicine provider, a behavioral health practice doing virtual therapy, or a health system running hybrid in-person/telehealth operations, Medcurity covers your telehealth-specific HIPAA requirements as part of your complete compliance program.
- Full Security Risk Assessment: Evaluates your telehealth platform, remote access, device security, and all other HIPAA requirements
- 100% self-service option: Complete your compliance assessment between patient visits, at your own pace
- Telehealth-specific policies: Templates for telehealth consent, platform selection, recording policies, and remote work security
- BAA management: Track agreements with your video platform, EHR, messaging tools, RPM vendors, and cloud storage
- Employee training: HIPAA training that covers telehealth-specific risks and procedures
- Dedicated advisor option: Add a year-round HIPAA expert who can answer telehealth compliance questions
- Onsite assessment option: Physical security evaluation of your telehealth workspace (home office, clinic, etc.)
HIPAA-Compliant vs. Non-Compliant Telehealth Platforms
| Platform | HIPAA Compliant? | BAA Available? | Notes |
|---|---|---|---|
| Zoom for Healthcare | ✅ Yes | ✅ Yes | Paid healthcare plan only; NOT free/business Zoom |
| Doxy.me | ✅ Yes | ✅ Yes | Built specifically for telehealth, free tier available |
| SimplePractice Telehealth | ✅ Yes | ✅ Yes | Integrated with SimplePractice EHR |
| Teladoc / Amwell | ✅ Yes | ✅ Yes | Enterprise telehealth platforms |
| Consumer Zoom | ❌ No | ❌ No | No BAA available; HIPAA violation to use for PHI |
| FaceTime | ❌ No | ❌ No | Apple does not offer BAAs; COVID waiver expired |
| Google Meet | ⚠️ Workspace only | ⚠️ Enterprise | Only Google Workspace with BAA; not free Gmail |
| Skype | ❌ No | ❌ No | Microsoft does not offer BAA for Skype |
| | ❌ No | ❌ No | No BAA, no encryption controls; never HIPAA compliant |
Not sure if your current platform is compliant? Medcurity’s risk assessment identifies telehealth gaps and provides specific recommendations.
Stop guessing about telehealth compliance. Get definitive answers.
Start Your Risk Assessment →
Frequently Asked Questions
Is telehealth subject to HIPAA?
Yes. Every telehealth session that involves PHI must comply with HIPAA. The COVID-era enforcement waivers have expired, meaning OCR is actively enforcing HIPAA requirements for telehealth. This includes video platforms, messaging, remote monitoring, and any electronic communication involving patient information.
Can I use FaceTime or regular Zoom for telehealth?
No. FaceTime and consumer Zoom do not offer Business Associate Agreements, which HIPAA requires for any service handling PHI. Use HIPAA-compliant alternatives like Zoom for Healthcare, Doxy.me, or SimplePractice Telehealth. The temporary COVID-era waivers that allowed non-compliant platforms have expired.
What are the new 2024 HIPAA rules for telehealth?
The 2024 HIPAA Security Rule update includes enhanced requirements for remote access security, multi-factor authentication, encryption standards, and technology asset inventory, all of which directly impact telehealth operations. These rules are being enforced in 2026.
Do I need a BAA with my telehealth platform?
Yes. Any telehealth platform that transmits, processes, or stores PHI must sign a Business Associate Agreement with your organization. This applies to video platforms, secure messaging tools, remote patient monitoring vendors, and any cloud service involved in telehealth delivery.
How does Medcurity help with telehealth HIPAA compliance?
Medcurity’s Security Risk Assessment evaluates your entire telehealth setup (platforms, devices, network security, policies, and procedures) and identifies gaps. You get specific recommendations, policy templates for telehealth consent and platform use, BAA tracking for all vendors, and employee training that covers telehealth risks. Starting at $499/year.
Telehealth Is Here to Stay. Is Your Compliance?
COVID waivers are gone. OCR is enforcing. Protect your telehealth practice with Medcurity, starting at $499/year.
Get Started with Medcurity →